
Malwarebytes blocking access to malicious sites



Hi Elise!

I was following another thread you helped with and need help. I will be bald from yanking my hair out with this.

Malwarebytes is blocking several websites, online and offline. It slows the computer way down. I have run Norton's NIS 2010, Malwarebytes and SUPERAntiSpyware, all with the latest updates, and still can't stop this.

IP-BLOCK 94.228.209.200

IP-BLOCK 91.212.226.67

IP-BLOCK 91.212.226.59

IP-BLOCK 94.228.209.214

IP-BLOCK 195.170.178.55

IP-BLOCK 85.12.46.158

IP-BLOCK 85.12.46.157

IP-BLOCK 85.12.46.155

IP-BLOCK 91.212.226.130

IP-BLOCK 91.212.226.178

IP-BLOCK 95.211.96.203

I have already downloaded OTL and GMER and am waiting to be advised on what to do.

Thank You


Hello,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double-click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log


Here is my OTL Log:

OTL logfile created on: 7/12/2010 1:08:08 PM - Run 2

OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Rich\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

767.00 Mb Total Physical Memory | 294.00 Mb Available Physical Memory | 38.00% Memory free

2.00 Gb Paging File | 1.00 Gb Available in Paging File | 66.00% Paging File free

Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 465.75 Gb Total Space | 47.60 Gb Free Space | 10.22% Space Free | Partition Type: NTFS

Drive D: | 149.04 Gb Total Space | 34.78 Gb Free Space | 23.34% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: BOSS

Current User Name: Rich

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/12 10:12:03 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rich\Desktop\OTL.exe

PRC - [2010/07/02 06:36:00 | 002,403,568 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

PRC - [2010/05/31 21:26:56 | 000,061,440 | ---- | M] (Nalpeiron Ltd.) -- C:\WINDOWS\system32\nlssrv32.exe

PRC - [2010/05/31 21:26:56 | 000,057,344 | ---- | M] (Nalpeiron Ltd.) -- C:\WINDOWS\system32\ASTSRV.EXE

PRC - [2010/04/29 12:19:20 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2010/04/29 12:19:20 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe

PRC - [2010/02/11 20:28:34 | 000,016,184 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe

PRC - [2010/01/04 10:02:14 | 000,086,016 | ---- | M] (Software602) -- C:\Program Files\Software602\Print2PDF\Print2PDF.exe

PRC - [2008/10/25 00:35:16 | 000,605,944 | ---- | M] (iExpert Software) -- C:\Program Files\Registry Clean Expert\RCHelper.exe

PRC - [2008/09/16 22:37:36 | 001,241,088 | ---- | M] () -- C:\Program Files\WhiteSmoke\WSEnrichment.exe

PRC - [2008/08/22 14:33:08 | 001,691,648 | ---- | M] (Language Engineering Corporation, LLC) -- C:\Program Files\Power Translator 12\LogoMedia TranslateDotNet Server.exe

PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/07/24 12:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

PRC - [2006/04/05 22:31:52 | 000,057,344 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Multimedia\main\atidtct.exe

PRC - [2006/03/30 23:44:18 | 000,651,385 | ---- | M] (Koninklijke Philips Electronics N.V.) -- C:\Program Files\CoPilot\Laptop10\App\Spot2741.exe

PRC - [2000/05/03 09:24:32 | 000,102,400 | ---- | M] (Champion Software, Inc.) -- C:\Program Files\Auto-Do-It\Notify.exe

========== Modules (SafeList) ==========

MOD - [2010/07/12 10:12:03 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rich\Desktop\OTL.exe

MOD - [2010/05/14 01:35:01 | 000,415,088 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.7.0.12\asoehook.dll

MOD - [2009/07/12 02:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll

MOD - [2009/07/12 00:02:02 | 000,653,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll

MOD - [2009/07/12 00:02:00 | 000,569,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll

MOD - [2008/04/14 06:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

MOD - [2008/01/10 09:06:10 | 000,016,896 | ---- | M] (Deskperience) -- C:\Program Files\WhiteSmoke\WHook.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe -- (Roxio UPnP Renderer 11)

SRV - [2010/05/31 21:26:56 | 000,061,440 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\WINDOWS\system32\nlssrv32.exe -- (nlsX86cc)

SRV - [2010/05/31 21:26:56 | 000,057,344 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\WINDOWS\system32\ASTSRV.EXE -- (astcc)

SRV - [2010/04/29 12:19:20 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [unknown | Running] -- C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe -- (NIS)

SRV - [2010/02/19 20:30:16 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®

SRV - [2010/02/12 15:22:35 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2009/12/16 10:09:04 | 000,188,736 | ---- | M] (Nitro PDF Software) [Auto | Stopped] -- C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe -- (NitroDriverReadSpool)

SRV - [2008/08/22 14:33:08 | 001,691,648 | ---- | M] (Language Engineering Corporation, LLC) [Auto | Running] -- C:\Program Files\Power Translator 12\LogoMedia TranslateDotNet Server.exe -- (LEC TranslateDotNet Server)

SRV - [2007/07/24 12:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)

SRV - [2006/03/30 23:44:18 | 000,651,385 | ---- | M] (Koninklijke Philips Electronics N.V.) [Auto | Running] -- C:\Program Files\CoPilot\Laptop10\App\Spot2741.exe -- (SpotGPSMaxim)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\btwhid.sys -- (btwhid)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\btwdndis.sys -- (BTWDNDIS)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\btport.sys -- (BTDriver)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\btaudio.sys -- (btaudio)

DRV - [2010/05/28 15:33:19 | 000,331,640 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100709.001\IDSXpx86.sys -- (IDSxpx86)

DRV - [2010/05/27 06:21:44 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)

DRV - [2010/05/27 06:21:44 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2010/05/27 06:12:07 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)

DRV - [2010/05/22 14:16:04 | 000,691,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100619.001\BHDrvx86.sys -- (BHDrvx86)

DRV - [2010/05/10 20:57:33 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100711.002\NAVEX15.SYS -- (NAVEX15)

DRV - [2010/05/10 20:57:32 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100711.002\NAVENG.SYS -- (NAVENG)

DRV - [2010/05/06 00:01:59 | 000,361,904 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1107000.00C\SYMTDI.SYS -- (SYMTDI)

DRV - [2010/04/29 12:19:14 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2010/04/29 01:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1107000.00C\Ironx86.SYS -- (SymIRON)

DRV - [2010/04/21 23:02:20 | 000,173,104 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1107000.00C\SYMEFA.SYS -- (SymEFA)

DRV - [2010/04/21 22:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1107000.00C\SRTSP.SYS -- (SRTSP)

DRV - [2010/04/21 22:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1107000.00C\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)

DRV - [2010/02/25 20:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1107000.00C\ccHPx86.sys -- (ccHP)

DRV - [2010/02/18 16:12:07 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)

DRV - [2010/02/18 16:12:06 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)

DRV - [2010/02/12 13:17:58 | 000,682,232 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)

DRV - [2010/02/12 12:28:21 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)

DRV - [2009/12/30 11:20:54 | 000,027,064 | ---- | M] (VS Revo Group) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\revoflt.sys -- (Revoflt)

DRV - [2009/09/01 10:40:42 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WsAudio_DeviceS(5).sys -- (WsAudio_DeviceS(5)) WsAudio_DeviceS(5)

DRV - [2009/09/01 10:40:42 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WsAudio_DeviceS(4).sys -- (WsAudio_DeviceS(4)) WsAudio_DeviceS(4)

DRV - [2009/09/01 10:40:42 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WsAudio_DeviceS(3).sys -- (WsAudio_DeviceS(3)) WsAudio_DeviceS(3)

DRV - [2009/09/01 10:40:42 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WsAudio_DeviceS(2).sys -- (WsAudio_DeviceS(2)) WsAudio_DeviceS(2)

DRV - [2009/09/01 10:40:42 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WsAudio_DeviceS(1).sys -- (WsAudio_DeviceS(1)) WsAudio_DeviceS(1)

DRV - [2009/08/29 20:17:18 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1107000.00C\SYMDS.SYS -- (SymDS)

DRV - [2008/04/14 01:15:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)

DRV - [2008/04/13 23:04:20 | 000,063,488 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinxsxx.sys -- (ATIXSAudio) ATI WDM TV Audio (Microsoft Corporation) Crossbar (Microsoft Corporation)

DRV - [2008/04/13 23:04:18 | 000,104,960 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinrvxx.sys -- (atinrvxx) ATI WDM Rage Theater Video (Microsoft Corporation)

DRV - [2008/04/13 23:04:18 | 000,073,216 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atintuxx.sys -- (ATITUNEP) ATI WDM TV Tuner (Microsoft Corporation)

DRV - [2008/04/13 23:04:18 | 000,052,224 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinraxx.sys -- (ativraxx) ATI WDM Rage Theater Audio (Microsoft Corporation)

DRV - [2008/04/13 23:04:18 | 000,014,336 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinpdxx.sys -- (PCDCODEC) ATI WDM Specialized PCD Codec (Microsoft Corporation)

DRV - [2008/04/13 23:04:18 | 000,013,824 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinmdxx.sys -- (MVDCODEC) ATI WDM Specialized MVD Codec (Microsoft Corporation)

DRV - [2008/04/13 23:04:16 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2005/01/13 11:06:48 | 000,035,107 | ---- | M] (Winternals) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VDiskBus.sys -- (vdiskbus)

DRV - [2003/09/22 13:43:06 | 001,330,048 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\P16X.sys -- (P16X) Creative SB Live! Series (WDM)

DRV - [2003/09/22 09:48:06 | 000,130,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)

DRV - [2003/09/22 09:47:38 | 000,178,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)

DRV - [2003/04/27 13:39:16 | 000,008,704 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\stwlfbus.sys -- (stwlfbus)

DRV - [2003/04/27 12:43:06 | 000,099,360 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\st3wolf.sys -- (st3wolf)

DRV - [2003/03/05 13:19:28 | 000,015,840 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PFMODNT.SYS -- (PfModNT)

DRV - [2002/12/16 19:11:02 | 000,076,288 | ---- | M] (Rainbow Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel)

DRV - [2002/12/16 19:11:02 | 000,026,120 | ---- | M] (Rainbow Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS -- (Sntnlusb)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1275210071-790525478-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/

IE - HKU\S-1-5-21-1275210071-790525478-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1275210071-790525478-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "eBay"

FF - prefs.js..extensions.enabledItems: LECToolbar@lec.txt:1.1

FF - prefs.js..extensions.enabledItems: {EA6F5510-6F4D-11DC-B4DA-1B6D56D89593}:0.37

FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0

FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: mozilla_cc@internetdownloadmanager.com:6.3

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\ [2010/05/25 18:21:51 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\ [2010/02/12 12:28:40 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/01 08:17:12 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/01 08:17:12 | 000,000,000 | ---D | M]

[2010/02/17 09:08:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rich\Application Data\Mozilla\Extensions

[2010/05/19 09:08:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rich\Application Data\Mozilla\Firefox\Profiles\kghxyr0w.default\extensions

[2010/05/19 09:08:51 | 000,000,000 | ---D | M] (recipefox) -- C:\Documents and Settings\Rich\Application Data\Mozilla\Firefox\Profiles\kghxyr0w.default\extensions\{EA6F5510-6F4D-11DC-B4DA-1B6D56D89593}

[2010/05/19 08:59:33 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2009/11/19 17:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll

[2009/11/19 17:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

O1 HOSTS File: ([2002/09/03 15:39:21 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (IDMIEHlprObj Class) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (Tonec Inc.)

O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)

O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\coieplg.dll (Symantec Corporation)

O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ipsbho.dll (Symantec Corporation)

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)

O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)

O3 - HKLM\..\Toolbar: (LEC) - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Program Files\Power Translator 12\Applications\LEC IE Translation Extension.dll (Language Engineering Corporation, LLC)

O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)

O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\coieplg.dll (Symantec Corporation)

O3 - HKU\S-1-5-21-1275210071-790525478-839522115-1003\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)

O3 - HKU\S-1-5-21-1275210071-790525478-839522115-1003\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\coieplg.dll (Symantec Corporation)

O4 - HKLM..\Run: [bluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [Print2PDF Print Monitor] C:\Program Files\Software602\Print2PDF\Print2PDF.exe (Software602)

O4 - HKU\S-1-5-21-1275210071-790525478-839522115-1003..\Run: [ADIReminder] C:\Program Files\Auto-Do-It\Notify.exe (Champion Software, Inc.)

O4 - HKU\S-1-5-21-1275210071-790525478-839522115-1003..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\atidtct.exe (ATI Technologies Inc.)

O4 - HKU\S-1-5-21-1275210071-790525478-839522115-1003..\Run: [Evernote] C:\Program Files\Evernote\Evernote3.5\evernote.exe (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)

O4 - HKU\S-1-5-21-1275210071-790525478-839522115-1003..\Run: [RegClean Expert Scheduler] C:\Program Files\Registry Clean Expert\RCHelper.exe (iExpert Software)

O4 - HKU\S-1-5-21-1275210071-790525478-839522115-1003..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)

O4 - HKU\S-1-5-21-1275210071-790525478-839522115-1003..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Launch WhiteSmoke.lnk = C:\Program Files\WhiteSmoke\WSEnrichment.exe ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1275210071-790525478-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0

O7 - HKU\S-1-5-21-1275210071-790525478-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1

O8 - Extra context menu item: Add to &Evernote - C:\Program Files\Evernote\Evernote3.5\enbar.dll (Evernote Corporation)

O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()

O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm ()

O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm ()

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm ()

O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()

O8 - Extra context menu item: MasterCook: Select Image - C:\Documents and Settings\Rich\Local Settings\Application Data\MasterCook Web Import\MCIEContext.hta ()

O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClick GoogleSearch & OpenSelectedURL\openselectedurl.htm ()

O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()

O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()

O8 - Extra context menu item: Search &Google - C:\Program Files\RightClick GoogleSearch & OpenSelectedURL\google.htm ()

O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()

O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()

O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()

O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()

O9 - Extra Button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL (ATI Technologies Inc.)

O9 - Extra Button: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\Program Files\Software602\Print2PDF\Print602.dll (Software602 a.s.)

O9 - Extra 'Tools' menuitem : Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\Program Files\Software602\Print2PDF\Print602.dll (Software602 a.s.)

O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()

O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()

O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)

O9 - Extra Button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - C:\Program Files\Evernote\Evernote3.5\enbar.dll (Evernote Corporation)

O9 - Extra 'Tools' menuitem : Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - C:\Program Files\Evernote\Evernote3.5\enbar.dll (Evernote Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found

O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKU\S-1-5-21-1275210071-790525478-839522115-1003\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)

O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rich\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010/02/09 22:10:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O33 - MountPoints2\{0323ae9c-337f-11df-ab32-0007e97ed762}\Shell - "" = AutoRun

O33 - MountPoints2\{0323ae9c-337f-11df-ab32-0007e97ed762}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{0323ae9c-337f-11df-ab32-0007e97ed762}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found

O33 - MountPoints2\{0323ae9d-337f-11df-ab32-0007e97ed762}\Shell\AutoRun\command - "" = setupSNK.exe

O33 - MountPoints2\J\Shell - "" = AutoRun

O33 - MountPoints2\J\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\J\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/12 10:12:00 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rich\Desktop\OTL.exe

[2010/07/11 12:20:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rich\Application Data\Scooter Software

[2010/07/11 12:13:36 | 000,000,000 | ---D | C] -- C:\Program Files\Beyond Compare 3

[2010/07/09 12:39:05 | 000,000,000 | ---D | C] -- C:\WinMerge v2.12.4

[2010/07/01 08:18:08 | 000,226,728 | R--- | C] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid

[2010/07/01 08:15:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\Cache

[2010/07/01 08:15:20 | 000,000,000 | ---D | C] -- C:\Program Files\Coupons

[2010/06/25 19:15:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rich\Desktop\attachments_2010_06_25

[2010/06/24 12:15:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Fighters

[2010/06/23 17:32:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rich\Application Data\GetRightToGo

[2010/06/22 12:50:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rich\Application Data\Malwarebytes

[2010/06/22 12:50:07 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/06/22 12:50:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/06/22 12:50:05 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/06/22 12:50:05 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/06/22 06:49:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/06/22 06:49:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/06/16 06:33:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution

[2010/02/10 10:00:50 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll

[2003/04/27 13:39:16 | 000,008,704 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\stwlfbus.sys

[2003/04/27 13:38:56 | 000,054,784 | ---- | C] ( ) -- C:\WINDOWS\daemon.dll

[2003/04/27 12:43:06 | 000,099,360 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\st3wolf.sys

[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/12 13:16:19 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Rich\Desktop\~$rsistent_i.doc

[2010/07/12 12:36:45 | 000,202,651 | ---- | M] () -- C:\Documents and Settings\Rich\Desktop\Persistent_i.doc

[2010/07/12 11:53:20 | 003,737,559 | ---- | M] () -- C:\Documents and Settings\Rich\Desktop\ComboFix.exe

[2010/07/12 10:39:23 | 000,000,579 | ---- | M] () -- C:\Documents and Settings\Rich\Desktop\~ Automated Profit Package ~.lnk

[2010/07/12 10:39:13 | 000,000,499 | ---- | M] () -- C:\Documents and Settings\Rich\Desktop\~ DVDS ~.lnk

[2010/07/12 10:38:57 | 000,000,539 | ---- | M] () -- C:\Documents and Settings\Rich\Desktop\~ DONGLE STUFF ~.lnk

[2010/07/12 10:14:00 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Rich\Desktop\g0w7fpvv.exe

[2010/07/12 10:12:03 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rich\Desktop\OTL.exe

[2010/07/12 09:37:33 | 018,087,936 | ---- | M] () -- C:\Documents and Settings\Rich\ntuser.dat

[2010/07/12 08:39:33 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/07/12 06:25:42 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/07/12 06:25:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/07/11 22:14:55 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Rich\ntuser.ini

[2010/07/11 12:44:34 | 000,150,771 | ---- | M] () -- C:\Documents and Settings\Rich\Desktop\ALL FRUIT SMOOTHIES 2 SHARE.htm

[2010/07/11 12:22:36 | 000,000,670 | ---- | M] () -- C:\Documents and Settings\Rich\Application Data\Microsoft\Internet Explorer\Quick Launch\Beyond Compare 3.lnk

[2010/07/08 08:52:42 | 000,169,984 | ---- | M] () -- C:\Documents and Settings\Rich\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/07/08 08:50:11 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2010/07/04 09:27:57 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/07/01 08:18:08 | 000,226,728 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid

[2010/06/27 11:42:24 | 000,001,023 | ---- | M] () -- C:\Documents and Settings\Rich\Desktop\Shortcut to Logs.lnk

[2010/06/27 11:08:55 | 000,000,763 | ---- | M] () -- C:\Documents and Settings\Rich\Desktop\Shortcut to hosts.lnk

[2010/06/27 08:10:03 | 001,600,656 | -H-- | M] () -- C:\Documents and Settings\Rich\Local Settings\Application Data\IconCache.db

[2010/06/25 20:51:07 | 001,645,905 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\MustangShirts.pdf

[2010/06/25 08:49:04 | 000,008,456 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys

[2010/06/24 09:22:19 | 000,870,128 | ---- | M] () -- C:\Documents and Settings\Rich\Application Data\mcs.rma

[2010/06/24 09:22:19 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Rich\Application Data\822E20

[2010/06/23 21:04:01 | 000,000,180 | ---- | M] () -- C:\Documents and Settings\Rich\default.pls

[2010/06/22 12:50:11 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\Rich\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk

[2010/06/16 08:23:32 | 000,000,534 | ---- | M] () -- C:\Documents and Settings\Rich\Application Data\Microsoft\Internet Explorer\Quick Launch\DiffMerge.lnk

[2010/06/13 21:14:40 | 000,002,155 | ---- | M] () -- C:\Documents and Settings\Rich\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk

[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/12 12:36:44 | 000,202,651 | ---- | C] () -- C:\Documents and Settings\Rich\Desktop\Persistent_i.doc

[2010/07/12 11:53:14 | 003,737,559 | ---- | C] () -- C:\Documents and Settings\Rich\Desktop\ComboFix.exe

[2010/07/12 10:39:23 | 000,000,579 | ---- | C] () -- C:\Documents and Settings\Rich\Desktop\~ Automated Profit Package ~.lnk

[2010/07/12 10:39:13 | 000,000,499 | ---- | C] () -- C:\Documents and Settings\Rich\Desktop\~ DVDS ~.lnk

[2010/07/12 10:38:57 | 000,000,539 | ---- | C] () -- C:\Documents and Settings\Rich\Desktop\~ DONGLE STUFF ~.lnk

[2010/07/12 10:13:57 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Rich\Desktop\g0w7fpvv.exe

[2010/07/11 12:44:33 | 000,150,771 | ---- | C] () -- C:\Documents and Settings\Rich\Desktop\ALL FRUIT SMOOTHIES 2 SHARE.htm

[2010/07/11 12:22:36 | 000,000,670 | ---- | C] () -- C:\Documents and Settings\Rich\Application Data\Microsoft\Internet Explorer\Quick Launch\Beyond Compare 3.lnk

[2010/06/27 11:42:23 | 000,001,023 | ---- | C] () -- C:\Documents and Settings\Rich\Desktop\Shortcut to Logs.lnk

[2010/06/27 11:08:55 | 000,000,763 | ---- | C] () -- C:\Documents and Settings\Rich\Desktop\Shortcut to hosts.lnk

[2010/06/24 11:09:07 | 001,645,905 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\MustangShirts.pdf

[2010/06/22 12:50:11 | 000,000,714 | ---- | C] () -- C:\Documents and Settings\Rich\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk

[2010/06/16 08:23:32 | 000,000,534 | ---- | C] () -- C:\Documents and Settings\Rich\Application Data\Microsoft\Internet Explorer\Quick Launch\DiffMerge.lnk

[2010/06/14 21:59:57 | 001,472,344 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2010/06/06 19:08:52 | 000,001,133 | ---- | C] () -- C:\WINDOWS\WININIT.INI

[2010/05/07 18:42:06 | 000,000,048 | ---- | C] () -- C:\WINDOWS\PickList.ini

[2010/05/07 18:39:59 | 000,015,630 | ---- | C] () -- C:\WINDOWS\od5.ini

[2010/03/19 09:23:44 | 000,000,304 | ---- | C] () -- C:\WINDOWS\cdplayer.ini

[2010/03/05 08:22:31 | 000,000,391 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI

[2010/02/15 19:51:48 | 000,000,173 | ---- | C] () -- C:\WINDOWS\pdf2html-embedfonts.INI

[2010/02/15 14:58:19 | 000,000,379 | ---- | C] () -- C:\WINDOWS\pdf2word.INI

[2010/02/15 13:24:21 | 000,000,528 | ---- | C] () -- C:\WINDOWS\PDF2HTML.INI

[2010/02/14 22:31:42 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll

[2010/02/14 13:30:26 | 000,004,094 | ---- | C] () -- C:\WINDOWS\jfff_d64.ini

[2010/02/14 13:30:26 | 000,001,441 | ---- | C] () -- C:\WINDOWS\cqgqvh_d24.ini

[2010/02/14 12:46:00 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\uuddc32.dll

[2010/02/13 11:14:23 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2010/02/12 22:53:31 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2010/02/12 15:38:50 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll

[2010/02/12 15:11:47 | 000,000,679 | ---- | C] () -- C:\WINDOWS\password.ini

[2010/02/12 14:32:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI

[2010/02/12 13:17:58 | 000,682,232 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys

[2010/02/12 08:23:12 | 000,000,034 | ---- | C] () -- C:\WINDOWS\Fantastic Flame Screensaver.ini

[2010/02/12 00:31:24 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI

[2010/02/11 23:58:56 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\BtLSt61.dll

[2010/02/10 22:00:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ATIMMC.INI

[2010/02/10 10:01:14 | 000,000,066 | ---- | C] () -- C:\WINDOWS\SBWIN.INI

[2010/02/10 10:00:50 | 000,047,616 | ---- | C] () -- C:\WINDOWS\System32\P16X.dll

[2010/02/10 10:00:50 | 000,002,696 | ---- | C] () -- C:\WINDOWS\MIXDEF.INI

[2010/02/10 10:00:50 | 000,002,516 | ---- | C] () -- C:\WINDOWS\System32\P16X.ini

[2010/02/10 10:00:50 | 000,000,026 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini

[2009/06/17 11:13:30 | 000,508,224 | ---- | C] () -- C:\WINDOWS\System32\ICCProfiles.dll

[2004/01/30 15:07:46 | 000,245,408 | ---- | C] () -- C:\WINDOWS\System32\unicows.dll

[2004/01/28 12:42:06 | 000,066,560 | ---- | C] () -- C:\WINDOWS\System32\atiyuv12.dll

[2004/01/28 12:42:06 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

[2004/01/28 12:42:06 | 000,013,601 | ---- | C] () -- C:\WINDOWS\System32\vctest.ini

[2004/01/13 02:20:09 | 000,000,037 | ---- | C] () -- C:\WINDOWS\System32\msmd6.dll

[1998/10/23 04:46:00 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\wh2robo.dll

[1998/05/27 21:13:34 | 000,032,256 | ---- | C] () -- C:\WINDOWS\System32\_UNODBC.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 171 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EAD001CC

@Alternate Data Stream - 167 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C39E55C5

@Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D2F2F703

@Alternate Data Stream - 1207 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:xl4fNO0z7s1zXLnexrGETAsk

@Alternate Data Stream - 1047 bytes -> C:\Program Files\Common Files\Microsoft Shared:jifWIUKUN70QEOd2eoRlaPYigK

@Alternate Data Stream - 1006 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:urbGhlYyFgp4Z4XjYjO

< End of report >

Here is the Extras Log:

OTL Extras logfile created on: 7/12/2010 10:15:48 AM - Run 1

OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Rich\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

767.00 Mb Total Physical Memory | 293.00 Mb Available Physical Memory | 38.00% Memory free

2.00 Gb Paging File | 1.00 Gb Available in Paging File | 62.00% Paging File free

Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 465.75 Gb Total Space | 47.62 Gb Free Space | 10.22% Space Free | Partition Type: NTFS

Drive D: | 149.04 Gb Total Space | 34.78 Gb Free Space | 23.34% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: BOSS

Current User Name: Rich

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [browse with Corel PaintShop Photo Pro X3] -- "c:\Program Files\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\Corel Paint Shop Pro Photo.exe" "%L" (Corel, Inc.)

Directory [DiskInfoByPplus] -- C:\WINDOWS\System32\Shellext\ppshlext.exe "%1" /dinfo ()

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [MediaMonkey.1Play] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.)

Directory [MediaMonkey.2PlayNext] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.)

Directory [MediaMonkey.3Enqueue] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"UpdatesDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe -- (Hewlett-Packard Development Co. L.P.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"_{D1AEB5DB-04FA-489D-94EF-8600898B93EE}" = Corel PaintShop Photo Pro X3

"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3

"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{08A6039D-A5B8-46E8-A3F9-7E2AE5C1B191}" = Nitro PDF Professional

"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting

"{08F32589-5E39-42B8-8BC5-6A8126ED2A70}" = Microsoft Visual C++ 2008 Redistributable Package

"{09BDEEF0-5590-457D-89A9-5DB2742F9BBF}" = 32 Bit HP CIO Components Installer

"{0C123C63-84FD-4D13-96E7-EEB5C11893F2}" = LEC Translate

"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox

"{11B83AD3-7A46-4C2E-A568-9505981D4C6F}" = HP Update

"{12A76360-388E-4B27-ABEB-D5FC5378DD2A}" = HPPhotoSmartPhotobookWebPack1

"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime

"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin

"{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService

"{18AE8ACB-0419-45F6-9CF6-155E128A4BCE}_is1" = WinTools.net 9.11.1 Ultimate

"{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}" = Adobe After Effects CS3 Presets

"{195F2C6C-A343-4b10-B1A4-3F00AB9E9DD9}" = Fax

"{1DA07BCA-FD11-406E-89A8-5B4496F43FC5}" = EZ Label Xpress Lite

"{20B30DC1-E423-4939-B51D-05C58B0F9BBB}" = HP Photosmart All-In-One Driver Software 10.0 Rel .2

"{25CA5771-2536-4D47-A12F-E9AF3B5ADB81}" = MasterCook 11

"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java 6 Update 17

"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3

"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder

"{32C74893-0243-4235-A6F3-201F0E5D2C03}" = Print2PDF

"{34AFE453-F544-4269-89C9-CAB7F0744963}" = Nuance OmniPage 17

"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup

"{38F48AED-66D8-464C-993E-C7296C7A199B}" = Intel® IPP Run-Time Installer 5.2 for Windows* on IA-32

"{3a6f8a27-fa78-48a4-bbd1-399b000bcc9a}" = C8100_Help

"{3B2DACD1-BAB5-4760-BF4C-3DC9054A751C}" = Living Cookbook 2008

"{3B8F29EB-703C-4723-8CDE-4B2E5D695972}" = DxO Optics Pro 6

"{3CBA0E30-6F54-47EF-910E-1D4D450AFE45}" = ATI Multimedia Center

"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support

"{43FFE159-3199-4188-A1CD-629166AD1033}" = Nero 7 Ultra Edition

"{4458C442-7376-4CF9-AF58-E8CEA6722363}" = Adobe Setup

"{44BC4C60-6F50-439F-B442-5B4CD8A300AD}" = VOB2MPG PRO

"{4744A01E-4B17-4643-A1FA-44FF83CB316D}" = PhotoTools 2.5 Professional Edition

"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter

"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin

"{4CACFCD9-F71B-413A-8DF5-1A6419D5CDC6}" = Cards_Calendar_OrderGift_DoMorePlugout

"{4ED7D297-58F7-45C3-A9BA-A7CD6FA0D373}_is1" = SureThing CD Labeler Deluxe 5

"{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC

"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings

"{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery

"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3

"{55647779-010F-4903-AA1B-76A564739E22}" = LEAD Command Line Utils

"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml

"{5AB6F784-1163-4EE6-96EB-05BAB1B46DBA}" = TouchCopy 09

"{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp

"{5C820C4F-ACEE-4C26-BFE5-1FF4CB0D20E5}" = SVCD2DVD 2.5

"{5F7DFDFA-27B3-4E06-BCDE-B371424C0032}" = OnDemand5

"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2

"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder

"{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1" = Revo Uninstaller Pro 2.1.5

"{677A19B8-446D-4797-A071-977A30EAD01D}" = Winternals Administrator's Pak

"{679EC478-3FF9-4987-B2FF-C2C2B27532A2}" = DocProc

"{681B698F-C997-42C3-B184-B489C6CA24C9}" = HPPhotoSmartDiscLabelContent1

"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All

"{6B437F94-056F-4791-AF2C-0D10E2706AF0}" = PanoStandAlone

"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3

"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files

"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash

"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{7A27AE24-F5B8-4ABC-B3DA-AB57BC7309FB}" = DAEMON Tools

"{7ACFB90E-8FD0-4397-AD3A-5195412623A3}" = Adobe Help Viewer CS3

"{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan

"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes

"{81CB77FF-9789-4337-A46E-185F7876AC40}" = Adobe Photoshop Lightroom 2.6

"{81FD761C-3F60-4A3A-BD5E-8D1B1C659F05}" = VidaOne Diet and Fitness

"{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}" = Adobe Video Profiles

"{8718DC03-D066-4957-94E5-50C3C5042E8E}" = Adobe Creative Suite 3 Master Collection

"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder

"{88D422DB-E9C7-4E16-9D80-2999F4FD6AD9}" = Adobe Flash Player 9 Plugin

"{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport

"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3

"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support

"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90120000-00D1-0409-0000-0000000FF1CE}" = Microsoft Office Access database engine 2007 (English)

"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3

"{909B62B0-8ACA-4061-A83B-09CAEF609619}" = MSXML 6.0 Parser

"{94824ADD-8F26-43D2-84DB-22E11F377E5E}" = Microsoft English TTS Engine

"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings

"{96172E04-BB14-45F6-A77B-8EE7A421B903}" = SAPI Wrapper

"{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}" = Sound Blaster Live!

"{97D0C0A1-7E64-4B05-A2EE-61D2CE23F154}" = TTS Wrapper

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3

"{9D89EE43-B471-40EC-9550-6BD77C7BE3F4}" = WhiteSmoke

"{A07840FC-CE63-4CB8-8030-EF4B9805925A}" = HPPhotoSmartDiscLabel_PaperLabel

"{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status

"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps

"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support

"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder

"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings

"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3

"{AD6677B3-8585-4C2E-B2D1-EBB8127391F1}" = CoPilot Live - Laptop 10

"{ADFB9653-F44C-460C-BF58-189CC552DFFE}" = hpphotosmartdisclabelplugin

"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan

"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0

"{B4E91E95-A5BA-4E50-A465-DB7EFEB176E8}" = HPPhotoSmartDiscLabel_PrintOnDisc

"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3

"{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3

"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3

"{b9be267c-e096-4cce-a4fd-f24eec004938}" = PS_AIO_02_ProductContext

"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2

"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant

"{c4549405-195f-4450-8865-6be9dc5ad136}" = PS_AIO_02_Software_Min

"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3

"{C82185E8-C27B-4EF4-2010-4444BC2C2B6D}" = Microsoft Streets & Trips 2010

"{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}" = DAO

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CB3F8375-B600-4B9F-83C9-238ED1E583FD}" = Adobe InDesign CS3

"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg

"{CCF6F57B-F6B4-4508-BF45-63AAC9DE416A}" = Quicken 2010

"{cd0b9359-b716-4fd0-8e0a-09b3e312e8a4}" = PS_AIO_02_Software

"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Professional

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client

"{D1612A3D-0DCC-4055-BB6A-0036F31158A0}" = Setup

"{D1AEB5DB-04FA-489D-94EF-8600898B93EE}" = ICA

"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files

"{D3BCC13A-E4F2-45EE-846F-D143CEDDDBCB}" = DeviceIO

"{D5A31AB1-345D-47C7-A87B-036A669F6DF1}" = Adobe XMP Panels CS3

"{D79113E7-274C-470B-BD46-01B10219DF6A}" = HPPhotosmartEssential

"{D7D99A66-493F-468B-BCE1-6F88612B89D5}" = Contents

"{D84B7C7E-2E4D-4002-8CA8-EED4EDB333AC}" = MLE

"{D875FFEE-2FCE-4774-902A-749198C00A68}" = PureHD

"{D94ABC2B-5CA9-48B2-9266-15AB78384D3C}" = Share

"{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component

"{D9C4FA35-7C6B-4C9E-863B-58C4D7472F41}" = VIO

"{DA4A2F61-1E26-4D51-94BB-36D77678BDAD}" = PSPH10Pro

"{DA4BF4BE-3CDC-43B5-BBDA-DDDA73103111}" = Corel PaintShop Photo Pro X3

"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings

"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime

"{DCD941B6-F2E7-4FAF-B102-F7D4DE5FF99A}" = IPM_PSP_Pro

"{DCF1928A-FC01-48E7-A7E6-4651D42EF6A1}" = PSPPRO_DCRAW

"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings

"{DDAC27F9-8293-465f-A4B0-011F1D38BBA1}" = RoxioShim

"{DF8B9311-ADE7-4EDE-B121-326CAA3D225D}" = PSPPContent

"{E0267007-A6FD-4304-8131-346D1CEA6F82}" = BigOven

"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01

"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager

"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series

"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3

"{E7D576EC-A0CB-4321-B8A3-558B6D590013}" = Casino Verite Blackjack V5

"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler

"{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}" = PL-2303 USB-to-Serial

"{EF3F9770-CA7B-4c5d-8A98-49AB97216546}" = C8100

"{F42CD69D-E393-47c8-B2CD-B139C4ADA9A8}" = Copy

"{F6BA8EF2-A9F8-45B7-BD59-0A15DA9F7D68}" = Omron Health Management Software

"{F761359C-9CED-45AE-9A51-9D6605CD55C4}" = Evernote

"{FCADA4FF-142C-42A8-B73C-0A54A7F83345}" = Genuine Fractals 6.0.6 Professional Edition

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe SVG Viewer" = Adobe SVG Viewer 3.0

"Adobe_4dcfd9b7e901b57f81f667144603236" = Add or Remove Adobe Creative Suite 3 Master Collection

"AI RoboForm" = AI RoboForm (All Users)

"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.11 (Unicode)

"Auto-Do-It" = Auto-Do-It

"AutoFX PhotoGraphic Edges 6" = AutoFX PhotoGraphic Edges 6

"AutoFX Suites" = AutoFX Suites

"B91607F08995C3AE98F8399E915BD41AF388963E" = Windows Driver Package - Philips SPOT USB (03/30/2006 1.0.3.0)

"BarBack" = BarBack

"BarGenie_is1" = BarGenie 9.0

"BayGenie eBay Auction Sniper Pro Edition_is1" = BayGenie eBay Auction Sniper Pro Edition 3.3.1.8

"BeyondCompare3_is1" = Beyond Compare Version 3.1.11

"Bias Sound Soap 2 DX RTAS VST v2.01" = Bias Sound Soap 2 DX RTAS VST v2.01

"CalorieKing Nutrition and Exercise Manager" = CalorieKing Nutrition and Exercise Manager (remove only)

"Chapter Master_is1" = Chapter Master 1.2.4

"CHM To PDF PRO_is1" = CHM To PDF Converter PRO

"CollegeBAR_is1" = CollegeBAR 8.4

"CopyPod Suite" = CopyPod Suite (remove only)

"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows

"CP2101 USB to UART Bridge Controller" = CP2101 USB to UART Bridge Controller Driver Set

"CuteShield File Shredder_is1" = CuteShield File Shredder

"Daniusoft Media Converter Ultimate_is1" = Daniusoft Media Converter Ultimate(Build 2.5.1.4)

"Easy Video Joiner_is1" = Easy Video Joiner 5.21

"HP Imaging Device Functions" = HP Imaging Device Functions 10.0

"HP Photosmart Essential" = HP Photosmart Essential 3.5

"HP Smart Web Printing" = HP Smart Web Printing

"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0

"HPOCR" = OCR Software by I.R.I.S. 10.0

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"InstallShield_{1DA07BCA-FD11-406E-89A8-5B4496F43FC5}" = EZ Label Xpress Lite

"InstallShield_{3CBA0E30-6F54-47EF-910E-1D4D450AFE45}" = ATI Multimedia Center 9.14

"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin

"InstallShield_{AD6677B3-8585-4C2E-B2D1-EBB8127391F1}" = CoPilot Live - Laptop 10

"InstallShield_{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}" = DAO

"Internet Download Manager" = Internet Download Manager

"InvelosDVDProfiler_is1" = DVD Profiler Version 3.6.1

"iPod PC Transfer Suit_is1" = iPod PC Transfer Suit 3.4

"Jobber Computer Plus" = Jobber Computer Plus

"LAME for Audacity_is1" = LAME v3.98.2 for Audacity

"LightZone 3.7" = LightZone 3.7

"Magic ISO Maker v5.4 (build 0245)" = Magic ISO Maker v5.4 (build 0245)

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"MarkAble2_is1" = MarkAble 2.2.7

"MediaMonkey_is1" = MediaMonkey 3.1

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)

"MP3 Splitter & Joiner Pro_is1" = MP3 Splitter & Joiner Pro 4.21

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"NIS" = Norton Internet Security

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"NSIS_oald8" = Oxford Advanced Learner's Dictionary - 8th Edition

"Portrait Professional Studio 9_is1" = Portrait Professional Studio 9.0

"ProChef Plus_is1" = ProChef Plus

"Professor PC - Typing Tutor_is1" = Professor PC - Typing Tutor v1.52

"PropertiesPlus" = PropertiesPlus (Remove Only)

"PROSet" = Intel® PRO Ethernet Adapter and Software

"Protected Music Converter_is1" = Protected Music Converter 1.0.0.9

"Rainbow Sentinel Driver" = Sentinel System Driver

"Recover My iPod_is1" = Recover My iPod

"Registry Clean Expert_is1" = Registry Clean Expert

"Tansee iPod Copy_is1" = Tansee iPod Copy v1.01

"The Ultimate Troubleshooter" = The Ultimate Troubleshooter

"tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine

"Unlocker" = Unlocker 1.8.6

"V CAST Music with Rhapsody" = V CAST Music with Rhapsody

"VeryPDF PDF2HTML v2.0_is1" = VeryPDF PDF2HTML v2.0

"VeryPDF PDF2Word v3.0_is1" = VeryPDF PDF2Word v3.0

"Windows Media Encoder 9" = Windows Media Encoder 9 Series

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WinISO_is1" = WinISO 5.3

"WinMerge_is1" = WinMerge 2.12.4

"WinRAR archiver" = WinRAR archiver

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1275210071-790525478-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Living Cookbook 2008" = Living Cookbook 2008

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 5/11/2010 8:14:26 AM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 6.0.2900.5512, fault address 0x00207ff2.

Error - 5/12/2010 6:53:20 PM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 6.0.2900.5512, fault address 0x00207ff2.

Error - 5/13/2010 8:23:33 AM | Computer Name = BOSS | Source = MsiInstaller | ID = 11722

Description = Product: PlayOn -- Error 1722.There is a problem with this Windows

Installer package. A program run as part of the setup did not finish as expected.

Contact your support personnel or package vendor. Action PrepInstall, location:

C:\WINDOWS\Installer\MSI18B.tmp, command: /prepinstall

Error - 5/13/2010 5:25:31 PM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 6.0.2900.5512, fault address 0x00207ff2.

Error - 5/14/2010 4:56:53 PM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module unknown, version 0.0.0.0, fault address 0x0002003e.

Error - 5/14/2010 5:15:28 PM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 6.0.2900.5512, fault address 0x00207ff2.

Error - 5/15/2010 8:38:26 PM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 6.0.2900.5512, fault address 0x00207ff2.

Error - 5/16/2010 9:45:21 AM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 6.0.2900.5512, fault address 0x00207ff2.

Error - 5/16/2010 3:11:26 PM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 6.0.2900.5512, fault address 0x00207ff2.

Error - 5/16/2010 7:29:59 PM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 6.0.2900.5512, fault address 0x00207ff2.

[ Application Events ]

Error - 5/11/2010 8:14:26 AM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 6.0.2900.5512, fault address 0x00207ff2.

Error - 5/12/2010 6:53:20 PM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 6.0.2900.5512, fault address 0x00207ff2.

Error - 5/13/2010 8:23:33 AM | Computer Name = BOSS | Source = MsiInstaller | ID = 11722

Description = Product: PlayOn -- Error 1722.There is a problem with this Windows

Installer package. A program run as part of the setup did not finish as expected.

Contact your support personnel or package vendor. Action PrepInstall, location:

C:\WINDOWS\Installer\MSI18B.tmp, command: /prepinstall

Error - 5/13/2010 5:25:31 PM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 6.0.2900.5512, fault address 0x00207ff2.

Error - 5/14/2010 4:56:53 PM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module unknown, version 0.0.0.0, fault address 0x0002003e.

Error - 5/14/2010 5:15:28 PM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 6.0.2900.5512, fault address 0x00207ff2.

Error - 5/15/2010 8:38:26 PM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 6.0.2900.5512, fault address 0x00207ff2.

Error - 5/16/2010 9:45:21 AM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 6.0.2900.5512, fault address 0x00207ff2.

Error - 5/16/2010 3:11:26 PM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 6.0.2900.5512, fault address 0x00207ff2.

Error - 5/16/2010 7:29:59 PM | Computer Name = BOSS | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 6.0.2900.5512, fault address 0x00207ff2.

[ System Events ]

Error - 7/11/2010 8:34:14 AM | Computer Name = BOSS | Source = Service Control Manager | ID = 7000

Description = The IMAPI CD-Burning COM Service service failed to start due to the

following error: %%1053

Error - 7/12/2010 6:25:39 AM | Computer Name = BOSS | Source = sptd | ID = 262148

Description = Driver detected an internal error in its data structures for .

Error - 7/12/2010 6:25:39 AM | Computer Name = BOSS | Source = sptd | ID = 262148

Description = Driver detected an internal error in its data structures for .

Error - 7/12/2010 6:25:39 AM | Computer Name = BOSS | Source = Ftdisk | ID = 262189

Description = The system could not sucessfully load the crash dump driver.

Error - 7/12/2010 6:25:39 AM | Computer Name = BOSS | Source = Ftdisk | ID = 262193

Description = Configuring the Page file for crash dump failed. Make sure there is

a page file on the boot partition and that is large enough to contain all physical

memory.

Error - 7/12/2010 6:25:57 AM | Computer Name = BOSS | Source = Service Control Manager | ID = 7000

Description = The MCSTRM service failed to start due to the following error: %%2

Error - 7/12/2010 6:27:23 AM | Computer Name = BOSS | Source = Service Control Manager | ID = 7022

Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 7/12/2010 6:31:04 AM | Computer Name = BOSS | Source = Service Control Manager | ID = 7009

Description = Timeout (30000 milliseconds) waiting for the Windows Presentation

Foundation Font Cache 3.0.0.0 service to connect.

Error - 7/12/2010 6:31:04 AM | Computer Name = BOSS | Source = Service Control Manager | ID = 7000

Description = The Windows Presentation Foundation Font Cache 3.0.0.0 service failed

to start due to the following error: %%1053

Error - 7/12/2010 8:41:16 AM | Computer Name = BOSS | Source = Service Control Manager | ID = 7034

Description = The NitroPDFDriverCreatorReadSpool service terminated unexpectedly.

It has done this 1 time(s).

< End of report >

Here is my GMER Log:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-07-12 22:57:45

Windows 5.1.2600 Service Pack 3

Running: g0w7fpvv.exe; Driver: C:\DOCUME~1\Rich\LOCALS~1\Temp\pxtdqpog.sys

---- System - GMER 1.0.15 ----

SSDT 82438050 ZwAlertResumeThread

SSDT 822E6050 ZwAlertThread

SSDT 82B297F0 ZwAllocateVirtualMemory

SSDT 823A6050 ZwAssignProcessToJobObject

SSDT 831F60F8 ZwConnectPort

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB2E20210]

SSDT 822FC918 ZwCreateMutant

SSDT 82AFC098 ZwCreateSymbolicLinkObject

SSDT 83A9E250 ZwCreateThread

SSDT 823BF050 ZwDebugActiveProcess

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB2E20490]

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB2E209F0]

SSDT 82B298C8 ZwDuplicateObject

SSDT sptd.sys ZwEnumerateKey [0xF742CE2C]

SSDT sptd.sys ZwEnumerateValueKey [0xF742D1BA]

SSDT 822B3E68 ZwFreeVirtualMemory

SSDT 82426050 ZwImpersonateAnonymousToken

SSDT 8236E050 ZwImpersonateThread

SSDT 83017F98 ZwLoadDriver

SSDT 822FE380 ZwMapViewOfSection

SSDT 82318050 ZwOpenEvent

SSDT sptd.sys ZwOpenKey [0xF74270B0]

SSDT 82B4BB20 ZwOpenProcess

SSDT 8235E050 ZwOpenProcessToken

SSDT 82392050 ZwOpenSection

SSDT 822AA470 ZwOpenThread

SSDT 82AFC008 ZwProtectVirtualMemory

SSDT sptd.sys ZwQueryKey [0xF742D292]

SSDT sptd.sys ZwQueryValueKey [0xF742D112]

SSDT 82427050 ZwResumeThread

SSDT 8243B050 ZwSetContextThread

SSDT 82B27108 ZwSetInformationProcess

SSDT 82391050 ZwSetSystemInformation

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB2E20C40]

SSDT 823A4050 ZwSuspendProcess

SSDT 82B04050 ZwSuspendThread

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB2D34620]

SSDT 8236F050 ZwTerminateThread

SSDT 82316050 ZwUnmapViewOfSection

SSDT 822B3EF8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.

? SYMDS.SYS The system cannot find the file specified. !

? SYMEFA.SYS The system cannot find the file specified. !

.text USBPORT.SYS!DllUnload F707C8AC 5 Bytes JMP 83B23780

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1100] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 3 Bytes JMP 0091000A

.text C:\WINDOWS\System32\svchost.exe[1100] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6D4 1 Byte [84]

.text C:\WINDOWS\System32\svchost.exe[1100] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 0092000A

.text C:\WINDOWS\System32\svchost.exe[1100] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0090000C

.text C:\WINDOWS\System32\svchost.exe[1100] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00D7000A

.text C:\WINDOWS\System32\svchost.exe[1100] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E0000A

.text C:\WINDOWS\Explorer.EXE[1416] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B7000A

.text C:\WINDOWS\Explorer.EXE[1416] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00BD000A

.text C:\WINDOWS\Explorer.EXE[1416] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B6000C

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F743D886] sptd.sys

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F743D832] sptd.sys

IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F745F892] sptd.sys

IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F743D886] sptd.sys

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7427AD4] sptd.sys

IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7427C1A] sptd.sys

IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7427B9C] sptd.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7428748] sptd.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F742861E] sptd.sys

IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F743CACA] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 83BD21E8

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBPDO-0 83AF7390

Device \Driver\dmio \Device\DmControl\DmIoDaemon 83B681E8

Device \Driver\dmio \Device\DmControl\DmConfig 83B681E8

Device \Driver\dmio \Device\DmControl\DmPnP 83B681E8

Device \Driver\dmio \Device\DmControl\DmInfo 83B681E8

Device \Driver\usbuhci \Device\USBPDO-1 83AF7390

Device \Driver\usbuhci \Device\USBPDO-2 83AF7390

Device \Driver\usbehci \Device\USBPDO-3 83A89548

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 83BD41E8

Device \Driver\Ftdisk \Device\HarddiskVolume2 83BD41E8

Device \Driver\Cdrom \Device\CdRom0 83B4F7A0

Device \Driver\Cdrom \Device\CdRom0 83AFA010

Device \Driver\Cdrom \Device\CdRom1 83B4F7A0

Device \Driver\Cdrom \Device\CdRom1 83AFA010

Device \Driver\atapi \Device\Ide\IdePort0 [F737BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort0 83A88720

Device \Driver\atapi \Device\Ide\IdePort1 [F737BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort1 83A88720

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F737BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 83A88720

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 [F737BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 83A88720

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 [F737BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 83A88720

Device \Driver\Cdrom \Device\CdRom2 83B4F7A0

Device \Driver\Cdrom \Device\CdRom2 83AFA010

Device \Driver\NetBT \Device\NetBt_Wins_Export 82B8C1E8

Device \Driver\NetBT \Device\NetbiosSmb 82B8C1E8

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 83AF7390

Device \Driver\usbuhci \Device\USBFDO-1 83AF7390

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82B3F1E8

Device \Driver\usbuhci \Device\USBFDO-2 83AF7390

Device \FileSystem\MRxSmb \Device\LanmanRedirector 82B3F1E8

Device \Driver\usbehci \Device\USBFDO-3 83A89548

Device \Driver\NetBT \Device\NetBT_Tcpip_{8C760377-2439-4B99-814E-A1E8958A88BE} 82B8C1E8

Device \Driver\Ftdisk \Device\FtControl 83BD41E8

Device \Driver\st3wolf \Device\Scsi\st3wolf1 839561E8

Device \Driver\st3wolf \Device\Scsi\st3wolf1Port2Path0Target0Lun0 839561E8

Device \FileSystem\Cdfs \Cdfs 822951E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001583f16f07 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001583f16f07@001fe3c3f127 0x1D 0x38 0x8C 0x19 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x81 0xCF 0x08 0x58 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA1 0xF4 0xBA 0xA2 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1C 0xC3 0xF8 0x70 ...

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001583f16f07 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001583f16f07@001fe3c3f127 0x1D 0x38 0x8C 0x19 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x81 0xCF 0x08 0x58 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA1 0xF4 0xBA 0xA2 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1C 0xC3 0xF8 0x70 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001583f16f07

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001583f16f07@001fe3c3f127 0x1D 0x38 0x8C 0x19 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x81 0xCF 0x08 0x58 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA1 0xF4 0xBA 0xA2 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1C 0xC3 0xF8 0x70 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{62d5a59d-2aca-45eb-9a20-bd218585c959}@Model 173

Reg HKLM\SOFTWARE\Classes\CLSID\{62d5a59d-2aca-45eb-9a20-bd218585c959}@Therad 29

Reg HKLM\SOFTWARE\Classes\CLSID\{62d5a59d-2aca-45eb-9a20-bd218585c959}@MData 0x73 0xD5 0xCF 0xB8 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0xBC 0xC7 0xDE 0xFB ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F4D73FF7-2501-12B7-E97C-16D75FE72D4E}

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F4D73FF7-2501-12B7-E97C-16D75FE72D4E}@iaiflhnmbnlnbipfkc 0x69 0x61 0x63 0x6D ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F4D73FF7-2501-12B7-E97C-16D75FE72D4E}@hakfngedhbncfhpj 0x6A 0x61 0x63 0x6D ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F4D73FF7-2501-12B7-E97C-16D75FE72D4E}@gadgiafblhfkpm 0x61 0x63 0x6F 0x63 ...

---- Files - GMER 1.0.15 ----

File C:\WinTools\PhotoCalc\PhotoCalc.exe 954880 bytes

File C:\WinTools\PhotoCalc\photocalc.ini 1196 bytes

File C:\WinTools\PhotoCalc\PhotoCalc.zip 474269 bytes

File C:\WinTools\Sysinternals Suite 04.22.09\accesschk.exe 313200 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\AccessEnum.exe 174968 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\AdExplorer.chm 50379 bytes

File C:\WinTools\Sysinternals Suite 04.22.09\ADExplorer.exe 475024 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\ADInsight.chm 401616 bytes

File C:\WinTools\Sysinternals Suite 04.22.09\ADInsight.exe 1049640 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\adrestore.exe 150328 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\Autologon.exe 154424 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\autoruns.chm 49244 bytes

File C:\WinTools\Sysinternals Suite 04.22.09\autorunsc.exe 540560 bytes

File C:\WinTools\Sysinternals Suite 04.22.09\Bginfo.exe 845696 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\Cacheset.exe 154424 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\Clockres.exe 150328 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\Contig.exe 198184 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\Coreinfo.exe 185896 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\ctrl2cap.amd.sys 10104 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\ctrl2cap.exe 150328 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\ctrl2cap.nt4.sys 2864 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\ctrl2cap.nt5.sys 2832 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\dbgview.chm 68539 bytes

File C:\WinTools\Sysinternals Suite 04.22.09\Dbgview.exe 461680 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\Desktops.exe 118824 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\Diskmnt.exe 191288 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\Diskmnt.hlp 9519 bytes

File C:\WinTools\Sysinternals Suite 04.22.09\Diskmon.exe 224056 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\DISKMON.HLP 9519 bytes

File C:\WinTools\Sysinternals Suite 04.22.09\DiskView.exe 236400 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\DMON.SYS 11728 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\du.exe 221040 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\efsdump.exe 146232 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\Eula.txt 7005 bytes

File C:\WinTools\Sysinternals Suite 04.22.09\Filemon.exe 748344 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\FILEMON.HLP 14619 bytes

File C:\WinTools\Sysinternals Suite 04.22.09\handle.exe 417136 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\hex2dec.exe 150328 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\junction.exe 95616 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\ldmdump.exe 154424 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\Listdlls.exe 170808 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\livekd.exe 383800 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\LoadOrd.exe 154424 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\movefile.exe 146232 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\newsid.exe 228152 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\ntfsinfo.exe 122680 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\pagedfrg.exe 215928 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\pagedfrg.hlp 8419 bytes

File C:\WinTools\Sysinternals Suite 04.22.09\pdh.dll 155960 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\pendmoves.exe 150328 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\PHYSMEM.EXE 150328 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\pipelist.exe 150328 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\PORTMON.CNT 422 bytes

File C:\WinTools\Sysinternals Suite 04.22.09\portmon.exe 363320 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\PORTMON.HLP 43428 bytes

File C:\WinTools\Sysinternals Suite 04.22.09\procexp.chm 72138 bytes

File C:\WinTools\Sysinternals Suite 04.22.09\procexp.exe 3550592 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\ProcFeatures.exe 150328 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\Procmon.exe 2902376 bytes

File C:\WinTools\Sysinternals Suite 04.22.09\psexec.exe 234536 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\psfile.exe 105264 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\psgetsid.exe 187184 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\Psinfo.exe 243072 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\pskill.exe 187184 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\pslist.exe 125744 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\psloggedon.exe 105264 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\psloglist.exe 113456 bytes executable

File C:\WinTools\Sysinternals Suite 04.22.09\pspasswd.exe 105264 bytes executable


---- EOF - GMER 1.0.15 ----


Hello again,

First of all, please reset your router (it should have a button on the backside to do so).

When done, please proceed with the steps below.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Here is my ComboFix log. I am concerned with ComboFix deleting the Portrait Professional exe's and the daemon dll. It left my 2 programs unusable. Should I reinstall them?

ComboFix 10-07-12.05 - Rich 07/13/2010 8:15.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.409 [GMT -4:00]

Running from: c:\documents and settings\Rich\Desktop\ComboFix.exe

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Rich\Application Data\PortraitProfessionalSetup.exe

c:\documents and settings\Rich\Application Data\PortraitProfessionalStudio.exe

c:\windows\daemon.dll

c:\windows\xpsp1hfm.log

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FILEMON

((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))

.

2010-07-11 16:20 . 2010-07-11 16:20 -------- d-----w- c:\documents and settings\Rich\Application Data\Scooter Software

2010-07-11 16:13 . 2010-07-11 16:21 -------- d-----w- c:\program files\Beyond Compare 3

2010-07-09 16:39 . 2010-07-09 16:41 -------- d-----w- C:\WinMerge v2.12.4

2010-07-01 12:15 . 2010-07-01 12:15 -------- d-----w- c:\windows\Cache

2010-07-01 12:15 . 2010-07-01 12:17 -------- d-----w- c:\program files\Coupons

2010-06-26 13:11 . 2010-06-26 13:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\NoteTab Pro

2010-06-24 16:15 . 2010-06-24 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Fighters

2010-06-23 21:32 . 2010-06-23 22:13 -------- d-----w- c:\documents and settings\Rich\Application Data\GetRightToGo

2010-06-22 16:50 . 2010-06-22 16:50 -------- d-----w- c:\documents and settings\Rich\Application Data\Malwarebytes

2010-06-22 16:50 . 2010-04-29 16:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-22 16:50 . 2010-06-22 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-22 16:50 . 2010-06-22 16:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-22 16:50 . 2010-04-29 16:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-15 01:59 . 2010-07-13 12:05 1472344 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-13 12:32 . 2010-02-23 13:58 -------- d-----w- c:\documents and settings\Rich\Application Data\WhiteSmoke

2010-07-13 11:15 . 2010-02-21 13:44 -------- d-----w- c:\documents and settings\Rich\Application Data\HPAppData

2010-07-12 16:30 . 2010-02-12 04:16 -------- d-----w- c:\program files\FlashFXP

2010-07-12 14:58 . 2010-02-12 14:07 -------- d-----w- c:\program files\Registry Clean Expert

2010-07-12 13:30 . 2010-02-15 17:24 -------- d-----w- c:\program files\VeryPDF PDF2HTML v2.0

2010-07-12 12:39 . 2010-03-21 01:55 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-12 00:26 . 2010-02-14 16:24 -------- d-----w- c:\documents and settings\Rich\Application Data\DMCache

2010-07-11 16:27 . 2010-02-23 23:25 -------- d-----w- c:\program files\NoteTab Pro 6

2010-07-07 15:26 . 2010-04-11 15:15 -------- d-----w- c:\program files\Portrait Professional Studio 9

2010-07-07 02:02 . 2010-02-10 14:02 -------- d-----w- c:\documents and settings\Rich\Application Data\U3

2010-07-02 10:36 . 2010-02-12 05:24 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-07-01 01:42 . 2010-02-10 21:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-25 13:46 . 2010-02-23 23:24 -------- d-----w- c:\documents and settings\Rich\Application Data\NoteTab Pro

2010-06-25 12:49 . 2010-02-12 20:23 8456 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2010-06-12 00:51 . 2010-04-22 19:11 -------- d-----w- c:\documents and settings\Rich\Application Data\Nitro PDF

2010-06-09 17:15 . 2010-06-09 17:15 -------- d-----w- c:\program files\MasterCook 11

2010-06-09 17:15 . 2010-02-10 13:44 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-09 14:25 . 2010-03-11 02:07 -------- d-----w- c:\documents and settings\Rich\Application Data\Obsidium

2010-06-08 23:58 . 2010-02-12 04:31 -------- d-----w- c:\program files\Quicken

2010-06-08 23:48 . 2010-02-10 21:54 57336 ----a-w- c:\documents and settings\Rich\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-08 20:56 . 2010-03-19 16:54 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-06-08 20:49 . 2010-03-19 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio

2010-06-08 20:49 . 2010-02-12 16:27 -------- d-----w- c:\program files\Windows Sidebar

2010-06-08 20:37 . 2010-03-19 18:03 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio

2010-06-08 20:23 . 2010-03-19 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic

2010-06-08 20:18 . 2010-06-08 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield

2010-06-08 20:12 . 2010-02-10 13:44 -------- d-----w- c:\program files\Common Files\InstallShield

2010-06-06 20:59 . 2010-06-06 19:13 -------- d-----w- c:\documents and settings\Rich\Application Data\onOne Software

2010-06-06 20:53 . 2010-06-06 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\onOne Software

2010-06-06 20:53 . 2010-06-06 19:39 -------- d-----w- c:\program files\onOne Software

2010-06-06 19:39 . 2010-06-06 19:39 -------- d-----w- c:\program files\Common Files\onOne Software Shared

2010-06-06 17:32 . 2010-06-06 17:32 -------- d-----w- c:\documents and settings\Rich\Application Data\oald8

2010-06-06 17:29 . 2010-06-06 17:29 -------- d-----w- c:\program files\Oxford

2010-06-02 22:48 . 2010-02-10 12:09 -------- d-----w- c:\program files\CalorieKing Nutrition and Exercise Manager for Windows

2010-06-01 01:26 . 2010-06-06 19:39 227840 ------w- c:\windows\system32\Deco_32.dll

2010-06-01 01:26 . 2010-02-14 19:28 61440 ------w- c:\windows\system32\nlssrv32.exe

2010-06-01 01:26 . 2010-02-14 19:28 57344 ------w- c:\windows\system32\ASTSRV.EXE

2010-05-19 11:19 . 2010-06-22 16:31 172274 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat

2010-05-18 00:57 . 2010-05-18 00:57 -------- d-----w- c:\program files\Evernote

2010-05-10 12:19 . 2010-03-12 20:45 55436 ------w- c:\windows\system32\mlfcache.dat

2010-05-06 04:01 . 2010-05-21 10:43 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys

2010-04-29 05:03 . 2010-05-21 10:43 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys

2010-04-22 03:02 . 2010-05-21 10:43 173104 ----a-w- c:\windows\system32\drivers\symefa.sys

2010-04-22 02:29 . 2010-05-21 10:43 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2006-04-06 57344]

"ADIReminder"="c:\program files\Auto-Do-It\notify.exe" [2000-05-03 102400]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-02-12 16184]

"RegClean Expert Scheduler"="c:\program files\Registry Clean Expert\RCHelper.exe" [2008-10-25 605944]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-02 2403568]

"Evernote"="c:\program files\Evernote\Evernote3.5\evernote.exe" [2010-06-02 4005312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]

"Print2PDF Print Monitor"="c:\program files\Software602\Print2PDF\Print2PDF.exe" [2010-01-04 86016]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

Launch WhiteSmoke.lnk - c:\program files\WhiteSmoke\WSEnrichment.exe [2010-2-23 1241088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-02-12 11:36 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 stwlfbus;stwlfbus;c:\windows\system32\drivers\stwlfbus.sys [4/27/2003 1:39 PM 8704]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [5/21/2010 6:43 AM 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [5/21/2010 6:43 AM 173104]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100709.001\BHDrvx86.sys [7/13/2010 7:15 AM 691248]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [5/21/2010 6:43 AM 501888]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 4:11 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 67656]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [5/21/2010 6:43 AM 116784]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/22/2010 12:50 PM 304464]

R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [5/21/2010 6:43 AM 126392]

R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [12/16/2009 10:09 AM 188736]

R2 nlsX86cc;NLS Service;c:\windows\system32\nlssrv32.exe [2/14/2010 3:28 PM 61440]

R2 SpotGPSMaxim;Spot GPS Maxim;c:\program files\CoPilot\Laptop10\App\Spot2741.exe [3/30/2006 11:44 PM 651385]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/24/2010 3:17 PM 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100712.001\IDSXpx86.sys [7/13/2010 7:15 AM 331640]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/22/2010 12:50 PM 20952]

R3 st3wolf;st3wolf;c:\windows\system32\drivers\st3wolf.sys [4/27/2003 12:43 PM 99360]

R3 vdiskbus;Virtual Disk Bus;c:\windows\system32\drivers\VDiskBus.sys [2/14/2010 2:43 PM 35107]

R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [3/19/2010 8:16 AM 25704]

R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [3/19/2010 8:17 AM 25704]

R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [3/19/2010 8:18 AM 25704]

R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [3/19/2010 8:19 AM 25704]

R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [3/19/2010 8:20 AM 25704]

S0 akqim;akqim; [x]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/12/2010 2:47 PM 27064]

S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 12872]

S3 SureThing Labelflash service;SureThing Labelflash service;c:\program files\Common Files\SureThing Shared\stllssvr.exe [2/12/2010 11:09 AM 74392]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/12/2010 1:17 PM 682232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

getPlusHelper REG_MULTI_SZ getPlusHelper

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uInternet Settings,ProxyOverride = *.local

IE: Add to &Evernote - c:\program files\Evernote\Evernote3.5\enbar.dll/2000

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: MasterCook: Select Image - c:\documents and settings\Rich\Local Settings\Application Data\MasterCook Web Import\MCIEContext.hta

IE: Open Selected URL - c:\program files\RightClick GoogleSearch & OpenSelectedURL\openselectedurl.htm

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: Search &Google - c:\program files\RightClick GoogleSearch & OpenSelectedURL\google.htm

IE: {{E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\Evernote\Evernote3.5\enbar.dll

Trusted Zone: intuit.com\ttlc

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Rich\Application Data\Mozilla\Firefox\Profiles\kghxyr0w.default\

FF - prefs.js: browser.search.selectedEngine - eBay

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll

FF - component: c:\documents and settings\Rich\Application Data\IDM\idmmzcc3\components\idmmzcc.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-13 08:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83502388]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf75aef28

\Driver\ACPI -> ACPI.sys @ 0xf7521cb8

\Driver\atapi -> 0x83502388

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598

ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598

ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6

NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf733cbb0

PacketIndicateHandler -> NDIS.sys @ 0xf7349a21

SendHandler -> NDIS.sys @ 0xf732787b

Warning: possible MBR rootkit infection !

user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-790525478-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F4D73FF7-2501-12B7-E97C-16D75FE72D4E}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iaiflhnmbnlnbipfkc"=hex:69,61,63,6d,69,63,69,61,66,69,64,69,64,6f,6a,66,6b,6f,

00,00

"hakfngedhbncfhpj"=hex:6a,61,63,6d,69,63,64,68,63,6c,68,6a,67,6e,6a,68,6a,63,

6a,69,00,f2

"gadgiafblhfkpm"=hex:61,63,6f,63,69,66,69,64,61,65,69,6d,70,68,62,6c,64,6f,6a,

6d,69,65,62,69,61,69,64,6d,6e,64,6a,69,6e,62,66,6a,70,68,68,6a,6d,6a,69,68,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{62d5a59d-2aca-45eb-9a20-bd218585c959}]

@Denied: (Full) (Everyone)

"Model"=dword:000000ad

"Therad"=dword:0000001d

"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,

1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):bc,c7,de,fb,19,b5,e2,71,77,56,ec,39,0d,17,f6,df,a9,98,c9,ea,ea,

b1,a6,ae,84,dc,a1,26,0b,12,e2,43,3f,5a,86,cf,6d,89,5e,21,00,00,00,00,00,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\documents and settings\Rich\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

c:\documents and settings\Rich\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

c:\documents and settings\Rich\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

- - - - - - - > 'explorer.exe'(1984)

c:\program files\WhiteSmoke\WHook.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\system32\astsrv.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Power Translator 12\LogoMedia TranslateDotNet Server.exe

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

.

**************************************************************************

.

Completion time: 2010-07-13 08:47:27 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-13 12:47

Pre-Run: 59,212,136,448 bytes free

Post-Run: 59,216,699,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - CD3B8AFED60894D902342C34A219939F


Hi, we can restore these files if they are needed. Please let me know exactly which files this concerns (only the three you mentioned?).

  • Please download TDSSKiller.zip and save it to your desktop.
  • Extract the zip file to your desktop (important, before continuing, make sure the file is located on your desktop, otherwise the following steps will not work!). Do NOT run the file yet!
  • Click Start > Run and copy/paste the following bolded text in the run box
    "%userprofile%\desktop\tdsskiller.exe" -l report.txt
  • When it has finished, press any key to continue.
  • If needed, reboot the computer.

A logfile (report.txt) will be created on your desktop. Please post its contents in your next reply.


Elise,

Yes, I do need the Portrait Professional setup.exe, Portrait Professional Studio exe and the daemon.dll restored.

Here is the report.txt log.

10:54:36:078 2516 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49

10:54:36:078 2516 ================================================================================

10:54:36:078 2516 SystemInfo:

10:54:36:078 2516 OS Version: 5.1.2600 ServicePack: 3.0

10:54:36:078 2516 Product type: Workstation

10:54:36:078 2516 ComputerName: BOSS

10:54:36:078 2516 UserName: Rich

10:54:36:078 2516 Windows directory: C:\WINDOWS

10:54:36:078 2516 System windows directory: C:\WINDOWS

10:54:36:078 2516 Processor architecture: Intel x86

10:54:36:078 2516 Number of processors: 1

10:54:36:078 2516 Page size: 0x1000

10:54:36:093 2516 Boot type: Normal boot

10:54:36:093 2516 ================================================================================

10:54:38:750 2516 Initialize success

10:54:38:750 2516

10:54:38:750 2516 Scanning Services ...

10:54:39:312 2516 Raw services enum returned 392 services

10:54:39:312 2516

10:54:39:312 2516 Scanning Drivers ...

10:54:40:171 2516 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

10:54:40:343 2516 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

10:54:40:609 2516 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

10:54:40:703 2516 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys

10:54:40:828 2516 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

10:54:41:218 2516 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

10:54:41:343 2516 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

10:54:41:484 2516 ati2mtag (8759322ffc1a50569c1e5528ee8026b7) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

10:54:41:734 2516 atinrvxx (a7a01b907db63898d40b0a14248ff9a2) C:\WINDOWS\system32\DRIVERS\atinrvxx.sys

10:54:41:859 2516 ATITUNEP (edd66332608d27f4fd5069bcd0bc5164) C:\WINDOWS\system32\DRIVERS\atintuxx.sys

10:54:42:031 2516 ativraxx (da36687d701c833430605a298731410b) C:\WINDOWS\system32\DRIVERS\atinraxx.sys

10:54:42:187 2516 ATIXSAudio (77b575d7aab35d5908ae6ce681608d62) C:\WINDOWS\system32\DRIVERS\atinxsxx.sys

10:54:42:343 2516 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

10:54:42:453 2516 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

10:54:42:609 2516 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

10:54:43:171 2516 BHDrvx86 (87c00decc19bd995217a4a5fdd4d638c) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100709.001\BHDrvx86.sys

10:54:43:625 2516 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys

10:54:43:687 2516 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys

10:54:43:781 2516 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys

10:54:43:812 2516 BTHPORT (10b85171b90c449f8da71c2640b797e9) C:\WINDOWS\system32\Drivers\BTHport.sys

10:54:43:843 2516 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys

10:54:43:921 2516 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

10:54:44:000 2516 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

10:54:44:125 2516 ccHP (e941e709847fa00e0dd6d58d2b8fb5e1) C:\WINDOWS\system32\drivers\NIS\1107000.00C\ccHPx86.sys

10:54:44:203 2516 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

10:54:44:265 2516 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

10:54:44:359 2516 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

10:54:44:484 2516 ctsfm2k (b459ae4afca570088adddbe55eabbc92) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys

10:54:44:546 2516 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

10:54:44:625 2516 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

10:54:44:703 2516 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

10:54:44:750 2516 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

10:54:44:796 2516 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

10:54:44:843 2516 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

10:54:44:921 2516 E100B (98ed0bea10477b0f252cca35eb50f838) C:\WINDOWS\system32\DRIVERS\e100b325.sys

10:54:45:031 2516 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

10:54:45:125 2516 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

10:54:45:171 2516 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

10:54:45:234 2516 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

10:54:45:281 2516 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

10:54:45:328 2516 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

10:54:45:421 2516 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

10:54:45:500 2516 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

10:54:45:546 2516 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

10:54:45:609 2516 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys

10:54:45:640 2516 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

10:54:45:687 2516 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

10:54:45:718 2516 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

10:54:45:796 2516 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

10:54:45:828 2516 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

10:54:45:937 2516 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

10:54:46:000 2516 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys

10:54:46:078 2516 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

10:54:46:203 2516 IDSxpx86 (231c3f6d5c520e99924e1e37401a90c4) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100712.001\IDSxpx86.sys

10:54:46:265 2516 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

10:54:46:328 2516 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

10:54:46:406 2516 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

10:54:46:453 2516 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

10:54:46:484 2516 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

10:54:46:515 2516 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

10:54:46:546 2516 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

10:54:46:578 2516 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

10:54:46:625 2516 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

10:54:46:656 2516 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

10:54:46:703 2516 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

10:54:46:765 2516 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

10:54:46:812 2516 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys

10:54:46:859 2516 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

10:54:46:921 2516 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys

10:54:46:953 2516 MBAMProtector (a02c631493ab553a1112a6b699fe61b3) C:\WINDOWS\system32\drivers\mbam.sys

10:54:47:015 2516 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

10:54:47:046 2516 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

10:54:47:093 2516 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

10:54:47:156 2516 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

10:54:47:187 2516 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

10:54:47:218 2516 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

10:54:47:265 2516 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

10:54:47:312 2516 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

10:54:47:328 2516 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

10:54:47:359 2516 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

10:54:47:375 2516 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

10:54:47:406 2516 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

10:54:47:421 2516 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

10:54:47:437 2516 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

10:54:47:468 2516 MVDCODEC (ed4c2bf8403f4437987c0ba09cf48716) C:\WINDOWS\system32\DRIVERS\atinmdxx.sys

10:54:47:484 2516 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

10:54:47:578 2516 NAVENG (83518e6cc82bdc3c3db0c12d1c9a2275) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100712.051\NAVENG.SYS

10:54:47:656 2516 NAVEX15 (85cf37740fe06c7a2eaa7f6c81f0819c) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100712.051\NAVEX15.SYS

10:54:47:718 2516 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

10:54:47:750 2516 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

10:54:47:765 2516 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

10:54:47:812 2516 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

10:54:47:828 2516 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

10:54:47:859 2516 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

10:54:47:937 2516 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

10:54:48:000 2516 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

10:54:48:062 2516 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

10:54:48:093 2516 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

10:54:48:140 2516 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

10:54:48:156 2516 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

10:54:48:187 2516 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

10:54:48:218 2516 ossrv (c720c25b2d0c93dc425155f5b6a707f3) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys

10:54:48:296 2516 P16X (f051107ff80f132882e71e3a5d302ec1) C:\WINDOWS\system32\drivers\P16X.sys

10:54:48:359 2516 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

10:54:48:375 2516 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

10:54:48:406 2516 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

10:54:48:421 2516 PCDCODEC (e90ac2b14e98f1a4372e5891b4278784) C:\WINDOWS\system32\DRIVERS\atinpdxx.sys

10:54:48:468 2516 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

10:54:48:515 2516 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

10:54:48:546 2516 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

10:54:48:656 2516 PfModNT (c8a2d6ff660ac601b7bb9a9b16a5c25e) C:\WINDOWS\System32\drivers\PfModNT.sys

10:54:49:000 2516 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

10:54:49:015 2516 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

10:54:49:046 2516 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

10:54:49:093 2516 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

10:54:49:125 2516 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\WINDOWS\system32\Drivers\PxHelp20.sys

10:54:49:250 2516 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

10:54:49:281 2516 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

10:54:49:312 2516 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

10:54:49:328 2516 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

10:54:49:375 2516 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

10:54:49:421 2516 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

10:54:49:484 2516 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

10:54:49:515 2516 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

10:54:49:562 2516 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

10:54:49:609 2516 Revoflt (8b5b8a11306190c6963d3473f052d3c8) C:\WINDOWS\system32\DRIVERS\revoflt.sys

10:54:49:718 2516 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys

10:54:49:812 2516 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

10:54:49:843 2516 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

10:54:49:875 2516 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

10:54:49:921 2516 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

10:54:49:953 2516 Sentinel (aebba7428a6c40cce3c5abde45190b24) C:\WINDOWS\System32\Drivers\SENTINEL.SYS

10:54:49:984 2516 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

10:54:50:031 2516 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

10:54:50:109 2516 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

10:54:50:140 2516 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

10:54:50:203 2516 Sntnlusb (a1ff7d99b199cea1f3df371ba70d2780) C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS

10:54:50:250 2516 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

10:54:50:312 2516 sptd (4f576e516cc76ec50a244586bcfa1c78) C:\WINDOWS\system32\Drivers\sptd.sys

10:54:50:312 2516 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 4f576e516cc76ec50a244586bcfa1c78

10:54:50:343 2516 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

10:54:50:453 2516 SRTSP (ec5c3c6260f4019b03dfaa03ec8cbf6a) C:\WINDOWS\System32\Drivers\NIS\1107000.00C\SRTSP.SYS

10:54:50:515 2516 SRTSPX (55d5c37ed41231e3ac2063d16df50840) C:\WINDOWS\system32\drivers\NIS\1107000.00C\SRTSPX.SYS

10:54:50:546 2516 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys

10:54:50:609 2516 st3wolf (1e9a652d898cc96038e5e5554f79c49f) C:\WINDOWS\system32\DRIVERS\st3wolf.sys

10:54:50:640 2516 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

10:54:50:656 2516 stwlfbus (24e09d134304fbc605626fced3e4cb50) C:\WINDOWS\system32\DRIVERS\stwlfbus.sys

10:54:50:703 2516 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

10:54:50:734 2516 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

10:54:50:796 2516 SymDS (56890bf9d9204b93042089d4b45ae671) C:\WINDOWS\system32\drivers\NIS\1107000.00C\SYMDS.SYS

10:54:50:843 2516 SymEFA (1c91df5188150510a6f0cf78f7d94b69) C:\WINDOWS\system32\drivers\NIS\1107000.00C\SYMEFA.SYS

10:54:50:953 2516 SymEvent (961b48b86f94d4cc8ceb483f8aa89374) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

10:54:51:000 2516 SymIRON (dc80fbf0a348e54853ef82eed4e11e35) C:\WINDOWS\system32\drivers\NIS\1107000.00C\Ironx86.SYS

10:54:51:031 2516 SYMTDI (41aad61f87ca8e3b5d0f7fe7fba0797d) C:\WINDOWS\System32\Drivers\NIS\1107000.00C\SYMTDI.SYS

10:54:51:109 2516 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

10:54:51:187 2516 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys

10:54:51:234 2516 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

10:54:51:265 2516 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

10:54:51:312 2516 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

10:54:51:375 2516 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

10:54:51:437 2516 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

10:54:51:515 2516 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys

10:54:51:562 2516 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

10:54:51:593 2516 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

10:54:51:609 2516 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

10:54:51:625 2516 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

10:54:51:656 2516 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

10:54:51:718 2516 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

10:54:51:765 2516 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

10:54:51:812 2516 vdiskbus (d1528fa039ff71779a3ea6296f746a23) C:\WINDOWS\system32\DRIVERS\vdiskbus.sys

10:54:51:875 2516 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

10:54:51:921 2516 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

10:54:51:968 2516 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

10:54:52:078 2516 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

10:54:52:125 2516 WsAudio_DeviceS(1) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(1).sys

10:54:52:203 2516 WsAudio_DeviceS(2) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(2).sys

10:54:52:250 2516 WsAudio_DeviceS(3) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(3).sys

10:54:52:296 2516 WsAudio_DeviceS(4) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(4).sys

10:54:52:343 2516 WsAudio_DeviceS(5) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(5).sys

10:54:52:375 2516 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

10:54:52:406 2516 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

10:54:52:453 2516 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

10:54:52:453 2516

10:54:52:468 2516 Completed

10:54:52:468 2516

10:54:52:468 2516 Results:

10:54:52:468 2516 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

10:54:52:468 2516 File objects infected / cured / cured on reboot: 0 / 0 / 0

10:54:52:468 2516

10:54:52:625 2516 KLMD(ARK) unloaded successfully


Hello again, how is everything running now?

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

DeQuarantine::
c:\qoobox\quarantine\c\documents and settings\Rich\Application Data\PortraitProfessionalSetup.exe
c:\qoobox\quarantine\c\documents and settings\Rich\Application Data\PortraitProfessionalStudio.exe
c:\qoobox\quarantine\c\windows\daemon.dll

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Here is my new ComboFix log. I ran the script as instructed. ComboFix had to reboot as it said it found a rootkit infection. The computer froze and I had to manually restart it. The 2 programs are still not working. I think they were deleted again?

ComboFix 10-07-12.05 - Rich 07/13/2010 11:54:26.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.411 [GMT -4:00]

Running from: c:\documents and settings\Rich\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Rich\Desktop\CFScript.txt

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))

.

2010-07-11 16:20 . 2010-07-11 16:20 -------- d-----w- c:\documents and settings\Rich\Application Data\Scooter Software

2010-07-11 16:13 . 2010-07-11 16:21 -------- d-----w- c:\program files\Beyond Compare 3

2010-07-09 16:39 . 2010-07-09 16:41 -------- d-----w- C:\WinMerge v2.12.4

2010-07-01 12:15 . 2010-07-01 12:15 -------- d-----w- c:\windows\Cache

2010-07-01 12:15 . 2010-07-01 12:17 -------- d-----w- c:\program files\Coupons

2010-06-26 13:11 . 2010-06-26 13:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\NoteTab Pro

2010-06-24 16:15 . 2010-06-24 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Fighters

2010-06-23 21:32 . 2010-06-23 22:13 -------- d-----w- c:\documents and settings\Rich\Application Data\GetRightToGo

2010-06-22 16:50 . 2010-06-22 16:50 -------- d-----w- c:\documents and settings\Rich\Application Data\Malwarebytes

2010-06-22 16:50 . 2010-04-29 16:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-22 16:50 . 2010-06-22 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-22 16:50 . 2010-06-22 16:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-22 16:50 . 2010-04-29 16:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-15 01:59 . 2010-07-13 15:32 1472344 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-13 15:42 . 2010-02-21 13:44 -------- d-----w- c:\documents and settings\Rich\Application Data\HPAppData

2010-07-13 15:36 . 2010-02-23 13:58 -------- d-----w- c:\documents and settings\Rich\Application Data\WhiteSmoke

2010-07-13 15:09 . 2010-03-21 01:55 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-12 19:19 . 2010-04-23 14:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Nitro PDF

2010-07-12 16:30 . 2010-02-12 04:16 -------- d-----w- c:\program files\FlashFXP

2010-07-12 14:58 . 2010-02-12 14:07 -------- d-----w- c:\program files\Registry Clean Expert

2010-07-12 13:30 . 2010-02-15 17:24 -------- d-----w- c:\program files\VeryPDF PDF2HTML v2.0

2010-07-12 00:26 . 2010-02-14 16:24 -------- d-----w- c:\documents and settings\Rich\Application Data\DMCache

2010-07-11 16:27 . 2010-02-23 23:25 -------- d-----w- c:\program files\NoteTab Pro 6

2010-07-07 15:26 . 2010-04-11 15:15 -------- d-----w- c:\program files\Portrait Professional Studio 9

2010-07-07 02:02 . 2010-02-10 14:02 -------- d-----w- c:\documents and settings\Rich\Application Data\U3

2010-07-02 10:36 . 2010-02-12 05:24 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-07-01 01:42 . 2010-02-10 21:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-25 13:46 . 2010-02-23 23:24 -------- d-----w- c:\documents and settings\Rich\Application Data\NoteTab Pro

2010-06-25 12:49 . 2010-02-12 20:23 8456 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2010-06-25 12:49 . 2010-02-12 20:23 8456 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2010-06-12 00:51 . 2010-04-22 19:11 -------- d-----w- c:\documents and settings\Rich\Application Data\Nitro PDF

2010-06-09 17:15 . 2010-06-09 17:15 -------- d-----w- c:\program files\MasterCook 11

2010-06-09 17:15 . 2010-02-10 13:44 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-09 14:25 . 2010-03-11 02:07 -------- d-----w- c:\documents and settings\Rich\Application Data\Obsidium

2010-06-08 23:58 . 2010-02-12 04:31 -------- d-----w- c:\program files\Quicken

2010-06-08 23:57 . 2010-06-08 23:57 2812928 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191916-191106.dll

2010-06-08 23:57 . 2010-04-24 13:55 243032 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE

2010-06-08 23:48 . 2010-02-10 21:54 57336 ----a-w- c:\documents and settings\Rich\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-08 20:56 . 2010-03-19 16:54 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-06-08 20:49 . 2010-03-19 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio

2010-06-08 20:49 . 2010-02-12 16:27 -------- d-----w- c:\program files\Windows Sidebar

2010-06-08 20:37 . 2010-03-19 18:03 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio

2010-06-08 20:23 . 2010-03-19 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic

2010-06-08 20:18 . 2010-06-08 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield

2010-06-08 20:12 . 2010-02-10 13:44 -------- d-----w- c:\program files\Common Files\InstallShield

2010-06-06 20:59 . 2010-06-06 19:13 -------- d-----w- c:\documents and settings\Rich\Application Data\onOne Software

2010-06-06 20:53 . 2010-06-06 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\onOne Software

2010-06-06 20:53 . 2010-06-06 19:39 -------- d-----w- c:\program files\onOne Software

2010-06-01 01:26 . 2010-02-14 19:28 61440 ------w- c:\windows\system32\nlssrv32.exe

2010-06-01 01:26 . 2010-02-14 19:28 57344 ------w- c:\windows\system32\ASTSRV.EXE

2010-05-19 11:19 . 2010-06-22 16:31 172274 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat

2010-05-18 00:57 . 2010-05-18 00:57 -------- d-----w- c:\program files\Evernote

2010-05-10 12:19 . 2010-03-12 20:45 55436 ------w- c:\windows\system32\mlfcache.dat

2010-05-06 04:01 . 2010-05-21 10:43 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys

2010-05-04 18:22 . 2010-04-30 18:36 63488 ----a-w- c:\documents and settings\Rich\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-04-29 05:03 . 2010-05-21 10:43 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys

2010-04-24 13:57 . 2010-04-24 13:57 5487616 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19188-191916.dll

2010-04-24 13:56 . 2010-04-24 13:56 6301696 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191127-191222.dll

2010-04-24 13:55 . 2010-04-24 13:55 2844160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191714-19188.dll

2010-04-24 13:55 . 2010-04-24 13:55 2776576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191429-19153.dll

2010-04-24 13:55 . 2010-04-24 13:55 7410688 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191319-191429.dll

2010-04-24 13:55 . 2010-04-24 13:55 7032320 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191222-191319.dll

2010-04-24 13:54 . 2010-04-24 13:54 5686272 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19153-191714.dll

2010-04-24 13:53 . 2010-04-24 13:53 230752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll

2010-04-24 13:53 . 2010-04-24 13:53 956 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd

2010-04-22 03:02 . 2010-05-21 10:43 173104 ----a-w- c:\windows\system32\drivers\symefa.sys

2010-04-22 02:29 . 2010-05-21 10:43 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-07-13_12.35.38 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-07-13 15:54 . 2010-07-13 15:54 16384 c:\windows\Temp\Perflib_Perfdata_dc.dat

+ 2010-07-13 15:52 . 2010-07-13 15:52 16384 c:\windows\Temp\Perflib_Perfdata_6fc.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2006-04-06 57344]

"ADIReminder"="c:\program files\Auto-Do-It\notify.exe" [2000-05-03 102400]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-02-12 16184]

"RegClean Expert Scheduler"="c:\program files\Registry Clean Expert\RCHelper.exe" [2008-10-25 605944]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-02 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]

"Print2PDF Print Monitor"="c:\program files\Software602\Print2PDF\Print2PDF.exe" [2010-01-04 86016]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-02-12 11:36 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 stwlfbus;stwlfbus;c:\windows\system32\drivers\stwlfbus.sys [4/27/2003 1:39 PM 8704]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [5/21/2010 6:43 AM 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [5/21/2010 6:43 AM 173104]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100709.001\BHDrvx86.sys [7/13/2010 7:15 AM 691248]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [5/21/2010 6:43 AM 501888]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 4:11 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 67656]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [5/21/2010 6:43 AM 116784]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/22/2010 12:50 PM 304464]

R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [5/21/2010 6:43 AM 126392]

R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [12/16/2009 10:09 AM 188736]

R2 nlsX86cc;NLS Service;c:\windows\system32\nlssrv32.exe [2/14/2010 3:28 PM 61440]

R2 SpotGPSMaxim;Spot GPS Maxim;c:\program files\CoPilot\Laptop10\App\Spot2741.exe [3/30/2006 11:44 PM 651385]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/24/2010 3:17 PM 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100712.001\IDSXpx86.sys [7/13/2010 7:15 AM 331640]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/22/2010 12:50 PM 20952]

R3 st3wolf;st3wolf;c:\windows\system32\drivers\st3wolf.sys [4/27/2003 12:43 PM 99360]

R3 vdiskbus;Virtual Disk Bus;c:\windows\system32\drivers\VDiskBus.sys [2/14/2010 2:43 PM 35107]

R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [3/19/2010 8:16 AM 25704]

R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [3/19/2010 8:17 AM 25704]

R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [3/19/2010 8:18 AM 25704]

R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [3/19/2010 8:19 AM 25704]

R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [3/19/2010 8:20 AM 25704]

S0 akqim;akqim; [x]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/12/2010 2:47 PM 27064]

S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 12872]

S3 SureThing Labelflash service;SureThing Labelflash service;c:\program files\Common Files\SureThing Shared\stllssvr.exe [2/12/2010 11:09 AM 74392]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/12/2010 1:17 PM 682232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

getPlusHelper REG_MULTI_SZ getPlusHelper

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uInternet Settings,ProxyOverride = *.local

IE: Add to &Evernote - c:\program files\Evernote\Evernote3.5\enbar.dll/2000

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: MasterCook: Select Image - c:\documents and settings\Rich\Local Settings\Application Data\MasterCook Web Import\MCIEContext.hta

IE: Open Selected URL - c:\program files\RightClick GoogleSearch & OpenSelectedURL\openselectedurl.htm

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: Search &Google - c:\program files\RightClick GoogleSearch & OpenSelectedURL\google.htm

IE: {{E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\Evernote\Evernote3.5\enbar.dll

Trusted Zone: intuit.com\ttlc

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Rich\Application Data\Mozilla\Firefox\Profiles\kghxyr0w.default\

FF - prefs.js: browser.search.selectedEngine - eBay

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll

FF - component: c:\documents and settings\Rich\Application Data\IDM\idmmzcc3\components\idmmzcc.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-13 12:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8326A6B8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7573f28

\Driver\ACPI -> ACPI.sys @ 0xf74e6cb8

\Driver\atapi -> 0x8326a6b8

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598

ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598

ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6

NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7301bb0

PacketIndicateHandler -> NDIS.sys @ 0xf730ea21

SendHandler -> NDIS.sys @ 0xf72ec87b

Warning: possible MBR rootkit infection !

user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-790525478-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F4D73FF7-2501-12B7-E97C-16D75FE72D4E}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iaiflhnmbnlnbipfkc"=hex:69,61,63,6d,69,63,69,61,66,69,64,69,64,6f,6a,66,6b,6f,

00,00

"hakfngedhbncfhpj"=hex:6a,61,63,6d,69,63,64,68,63,6c,68,6a,67,6e,6a,68,6a,63,

6a,69,00,f2

"gadgiafblhfkpm"=hex:61,63,6f,63,69,66,69,64,61,65,69,6d,70,68,62,6c,64,6f,6a,

6d,69,65,62,69,61,69,64,6d,6e,64,6a,69,6e,62,66,6a,70,68,68,6a,6d,6a,69,68,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{62d5a59d-2aca-45eb-9a20-bd218585c959}]

@Denied: (Full) (Everyone)

"Model"=dword:000000ad

"Therad"=dword:0000001d

"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,

1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):bc,c7,de,fb,19,b5,e2,71,77,56,ec,39,0d,17,f6,df,a9,98,c9,ea,ea,

b1,a6,ae,84,dc,a1,26,0b,12,e2,43,3f,5a,86,cf,6d,89,5e,21,00,00,00,00,00,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\documents and settings\Rich\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

c:\documents and settings\Rich\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

c:\documents and settings\Rich\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

.

Completion time: 2010-07-13 12:12:17

ComboFix-quarantined-files.txt 2010-07-13 16:12

Pre-Run: 59,156,873,216 bytes free

Post-Run: 59,165,073,408 bytes free

- - End Of File - - CD63214AC2239D2C84AD2E9ACF863792


Yes, I did run the Defogger; it never asked to reboot. I assumed it went well.

ComboFix-quarantined-files log

2010-07-13 15:54:18 . 2010-07-13 15:54:18 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt

2010-07-13 12:24:10 . 2010-07-13 12:24:10 798 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_FILEMON.reg.dat

2010-07-13 12:23:47 . 2010-07-13 16:02:49 7,005 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2010-07-13 11:38:01 . 2010-07-13 15:52:58 306 ----a-w- C:\Qoobox\Quarantine\catchme.log

2010-03-19 17:17:50 . 2010-06-08 20:22:26 1,087 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\xpsp1hfm.log.vir

2010-01-08 14:45:22 . 2010-01-08 14:45:22 6,932,992 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Rich\Application Data\PortraitProfessionalStudio.exe.vir

2009-12-13 10:36:52 . 2009-12-13 10:36:52 32,318,978 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Rich\Application Data\PortraitProfessionalSetup.exe.vir

2003-04-27 17:38:56 . 2003-04-27 17:38:56 54,784 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\daemon.dll.vir


Ouch, sorry, I now see why the script didn't work, my bad. :)

Please run the following as a CFScript:

DeQuarantine::
C:\Qoobox\Quarantine\C\Documents and Settings\Rich\Application Data\PortraitProfessionalStudio.exe.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rich\Application Data\PortraitProfessionalSetup.exe.vir
C:\Qoobox\Quarantine\C\WINDOWS\daemon.dll.vir

If you didn't do so already, please run DeFogger before running Combofix!!


Looks like ComboFix took the 3 files back out. I could probably just rename them and move them into the correct directories?

My new combofix log:

ComboFix 10-07-12.06 - Rich 07/13/2010 14:44:29.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.413 [GMT -4:00]

Running from: c:\documents and settings\Rich\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Rich\Desktop\CFScript.txt

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Rich\Application Data\PortraitProfessionalSetup.exe

c:\documents and settings\Rich\Application Data\PortraitProfessionalStudio.exe

c:\windows\daemon.dll

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\userinit.exe

.

((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))

.

2010-07-11 16:20 . 2010-07-11 16:20 -------- d-----w- c:\documents and settings\Rich\Application Data\Scooter Software

2010-07-11 16:13 . 2010-07-11 16:21 -------- d-----w- c:\program files\Beyond Compare 3

2010-07-09 16:39 . 2010-07-09 16:41 -------- d-----w- C:\WinMerge v2.12.4

2010-07-01 12:15 . 2010-07-01 12:15 -------- d-----w- c:\windows\Cache

2010-07-01 12:15 . 2010-07-01 12:17 -------- d-----w- c:\program files\Coupons

2010-06-26 13:11 . 2010-06-26 13:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\NoteTab Pro

2010-06-24 16:15 . 2010-06-24 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Fighters

2010-06-23 21:32 . 2010-06-23 22:13 -------- d-----w- c:\documents and settings\Rich\Application Data\GetRightToGo

2010-06-22 16:50 . 2010-06-22 16:50 -------- d-----w- c:\documents and settings\Rich\Application Data\Malwarebytes

2010-06-22 16:50 . 2010-04-29 16:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-22 16:50 . 2010-06-22 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-22 16:50 . 2010-06-22 16:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-22 16:50 . 2010-04-29 16:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-15 01:59 . 2010-07-13 15:32 1472344 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-13 17:20 . 2010-02-21 13:44 -------- d-----w- c:\documents and settings\Rich\Application Data\HPAppData

2010-07-13 15:36 . 2010-02-23 13:58 -------- d-----w- c:\documents and settings\Rich\Application Data\WhiteSmoke

2010-07-13 15:09 . 2010-03-21 01:55 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-12 19:19 . 2010-04-23 14:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Nitro PDF

2010-07-12 16:30 . 2010-02-12 04:16 -------- d-----w- c:\program files\FlashFXP

2010-07-12 14:58 . 2010-02-12 14:07 -------- d-----w- c:\program files\Registry Clean Expert

2010-07-12 13:30 . 2010-02-15 17:24 -------- d-----w- c:\program files\VeryPDF PDF2HTML v2.0

2010-07-12 00:26 . 2010-02-14 16:24 -------- d-----w- c:\documents and settings\Rich\Application Data\DMCache

2010-07-11 16:27 . 2010-02-23 23:25 -------- d-----w- c:\program files\NoteTab Pro 6

2010-07-07 15:26 . 2010-04-11 15:15 -------- d-----w- c:\program files\Portrait Professional Studio 9

2010-07-07 02:02 . 2010-02-10 14:02 -------- d-----w- c:\documents and settings\Rich\Application Data\U3

2010-07-02 10:36 . 2010-02-12 05:24 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-07-01 01:42 . 2010-02-10 21:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-25 13:46 . 2010-02-23 23:24 -------- d-----w- c:\documents and settings\Rich\Application Data\NoteTab Pro

2010-06-25 12:49 . 2010-02-12 20:23 8456 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2010-06-25 12:49 . 2010-02-12 20:23 8456 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2010-06-12 00:51 . 2010-04-22 19:11 -------- d-----w- c:\documents and settings\Rich\Application Data\Nitro PDF

2010-06-09 17:15 . 2010-06-09 17:15 -------- d-----w- c:\program files\MasterCook 11

2010-06-09 17:15 . 2010-02-10 13:44 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-09 14:25 . 2010-03-11 02:07 -------- d-----w- c:\documents and settings\Rich\Application Data\Obsidium

2010-06-08 23:58 . 2010-02-12 04:31 -------- d-----w- c:\program files\Quicken

2010-06-08 23:57 . 2010-06-08 23:57 2812928 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191916-191106.dll

2010-06-08 23:57 . 2010-04-24 13:55 243032 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE

2010-06-08 23:48 . 2010-02-10 21:54 57336 ----a-w- c:\documents and settings\Rich\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-08 20:56 . 2010-03-19 16:54 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-06-08 20:49 . 2010-03-19 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio

2010-06-08 20:49 . 2010-02-12 16:27 -------- d-----w- c:\program files\Windows Sidebar

2010-06-08 20:37 . 2010-03-19 18:03 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio

2010-06-08 20:23 . 2010-03-19 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic

2010-06-08 20:18 . 2010-06-08 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield

2010-06-08 20:12 . 2010-02-10 13:44 -------- d-----w- c:\program files\Common Files\InstallShield

2010-06-06 20:59 . 2010-06-06 19:13 -------- d-----w- c:\documents and settings\Rich\Application Data\onOne Software

2010-06-06 20:53 . 2010-06-06 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\onOne Software

2010-06-06 20:53 . 2010-06-06 19:39 -------- d-----w- c:\program files\onOne Software

2010-06-01 01:26 . 2010-02-14 19:28 61440 ------w- c:\windows\system32\nlssrv32.exe

2010-06-01 01:26 . 2010-02-14 19:28 57344 ------w- c:\windows\system32\ASTSRV.EXE

2010-05-19 11:19 . 2010-06-22 16:31 172274 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat

2010-05-18 00:57 . 2010-05-18 00:57 -------- d-----w- c:\program files\Evernote

2010-05-10 12:19 . 2010-03-12 20:45 55436 ------w- c:\windows\system32\mlfcache.dat

2010-05-06 04:01 . 2010-05-21 10:43 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys

2010-05-04 18:22 . 2010-04-30 18:36 63488 ----a-w- c:\documents and settings\Rich\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-04-29 05:03 . 2010-05-21 10:43 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys

2010-04-24 13:57 . 2010-04-24 13:57 5487616 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19188-191916.dll

2010-04-24 13:56 . 2010-04-24 13:56 6301696 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191127-191222.dll

2010-04-24 13:55 . 2010-04-24 13:55 2844160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191714-19188.dll

2010-04-24 13:55 . 2010-04-24 13:55 2776576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191429-19153.dll

2010-04-24 13:55 . 2010-04-24 13:55 7410688 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191319-191429.dll

2010-04-24 13:55 . 2010-04-24 13:55 7032320 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191222-191319.dll

2010-04-24 13:54 . 2010-04-24 13:54 5686272 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19153-191714.dll

2010-04-24 13:53 . 2010-04-24 13:53 230752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll

2010-04-24 13:53 . 2010-04-24 13:53 956 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd

2010-04-22 03:02 . 2010-05-21 10:43 173104 ----a-w- c:\windows\system32\drivers\symefa.sys

2010-04-22 02:29 . 2010-05-21 10:43 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-07-13_12.35.38 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-07-13 19:00 . 2010-07-13 19:00 16384 c:\windows\Temp\Perflib_Perfdata_e0.dat

+ 2010-07-13 18:58 . 2010-07-13 18:58 16384 c:\windows\Temp\Perflib_Perfdata_6fc.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2006-04-06 57344]

"ADIReminder"="c:\program files\Auto-Do-It\notify.exe" [2000-05-03 102400]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-02-12 16184]

"RegClean Expert Scheduler"="c:\program files\Registry Clean Expert\RCHelper.exe" [2008-10-25 605944]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-02 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]

"Print2PDF Print Monitor"="c:\program files\Software602\Print2PDF\Print2PDF.exe" [2010-01-04 86016]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-02-12 11:36 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 stwlfbus;stwlfbus;c:\windows\system32\drivers\stwlfbus.sys [4/27/2003 1:39 PM 8704]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [5/21/2010 6:43 AM 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [5/21/2010 6:43 AM 173104]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100709.001\BHDrvx86.sys [7/13/2010 7:15 AM 691248]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [5/21/2010 6:43 AM 501888]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 4:11 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 67656]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [5/21/2010 6:43 AM 116784]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/22/2010 12:50 PM 304464]

R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [5/21/2010 6:43 AM 126392]

R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [12/16/2009 10:09 AM 188736]

R2 nlsX86cc;NLS Service;c:\windows\system32\nlssrv32.exe [2/14/2010 3:28 PM 61440]

R2 SpotGPSMaxim;Spot GPS Maxim;c:\program files\CoPilot\Laptop10\App\Spot2741.exe [3/30/2006 11:44 PM 651385]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/24/2010 3:17 PM 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100712.001\IDSXpx86.sys [7/13/2010 7:15 AM 331640]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/22/2010 12:50 PM 20952]

R3 st3wolf;st3wolf;c:\windows\system32\drivers\st3wolf.sys [4/27/2003 12:43 PM 99360]

R3 vdiskbus;Virtual Disk Bus;c:\windows\system32\drivers\VDiskBus.sys [2/14/2010 2:43 PM 35107]

R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [3/19/2010 8:16 AM 25704]

R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [3/19/2010 8:17 AM 25704]

R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [3/19/2010 8:18 AM 25704]

R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [3/19/2010 8:19 AM 25704]

R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [3/19/2010 8:20 AM 25704]

S0 akqim;akqim; [x]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/12/2010 2:47 PM 27064]

S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 12872]

S3 SureThing Labelflash service;SureThing Labelflash service;c:\program files\Common Files\SureThing Shared\stllssvr.exe [2/12/2010 11:09 AM 74392]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/12/2010 1:17 PM 682232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

getPlusHelper REG_MULTI_SZ getPlusHelper

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uInternet Settings,ProxyOverride = *.local

IE: Add to &Evernote - c:\program files\Evernote\Evernote3.5\enbar.dll/2000

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: MasterCook: Select Image - c:\documents and settings\Rich\Local Settings\Application Data\MasterCook Web Import\MCIEContext.hta

IE: Open Selected URL - c:\program files\RightClick GoogleSearch & OpenSelectedURL\openselectedurl.htm

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: Search &Google - c:\program files\RightClick GoogleSearch & OpenSelectedURL\google.htm

IE: {{E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\Evernote\Evernote3.5\enbar.dll

Trusted Zone: intuit.com\ttlc

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Rich\Application Data\Mozilla\Firefox\Profiles\kghxyr0w.default\

FF - prefs.js: browser.search.selectedEngine - eBay

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll

FF - component: c:\documents and settings\Rich\Application Data\IDM\idmmzcc3\components\idmmzcc.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-13 15:01

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x838A7CF0]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7573f28

\Driver\ACPI -> ACPI.sys @ 0xf74e6cb8

\Driver\atapi -> 0x838a7cf0

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598

ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598

ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6

NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7301bb0

PacketIndicateHandler -> NDIS.sys @ 0xf730ea21

SendHandler -> NDIS.sys @ 0xf72ec87b

Warning: possible MBR rootkit infection !

user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-790525478-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F4D73FF7-2501-12B7-E97C-16D75FE72D4E}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iaiflhnmbnlnbipfkc"=hex:69,61,63,6d,69,63,69,61,66,69,64,69,64,6f,6a,66,6b,6f,

00,00

"hakfngedhbncfhpj"=hex:6a,61,63,6d,69,63,64,68,63,6c,68,6a,67,6e,6a,68,6a,63,

6a,69,00,f2

"gadgiafblhfkpm"=hex:61,63,6f,63,69,66,69,64,61,65,69,6d,70,68,62,6c,64,6f,6a,

6d,69,65,62,69,61,69,64,6d,6e,64,6a,69,6e,62,66,6a,70,68,68,6a,6d,6a,69,68,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{62d5a59d-2aca-45eb-9a20-bd218585c959}]

@Denied: (Full) (Everyone)

"Model"=dword:000000ad

"Therad"=dword:0000001d

"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,

1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):bc,c7,de,fb,19,b5,e2,71,77,56,ec,39,0d,17,f6,df,a9,98,c9,ea,ea,

b1,a6,ae,84,dc,a1,26,0b,12,e2,43,3f,5a,86,cf,6d,89,5e,21,00,00,00,00,00,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\documents and settings\Rich\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

c:\documents and settings\Rich\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

c:\documents and settings\Rich\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

- - - - - - - > 'explorer.exe'(2188)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\system32\astsrv.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Power Translator 12\LogoMedia TranslateDotNet Server.exe

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

.

**************************************************************************

.

Completion time: 2010-07-13 15:14:20 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-13 19:14

ComboFix2.txt 2010-07-13 16:12

C:\DeQuarantine.txt

Pre-Run: 59,159,769,088 bytes free

Post-Run: 59,146,551,296 bytes free

- - End Of File - - C790F6CD203EAFB9EB36FD5282235F77


Could you please run Defogger? I asked two times so far, but I see no evidence you actually ran it. It's imperative we run it, since your log shows a possible rootkit infection. Without running Defogger there is no way to say if we are dealing with a rootkit or with a false positive detection.

If this tool causes trouble, just let me know. :(

After Defogger has successfully disabled any CD emulators, we will dequarantine these 3 files properly.


I did run it the first time. Should I run it again?

Here's the log.

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 11:31 on 13/07/2010 (Rich)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

Unable to read sptd.sys

SPTD -> Disabled (Service running -> reboot required)

-=E.O.F=-


I ran Defogger again, but did not get a log this time. Again, when ComboFix runs for a bit, it pops up saying there is a rootkit infection and it needs to reboot. The computer just sits there and I have to turn the power off to reboot.

ComboFix log:

ComboFix 10-07-12.06 - Rich 07/13/2010 19:03:43.4.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.407 [GMT -4:00]

Running from: c:\documents and settings\Rich\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Rich\Desktop\CFScript.txt

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Rich\Application Data\PortraitProfessionalSetup.exe

c:\documents and settings\Rich\Application Data\PortraitProfessionalStudio.exe

c:\windows\daemon.dll

Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\atapi.sys

.

((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))

.

2010-07-11 16:20 . 2010-07-11 16:20 -------- d-----w- c:\documents and settings\Rich\Application Data\Scooter Software

2010-07-11 16:13 . 2010-07-11 16:21 -------- d-----w- c:\program files\Beyond Compare 3

2010-07-09 16:39 . 2010-07-09 16:41 -------- d-----w- C:\WinMerge v2.12.4

2010-07-01 12:15 . 2010-07-01 12:15 -------- d-----w- c:\windows\Cache

2010-07-01 12:15 . 2010-07-01 12:17 -------- d-----w- c:\program files\Coupons

2010-06-26 13:11 . 2010-06-26 13:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\NoteTab Pro

2010-06-24 16:15 . 2010-06-24 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Fighters

2010-06-23 21:32 . 2010-06-23 22:13 -------- d-----w- c:\documents and settings\Rich\Application Data\GetRightToGo

2010-06-22 16:50 . 2010-06-22 16:50 -------- d-----w- c:\documents and settings\Rich\Application Data\Malwarebytes

2010-06-22 16:50 . 2010-04-29 16:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-22 16:50 . 2010-06-22 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-22 16:50 . 2010-06-22 16:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-22 16:50 . 2010-04-29 16:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-15 01:59 . 2010-07-13 15:32 1472344 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-13 22:37 . 2010-02-21 13:44 -------- d-----w- c:\documents and settings\Rich\Application Data\HPAppData

2010-07-13 19:46 . 2010-04-23 14:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Nitro PDF

2010-07-13 15:36 . 2010-02-23 13:58 -------- d-----w- c:\documents and settings\Rich\Application Data\WhiteSmoke

2010-07-13 15:09 . 2010-03-21 01:55 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-12 16:30 . 2010-02-12 04:16 -------- d-----w- c:\program files\FlashFXP

2010-07-12 14:58 . 2010-02-12 14:07 -------- d-----w- c:\program files\Registry Clean Expert

2010-07-12 13:30 . 2010-02-15 17:24 -------- d-----w- c:\program files\VeryPDF PDF2HTML v2.0

2010-07-12 00:26 . 2010-02-14 16:24 -------- d-----w- c:\documents and settings\Rich\Application Data\DMCache

2010-07-11 16:27 . 2010-02-23 23:25 -------- d-----w- c:\program files\NoteTab Pro 6

2010-07-07 15:26 . 2010-04-11 15:15 -------- d-----w- c:\program files\Portrait Professional Studio 9

2010-07-07 02:02 . 2010-02-10 14:02 -------- d-----w- c:\documents and settings\Rich\Application Data\U3

2010-07-02 10:36 . 2010-02-12 05:24 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-07-01 01:42 . 2010-02-10 21:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-25 13:46 . 2010-02-23 23:24 -------- d-----w- c:\documents and settings\Rich\Application Data\NoteTab Pro

2010-06-25 12:49 . 2010-02-12 20:23 8456 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2010-06-12 00:51 . 2010-04-22 19:11 -------- d-----w- c:\documents and settings\Rich\Application Data\Nitro PDF

2010-06-09 17:15 . 2010-06-09 17:15 -------- d-----w- c:\program files\MasterCook 11

2010-06-09 17:15 . 2010-02-10 13:44 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-09 14:25 . 2010-03-11 02:07 -------- d-----w- c:\documents and settings\Rich\Application Data\Obsidium

2010-06-08 23:58 . 2010-02-12 04:31 -------- d-----w- c:\program files\Quicken

2010-06-08 23:48 . 2010-02-10 21:54 57336 ----a-w- c:\documents and settings\Rich\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-08 20:56 . 2010-03-19 16:54 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-06-08 20:49 . 2010-03-19 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio

2010-06-08 20:49 . 2010-02-12 16:27 -------- d-----w- c:\program files\Windows Sidebar

2010-06-08 20:37 . 2010-03-19 18:03 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio

2010-06-08 20:23 . 2010-03-19 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic

2010-06-08 20:18 . 2010-06-08 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield

2010-06-08 20:12 . 2010-02-10 13:44 -------- d-----w- c:\program files\Common Files\InstallShield

2010-06-06 20:59 . 2010-06-06 19:13 -------- d-----w- c:\documents and settings\Rich\Application Data\onOne Software

2010-06-06 20:53 . 2010-06-06 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\onOne Software

2010-06-06 20:53 . 2010-06-06 19:39 -------- d-----w- c:\program files\onOne Software

2010-06-06 19:39 . 2010-06-06 19:39 -------- d-----w- c:\program files\Common Files\onOne Software Shared

2010-06-06 17:32 . 2010-06-06 17:32 -------- d-----w- c:\documents and settings\Rich\Application Data\oald8

2010-06-06 17:29 . 2010-06-06 17:29 -------- d-----w- c:\program files\Oxford

2010-06-02 22:48 . 2010-02-10 12:09 -------- d-----w- c:\program files\CalorieKing Nutrition and Exercise Manager for Windows

2010-06-01 01:26 . 2010-06-06 19:39 227840 ------w- c:\windows\system32\Deco_32.dll

2010-06-01 01:26 . 2010-02-14 19:28 61440 ------w- c:\windows\system32\nlssrv32.exe

2010-06-01 01:26 . 2010-02-14 19:28 57344 ------w- c:\windows\system32\ASTSRV.EXE

2010-05-19 11:19 . 2010-06-22 16:31 172274 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat

2010-05-18 00:57 . 2010-05-18 00:57 -------- d-----w- c:\program files\Evernote

2010-05-10 12:19 . 2010-03-12 20:45 55436 ------w- c:\windows\system32\mlfcache.dat

2010-05-06 04:01 . 2010-05-21 10:43 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys

2010-04-29 05:03 . 2010-05-21 10:43 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys

2010-04-22 03:02 . 2010-05-21 10:43 173104 ----a-w- c:\windows\system32\drivers\symefa.sys

2010-04-22 02:29 . 2010-05-21 10:43 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-07-13_12.35.38 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-07-13 23:19 . 2010-07-13 23:19 16384 c:\windows\Temp\Perflib_Perfdata_e0.dat

+ 2010-07-13 23:17 . 2010-07-13 23:17 16384 c:\windows\Temp\Perflib_Perfdata_700.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2006-04-06 57344]

"ADIReminder"="c:\program files\Auto-Do-It\notify.exe" [2000-05-03 102400]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-02-12 16184]

"RegClean Expert Scheduler"="c:\program files\Registry Clean Expert\RCHelper.exe" [2008-10-25 605944]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-02 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]

"Print2PDF Print Monitor"="c:\program files\Software602\Print2PDF\Print2PDF.exe" [2010-01-04 86016]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-02-12 11:36 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 stwlfbus;stwlfbus;c:\windows\system32\drivers\stwlfbus.sys [4/27/2003 1:39 PM 8704]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [5/21/2010 6:43 AM 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [5/21/2010 6:43 AM 173104]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100709.001\BHDrvx86.sys [7/13/2010 7:15 AM 691248]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [5/21/2010 6:43 AM 501888]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 4:11 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 67656]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [5/21/2010 6:43 AM 116784]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/22/2010 12:50 PM 304464]

R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [5/21/2010 6:43 AM 126392]

R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [12/16/2009 10:09 AM 188736]

R2 nlsX86cc;NLS Service;c:\windows\system32\nlssrv32.exe [2/14/2010 3:28 PM 61440]

R2 SpotGPSMaxim;Spot GPS Maxim;c:\program files\CoPilot\Laptop10\App\Spot2741.exe [3/30/2006 11:44 PM 651385]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/24/2010 3:17 PM 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100712.001\IDSXpx86.sys [7/13/2010 7:15 AM 331640]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/22/2010 12:50 PM 20952]

R3 st3wolf;st3wolf;c:\windows\system32\drivers\st3wolf.sys [4/27/2003 12:43 PM 99360]

R3 vdiskbus;Virtual Disk Bus;c:\windows\system32\drivers\VDiskBus.sys [2/14/2010 2:43 PM 35107]

R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [3/19/2010 8:16 AM 25704]

R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [3/19/2010 8:17 AM 25704]

R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [3/19/2010 8:18 AM 25704]

R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [3/19/2010 8:19 AM 25704]

R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [3/19/2010 8:20 AM 25704]

S0 akqim;akqim; [x]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/12/2010 2:47 PM 27064]

S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 12872]

S3 SureThing Labelflash service;SureThing Labelflash service;c:\program files\Common Files\SureThing Shared\stllssvr.exe [2/12/2010 11:09 AM 74392]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/12/2010 1:17 PM 682232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

getPlusHelper REG_MULTI_SZ getPlusHelper

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uInternet Settings,ProxyOverride = *.local

IE: Add to &Evernote - c:\program files\Evernote\Evernote3.5\enbar.dll/2000

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: MasterCook: Select Image - c:\documents and settings\Rich\Local Settings\Application Data\MasterCook Web Import\MCIEContext.hta

IE: Open Selected URL - c:\program files\RightClick GoogleSearch & OpenSelectedURL\openselectedurl.htm

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: Search &Google - c:\program files\RightClick GoogleSearch & OpenSelectedURL\google.htm

IE: {{E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\Evernote\Evernote3.5\enbar.dll

Trusted Zone: intuit.com\ttlc

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Rich\Application Data\Mozilla\Firefox\Profiles\kghxyr0w.default\

FF - prefs.js: browser.search.selectedEngine - eBay

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll

FF - component: c:\documents and settings\Rich\Application Data\IDM\idmmzcc3\components\idmmzcc.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-13 19:20

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83864A98]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7573f28

\Driver\ACPI -> ACPI.sys @ 0xf74e6cb8

\Driver\atapi -> 0x83864a98

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598

ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598

ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6

NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7301bb0

PacketIndicateHandler -> NDIS.sys @ 0xf730ea21

SendHandler -> NDIS.sys @ 0xf72ec87b

Warning: possible MBR rootkit infection !

user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-790525478-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F4D73FF7-2501-12B7-E97C-16D75FE72D4E}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iaiflhnmbnlnbipfkc"=hex:69,61,63,6d,69,63,69,61,66,69,64,69,64,6f,6a,66,6b,6f,

00,00

"hakfngedhbncfhpj"=hex:6a,61,63,6d,69,63,64,68,63,6c,68,6a,67,6e,6a,68,6a,63,

6a,69,00,f2

"gadgiafblhfkpm"=hex:61,63,6f,63,69,66,69,64,61,65,69,6d,70,68,62,6c,64,6f,6a,

6d,69,65,62,69,61,69,64,6d,6e,64,6a,69,6e,62,66,6a,70,68,68,6a,6d,6a,69,68,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{62d5a59d-2aca-45eb-9a20-bd218585c959}]

@Denied: (Full) (Everyone)

"Model"=dword:000000ad

"Therad"=dword:0000001d

"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,

1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):bc,c7,de,fb,19,b5,e2,71,77,56,ec,39,0d,17,f6,df,a9,98,c9,ea,ea,

b1,a6,ae,84,dc,a1,26,0b,12,e2,43,3f,5a,86,cf,6d,89,5e,21,00,00,00,00,00,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\documents and settings\Rich\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

c:\documents and settings\Rich\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

c:\documents and settings\Rich\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

- - - - - - - > 'explorer.exe'(3948)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\system32\astsrv.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Power Translator 12\LogoMedia TranslateDotNet Server.exe

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

.

**************************************************************************

.

Completion time: 2010-07-13 19:32:01 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-13 23:31

ComboFix2.txt 2010-07-13 19:14

ComboFix3.txt 2010-07-13 16:12

C:\DeQuarantine.txt

Pre-Run: 59,108,597,760 bytes free

Post-Run: 59,097,542,656 bytes free

- - End Of File - - 1F7DB08A4275C6ED06441E7D4699BDA8

DeQuarantine.txt

C:\Qoobox\Quarantine\C\Documents and Settings\Rich\Application Data\PortraitProfessionalSetup.exe.vir -> C:\Documents and Settings\Rich\Application Data\PortraitProfessionalSetup.exe ( 32318978 bytes )

C:\Qoobox\Quarantine\C\Documents and Settings\Rich\Application Data\PortraitProfessionalStudio.exe.vir -> C:\Documents and Settings\Rich\Application Data\PortraitProfessionalStudio.exe ( 6932992 bytes )

C:\Qoobox\Quarantine\C\WINDOWS\daemon.dll.vir -> C:\WINDOWS\daemon.dll ( 54784 bytes )


Thank you for confirming you ran Defogger. It appears there is indeed a rootkit, but somehow ComboFix doesn't see it right. Let's hope the following steps will.

  • Please download TDSSKiller.zip and save it to your desktop.
  • Extract the zip file to your desktop (important, before continuing, make sure the file is located on your desktop, otherwise the following steps will not work!). Do NOT run the file yet!
  • Click Start > Run and copy/paste the following bolded text into the Run box:
    "%userprofile%\desktop\tdsskiller.exe" -l report.txt
  • When it has finished, press any key to continue.
  • If needed, reboot the computer.

A logfile (report.txt) will be created on your desktop. Please post its contents in your next reply.

When done, run the following as a CFScript; this should restore the 3 files without doing a regular run, so they won't get deleted again.

DeQuarantine::
C:\Qoobox\Quarantine\C\Documents and Settings\Rich\Application Data\PortraitProfessionalStudio.exe.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rich\Application Data\PortraitProfessionalSetup.exe.vir
C:\Qoobox\Quarantine\C\WINDOWS\daemon.dll.vir
Quit::


The 3 files were put back this time. However, Portrait Professional fails to run. I have uninstalled this program and will reinstall it when needed. The other program works fine.

Here is the report log:

07:13:09:046 3360 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49

07:13:09:046 3360 ================================================================================

07:13:09:046 3360 SystemInfo:

07:13:09:046 3360 OS Version: 5.1.2600 ServicePack: 3.0

07:13:09:046 3360 Product type: Workstation

07:13:09:046 3360 ComputerName: BOSS

07:13:09:046 3360 UserName: Rich

07:13:09:046 3360 Windows directory: C:\WINDOWS

07:13:09:046 3360 System windows directory: C:\WINDOWS

07:13:09:046 3360 Processor architecture: Intel x86

07:13:09:046 3360 Number of processors: 1

07:13:09:046 3360 Page size: 0x1000

07:13:09:062 3360 Boot type: Normal boot

07:13:09:062 3360 ================================================================================

07:13:09:937 3360 Initialize success

07:13:09:937 3360

07:13:09:937 3360 Scanning Services ...

07:13:10:296 3360 Raw services enum returned 392 services

07:13:10:312 3360

07:13:10:312 3360 Scanning Drivers ...

07:13:10:937 3360 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

07:13:10:968 3360 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

07:13:11:015 3360 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

07:13:11:078 3360 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys

07:13:11:109 3360 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

07:13:11:234 3360 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

07:13:11:250 3360 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

07:13:11:296 3360 ati2mtag (8759322ffc1a50569c1e5528ee8026b7) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

07:13:11:328 3360 atinrvxx (a7a01b907db63898d40b0a14248ff9a2) C:\WINDOWS\system32\DRIVERS\atinrvxx.sys

07:13:11:359 3360 ATITUNEP (edd66332608d27f4fd5069bcd0bc5164) C:\WINDOWS\system32\DRIVERS\atintuxx.sys

07:13:11:390 3360 ativraxx (da36687d701c833430605a298731410b) C:\WINDOWS\system32\DRIVERS\atinraxx.sys

07:13:11:406 3360 ATIXSAudio (77b575d7aab35d5908ae6ce681608d62) C:\WINDOWS\system32\DRIVERS\atinxsxx.sys

07:13:11:437 3360 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

07:13:11:468 3360 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

07:13:11:500 3360 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

07:13:11:625 3360 BHDrvx86 (87c00decc19bd995217a4a5fdd4d638c) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100709.001\BHDrvx86.sys

07:13:11:671 3360 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys

07:13:11:703 3360 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys

07:13:11:718 3360 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys

07:13:11:781 3360 BTHPORT (10b85171b90c449f8da71c2640b797e9) C:\WINDOWS\system32\Drivers\BTHport.sys

07:13:11:796 3360 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys

07:13:11:859 3360 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

07:13:11:890 3360 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

07:13:11:953 3360 ccHP (e941e709847fa00e0dd6d58d2b8fb5e1) C:\WINDOWS\system32\drivers\NIS\1107000.00C\ccHPx86.sys

07:13:12:000 3360 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

07:13:12:031 3360 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

07:13:12:078 3360 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

07:13:12:156 3360 ctsfm2k (b459ae4afca570088adddbe55eabbc92) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys

07:13:12:218 3360 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

07:13:12:265 3360 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

07:13:12:343 3360 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

07:13:12:375 3360 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

07:13:12:421 3360 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

07:13:12:468 3360 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

07:13:12:500 3360 E100B (98ed0bea10477b0f252cca35eb50f838) C:\WINDOWS\system32\DRIVERS\e100b325.sys

07:13:12:609 3360 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

07:13:12:640 3360 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

07:13:12:656 3360 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

07:13:12:687 3360 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

07:13:12:703 3360 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

07:13:12:718 3360 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

07:13:12:812 3360 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

07:13:12:859 3360 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

07:13:12:906 3360 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

07:13:12:921 3360 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys

07:13:12:953 3360 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

07:13:12:968 3360 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

07:13:13:000 3360 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

07:13:13:031 3360 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

07:13:13:046 3360 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

07:13:13:078 3360 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

07:13:13:125 3360 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys

07:13:13:187 3360 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

07:13:13:296 3360 IDSxpx86 (231c3f6d5c520e99924e1e37401a90c4) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100713.001\IDSxpx86.sys

07:13:13:359 3360 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

07:13:13:390 3360 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

07:13:13:421 3360 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

07:13:13:437 3360 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

07:13:13:484 3360 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

07:13:13:515 3360 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

07:13:13:546 3360 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

07:13:13:578 3360 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

07:13:13:609 3360 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

07:13:13:640 3360 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

07:13:13:671 3360 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

07:13:13:703 3360 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

07:13:13:734 3360 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys

07:13:13:796 3360 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

07:13:13:828 3360 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys

07:13:13:875 3360 MBAMProtector (a02c631493ab553a1112a6b699fe61b3) C:\WINDOWS\system32\drivers\mbam.sys

07:13:13:906 3360 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

07:13:13:921 3360 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

07:13:13:968 3360 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

07:13:13:984 3360 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

07:13:14:000 3360 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

07:13:14:031 3360 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

07:13:14:093 3360 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

07:13:14:140 3360 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

07:13:14:156 3360 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

07:13:14:171 3360 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

07:13:14:203 3360 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

07:13:14:218 3360 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

07:13:14:250 3360 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

07:13:14:265 3360 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

07:13:14:296 3360 MVDCODEC (ed4c2bf8403f4437987c0ba09cf48716) C:\WINDOWS\system32\DRIVERS\atinmdxx.sys

07:13:14:312 3360 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

07:13:14:437 3360 NAVENG (0953bb24c1e70a99c315f44f15993c17) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100713.040\NAVENG.SYS

07:13:14:656 3360 NAVEX15 (3ddb0bef60b65df6b110c23e17cd67dc) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100713.040\NAVEX15.SYS

07:13:14:734 3360 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

07:13:14:781 3360 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

07:13:14:796 3360 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

07:13:14:812 3360 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

07:13:14:843 3360 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

07:13:14:875 3360 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

07:13:14:906 3360 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

07:13:14:953 3360 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

07:13:14:984 3360 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

07:13:15:015 3360 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

07:13:15:062 3360 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

07:13:15:093 3360 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

07:13:15:109 3360 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

07:13:15:140 3360 ossrv (c720c25b2d0c93dc425155f5b6a707f3) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys

07:13:15:203 3360 P16X (f051107ff80f132882e71e3a5d302ec1) C:\WINDOWS\system32\drivers\P16X.sys

07:13:15:281 3360 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

07:13:15:296 3360 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

07:13:15:312 3360 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

07:13:15:343 3360 PCDCODEC (e90ac2b14e98f1a4372e5891b4278784) C:\WINDOWS\system32\DRIVERS\atinpdxx.sys

07:13:15:406 3360 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

07:13:15:453 3360 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

07:13:15:468 3360 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

07:13:15:578 3360 PfModNT (c8a2d6ff660ac601b7bb9a9b16a5c25e) C:\WINDOWS\System32\drivers\PfModNT.sys

07:13:15:609 3360 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

07:13:15:625 3360 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

07:13:15:656 3360 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

07:13:15:687 3360 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

07:13:15:734 3360 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\WINDOWS\system32\Drivers\PxHelp20.sys

07:13:15:828 3360 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

07:13:15:843 3360 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

07:13:15:875 3360 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

07:13:15:890 3360 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

07:13:15:937 3360 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

07:13:15:968 3360 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

07:13:16:000 3360 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

07:13:16:015 3360 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

07:13:16:062 3360 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

07:13:16:093 3360 Revoflt (8b5b8a11306190c6963d3473f052d3c8) C:\WINDOWS\system32\DRIVERS\revoflt.sys

07:13:16:125 3360 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys

07:13:16:218 3360 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

07:13:16:250 3360 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

07:13:16:281 3360 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

07:13:16:312 3360 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

07:13:16:359 3360 Sentinel (aebba7428a6c40cce3c5abde45190b24) C:\WINDOWS\System32\Drivers\SENTINEL.SYS

07:13:16:375 3360 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

07:13:16:421 3360 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

07:13:16:437 3360 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

07:13:16:468 3360 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

07:13:16:500 3360 Sntnlusb (a1ff7d99b199cea1f3df371ba70d2780) C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS

07:13:16:546 3360 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

07:13:16:609 3360 sptd (4f576e516cc76ec50a244586bcfa1c78) C:\WINDOWS\System32\Drivers\sptd.sys

07:13:16:656 3360 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

07:13:16:750 3360 SRTSP (ec5c3c6260f4019b03dfaa03ec8cbf6a) C:\WINDOWS\System32\Drivers\NIS\1107000.00C\SRTSP.SYS

07:13:16:781 3360 SRTSPX (55d5c37ed41231e3ac2063d16df50840) C:\WINDOWS\system32\drivers\NIS\1107000.00C\SRTSPX.SYS

07:13:16:828 3360 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys

07:13:16:906 3360 st3wolf (1e9a652d898cc96038e5e5554f79c49f) C:\WINDOWS\system32\DRIVERS\st3wolf.sys

07:13:16:953 3360 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

07:13:16:984 3360 stwlfbus (24e09d134304fbc605626fced3e4cb50) C:\WINDOWS\system32\DRIVERS\stwlfbus.sys

07:13:17:046 3360 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

07:13:17:093 3360 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

07:13:17:156 3360 SymDS (56890bf9d9204b93042089d4b45ae671) C:\WINDOWS\system32\drivers\NIS\1107000.00C\SYMDS.SYS

07:13:17:187 3360 SymEFA (1c91df5188150510a6f0cf78f7d94b69) C:\WINDOWS\system32\drivers\NIS\1107000.00C\SYMEFA.SYS

07:13:17:218 3360 SymEvent (961b48b86f94d4cc8ceb483f8aa89374) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

07:13:17:250 3360 SymIRON (dc80fbf0a348e54853ef82eed4e11e35) C:\WINDOWS\system32\drivers\NIS\1107000.00C\Ironx86.SYS

07:13:17:281 3360 SYMTDI (41aad61f87ca8e3b5d0f7fe7fba0797d) C:\WINDOWS\System32\Drivers\NIS\1107000.00C\SYMTDI.SYS

07:13:17:359 3360 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

07:13:17:437 3360 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys

07:13:17:468 3360 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

07:13:17:500 3360 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

07:13:17:546 3360 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

07:13:17:593 3360 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

07:13:17:656 3360 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

07:13:17:703 3360 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys

07:13:17:750 3360 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

07:13:17:796 3360 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

07:13:17:859 3360 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

07:13:17:906 3360 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

07:13:17:968 3360 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

07:13:18:000 3360 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

07:13:18:031 3360 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

07:13:18:078 3360 vdiskbus (d1528fa039ff71779a3ea6296f746a23) C:\WINDOWS\system32\DRIVERS\vdiskbus.sys

07:13:18:109 3360 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

07:13:18:156 3360 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

07:13:18:203 3360 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

07:13:18:250 3360 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

07:13:18:296 3360 WsAudio_DeviceS(1) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(1).sys

07:13:18:328 3360 WsAudio_DeviceS(2) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(2).sys

07:13:18:343 3360 WsAudio_DeviceS(3) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(3).sys

07:13:18:359 3360 WsAudio_DeviceS(4) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(4).sys

07:13:18:390 3360 WsAudio_DeviceS(5) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(5).sys

07:13:18:421 3360 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

07:13:18:468 3360 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

07:13:18:500 3360 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

07:13:18:500 3360

07:13:18:500 3360 Completed

07:13:18:500 3360

07:13:18:500 3360 Results:

07:13:18:500 3360 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

07:13:18:500 3360 File objects infected / cured / cured on reboot: 0 / 0 / 0

07:13:18:500 3360

07:13:18:625 3360 KLMD(ARK) unloaded successfully

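The TDSSKiller run requested above (with -l report.txt) and the report it produced deserve more than a glance at the "0 / 0 / 0" results lines. The script below is an added example written for this thread; it is not TDSSKiller's own code, nor anything posted by Elise or Rich. It parses the "Scanning Drivers" lines of a report in the format shown above and applies the three checks a responder would otherwise do by eye: drivers loaded from outside the Windows driver directories, core drivers whose MD5 differs from a known-good baseline, and drivers that share one hash under different names. The line format is assumed from the posted report, the KNOWN_GOOD baseline is a constructed allowlist copied from the clean report purely for illustration (a real baseline comes from a clean install of the same OS build and service pack), and the second "tampered" report is constructed to show what an in-place patched driver looks like to the hash check.

```python
r"""Triage a TDSSKiller ``-l report.txt`` driver listing.

Added example for this thread; not TDSSKiller's own code or any poster's.
The line format is ASSUMED from the report posted above:
    HH:MM:SS:mmm PID Name (md5) C:\path\to\driver.sys
"""
import re
from collections import defaultdict

# One driver line: timestamp, PID, service name, (md5), image path.
DRIVER_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>[A-Za-z]:\\.*?)\s*$"
)
# The two "Results:" summary lines at the end of the report.
RESULT_LINE = re.compile(
    r"^\S+\s+\d+\s+(?P<kind>Registry|File) objects infected / cured / cured on reboot:"
    r"\s*(?P<infected>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)"
)

# Constructed sample: a handful of lines excerpted from the report posted above.
SAMPLE_REPORT = r"""
07:13:10:312 3360 Scanning Drivers ...
07:13:10:937 3360 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
07:13:11:250 3360 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
07:13:11:625 3360 BHDrvx86 (87c00decc19bd995217a4a5fdd4d638c) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100709.001\BHDrvx86.sys
07:13:13:734 3360 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
07:13:16:609 3360 sptd (4f576e516cc76ec50a244586bcfa1c78) C:\WINDOWS\System32\Drivers\sptd.sys
07:13:18:296 3360 WsAudio_DeviceS(1) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(1).sys
07:13:18:328 3360 WsAudio_DeviceS(2) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(2).sys
07:13:18:500 3360 Completed
07:13:18:500 3360 Results:
07:13:18:500 3360 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
07:13:18:500 3360 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

# Constructed: same report, but atapi.sys carries a different hash. This is the
# TDL3 pattern (a legitimate driver patched in place) as seen by the hash check.
TAMPERED_MD5 = "0" * 32
TAMPERED_REPORT = SAMPLE_REPORT.replace("9f3a2f5aa6875c72bf062c712cfa2674", TAMPERED_MD5)

# ASSUMED baseline of known-good MD5s, copied from the clean report above purely
# for the demonstration. Build a real one from a clean install of the same build.
KNOWN_GOOD = {
    "atapi.sys": "9f3a2f5aa6875c72bf062c712cfa2674",
    "acpi.sys": "8fd99680a539792a30e97944fdaecf17",
}


def parse_drivers(report_text):
    """Return one dict (name, md5, path) per driver line, in report order."""
    drivers = []
    for line in report_text.splitlines():
        m = DRIVER_LINE.match(line)
        if m:
            drivers.append({"name": m["name"], "md5": m["md5"], "path": m["path"]})
    return drivers


def parse_results(report_text):
    """Return {'registry': (infected, cured, cured_on_reboot), 'file': (...)}."""
    results = {}
    for line in report_text.splitlines():
        m = RESULT_LINE.match(line)
        if m:
            results[m["kind"].lower()] = (int(m["infected"]), int(m["cured"]), int(m["reboot"]))
    return results


def outside_system_dirs(drivers, windir=r"C:\WINDOWS"):
    """Check 1: drivers whose image lives outside %WINDIR%\\system32 (case-insensitive)."""
    prefix = (windir + "\\system32\\").lower()
    return [d for d in drivers if not d["path"].lower().startswith(prefix)]


def baseline_mismatches(drivers, baseline=KNOWN_GOOD):
    """Check 2: (file, actual_md5, expected_md5) for baseline drivers whose hash differs."""
    mismatches = []
    for d in drivers:
        fname = d["path"].rsplit("\\", 1)[-1].lower()
        expected = baseline.get(fname)
        if expected is not None and d["md5"] != expected:
            mismatches.append((fname, d["md5"], expected))
    return mismatches


def shared_hashes(drivers):
    """Check 3: {md5: [names]} for hashes that appear under more than one service name."""
    by_md5 = defaultdict(list)
    for d in drivers:
        by_md5[d["md5"]].append(d["name"])
    return {h: names for h, names in by_md5.items() if len(names) > 1}


def triage(report_text):
    """Run every check and return a summary dict suitable for logging or a ticket."""
    drivers = parse_drivers(report_text)
    return {
        "driver_count": len(drivers),
        "results": parse_results(report_text),
        "outside_system_dirs": [(d["name"], d["path"]) for d in outside_system_dirs(drivers)],
        "baseline_mismatches": baseline_mismatches(drivers),
        "shared_hashes": shared_hashes(drivers),
    }


if __name__ == "__main__":
    for label, text in (("clean report", SAMPLE_REPORT), ("tampered report", TAMPERED_REPORT)):
        print(f"== {label} ==")
        for key, value in triage(text).items():
            print(f"{key}: {value}")
```

On the posted report the first check only flags the Norton definition drivers under Documents and Settings and the Symantec/SUPERAntiSpyware drivers under Program Files, which is expected; the five WsAudio_DeviceS entries sharing one hash are the same file registered under several names, not a finding. The one thing a hash comparison cannot do is see through a rootkit that hides the real contents of the file it patched, which is why TDSSKiller reads the disk through its own driver (the klmd23 entry, unloaded as "KLMD(ARK)" at the end of the log) rather than trusting the normal file system path, and why Defogger was run first to take sptd-style disk filter drivers out of the picture.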

Let's see if we can find out what is causing this.

If you connect to the internet using a router, please reset it.

Please click Start > Run, type cmd and press Enter.

Type ipconfig /flushdns and press Enter.

Please let me know if after these steps you still get IP blocks.

Also launch MBAM, update it and run a full scan. Post me the resulting log.


Malwarebytes is still scanning. While it was scanning, it triggered Norton with the threat Backdoor.Tidserv!inf in System Restore. See pic.

Should I still have Norton disabled? Is it true that when System Restore points are infected it is best to just turn System Restore off to wipe them out and then turn it back on? I have done that in the past with success.

[Attached screenshot: post-46241-1279121030_thumb.jpg]


Norton detects that MBAM is scanning an infected file in System Restore. This is nothing to worry about.

When you are all cleaned up, we will do some last steps that will also reset System Restore. It's not a good idea to do that now, because, who knows, something might go wrong and you would end up with no restore points to fall back on.


This topic is now closed to further replies.