
From: antimalware doctor


Dziner


About 3 hours ago I became infected with the Antimalware Doctor rogue. I have reviewed just about all of the information I have been able to easily locate while borrowing someone else's computer and performing Google searches. I followed instructions on www.bleepingcomputer.com.

I can only run Malwarebytes while in safe mode, but upon re-entering normal mode Antimalware Doctor is back in full form, even though in safe mode Malwarebytes claimed to have removed numerous files (some named Rogue.Antimalware).

The current Malwarebytes full scan is turning up zero objects, yet once in normal mode I am not allowed to activate ANY programs on the computer. I have tried renaming mbam.exe to explorer.exe, and I have run rkill.com, which is supposedly intended to cancel any malware background processes. I cannot access Task Manager or mbam.exe (even after renaming it explorer); I cannot access the internet, the Control Panel, or cmd.exe; you get the idea. The infection has effectively locked me out of my system.

I need HELP. I use this system to log in to my work VPN, and if I cannot resolve this soon it may cost me my job!


Hello,

And ;) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning; it is ok, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.


I ran OTL successfully in safe mode. However, RKUnhookerLE would not run. I got the message you described about the "parasite inside itself"; I ignored it as instructed, and an "Error" window popped up stating "Program integrity damaged!"

OTL logfile created on: 9/3/2010 11:00:22 AM - Run 1

OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 90.00% Memory free

5.00 Gb Paging File | 5.00 Gb Available in Paging File | 98.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 149.01 Gb Total Space | 99.41 Gb Free Space | 66.71% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

Drive H: | 7.47 Gb Total Space | 4.19 Gb Free Space | 56.10% Space Free | Partition Type: FAT32

I: Drive not present or media not loaded

Computer Name: DZINER

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: SafeMode with Networking

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/08/28 14:31:28 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2010/09/02 20:10:30 | 000,030,000 | ---- | M] () -- C:\WINDOWS\system32\yw5giy0.dll

MOD - [2010/08/28 14:31:28 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - [2010/04/01 17:41:24 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2009/06/17 13:49:44 | 000,616,408 | ---- | M] () [Auto | Stopped] -- C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe -- (AntiSpywareService)

SRV - [2009/03/16 21:57:26 | 000,254,034 | ---- | M] (IDT, Inc.) [Auto | Stopped] -- c:\drivers\audio\R213367\stacsv.exe -- (STacSV)

SRV - [2009/03/05 23:57:56 | 000,227,352 | ---- | M] (SonicWALL, Inc.) [Auto | Stopped] -- C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe -- (SWGVCSvc)

SRV - [2009/03/01 19:09:22 | 000,077,824 | ---- | M] (Smith Micro Software, Inc.) [Auto | Stopped] -- C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe -- (SMManager)

SRV - [2009/02/06 21:06:56 | 000,443,168 | ---- | M] (Dell Inc.) [Auto | Stopped] -- C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe -- (dcpsysmgrsvc)

SRV - [2009/01/14 11:23:50 | 000,991,232 | ---- | M] (Wave Systems Corp.) [Auto | Stopped] -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe -- (TdmService)

SRV - [2008/12/29 12:07:28 | 000,320,800 | ---- | M] (Dell Inc.) [Auto | Stopped] -- C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe -- (buttonsvc32)

SRV - [2008/12/12 10:54:00 | 000,638,976 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe -- (SecureStorageService)

SRV - [2008/12/04 17:03:00 | 000,226,640 | ---- | M] (Microsoft Corp.) [Auto | Stopped] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)

SRV - [2008/11/12 14:25:48 | 001,273,856 | ---- | M] () [Auto | Stopped] -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe -- (tcsd_win32.exe)

SRV - [2008/10/16 20:35:28 | 000,116,032 | ---- | M] (LogMeIn, Inc.) [Auto | Stopped] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)

SRV - [2008/07/24 18:46:10 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Auto | Stopped] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)

SRV - [2008/07/01 19:57:10 | 000,110,592 | ---- | M] (Broadcom Corporation) [Auto | Stopped] -- C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe -- (BrcmMgmtAgent)

SRV - [2008/06/27 14:47:22 | 001,664,248 | ---- | M] (AuthenTec, Inc.) [Auto | Stopped] -- C:\Program Files\Fingerprint Sensor\AtService.exe -- (ATService)

SRV - [2008/06/15 07:12:20 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®

SRV - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)

SRV - [2008/04/14 08:00:00 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)

SRV - [2008/04/14 08:00:00 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)

SRV - [2007/09/26 13:55:04 | 000,283,912 | ---- | M] (CA, Inc.) [Auto | Stopped] -- C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe -- (ITMRTSVC)

SRV - [2006/03/17 06:34:24 | 000,115,952 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)

SRV - [2006/03/17 06:34:20 | 001,799,408 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)

SRV - [2006/03/17 06:34:12 | 000,030,448 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)

SRV - [2006/03/07 13:03:02 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)

SRV - [2006/03/07 13:02:34 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)

SRV - [2006/02/23 11:41:02 | 002,045,632 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)

SRV - [2006/02/06 12:50:24 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)

SRV - [2006/01/24 20:06:58 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)

SRV - [2004/02/24 15:15:58 | 000,069,632 | ---- | M] (Panasonic) [Auto | Stopped] -- C:\Program Files\Panasonic\TrapMonitor\Trapmnnt.exe -- (Panasonic Trap Monitor Service)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\NvtSp50.sys -- (NvtSp50)

DRV - [2010/07/15 04:00:00 | 001,362,608 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100827.003\NAVEX15.SYS -- (NAVEX15)

DRV - [2010/07/15 04:00:00 | 000,085,424 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100827.003\NAVENG.SYS -- (NAVENG)

DRV - [2010/06/11 04:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2010/06/04 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)

DRV - [2009/05/25 15:43:58 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5)

DRV - [2009/05/05 07:02:01 | 001,287,552 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)

DRV - [2009/03/16 21:57:30 | 001,545,795 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)

DRV - [2009/03/16 21:57:12 | 000,112,512 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)

DRV - [2009/03/05 23:58:12 | 000,087,064 | ---- | M] (SonicWALL, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SWIPsec.sys -- (SWIPsec)

DRV - [2009/03/04 18:03:32 | 000,021,016 | ---- | M] (SonicWALL, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SWVNIC.sys -- (SWVNIC)

DRV - [2009/03/01 19:01:04 | 000,027,072 | R--- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)

DRV - [2009/02/26 17:08:52 | 000,109,568 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®

DRV - [2009/02/26 17:08:34 | 006,278,560 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)

DRV - [2009/02/22 17:51:20 | 000,170,032 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)

DRV - [2009/01/16 17:41:06 | 000,208,824 | ---- | M] (Wave Systems Corp.) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\WavxDMgr.sys -- (WavxDMgr)

DRV - [2008/11/16 18:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)

DRV - [2008/10/16 20:35:58 | 000,083,288 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)

DRV - [2008/09/10 18:18:18 | 000,176,640 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)

DRV - [2008/08/14 07:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\adfs.sys -- (adfs)

DRV - [2008/07/24 18:46:12 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Stopped] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)

DRV - [2008/07/24 18:46:10 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)

DRV - [2008/07/24 18:45:20 | 000,012,192 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\radpms.sys -- (radpms)

DRV - [2008/07/12 14:58:08 | 000,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Stopped] -- C:\Program Files\Broadcom\MgmtAgent\BASFND.sys -- (BASFND)

DRV - [2008/07/02 17:54:04 | 000,318,488 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)

DRV - [2008/07/01 18:42:28 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)

DRV - [2008/06/06 10:15:40 | 000,098,816 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp)

DRV - [2008/06/04 14:14:00 | 000,026,608 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\PBADRV.sys -- (PBADRV)

DRV - [2008/04/14 08:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)

DRV - [2008/04/14 08:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)

DRV - [2008/04/14 08:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2007/07/23 16:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)

DRV - [2007/07/23 16:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)

DRV - [2007/07/23 16:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)

DRV - [2007/07/23 16:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)

DRV - [2007/07/23 16:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)

DRV - [2007/07/23 16:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)

DRV - [2007/07/23 16:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)

DRV - [2007/07/23 16:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)

DRV - [2007/07/23 15:55:44 | 000,099,808 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)

DRV - [2007/07/23 15:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)

DRV - [2007/07/23 15:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM)

DRV - [2007/07/23 15:43:42 | 000,052,000 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)

DRV - [2006/02/06 12:50:22 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)

DRV - [2006/01/31 13:29:20 | 000,107,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)

DRV - [2006/01/24 20:06:36 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)

DRV - [2006/01/24 20:06:32 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)

DRV - [2005/12/19 20:41:58 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)

DRV - [2005/12/19 20:41:56 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)

DRV - [2004/12/06 14:26:16 | 000,423,454 | ---- | M] (Sony Corporation) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\sonypvt3.sys -- (sonypvt3)

DRV - [2004/11/15 13:55:14 | 000,619,390 | ---- | M] (Sony Corporation) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\sonypvf3.sys -- (sonypvf3)

DRV - [2004/09/22 11:55:38 | 000,018,110 | ---- | M] (Sony Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sonypvl3.sys -- (sonypvl3)

DRV - [2001/08/17 22:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)

DRV - [2001/08/17 22:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)

DRV - [2001/08/17 22:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)

DRV - [2001/08/17 22:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)

DRV - [2001/08/17 22:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)

DRV - [2001/08/17 21:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)

DRV - [2001/08/17 21:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)

DRV - [2001/08/17 21:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)

DRV - [2001/08/17 21:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)

DRV - [2001/08/17 21:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)

DRV - [2001/08/17 21:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)

DRV - [2001/08/17 21:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)

DRV - [2001/08/17 21:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)

DRV - [2001/08/17 21:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)

DRV - [2001/08/17 21:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)

DRV - [2001/08/17 14:05:16 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OVCD.sys -- (QCDonner)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.msn.com/sphome.aspx

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USREL/1

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USREL/1

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USREL/1

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-139856410-250427278-393317549-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1

IE - HKU\S-1-5-21-139856410-250427278-393317549-500\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com

IE - HKU\S-1-5-21-139856410-250427278-393317549-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com

IE - HKU\S-1-5-21-139856410-250427278-393317549-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USREL/1

IE - HKU\S-1-5-21-139856410-250427278-393317549-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{37EFA6E0-27CD-4204-9064-50E6A62FC21F}: C:\Documents and Settings\Dan\Local Settings\Application Data\{37EFA6E0-27CD-4204-9064-50E6A62FC21F} [2010/09/02 20:12:08 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010/04/01 17:39:55 | 000,000,767 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 activate.adobe.com

O2 - BHO: (C:\WINDOWS\system32\yw5giy0.dll) - {B1BA40A2-75F2-51BD-F413-04B13A2C8953} - C:\WINDOWS\system32\yw5giy0.dll ()

O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKLM\..\Toolbar: (Comcast Toolbar) - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll ()

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)

O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)

O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)

O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

O4 - HKLM..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe (Wave Systems Corp.)

O4 - HKLM..\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)

O4 - HKLM..\Run: [DellConnectionManager] C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe (Smith Micro Software, Inc.)

O4 - HKLM..\Run: [DellControlPoint] C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe (Dell Inc.)

O4 - HKLM..\Run: [EmbassySecurityCheck] C:\Program Files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe (Wave Systems Corp.)

O4 - HKLM..\Run: [Fwehudajugabo] C:\WINDOWS\apukogevusukase.DLL ()

O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)

O4 - HKLM..\Run: [guittrov] C:\Documents and Settings\Dan\Local Settings\Application Data\rkdrvkqov\txpsrqwshdw.exe (Security Suites Corporation)

O4 - HKLM..\Run: [HPWQTOOLBOX] C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe (Hewlett-Packard Company)

O4 - HKLM..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)

O4 - HKLM..\Run: [KernelFaultCheck] File not found

O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)

O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)

O4 - HKLM..\Run: [secureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe (Wave Systems Corp.)

O4 - HKLM..\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)

O4 - HKLM..\Run: [uSCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe (Broadcom Corporation)

O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)

O4 - HKLM..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe (Wave Systems Corp.)

O4 - HKLM..\Run: [zzzHPSETUP] File not found

O4 - HKU\S-1-5-21-139856410-250427278-393317549-500..\Run: [iSUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell ControlPoint System Manager.lnk = C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe (Dell Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Job Status Utility.lnk = C:\Program Files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe (Panasonic Communications Co., Ltd.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-139856410-250427278-393317549-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1275093354458 (WUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)

O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace.com/upload/MySpaceUploader2.cab (MySpace Uploader Control)

O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)

O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)

O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)

O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)

O22 - SharedTaskScheduler: {B1BA40A2-75F2-51BD-F413-04B13A2C8953} - hasf87hdfuidhfiudfhdiu - C:\WINDOWS\system32\yw5giy0.dll ()

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/10/25 01:26:52 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2008/05/06 08:26:23 | 000,000,309 | R--- | M] () - E:\autorun.inf -- [ CDFS ]

O33 - MountPoints2\E\Shell - "" = AutoRun

O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- [2007/10/23 03:45:39 | 001,336,632 | R--- | M] ()

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/09/03 10:59:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\tdsskiller

[2010/09/03 10:59:23 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2010/09/03 10:59:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe

[2010/09/03 10:59:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe

[2010/09/03 08:19:16 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC

[2010/09/02 23:07:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss

[2010/09/02 21:43:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt

[2010/09/02 21:13:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

[2010/09/02 21:13:12 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/09/02 21:13:11 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/09/02 21:13:11 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/09/02 21:13:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/08/25 21:51:48 | 000,087,064 | ---- | C] (SonicWALL, Inc.) -- C:\WINDOWS\System32\drivers\SWIPsec.sys

[2010/08/25 21:51:05 | 000,000,000 | ---D | C] -- C:\Program Files\SonicWALL

[2010/08/25 21:51:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Deterministic Networks

[2010/07/28 19:34:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WEngineLite

[2010/07/28 19:34:33 | 000,000,000 | ---D | C] -- C:\Program Files\Verizon Wireless

[2010/07/28 19:34:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Verizon Wireless

[2010/07/28 19:33:02 | 000,000,000 | ---D | C] -- C:\Program Files\HTC

[2010/07/16 22:03:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\SupportSoft

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/09/03 10:59:21 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT

[2010/09/03 10:55:50 | 000,570,276 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/09/03 10:55:50 | 000,475,998 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/09/03 10:55:50 | 000,082,508 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/09/03 10:51:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/09/03 10:44:06 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/09/03 10:43:52 | 000,001,553 | ---- | M] () -- C:\WINDOWS\lsrslt.ini

[2010/09/03 10:16:50 | 000,002,838 | ---- | M] () -- C:\WINDOWS\owufesufiy.dll

[2010/09/03 10:15:10 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job

[2010/09/03 10:14:47 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/09/03 10:13:03 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini

[2010/09/03 10:13:00 | 004,240,656 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db

[2010/09/03 08:02:15 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/09/03 07:51:00 | 000,002,838 | ---- | M] () -- C:\WINDOWS\uzawiqul.dll

[2010/09/02 21:47:55 | 000,002,838 | ---- | M] () -- C:\WINDOWS\uxorivew.dll

[2010/09/02 21:06:38 | 000,002,838 | ---- | M] () -- C:\WINDOWS\ubamudutibofe.dll

[2010/09/02 20:56:27 | 000,791,552 | ---- | M] () -- C:\WINDOWS\System32\drivers\saqstqex.sys

[2010/09/02 20:10:30 | 000,030,000 | ---- | M] () -- C:\WINDOWS\System32\yw5giy0.dll

[2010/09/02 20:10:30 | 000,030,000 | ---- | M] () -- C:\WINDOWS\System32\hzegdi.dll

[2010/09/02 20:10:30 | 000,030,000 | ---- | M] () -- C:\WINDOWS\System32\h3gckq.dll

[2010/08/29 18:34:11 | 000,000,165 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI

[2010/08/28 14:31:28 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2010/08/27 18:52:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2010/07/19 10:13:17 | 000,059,176 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat

[2010/07/19 10:12:11 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/06/25 07:55:13 | 002,145,872 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/03 10:59:25 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RKUnhookerLE.EXE

[2010/09/03 10:16:50 | 000,002,838 | ---- | C] () -- C:\WINDOWS\owufesufiy.dll

[2010/09/03 07:51:00 | 000,002,838 | ---- | C] () -- C:\WINDOWS\uzawiqul.dll

[2010/09/02 22:25:07 | 000,001,553 | ---- | C] () -- C:\WINDOWS\lsrslt.ini

[2010/09/02 21:47:55 | 000,002,838 | ---- | C] () -- C:\WINDOWS\uxorivew.dll

[2010/09/02 21:06:38 | 000,002,838 | ---- | C] () -- C:\WINDOWS\ubamudutibofe.dll

[2010/09/02 20:10:34 | 000,791,552 | ---- | C] () -- C:\WINDOWS\System32\drivers\saqstqex.sys

[2010/09/02 20:10:30 | 000,030,000 | ---- | C] () -- C:\WINDOWS\System32\yw5giy0.dll

[2010/09/02 20:10:30 | 000,030,000 | ---- | C] () -- C:\WINDOWS\System32\hzegdi.dll

[2010/09/02 20:10:30 | 000,030,000 | ---- | C] () -- C:\WINDOWS\System32\h3gckq.dll

[2010/04/01 08:27:36 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini

[2010/04/01 08:27:35 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini

[2010/01/19 20:43:11 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI

[2009/10/07 15:38:16 | 000,000,706 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log

[2009/06/20 16:07:39 | 000,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

[2009/06/16 21:42:00 | 000,000,397 | ---- | C] () -- C:\WINDOWS\hpw9800k.ini

[2009/06/16 21:40:35 | 000,000,092 | ---- | C] () -- C:\WINDOWS\hpdj9800.ini

[2009/06/16 21:40:31 | 000,001,455 | ---- | C] () -- C:\WINDOWS\mariner.ini

[2009/05/14 08:55:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI

[2009/05/14 08:45:54 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2009/05/11 15:39:38 | 000,204,856 | ---- | C] () -- C:\WINDOWS\System32\instut32.dll

[2009/05/11 15:39:37 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\UninsUsb.dll

[2009/05/11 15:39:30 | 000,315,248 | ---- | C] () -- C:\WINDOWS\System32\RPTlpr.dll

[2009/05/11 15:39:30 | 000,312,764 | ---- | C] () -- C:\WINDOWS\System32\LPRlpr.dll

[2009/05/11 15:39:28 | 000,000,212 | ---- | C] () -- C:\Program Files\Setup.log

[2009/05/11 15:39:24 | 000,000,132 | ---- | C] () -- C:\Program Files\PanaHDS.ini

[2009/05/05 09:37:45 | 000,001,154 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2009/05/05 07:10:49 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2009/05/05 07:10:08 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\WavXMapDrive.bat

[2009/05/05 07:05:25 | 000,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2009/05/05 07:02:09 | 000,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll

[2009/05/05 06:54:53 | 000,080,368 | ---- | C] () -- C:\WINDOWS\System32\pbadrvdll.dll

[2009/03/01 19:01:02 | 000,143,360 | R--- | C] () -- C:\WINDOWS\System32\preflib.dll

[2008/12/22 13:13:54 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\wxvault.dll

[2008/12/19 19:59:18 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_tr.dll

[2008/12/19 19:59:16 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ro.dll

[2008/12/19 19:59:16 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pt-BR.dll

[2008/12/19 19:59:14 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_hu.dll

[2008/12/19 19:59:14 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_he.dll

[2008/12/19 19:59:12 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_fi.dll

[2008/12/19 19:59:10 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_el.dll

[2008/12/19 19:59:10 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_cs.dll

[2008/12/19 19:59:08 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ar.dll

[2008/12/19 19:59:06 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHT.dll

[2008/12/19 19:59:06 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHS.dll

[2008/12/19 19:59:04 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_sv.dll

[2008/12/19 19:59:04 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ru.dll

[2008/12/19 19:59:02 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pt.dll

[2008/12/19 19:59:00 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pl.dll

[2008/12/19 19:59:00 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_no.dll

[2008/12/19 19:58:58 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_nl.dll

[2008/12/19 19:58:56 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ja.dll

[2008/12/19 19:58:56 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ko.dll

[2008/12/19 19:58:54 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_it.dll

[2008/12/19 19:58:54 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_fr.dll

[2008/12/19 19:58:52 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_es.dll

[2008/12/19 19:58:50 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_de.dll

[2008/12/19 19:58:48 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_da.dll

[2008/12/11 16:51:36 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\Wavx_ESC_Logging.dll

[2008/12/11 13:59:48 | 000,512,000 | ---- | C] () -- C:\WINDOWS\System32\AmRes_en.dll

[2008/12/11 13:59:46 | 000,540,672 | ---- | C] () -- C:\WINDOWS\System32\AmRes_fr.dll

[2008/12/11 13:59:46 | 000,540,672 | ---- | C] () -- C:\WINDOWS\System32\AmRes_es.dll

[2008/12/11 13:59:46 | 000,536,576 | ---- | C] () -- C:\WINDOWS\System32\AmRes_it.dll

[2008/12/11 13:59:44 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ja.dll

[2008/12/11 13:59:44 | 000,503,808 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ko.dll

[2008/12/11 13:59:42 | 000,565,248 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ru.dll

[2008/12/11 13:59:42 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pt-BR.dll

[2008/12/11 13:59:40 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\AmRes_da.dll

[2008/12/11 13:59:40 | 000,479,232 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHT.dll

[2008/12/11 13:59:40 | 000,475,136 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHS.dll

[2008/12/11 13:59:38 | 000,540,672 | ---- | C] () -- C:\WINDOWS\System32\AmRes_nl.dll

[2008/12/11 13:59:38 | 000,512,000 | ---- | C] () -- C:\WINDOWS\System32\AmRes_no.dll

[2008/12/11 13:59:36 | 000,528,384 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pl.dll

[2008/12/11 13:59:36 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\AmRes_sv.dll

[2008/12/11 13:59:36 | 000,512,000 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ar.dll

[2008/12/11 13:59:34 | 000,536,576 | ---- | C] () -- C:\WINDOWS\System32\AmRes_el.dll

[2008/12/11 13:59:34 | 000,528,384 | ---- | C] () -- C:\WINDOWS\System32\AmRes_cs.dll

[2008/12/11 13:59:34 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\AmRes_fi.dll

[2008/12/11 13:59:34 | 000,503,808 | ---- | C] () -- C:\WINDOWS\System32\AmRes_he.dll

[2008/12/11 13:59:32 | 000,532,480 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pt-PT.dll

[2008/12/11 13:59:32 | 000,528,384 | ---- | C] () -- C:\WINDOWS\System32\AmRes_hu.dll

[2008/12/11 13:59:30 | 000,532,480 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ro.dll

[2008/12/11 13:59:30 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\AmRes_tr.dll

[2008/12/11 13:56:30 | 000,544,768 | ---- | C] () -- C:\WINDOWS\System32\AmRes_de.dll

[2008/10/06 19:36:56 | 000,839,680 | ---- | C] () -- C:\WINDOWS\System32\DemoLicense.dll

[2008/04/25 17:42:40 | 000,064,200 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2008/04/25 17:26:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2008/04/25 12:16:27 | 000,266,240 | ---- | C] () -- C:\WINDOWS\apukogevusukase.dll

[2008/04/25 12:16:27 | 000,075,264 | ---- | C] () -- C:\WINDOWS\seyrapks.dll

[2008/03/25 10:46:00 | 000,077,536 | ---- | C] () -- C:\WINDOWS\System32\xltZlib.dll

[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini

[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini

[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

[2007/08/06 11:07:30 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll

[2006/06/30 13:58:44 | 000,176,128 | R--- | C] () -- C:\WINDOWS\System32\bioapi_mds300.dll

[2006/06/30 13:58:44 | 000,126,976 | R--- | C] () -- C:\WINDOWS\System32\bioapi100.dll

[2006/06/12 09:01:16 | 000,348,160 | ---- | C] () -- C:\WINDOWS\tsp.dll

[2004/09/10 14:34:00 | 000,917,504 | ---- | C] () -- C:\WINDOWS\System32\lmgr10.dll

[2004/09/10 14:34:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ADsSecurity.dll

[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/05/05 07:00:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Broadcom

[2009/05/05 07:10:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Wave Systems Corp

[2009/05/05 06:51:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search

[2009/05/05 07:03:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AT&T

[2009/05/27 07:21:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn

[2009/05/05 06:57:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems

[2009/09/03 19:31:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft

[2009/05/05 07:00:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp

[2010/07/28 19:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WEngineLite

[2010/04/19 18:40:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

[2010/09/02 21:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\5B24A3E99D25C80BA4C1AC326090F581

[2009/05/05 07:00:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Broadcom

[2010/07/30 20:24:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\CallingID

[2010/08/25 21:43:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\comcasttb

[2009/10/19 17:48:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Nemetschek

[2009/05/05 07:10:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Wave Systems Corp

[2009/05/05 06:51:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Windows Desktop Search

[2009/05/11 15:33:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Windows Search

[2009/05/05 07:00:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Broadcom

[2009/05/05 07:10:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Wave Systems Corp

[2009/05/05 06:51:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Windows Desktop Search

[2009/05/05 07:00:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Broadcom

[2009/05/05 07:10:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Wave Systems Corp

[2009/05/05 06:51:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Windows Desktop Search

========== Purity Check ==========

< End of report >


OTL Extras logfile created on: 9/3/2010 11:00:22 AM - Run 1

OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 90.00% Memory free

5.00 Gb Paging File | 5.00 Gb Available in Paging File | 98.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 149.01 Gb Total Space | 99.41 Gb Free Space | 66.71% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

Drive H: | 7.47 Gb Total Space | 4.19 Gb Free Space | 56.10% Space Free | Partition Type: FAT32

I: Drive not present or media not loaded

Computer Name: DZINER

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: SafeMode with Networking

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

"C:\Program Files\Panasonic\TrapMonitor\Trapmnnt.exe" = C:\Program Files\Panasonic\TrapMonitor\Trapmnnt.exe:*:Enabled:Panasonic Trap Monitor Service -- (Panasonic)

"C:\Program Files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe" = C:\Program Files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe:*:Enabled:Panasonic Trap Receiving Services -- (Panasonic Communications Co., Ltd.)

"C:\Program Files\VectorWorks 2008\VectorWorks2008.exe" = C:\Program Files\VectorWorks 2008\VectorWorks2008.exe:*:Enabled:VectorWorks 2008 Application -- (Nemetschek North America, Inc.)

"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVC.exe" = C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVC.exe:*:Enabled:SonicWALL Global VPN Client -- (SonicWALL, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4

"{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}" = Windows Live Call

"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools

"{03B1B42B-F6DE-41d9-8CFF-DC44E895C7A7}" = PhotoGallery

"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4

"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4

"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module

"{07D618CD-B016-438A-ADC9-A75BD23F85CE}" = Wave Support Software

"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler

"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations

"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger

"{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager

"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data

"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4

"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4

"{12872B4E-90F7-44E5-B1AA-D13AFEC8618B}" = First Step Guide

"{15095BF3-A3D7-4DDF-B193-3A496881E003}" = Microsoft .NET Framework 3.0

"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update

"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4

"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4

"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB

"{173497F1-F291-4AA7-943E-61CB9378771D}" = SO32MMWrapper

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool

"{21DB3D90-D816-4092-A260-CA3F6B55A6DD}" = Sonic_PrimoSDK

"{2220CF3A-EBD6-4070-94D0-0C7337B537A7}" = All Day Battery Life Configuration

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{23A7B376-BBEC-4e76-BBD7-0F155E70D74B}" = CP_Panorama1Config

"{24A494F3-5B5F-4183-9F7D-9CE82812C1FC}" = tsp patch

"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype


As I explained, RKU would not load.

Upon double-clicking, a pop-up dialogue box comes up displaying

"Warning - Integrity checking

Rootkit Unhooker has detected parasite inside itself!

It is recommended to remove parasite, okay?

Parasite type: Unknown remote thread

Thread ID: 1664

Priority: 8

Thread start address: 0x77DF845A

Module: advapi32.dll

OK Cancel"

As instructed, I ignored this message by clicking the "X" in the upper right corner of the dialogue box. This is followed by another pop-up dialogue box displaying

"Error

Program integrity damaged!

OK"

I again ignore the message and click the "X" in the upper right corner, which prompts a third dialogue box displaying

"Error

Error loading/opening driver

OK"

By ignoring this final prompt and clicking the "X" in the upper right corner, the dialogue box disappears and the system goes back to its idle state.


In that case, let's just skip it.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


I got a dialogue box

Rootkit !!

ComboFix has detected the presence of rootkit activity and needs to reboot the machine

OK

Should I follow the prompt? If so, and it reboots, should I pull it back into Safe Mode with Networking or use the Recovery Console that it just installed? Please advise before I make a mess of this thing!


ComboFix 10-09-02.04 - Administrator 09/03/2010 14:02:39.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3027.2761 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\debug.exe

c:\docume~1\ADMINI~1\LOCALS~1\Temp\iexplarer.exe

c:\docume~1\ADMINI~1\LOCALS~1\Temp\lsass.exe

c:\docume~1\ADMINI~1\LOCALS~1\Temp\svchost.exe

c:\docume~1\ADMINI~1\LOCALS~1\Temp\win16.exe

c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk

c:\documents and settings\Dan\.COMMgr

c:\documents and settings\Dan\Local Settings\Application Data\{37EFA6E0-27CD-4204-9064-50E6A62FC21F}

c:\documents and settings\Dan\Local Settings\Application Data\{37EFA6E0-27CD-4204-9064-50E6A62FC21F}\chrome.manifest

c:\documents and settings\Dan\Local Settings\Application Data\{37EFA6E0-27CD-4204-9064-50E6A62FC21F}\chrome\content\_cfg.js

c:\documents and settings\Dan\Local Settings\Application Data\{37EFA6E0-27CD-4204-9064-50E6A62FC21F}\chrome\content\overlay.xul

c:\documents and settings\Dan\Local Settings\Application Data\{37EFA6E0-27CD-4204-9064-50E6A62FC21F}\install.rdf

c:\documents and settings\Dan\Local Settings\Application Data\rkdrvkqov

c:\documents and settings\Dan\Local Settings\Application Data\rkdrvkqov\txpsrqwshdw.exe

c:\documents and settings\Dan\Local Settings\Application Data\Windows Server

c:\documents and settings\Dan\Local Settings\Application Data\Windows Server\admin.txt

c:\documents and settings\Dan\Local Settings\Application Data\Windows Server\server.dat

c:\program files\Shared

c:\windows\apukogevusukase.dll

c:\windows\drweb.exe

c:\windows\edupacup.dll

c:\windows\gdi32.exe

c:\windows\login.exe

c:\windows\owufesufiy.dll

c:\windows\system32\Cache

c:\windows\system32\h3gckq.dll

c:\windows\system32\hzegdi.dll

c:\windows\system32\yw5giy0.dll

c:\windows\ubamudutibofe.dll

c:\windows\uxorivew.dll

c:\windows\uzawiqul.dll

c:\windows\win.exe

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected

Restored copy from - Kitty had a snack ;)

.

((((((((((((((((((((((((( Files Created from 2010-08-03 to 2010-09-03 )))))))))))))))))))))))))))))))

.

2010-09-03 17:34 . 2010-09-03 17:35 -------- d-----w- C:\32788R22FWJFW

2010-09-03 17:16 . 2010-09-03 17:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec

2010-09-03 14:59 . 2010-09-03 14:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2010-09-03 01:13 . 2010-09-03 01:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-09-03 01:13 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-03 01:13 . 2010-09-03 14:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-03 01:13 . 2010-09-03 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-09-03 01:13 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-03 00:10 . 2010-09-03 00:56 791552 ----a-w- c:\windows\system32\drivers\saqstqex.sys

2010-08-29 22:33 . 2010-08-29 22:33 2812928 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191916-191106.dll

2010-08-26 01:51 . 2009-03-06 03:58 87064 ----a-w- c:\windows\system32\drivers\SWIPsec.sys

2010-08-26 01:51 . 2010-08-26 01:51 -------- d-----w- c:\program files\Common Files\Deterministic Networks

2010-08-26 01:51 . 2010-08-26 01:51 -------- d-----w- c:\program files\SonicWALL

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-03 17:31 . 2009-05-14 12:48 -------- d-----w- c:\program files\Symantec AntiVirus

2010-09-03 17:29 . 2009-05-11 18:55 0 ----a-w- c:\documents and settings\Dan\Local Settings\Application Data\WavXMapDrive.bat

2010-09-03 11:49 . 2009-05-27 11:20 -------- d-----w- c:\program files\LogMeIn

2010-08-29 22:33 . 2010-01-20 00:43 -------- d-----w- c:\program files\Quicken

2010-08-29 22:32 . 2010-01-20 00:45 243032 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE

2010-08-10 16:40 . 2009-05-27 13:51 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2010-07-28 23:34 . 2010-07-28 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\WEngineLite

2010-07-28 23:34 . 2010-07-28 23:34 -------- d-----w- c:\program files\Verizon Wireless

2010-07-28 23:34 . 2010-07-28 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon Wireless

2010-07-28 23:33 . 2010-07-28 23:33 -------- d-----w- c:\program files\HTC

2010-07-28 23:33 . 2009-05-05 10:54 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-19 14:13 . 2010-05-15 12:06 59176 ---ha-w- c:\windows\system32\mlfcache.dat

2010-06-25 11:55 . 2009-05-05 11:10 73160 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-23 02:05 . 2010-06-23 02:05 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb494.tmp.exe

2009-05-11 19:39 . 2009-05-11 19:39 212 ----a-w- c:\program files\Setup.log

2009-05-11 19:39 . 2009-05-11 19:39 132 ----a-w- c:\program files\PanaHDS.ini

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]

@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"

[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]

2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]

@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"

[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]

2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"zzzHPSETUP"="d:\setup.exe \RESET" [X]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-17 483420]

"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-05 136600]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-15 178712]

"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-12-19 184320]

"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]

"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-01-16 656696]

"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-01-16 95544]

"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-01-19 667648]

"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-01-16 15360]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-05-05 2220032]

"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-03-01 1810432]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-11 68592]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]

"HPWQTOOLBOX"="c:\program files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe" [2005-06-03 335872]

"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-2-6 1095456]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

Job Status Utility.lnk - c:\program files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe [2005-8-21 143360]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2008-10-17 00:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"=

"c:\\Program Files\\Panasonic\\Panasonic-DMS\\LRecvTrap\\LRecvTrap.exe"=

"c:\\Program Files\\VectorWorks 2008\\VectorWorks2008.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVC.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [10/25/2009 1:23 AM 18110]

R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [10/25/2009 1:23 AM 619390]

R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [10/25/2009 1:23 AM 423454]

R1 SWIPsec;SonicWALL IPsec Driver;c:\windows\system32\drivers\SWIPsec.sys [8/25/2010 9:51 PM 87064]

S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 1:49 PM 616408]

S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [6/27/2008 2:47 PM 1664248]

S2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [7/1/2008 7:57 PM 110592]

S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 12:07 PM 320800]

S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/6/2009 9:06 PM 443168]

S2 gupdate1c9dfda3454ce8c;Google Update Service (gupdate1c9dfda3454ce8c);c:\program files\Google\Update\GoogleUpdate.exe [5/28/2009 5:21 PM 133104]

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]

S2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [3/1/2009 7:09 PM 77824]

S2 SWGVCSvc;SonicWALL Global VPN Client Service;c:\program files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe [3/5/2009 11:57 PM 227352]

S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/5/2009 9:38 AM 112512]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/18/2010 8:02 PM 102448]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/5/2009 9:38 AM 109568]

S3 Normandy;Normandy SR2; [x]

S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]

S3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [7/24/2008 6:45 PM 12192]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]

S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]

S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [3/4/2009 6:03 PM 21016]

.

Contents of the 'Scheduled Tasks' folder

2010-08-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-09-03 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-11 21:20]

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-28 21:20]

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-28 21:20]

.

.

------- Supplementary Scan -------

.

mStart Page = hxxp://www.comcast.net/

mWindow Title = Windows Internet Explorer provided by Comcast

DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-MKcrc - c:\windows\login.exe

HKCU-Run-MKasc - c:\windows\drweb.exe

HKCU-Run-MKfa - c:\windows\win.exe

HKCU-Run-MKbMc - c:\windows\gdi32.exe

HKLM-Run-guittrov - c:\documents and settings\Dan\Local Settings\Application Data\rkdrvkqov\txpsrqwshdw.exe

HKLM-Run-Fwehudajugabo - c:\windows\apukogevusukase.dll

HKLM-Run-MKcrc - c:\windows\login.exe

HKLM-Run-MKasc - c:\windows\drweb.exe

HKLM-Run-MKfa - c:\windows\win.exe

HKLM-Run-MKbMc - c:\windows\gdi32.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-03 14:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1324)

c:\windows\system32\LMIinit.dll

c:\windows\System32\TdmNetworkProvider.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

c:\windows\System32\BCMLogon.dll

c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(1388)

c:\windows\system32\wvauth.dll

.

Completion time: 2010-09-03 14:08:10

ComboFix-quarantined-files.txt 2010-09-03 18:08

Pre-Run: 106,645,417,984 bytes free

Post-Run: 110,891,159,552 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 02FA33365B6B06EC54FEA3806A98FDB8


That took out a nasty rootkit. Please read the following information first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Now launch MBAM, update it and run a full scan. Post me the resulting log.


I do use the infected system for personal and business banking and record keeping, as well as accessing a company VPN. So it sounds like a reformat is really all I can do to be sure I don't lose everything I own.

So, my knowledge of reformatting would lead me to believe that this whole system is going to get wiped out and start all over again. I don't have the disks for all the programs on my machine any longer, so will I end up losing all of those programs? What about the sensitive data currently on the machine; how do I save all of that?

Is there any way to clean this machine and run checks to find out if any more backdoors exist? Is that a waste of time?

This is really bad news for me. Is there anything else to do?


Hi, if you need to back up data, I recommend you finish the cleanup so you know you can safely transfer data.

A reformat and reinstall will indeed wipe everything, including all programs. You will need to reinstall any programs you need.

I understand this can be a problem, it is up to you what you eventually do, but especially since you use this computer for business banking, I would be extremely cautious.

If you really can't reinstall those programs, you can opt for a repair install of Windows. This will basically replace your Windows installation, but leave all personal data and applications alone. It is not as secure as a reformat/reinstall, but it is better than nothing. However, if you do this, you need to make sure first that there is no malware left.


Malwarebytes is still running, 1 hr 30 mins into the scan... I have 5 objects infected. Also, during the Malwarebytes scan, Symantec AntiVirus Auto-Protect popped up as it found two risks, both "Backdoor.Tidserv.I!inf". It says 3 counts of each, and the file name is disk.sys.vir; its original location was some folder I have never heard of: "C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\".


Also, I have a message from Malwarebytes asking to restart the system. Should I restart now? If so, should I boot up in Safe mode or Normal mode?

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

9/3/2010 4:46:06 PM

mbam-log-2010-09-03 (16-46-06).txt

Scan type: Full scan (C:\|)

Objects scanned: 225809

Time elapsed: 1 hour(s), 34 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 8

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnubhtgtrf (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnubhtgre (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkcuc (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkcucla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.9.0.1) gecko/2008070208 firefox/3.0.1 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com+ manager (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\WINDOWS\drweb.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\gdi32.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\login.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\win.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.


Hi, yes you should reboot; you can do that in normal mode.

Can you please rerun an MBAM quick scan (this should go faster)?

Those file detections are all in ComboFix quarantine and nothing to worry about, but I want to check that none of the other entries is getting recreated.


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

9/4/2010 12:51:23 PM

mbam-log-2010-09-04 (12-51-23).txt

Scan type: Quick scan

Objects scanned: 138795

Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

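The two MBAM logs above are compared by eye in the thread: reboot because of a "Delete on reboot" entry, ignore hits inside the ComboFix quarantine, and rescan to confirm nothing is recreated. The following Python script, added here as an example and not code from the thread or from Malwarebytes, automates exactly those checks against the MBAM 1.46 text log layout shown in the posts; the two embedded logs are excerpts constructed from the ones posted above.

```python
"""Added example (not from the thread or from Malwarebytes): parse MBAM 1.46
text logs, check summary counts against listed items, separate ComboFix
quarantine hits from live ones, list pending-reboot entries, diff two scans."""
import re
from dataclasses import dataclass

CATEGORIES = ("Memory Processes Infected", "Memory Modules Infected",
              "Registry Keys Infected", "Registry Values Infected",
              "Registry Data Items Infected", "Folders Infected", "Files Infected")
SUMMARY_RE = re.compile(r"^(%s): (\d+)$" % "|".join(CATEGORIES))
HEADER_RE = re.compile(r"^(%s):$" % "|".join(CATEGORIES))

# Excerpts constructed from the two logs posted in the thread (same layout).
FULL_SCAN = r"""Scan type: Full scan (C:\|)
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkcucla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.9.0.1) gecko/2008070208 firefox/3.0.1 (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\win.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
"""
QUICK_SCAN = """Scan type: Quick scan
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Keys Infected:
(No malicious items detected)
"""

@dataclass(frozen=True)
class Detection:
    category: str
    path: str    # registry key/value or file path
    name: str    # MBAM detection name, e.g. Rogue.AntimalwareDoctor
    action: str  # what MBAM did, e.g. "Delete on reboot"

def parse_item(category, line):
    """The detection name is the last '(...)' before the first ' -> ', so a
    path that itself contains parentheses (the spoofed user-agent) parses."""
    target, _, rest = line.partition(" -> ")
    path, _, name = target.rpartition(" (")
    action = rest.rsplit(" -> ", 1)[-1].rstrip(".")  # skips "Bad: (1) Good: (0)"
    return Detection(category, path, name.rstrip(")"), action)

def parse_mbam_log(text):
    summary, items, current = {}, {c: [] for c in CATEGORIES}, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if m := SUMMARY_RE.match(line):    # "Registry Keys Infected: 3"
            summary[m.group(1)] = int(m.group(2))
        elif m := HEADER_RE.match(line):   # "Registry Keys Infected:"
            current = m.group(1)
        elif current and " -> " in line:
            items[current].append(parse_item(current, line))
    return {"summary": summary, "items": items}

def count_mismatches(report):
    """Categories whose header count disagrees with the items actually listed."""
    return [c for c in CATEGORIES
            if report["summary"].get(c, 0) != len(report["items"][c])]

def pending_reboot(report):
    """Entries MBAM could only schedule for removal: reboot before calling it clean."""
    return [d for c in CATEGORIES for d in report["items"][c]
            if d.action.startswith("Delete on reboot")]

def in_combofix_quarantine(d):
    """Hits under the ComboFix quarantine folder are its backups, not live malware."""
    return d.path.lower().startswith(r"c:\qoobox\quarantine")

def recreated(before, after):
    """Paths present in both scans: something survived and is re-creating them."""
    seen = {d.path.lower() for c in CATEGORIES for d in before["items"][c]}
    return [d for c in CATEGORIES for d in after["items"][c] if d.path.lower() in seen]

def is_clean(report):
    return not any(report["summary"].values()) and not any(report["items"].values())
```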
