
Still can't open some .exe apps


UrnZway


Hi there, hope you can help.

My kids picked up some fakeAV junk from "freeonlinegames" (I think???). It is their computer and I only get on it when they break it :-)

I've been fighting it for a couple of days now.

I started by booting (XP PRO SP3) in safe mode and updating and running CCleaner, Symantec Corp. AV, MBAM, AdAware, and Spybot S&D.

Once those were complete, I booted the OS normally and ran them all again, each one until they found no problems.

Only MBAM and Spybot found any problems. Unfortunately, I did not retain the logs, and I have removed the programs to try to re-install to fix the .exe not running problem.

I thought the problem was clear, and for the most part the machine is running normally.

However, I am still unable to run certain .exe files (only AV / AM stuff like MBAM.EXE). It runs fine when re-named, and I have no trouble installing it and updating it as MBAM.SCR.

Also noticed some IE re-directs too. I'm running IE with no add-ons now to stop any more crap!

I've tried RootRepeal and ProcessExplorer, but don't see anything I don't expect to be running.

What should I do next?


Hello urnZway and welcome to MalwareBytes forums.

Nice write-up and notes.....but not one indication as to which Windows version/edition this is running !? It would help us to better focus the initial reply.

Tell me if the Symantec AV license is current?

First, make sure you have saved all your work before you begin, and close your open apps.

1st

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Please download Rkill by Grinler and save it to your desktop.

Link 2
Link 3
Link 4
Double-click on the Rkill desktop icon to run the tool.
If using Vista, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL.

Step 2

Note: If using Firefox right-click on any download links and choose Save As

Save both files to the same place ---- the Desktop.

Please download OTH and SAVE to the Desktop

Please download OTL and SAVE to the Desktop

Double click the OTH file to run it and click Kill All Processes, your desktop will go blank.

IF you are running Vista or Windows 7, then do a Right-click on OTH and select Run As Administrator to start.


Once OTH has started, click on Start OTL. OTL will now start.

  • Do the following in OTL:
  • In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

  • Back in OTH:
    Click the Internet Explorer button. Go to this forum & login & return to this topic.
    Copy & Paste these logs into your reply here.
  • After you are all done, press Reboot to start your system fresh.

P.S. Not being able to run EXEs is an indication that the rogue is doing serious blocking of cleanup tools.

Any fixes will not be quick and will take a good bit of time.

Do NOT do any websurfing at all, no online games, no online transactions, and please tell all of the users of this system.

Only go to this forum and the websites I guide you to. Otherwise, put this system & treat it as in Quarantine. Not to be played with.

Copy and Paste in reply box the contents of OTL.txt and Extras.txt for my review.

Edited by Maurice Naggar
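A small triage script for the OTL line formats that appear in the log posted in the reply below (an added example written here, not OldTimer's or Malwarebytes' code). It flags an .exe/.com shell-open command that is not the stock "%1" %* (the O35/O37 lines), drivers whose file is missing, and no-company-name binaries dropped directly in C:\WINDOWS. The random-name heuristic and the sample input (a subset of the log's own lines) are assumptions of this example.

```python
import re

# Stock value of HKCR\exefile\shell\open\command on a healthy XP box.
STOCK_OPEN_CMD = '"%1" %*'

# O35 - HKLM\..exefile [open] -- "%1" %*
# O37 - HKLM\...exe [@ = exefile] -- "%1" %*
_ASSOC_RE = re.compile(r'^O3[57] - (?P<key>\S+) \[(?P<verb>[^\]]+)\] -- (?P<cmd>.*)$')

# DRV - File not found [Kernel | On_Demand | Stopped] -- C:\...\lvuvc.sys -- (LVUVC) ...
_MISSING_DRV_RE = re.compile(
    r'^DRV - File not found \[[^\]]*\] -- (?P<path>.+?) -- \((?P<svc>[^)]*)\)')

# [2010/09/12 07:32:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\avovimupagidi.dll
_FILE_RE = re.compile(
    r'^\[(?P<ts>[\d/ :]+) \| (?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| [CM]\] '
    r'\((?P<company>[^)]*)\) -- (?P<path>.+)$')


def check_association(line):
    """Flag an O35/O37 line whose .exe/.com handling deviates from the stock setup.

    A rogue that blocks cleanup tools usually rewrites this command so every
    .exe launch is routed through its own binary; .scr files use the separate
    scrfile association, which is why a renamed MBAM.SCR still runs.
    """
    m = _ASSOC_RE.match(line)
    if not m:
        return None
    key, verb, cmd = m.group('key'), m.group('verb'), m.group('cmd').strip()
    if verb.startswith('@ =') and verb.split('=', 1)[1].strip() not in ('exefile', 'comfile'):
        return f'{key} mapped to unexpected handler: {verb}'
    if cmd != STOCK_OPEN_CMD:
        return f'non-standard shell-open command for {key}: {cmd}'
    return None


def missing_driver(line):
    """Flag a DRV entry whose driver file no longer exists on disk."""
    m = _MISSING_DRV_RE.match(line)
    if not m:
        return None
    return f"driver file missing: {m.group('path')} ({m.group('svc')})"


def _looks_generated(stem):
    # Heuristic only (an assumption of this example): long, purely alphabetic
    # names without digits or separators are typical of generated file names.
    return len(stem) >= 10 and stem.isalpha()


def suspicious_file(line):
    """Flag a binary dropped directly in C:\\WINDOWS with no company name."""
    m = _FILE_RE.match(line)
    if not m:
        return None
    folder, _, name = m.group('path').rpartition('\\')
    stem, _, ext = name.rpartition('.')
    if folder.upper() != 'C:\\WINDOWS' or m.group('company').strip():
        return None
    if ext.lower() not in ('dll', 'bin', 'exe', 'sys'):
        return None
    size = int(m.group('size').replace(',', ''))
    if size == 0 or _looks_generated(stem):
        return f'no-company-name binary in C:\\WINDOWS: {name} ({size} bytes)'
    return None


def triage(lines):
    """Run every check over the log lines and collect the findings."""
    findings = []
    for line in lines:
        for check in (check_association, missing_driver, suspicious_file):
            result = check(line.rstrip())
            if result:
                findings.append(result)
    return findings


# Sample input: a constructed subset of lines copied from the OTL log in this thread.
SAMPLE_LOG = r"""
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 9000(UVC)
DRV - [2010/07/15 04:00:00 | 001,362,608 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100913.004\NAVEX15.SYS -- (NAVEX15)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
[2010/09/14 17:47:57 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.scr
[2002/08/29 04:41:18 | 000,203,264 | ---- | C] ( ) -- C:\WINDOWS\ubocudirota.dll
[2010/09/12 07:32:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\avovimupagidi.dll
[2010/09/12 10:30:33 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Gvezalosupukaleg.bin
[2010/08/17 13:33:20 | 000,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll
[2010/08/17 13:33:21 | 000,000,856 | ---- | M] () -- C:\WINDOWS\ka.ini
""".strip().splitlines()

if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On this sample the association lines are clean (as they are in the posted log), so the findings are the missing Logitech driver and the three no-company-name files in C:\WINDOWS.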

Maurice,

Thanks for the assistance.

I did mention this is XP PRO SP3, and it is Genuine (or at least it "passes" GAT!). I am able to, and periodically do, get updates from MS.

Yes, the Symantec license is current, and up to date. LiveUpdate was not able to run until after I ran MBAM, but it is current now.

As soon as the "fakeAV" popups started, I disabled the network adapter to shut down open access to the web.

No surfing, only cleanup operations, of course. It will remain quarantined, as you suggested.

I have only enabled the network adapter to update the utilities (I initially had to get MBAM on another machine and transfer it via USB flash).

I've disabled Symantec AV. Firewall is on.

Rkill did not shut down anything, except itself. I had already run this too, after trying the suggestions from here... http://forums.malwarebytes.org/index.php?showtopic=17607

Downloaded and executed OTH and OTL. Here are the outputs...

OTL logfile created on: 9/14/2010 5:50:25 PM - Run 1

OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 478.00 Mb Available Physical Memory | 47.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 44.35 Gb Total Space | 9.53 Gb Free Space | 21.50% Space Free | Partition Type: NTFS

Drive D: | 7.53 Gb Total Space | 7.49 Gb Free Space | 99.54% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: NONI

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/14 17:47:57 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.scr

PRC - [2010/09/14 17:47:48 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTH.scr

PRC - [2006/09/27 21:33:44 | 000,125,168 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe

PRC - [2006/09/27 21:33:32 | 001,813,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe

PRC - [2006/09/27 21:33:22 | 000,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe

PRC - [2006/07/19 20:26:12 | 000,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

PRC - [2006/07/19 20:26:06 | 000,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

PRC - [2006/07/19 20:26:04 | 000,052,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe

PRC - [2006/04/11 18:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

========== Modules (SafeList) ==========

MOD - [2010/09/14 17:47:57 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.scr

MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - [2010/01/19 01:29:19 | 002,326,920 | ---- | M] (Acronis) [Auto | Stopped] -- C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)

SRV - [2009/09/12 17:31:30 | 000,660,520 | ---- | M] (Acronis) [Auto | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)

SRV - [2006/09/27 21:33:38 | 000,116,464 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)

SRV - [2006/09/27 21:33:32 | 001,813,232 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)

SRV - [2006/09/27 21:33:22 | 000,031,472 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)

SRV - [2006/09/02 17:36:33 | 002,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)

SRV - [2006/08/07 17:03:02 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)

SRV - [2006/07/19 20:26:12 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)

SRV - [2006/07/19 20:26:06 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)

SRV - [2006/04/11 18:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 9000(UVC)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\lvrs.sys -- (LVRS)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys -- (Lavasoft Kernexplorer)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\lvuvcflt.sys -- (FilterService)

DRV - [2010/07/15 04:00:00 | 001,362,608 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100913.004\NAVEX15.SYS -- (NAVEX15)

DRV - [2010/07/15 04:00:00 | 000,085,424 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100913.004\NAVENG.SYS -- (NAVENG)

DRV - [2010/05/28 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)

DRV - [2010/05/28 04:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2010/01/19 01:29:21 | 000,159,168 | ---- | M] (Acronis) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afcdp.sys -- (afcdp)

DRV - [2010/01/19 01:29:15 | 000,902,432 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpm251.sys -- (tdrpman251) Acronis Try&Decide and Restore Points filter (build 251)

DRV - [2010/01/19 01:29:12 | 000,570,016 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)

DRV - [2010/01/19 01:29:01 | 000,157,248 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)

DRV - [2009/11/20 22:34:54 | 010,235,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)

DRV - [2009/06/02 09:26:28 | 000,099,856 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)

DRV - [2009/03/30 10:51:20 | 000,068,924 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\jl2005c.sys -- (JL2005C)

DRV - [2009/03/25 12:52:02 | 000,028,896 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)

DRV - [2008/04/13 15:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)

DRV - [2008/04/13 14:36:38 | 000,020,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hidbatt.sys -- (HidBatt)

DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2007/04/26 10:23:44 | 000,988,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)

DRV - [2007/04/26 10:23:08 | 000,267,520 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)

DRV - [2007/04/26 10:23:04 | 000,731,136 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)

DRV - [2006/09/18 18:55:28 | 000,109,744 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)

DRV - [2006/09/06 15:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)

DRV - [2006/09/06 15:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)

DRV - [2006/08/07 17:02:26 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)

DRV - [2006/08/07 17:02:22 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)

DRV - [2006/07/07 15:24:24 | 000,564,224 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)

DRV - [2006/04/11 18:13:34 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)

DRV - [2004/09/29 16:33:50 | 001,036,928 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)

DRV - [2004/05/13 18:31:24 | 000,083,552 | ---- | M] (ALinx Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\m4301A.sys -- (m4301a)

DRV - [2004/03/26 15:08:54 | 000,122,112 | ---- | M] (Cisco-Linksys LLC.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vnet58lx.sys -- (FVNETusb)

DRV - [2002/11/06 09:48:34 | 000,136,448 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\fasttx2k.sys -- (fasttx2k)

DRV - [2002/09/09 21:45:50 | 000,041,728 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)

DRV - [2002/03/22 04:21:32 | 000,134,784 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)

DRV - [2001/08/17 14:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)

DRV - [2001/08/17 09:28:12 | 000,488,383 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_V124.sys -- (V124)

DRV - [2001/08/17 09:28:12 | 000,050,751 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_TONE.sys -- (Tones)

DRV - [2001/08/17 09:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)

DRV - [2001/08/17 09:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_SAMP.sys -- (Rksample)

DRV - [2001/08/17 09:28:08 | 000,391,199 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_K56K.sys -- (K56)

DRV - [2001/08/17 09:28:06 | 000,289,887 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FALL.sys -- (Fallback)

DRV - [2001/08/17 09:28:06 | 000,199,711 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FAXX.sys -- (SoftFax)

DRV - [2001/08/17 09:28:06 | 000,115,807 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FSKS.sys -- (Fsks)

DRV - [2001/08/17 09:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_BSC2.sys -- (basic2)

DRV - [1997/04/22 11:16:00 | 000,006,272 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ASLM75.SYS -- (aslm75)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.nickjr.com/

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{AE2F5838-D614-4700-8569-2EC4A1670D16}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{AE2F5838-D614-4700-8569-2EC4A1670D16}\

O1 HOSTS File: ([2009/03/21 16:05:07 | 000,303,042 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost


O1 - Hosts: 10444 more lines...

O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.

O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)

O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)

O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetIcon = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetIcon = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 08 00 00 00 [binary data]

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1237666098890 (WUWebControl Class)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Reg Error: Value error. - Reg Error: Value error. File not found

O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)

O24 - Desktop Components:0 () - http://images.psndealer.com/dealersite%2Fi...2Fnv43151_1.jpg

O24 - Desktop Components:1 (My Current Home Page) - About:Home

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2004/11/01 01:24:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (auto_reactivate \\?\Volume{cf81467d-42f6-11de-a490-806d6172696f}\bootwiz\asrm.bin) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/09/14 17:47:57 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.scr

[2010/09/14 17:47:48 | 000,258,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTH.scr

[2010/09/14 13:09:40 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Administrator\Desktop\RootRepeal.exe

[2010/09/14 13:04:12 | 003,887,480 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Administrator\Desktop\winlogon.exe

[2010/09/14 12:43:33 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent

[2010/09/14 11:26:15 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/09/14 11:25:50 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.46.exe

[2010/09/13 17:38:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Sunbelt Software

[2010/09/13 13:05:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

[2010/09/13 13:04:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/09/13 11:36:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

[2010/09/03 15:52:29 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data\SecuROM

[2010/08/17 16:20:58 | 000,000,000 | ---D | C] -- C:\Program Files\Robot Arena

[2010/08/17 13:42:48 | 000,000,000 | ---D | C] -- C:\Program Files\Hasbro Interactive

[2002/08/29 04:41:18 | 000,203,264 | ---- | C] ( ) -- C:\WINDOWS\ubocudirota.dll

[227 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/14 17:47:57 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.scr

[2010/09/14 17:47:48 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTH.scr

[2010/09/14 17:46:03 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rkill.com

[2010/09/14 17:25:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/09/14 13:09:51 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\settings.dat

[2010/09/14 13:09:31 | 000,464,491 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RootRepeal.zip

[2010/09/14 13:04:18 | 003,887,480 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Administrator\Desktop\winlogon.exe

[2010/09/14 12:45:10 | 000,000,738 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/09/14 12:45:10 | 000,000,262 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/09/14 12:45:10 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[2010/09/14 12:13:19 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/09/14 12:13:00 | 000,273,040 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml

[2010/09/14 12:12:37 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/09/14 12:12:31 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/09/14 12:12:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/09/14 12:10:56 | 006,815,744 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT

[2010/09/14 11:25:51 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.46.exe

[2010/09/14 11:22:37 | 000,000,689 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk

[2010/09/14 11:12:45 | 000,000,166 | -H-- | M] () -- C:\aaw7boot.cmd

[2010/09/13 20:17:10 | 000,031,184 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010/09/13 20:13:41 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini

[2010/09/13 17:41:31 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2010/09/12 10:30:33 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Gvezalosupukaleg.bin

[2010/09/12 07:41:20 | 000,002,507 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Outlook.lnk

[2010/09/12 07:32:19 | 000,000,000 | ---- | M] () -- C:\WINDOWS\avovimupagidi.dll

[2010/09/06 16:48:52 | 000,000,849 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Big Truck Adventures 2 - Car Games - Bike Games -- DriveArcade.com.url

[2010/09/02 13:46:43 | 000,006,701 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Untitled12.lxf

[2010/09/01 19:26:43 | 004,229,936 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db

[2010/08/31 15:23:38 | 000,013,443 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Untitled3.lxf

[2010/08/31 13:16:25 | 000,001,097 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adventures In Time.lnk

[2010/08/29 15:24:57 | 000,013,423 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MON.jpg

[2010/08/29 14:06:14 | 000,076,034 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\photo001.jpg

[2010/08/29 10:06:54 | 000,000,347 | ---- | M] () -- C:\WINDOWS\EReg213.dat

[2010/08/25 08:35:35 | 000,000,098 | ---- | M] () -- C:\WINDOWS\EasyRip.ini

[2010/08/23 14:27:52 | 000,002,487 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft PowerPoint.lnk

[2010/08/20 14:29:41 | 000,031,184 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT

[2010/08/17 13:50:54 | 000,143,624 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/08/17 13:38:41 | 000,030,720 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/08/17 13:33:21 | 000,000,856 | ---- | M] () -- C:\WINDOWS\ka.ini

[2010/08/17 12:59:25 | 000,001,847 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\LEGO Creator Knights' Kingdom.lnk

[227 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/14 17:46:03 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rkill.com

[2010/09/14 13:09:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\settings.dat

[2010/09/14 13:09:31 | 000,464,491 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RootRepeal.zip

[2010/09/14 11:22:37 | 000,000,689 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk

[2010/09/14 11:12:45 | 000,000,166 | -H-- | C] () -- C:\aaw7boot.cmd

[2010/09/12 07:32:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\avovimupagidi.dll

[2010/09/05 09:53:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Gvezalosupukaleg.bin

[2010/08/31 13:16:25 | 000,001,097 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adventures In Time.lnk

[2010/08/29 15:25:15 | 000,013,423 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MON.jpg

[2010/08/29 14:03:44 | 000,076,034 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\photo001.jpg

[2010/08/17 13:33:20 | 000,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll

[2010/08/17 13:33:20 | 000,023,552 | ---- | C] () -- C:\WINDOWS\xobglu32.dll

[2010/08/17 12:59:25 | 000,001,847 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\LEGO Creator Knights' Kingdom.lnk

[2010/07/28 08:29:38 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll

[2010/07/21 09:38:28 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

[2010/07/20 16:36:30 | 000,000,098 | ---- | C] () -- C:\WINDOWS\EasyRip.ini

[2010/07/11 13:47:20 | 000,000,856 | ---- | C] () -- C:\WINDOWS\ka.ini

[2010/04/29 09:06:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI

[2010/01/25 20:38:39 | 000,000,372 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log

[2010/01/24 14:43:19 | 000,000,253 | ---- | C] () -- C:\WINDOWS\Creator.INI

[2009/12/06 14:26:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\RussSqr.INI

[2009/10/10 17:16:35 | 000,373,648 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2009/06/23 19:35:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI

[2009/06/05 16:09:17 | 000,000,620 | ---- | C] () -- C:\WINDOWS\hegames.ini

[2008/04/16 09:36:42 | 000,030,720 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/04/14 21:13:40 | 000,000,011 | ---- | C] () -- C:\WINDOWS\SA2003.ini

[2008/04/14 11:23:18 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat

[2008/04/14 09:45:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI

[2004/11/17 01:08:10 | 000,000,041 | ---- | C] () -- C:\WINDOWS\loc2.INI

[2004/11/17 01:08:06 | 000,000,041 | ---- | C] () -- C:\WINDOWS\FindServ.INI

[2004/11/08 05:33:56 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2004/11/08 03:29:23 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\WINKRNME.DLL

[2004/11/07 16:02:04 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\setupnt.dll

[2004/11/01 17:48:54 | 000,006,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASLM75.SYS

[2004/11/01 01:31:40 | 000,003,793 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini

[2004/11/01 01:31:39 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS

========== LOP Check ==========

[2010/03/31 19:16:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Acronis

[2009/09/05 18:15:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Activision

[2010/06/04 12:22:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\E-centives

[2010/05/20 20:22:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\LEGO Company

[2010/09/13 20:13:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Pyive

[2010/03/14 15:05:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Unity

[2010/07/19 07:16:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\WeatherBug

[2009/04/19 23:09:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Search

[2010/09/08 12:35:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Ysic

[2010/01/19 01:32:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis

[2009/09/05 18:15:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Activision

[2009/11/29 09:56:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\VivaMedia

========== Purity Check ==========

< End of report >

OTL Extras logfile created on: 9/14/2010 5:50:25 PM - Run 1

OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 478.00 Mb Available Physical Memory | 47.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 44.35 Gb Total Space | 9.53 Gb Free Space | 21.50% Space Free | Partition Type: NTFS

Drive D: | 7.53 Gb Total Space | 7.49 Gb Free Space | 99.54% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: NONI

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- File not found

"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- File not found

"C:\Program Files\Steam\SteamApps\abwarren\raceds\RaceDedicatedServer_Steam.exe" = C:\Program Files\Steam\SteamApps\abwarren\raceds\RaceDedicatedServer_Steam.exe:*:Enabled:Race Dedicated Server -- (Simbin Development Team AB)

"C:\Vortex 15.0\bin\Vortex.exe" = C:\Vortex 15.0\bin\Vortex.exe:*:Enabled:Vortex -- File not found

"C:\Program Files\Steam\SteamApps\abwarren\race\SteamProxy.exe" = C:\Program Files\Steam\SteamApps\abwarren\race\SteamProxy.exe:*:Enabled:Race - The WTCC Game -- ()

"C:\Program Files\Steam\SteamApps\abwarren\race\RaceConfig_Steam.exe" = C:\Program Files\Steam\SteamApps\abwarren\race\RaceConfig_Steam.exe:*:Enabled:Race - The WTCC Game -- (Simbin Development Team AB)

"C:\Program Files\Steam\SteamApps\abwarren\race\Race_Steam.exe" = C:\Program Files\Steam\SteamApps\abwarren\race\Race_Steam.exe:*:Disabled:Race -- (Simbin Development Team AB)

"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java Platform SE binary -- File not found

"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager -- File not found

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{02034A48-25C6-4BB4-8186-54917E5D49DA}" = SpongeBob SquarePants - Lights, Camera, Pants!

"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam

"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan

"{33CFCF98-F8D6-4549-B469-6F4295676D83}" = Symantec AntiVirus

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3DD2E9EA-0544-4162-B8BE-E21E994E9F3B}" = LEGO Racers 2

"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer

"{48ADB3C0-18FB-4922-B172-7C8C4B99409C}" = Kung Fu Panda

"{5188D24B-9003-41B9-BC5D-7FEBA5C8F3AE}" = Dirt Track Racing 2

"{58E8338B-9794-4E2C-9595-56723B5AC91B}" = Merriweather Farm

"{67E8CB4D-9FF5-4273-9353-554DBFA9DD7B}" = Deerfield Valley

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD

"{68D5CEF9-0DA8-47FE-B0EB-4CBFB5AAF662}" = ArcSoft PhotoImpression 4

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762

"{77C28982-EFF7-4A10-B703-A6BB93335DCB}" = Robot Arena

"{86AF1477-868E-42A3-8A05-41816AF82B31}" = WinZip

"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage

"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan

"{A637F36B-2B36-11D4-A322-0001020A6A3D}" = LEGO Creator Knights' Kingdom

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2

"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player

"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C2F1F96A-057E-5819-B52E-FEA1D1D2933B}" = Acronis


Hello,

Yes, my bad for not having seen your mention of Windows XP.

Please do the following:

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Apply changes & exit Windows Explorer.

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Step 3

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Double-Click on TDSSKiller.exe to run the application, then on Start Scan.
    If running Vista or Windows 7, do a RIGHT-Click and select Run as Administrator to start TDSSKILLER.exe.
  • If an infected file is detected, the default action will be Cure, click on Continue.
    TDSSKillerMal-1.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
    TDSSKillerSuspicious-1.png
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    TDSSKillerCompleted.png
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 4

Use your browser to go here at Virustotal website

Click the Browse button and then navigate to C:\WINDOWS\ubocudirota.dll, then click the Submit button.

The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

Repeat the same steps for C:\WINDOWS\Gvezalosupukaleg.bin

Save the results

Repeat the same steps for C:\WINDOWS\avovimupagidi.dll

Save the results

Step 5

  • Please double-click OTL.scr to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    :processes
    killallprocesses
    :OTL
    O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    :files
    C:\WINDOWS\ubocudirota.dll
    C:\WINDOWS\Gvezalosupukaleg.bin
    C:\WINDOWS\avovimupagidi.dll
    C:\WINDOWS\xobglu16.dll
    C:\WINDOWS\xobglu32.dll
    recycler /alldrives
    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]
    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 6

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan, and how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with a copy of the contents of the VirusTotal reports, the OTL MovedFiles log, and C:\Combofix.txt.

Edited by Maurice Naggar
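The two log formats in this thread (the OTL Extras "Shell Spawning" section and the TDSSKiller driver scan) are what a helper reads first when an .exe will not launch. The following is an added triage script, not code from OTL, TDSSKiller or anyone in this thread: it flags any executable-class open handler that differs from the stock Windows XP value, and pairs each TDSSKiller "Suspicious file (Forged)" line with the detection printed after it. The sample lines are copied from the logs quoted in this thread, except the `interposer.exe` association, which is a constructed placeholder.

```python
# Added triage example (not OTL's or TDSSKiller's own code): parse the two log
# formats quoted in this thread and report what a helper would look at first.
import re

# Stock Windows XP shell-open commands for the executable classes OTL lists.
# Any other value in the "Shell Spawning" section means the association was
# redirected through another program, one cause of ".exe will not run".
EXPECTED_SPAWN = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
}

# OTL:  <class> [<verb>] -- <command>
SPAWN_RE = re.compile(r'^(?P<cls>\w+) \[(?P<verb>\w+)\] -- (?P<cmd>.*)$')
# TDSSKiller: <date> <time> Suspicious file (Forged): <path>. Real md5: <x>, Fake md5: <y>
FORGED_RE = re.compile(
    r'^\S+ \S+ Suspicious file \(Forged\): (?P<path>.+?)\. '
    r'Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$')
# TDSSKiller: <date> <time> <service> - detected <name> (<n>)
DETECT_RE = re.compile(r'^\S+ \S+ (?P<svc>\S+) - detected (?P<name>\S+)')


def check_shell_spawning(lines):
    """Return (class, actual_command, expected_command) for every [open]
    handler of an executable class whose command is not the stock value."""
    findings = []
    for line in lines:
        m = SPAWN_RE.match(line.strip())
        if not m or m["verb"] != "open":
            continue
        expected = EXPECTED_SPAWN.get(m["cls"])
        actual = m["cmd"].strip()
        if expected is not None and actual != expected:
            findings.append((m["cls"], actual, expected))
    return findings


def check_tdsskiller(lines):
    """Collect 'Suspicious file (Forged)' entries and attach the detection
    name TDSSKiller prints on the following line.  Two different hashes for
    the same driver, depending on how it is read, is how a TDL3-style rootkit
    hiding its patched driver shows up in this log."""
    findings = []
    for line in lines:
        line = line.strip()
        m = FORGED_RE.match(line)
        if m:
            findings.append({"path": m["path"], "real_md5": m["real"],
                             "fake_md5": m["fake"], "detection": None})
            continue
        d = DETECT_RE.match(line)
        if d and findings and findings[-1]["detection"] is None:
            findings[-1]["detection"] = d["name"]
    return findings


def triage(spawn_lines, tdss_lines):
    """One summary line per finding, in a form a helper could paste back."""
    report = []
    for cls, actual, expected in check_shell_spawning(spawn_lines):
        report.append(f"[assoc] {cls} open handler is {actual!r}, "
                      f"stock value is {expected!r}")
    for f in check_tdsskiller(tdss_lines):
        report.append(f"[forged] {f['path']} real={f['real_md5']} "
                      f"fake={f['fake_md5']} detection={f['detection']}")
    return report


# Copied from the OTL Extras "Shell Spawning" section quoted in this thread.
PAGE_SPAWN_LINES = [
    'batfile [open] -- "%1" %*',
    'cmdfile [open] -- "%1" %*',
    'comfile [open] -- "%1" %*',
    'exefile [open] -- "%1" %*',
    'piffile [open] -- "%1" %*',
    'regfile [merge] -- Reg Error: Key error.',
    'scrfile [open] -- "%1" /S',
]

# Constructed (not from the thread): the same section with exefile redirected
# through an interposed program; the path is a placeholder.
CONSTRUCTED_SPAWN_LINES = [
    'exefile [open] -- "C:\\PLACEHOLDER\\interposer.exe" "%1" %*',
    'scrfile [open] -- "%1" /S',
]

# Copied from the TDSSKiller log quoted in this thread (plus one clean line).
PAGE_TDSS_LINES = [
    r'2010/09/15 11:53:36.0625 agp440 (64a9c5668e7862b85bb30a1ae46b70cb) C:\WINDOWS\system32\DRIVERS\agp440.sys',
    r'2010/09/15 11:53:36.0625 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\agp440.sys. Real md5: 64a9c5668e7862b85bb30a1ae46b70cb, Fake md5: 08fd04aa961bdc77fb983f328334e3d7',
    r'2010/09/15 11:53:36.0640 agp440 - detected Rootkit.Win32.TDSS.tdl3 (0)',
    r'2010/09/15 11:53:37.0031 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys',
]

if __name__ == "__main__":
    # On this thread's logs the associations are stock, so only the forged
    # agp440.sys entry is reported.
    for entry in triage(PAGE_SPAWN_LINES, PAGE_TDSS_LINES):
        print(entry)
```

On this thread's logs the exefile association is the stock value, which is consistent with the .exe problem being enforced elsewhere than the file association, while the forged agp440.sys hash is reported as the rootkit detection TDSSKiller names.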

2010/09/15 11:53:05.0234 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44

2010/09/15 11:53:05.0234 ================================================================================

2010/09/15 11:53:05.0234 SystemInfo:

2010/09/15 11:53:05.0234

2010/09/15 11:53:05.0234 OS Version: 5.1.2600 ServicePack: 3.0

2010/09/15 11:53:05.0234 Product type: Workstation

2010/09/15 11:53:05.0234 ComputerName: NONI

2010/09/15 11:53:05.0234 UserName: Administrator

2010/09/15 11:53:05.0234 Windows directory: C:\WINDOWS

2010/09/15 11:53:05.0234 System windows directory: C:\WINDOWS

2010/09/15 11:53:05.0234 Processor architecture: Intel x86

2010/09/15 11:53:05.0234 Number of processors: 1

2010/09/15 11:53:05.0234 Page size: 0x1000

2010/09/15 11:53:05.0234 Boot type: Normal boot

2010/09/15 11:53:05.0234 ================================================================================

2010/09/15 11:53:06.0515 Initialize success

2010/09/15 11:53:35.0562 ================================================================================

2010/09/15 11:53:35.0562 Scan started

2010/09/15 11:53:35.0562 Mode: Manual;

2010/09/15 11:53:35.0562 ================================================================================

2010/09/15 11:53:35.0953 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/09/15 11:53:36.0046 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/09/15 11:53:36.0218 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys

2010/09/15 11:53:36.0312 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/09/15 11:53:36.0406 afcdp (f132d0bfde7c5ea1ab42325c5694a969) C:\WINDOWS\system32\DRIVERS\afcdp.sys

2010/09/15 11:53:36.0515 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/09/15 11:53:36.0625 agp440 (64a9c5668e7862b85bb30a1ae46b70cb) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/09/15 11:53:36.0625 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\agp440.sys. Real md5: 64a9c5668e7862b85bb30a1ae46b70cb, Fake md5: 08fd04aa961bdc77fb983f328334e3d7

2010/09/15 11:53:36.0640 agp440 - detected Rootkit.Win32.TDSS.tdl3 (0)

2010/09/15 11:53:37.0031 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/09/15 11:53:37.0281 aslm75 (71356a1370739e25375a1d17b6ae318f) C:\WINDOWS\system32\drivers\aslm75.sys

2010/09/15 11:53:37.0421 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/09/15 11:53:37.0515 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/09/15 11:53:37.0671 AtiHdmiService (f661f01e990b84c58519c1ff43c2108f) C:\WINDOWS\system32\drivers\AtiHdmi.sys

2010/09/15 11:53:37.0765 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/09/15 11:53:37.0875 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/09/15 11:53:37.0968 b57w2k (db42dff456af8d35cbe00fe94144f251) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2010/09/15 11:53:38.0062 basic2 (1b9c81ab9a456eabd9f8335f04b5f495) C:\WINDOWS\system32\DRIVERS\HSF_BSC2.sys

2010/09/15 11:53:38.0203 BCM43XX (3003c21e5e1f04ba84fc8e705a65db2b) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

2010/09/15 11:53:38.0343 bcm4sbxp (ba03a18635d4b0830c9262cd80d4026b) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys

2010/09/15 11:53:38.0421 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/09/15 11:53:38.0515 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/09/15 11:53:38.0609 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2010/09/15 11:53:38.0765 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/09/15 11:53:38.0859 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/09/15 11:53:38.0937 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/09/15 11:53:39.0171 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2010/09/15 11:53:39.0484 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/09/15 11:53:39.0609 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/09/15 11:53:39.0734 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/09/15 11:53:39.0812 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/09/15 11:53:39.0906 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/09/15 11:53:40.0062 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/09/15 11:53:40.0171 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

2010/09/15 11:53:40.0234 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

2010/09/15 11:53:40.0390 Fallback (c823debe2548656549f84a875d65237b) C:\WINDOWS\system32\DRIVERS\HSF_FALL.sys

2010/09/15 11:53:40.0484 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/09/15 11:53:40.0562 fasttx2k (0aec191abd2f2dfad94c95816532db0e) C:\WINDOWS\system32\DRIVERS\fasttx2k.sys

2010/09/15 11:53:40.0640 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/09/15 11:53:40.0765 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/09/15 11:53:40.0843 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/09/15 11:53:40.0953 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/09/15 11:53:41.0031 Fsks (6483414841d4cab6c3b4db2ac6edd70b) C:\WINDOWS\system32\DRIVERS\HSF_FSKS.sys

2010/09/15 11:53:41.0125 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/09/15 11:53:41.0203 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/09/15 11:53:41.0312 FVNETusb (199062d35b8789238a11e9980479336b) C:\WINDOWS\system32\DRIVERS\vnet58lx.sys

2010/09/15 11:53:41.0390 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys

2010/09/15 11:53:41.0484 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/09/15 11:53:41.0593 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/09/15 11:53:41.0703 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys

2010/09/15 11:53:41.0812 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/09/15 11:53:41.0984 HPZid412 (5faba4775d4c61e55ec669d643ffc71f) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2010/09/15 11:53:42.0078 HPZipr12 (a3c43980ee1f1beac778b44ea65dbdd4) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2010/09/15 11:53:42.0156 HPZius12 (2906949bd4e206f2bb0dd1896ce9f66f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2010/09/15 11:53:42.0265 HSFHWBS2 (6312dc46356df3974e88aa51b69360dc) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys

2010/09/15 11:53:42.0421 HSF_DP (8ed6714c8e754520dd8a939f91383ea0) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys

2010/09/15 11:53:42.0625 HSF_DPV (daab917eec9849840a13353198d48cc5) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys

2010/09/15 11:53:42.0781 hsf_msft (74e379857d4c0dfb56de2d19b8f4c434) C:\WINDOWS\system32\DRIVERS\HSF_MSFT.sys

2010/09/15 11:53:42.0921 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/09/15 11:53:43.0125 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/09/15 11:53:43.0218 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/09/15 11:53:43.0375 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/09/15 11:53:43.0437 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/09/15 11:53:43.0500 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/09/15 11:53:43.0625 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/09/15 11:53:43.0718 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/09/15 11:53:43.0812 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/09/15 11:53:43.0890 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/09/15 11:53:43.0968 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/09/15 11:53:44.0046 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/09/15 11:53:44.0156 JL2005C (b5ed0401d4fbbcb4bf5eaa01e8eb86e8) C:\WINDOWS\system32\Drivers\jl2005c.sys

2010/09/15 11:53:44.0281 K56 (9c5e3fdbfcc30cf71a49ca178b9ad442) C:\WINDOWS\system32\DRIVERS\HSF_K56K.sys

2010/09/15 11:53:44.0359 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/09/15 11:53:44.0437 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/09/15 11:53:44.0515 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/09/15 11:53:44.0593 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/09/15 11:53:44.0968 m4301a (763a50ce71f03df16fe3c74a9531f85f) C:\WINDOWS\system32\DRIVERS\m4301A.sys

2010/09/15 11:53:45.0078 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2010/09/15 11:53:45.0171 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/09/15 11:53:45.0281 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/09/15 11:53:45.0375 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys

2010/09/15 11:53:45.0453 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/09/15 11:53:45.0546 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/09/15 11:53:45.0625 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/09/15 11:53:45.0750 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/09/15 11:53:45.0875 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/09/15 11:53:45.0968 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/09/15 11:53:46.0046 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/09/15 11:53:46.0140 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/09/15 11:53:46.0218 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/09/15 11:53:46.0312 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/09/15 11:53:46.0406 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2010/09/15 11:53:46.0468 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/09/15 11:53:46.0562 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2010/09/15 11:53:46.0718 NAVENG (0953bb24c1e70a99c315f44f15993c17) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100915.002\naveng.sys

2010/09/15 11:53:46.0828 NAVEX15 (3ddb0bef60b65df6b110c23e17cd67dc) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100915.002\navex15.sys

2010/09/15 11:53:46.0953 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/09/15 11:53:47.0078 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2010/09/15 11:53:47.0140 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/09/15 11:53:47.0218 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/09/15 11:53:47.0296 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/09/15 11:53:47.0390 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/09/15 11:53:47.0468 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/09/15 11:53:47.0546 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/09/15 11:53:47.0671 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/09/15 11:53:47.0734 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/09/15 11:53:47.0828 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/09/15 11:53:47.0984 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/09/15 11:53:48.0437 nv (a05d99cbf55eb493c9e82b4bca848ef5) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2010/09/15 11:53:48.0890 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/09/15 11:53:48.0984 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/09/15 11:53:49.0078 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/09/15 11:53:49.0140 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/09/15 11:53:49.0234 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/09/15 11:53:49.0343 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/09/15 11:53:49.0406 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/09/15 11:53:49.0562 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/09/15 11:53:49.0656 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/09/15 11:53:50.0109 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/09/15 11:53:50.0187 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

2010/09/15 11:53:50.0250 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/09/15 11:53:50.0343 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/09/15 11:53:50.0718 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/09/15 11:53:50.0781 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/09/15 11:53:50.0875 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/09/15 11:53:50.0953 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/09/15 11:53:51.0031 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/09/15 11:53:51.0109 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/09/15 11:53:51.0187 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/09/15 11:53:51.0281 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/09/15 11:53:51.0375 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/09/15 11:53:51.0500 Rksample (bb7549bd94d1aac3599c7606c50c48a0) C:\WINDOWS\system32\DRIVERS\HSF_SAMP.sys

2010/09/15 11:53:51.0703 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys

2010/09/15 11:53:51.0750 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys

2010/09/15 11:53:51.0890 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/09/15 11:53:51.0984 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/09/15 11:53:52.0046 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/09/15 11:53:52.0156 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/09/15 11:53:52.0343 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2010/09/15 11:53:52.0484 smwdm (bf208c85119770e6a9b6577019a3d810) C:\WINDOWS\system32\drivers\smwdm.sys

2010/09/15 11:53:52.0640 snapman (ffd9b64db2cd7b74b766c3a8452a5816) C:\WINDOWS\system32\DRIVERS\snapman.sys

2010/09/15 11:53:52.0765 SoftFax (d9e8e0ce154a2f6430d9efabdf730867) C:\WINDOWS\system32\DRIVERS\HSF_FAXX.sys

2010/09/15 11:53:52.0953 SPBBCDrv (677b10906838d3bfb1c07ac9087e4bf7) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys

2010/09/15 11:53:53.0062 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/09/15 11:53:53.0140 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\System32\DRIVERS\sr.sys

2010/09/15 11:53:53.0250 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/09/15 11:53:53.0375 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2010/09/15 11:53:53.0453 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/09/15 11:53:53.0562 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/09/15 11:53:53.0812 SymEvent (de6d1102d55926354171ae4e73936725) C:\Program Files\Symantec\SYMEVENT.SYS

2010/09/15 11:53:53.0921 SYMREDRV (6c0a85982f4e0d672b85a2bfb50a24b5) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS

2010/09/15 11:53:54.0015 SYMTDI (cdda3ba3f7d5b63ff9f85cb478c11473) C:\WINDOWS\System32\Drivers\SYMTDI.SYS

2010/09/15 11:53:54.0218 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/09/15 11:53:54.0359 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/09/15 11:53:54.0468 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/09/15 11:53:54.0625 tdrpman251 (3630f5b8181554deecfe2e4252bc4c4c) C:\WINDOWS\system32\DRIVERS\tdrpm251.sys

2010/09/15 11:53:54.0750 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/09/15 11:53:54.0828 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/09/15 11:53:54.0921 tifsfilter (18f20c81f84599bf457ed640891aad99) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys

2010/09/15 11:53:55.0015 timounter (c820bfc70feb25ec877c49e81cd477c1) C:\WINDOWS\system32\DRIVERS\timntr.sys

2010/09/15 11:53:55.0156 Tones (8021a499db46b2961c285168671cb9af) C:\WINDOWS\system32\DRIVERS\HSF_TONE.sys

2010/09/15 11:53:55.0328 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/09/15 11:53:55.0484 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/09/15 11:53:55.0640 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2010/09/15 11:53:55.0765 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/09/15 11:53:55.0843 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/09/15 11:53:55.0906 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/09/15 11:53:56.0015 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/09/15 11:53:56.0093 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/09/15 11:53:56.0171 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/09/15 11:53:56.0250 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/09/15 11:53:56.0359 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys

2010/09/15 11:53:56.0484 V124 (269c0ade94b90029b12497747be408cb) C:\WINDOWS\system32\DRIVERS\HSF_V124.sys

2010/09/15 11:53:56.0562 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/09/15 11:53:56.0750 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/09/15 11:53:56.0875 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/09/15 11:53:57.0031 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/09/15 11:53:57.0171 winachsf (be3a842c2f2e87e7c840d36bcf13e8e0) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2010/09/15 11:53:57.0437 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2010/09/15 11:53:57.0562 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/09/15 11:53:57.0671 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/09/15 11:53:57.0859 ================================================================================

2010/09/15 11:53:57.0859 Scan finished

2010/09/15 11:53:57.0859 ================================================================================

2010/09/15 11:53:57.0890 Detected object count: 1

2010/09/15 11:54:11.0937 agp440 (64a9c5668e7862b85bb30a1ae46b70cb) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/09/15 11:54:11.0937 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\agp440.sys. Real md5: 64a9c5668e7862b85bb30a1ae46b70cb, Fake md5: 08fd04aa961bdc77fb983f328334e3d7

2010/09/15 11:54:13.0640 Backup copy found, using it..

2010/09/15 11:54:13.0687 C:\WINDOWS\system32\DRIVERS\agp440.sys - will be cured after reboot

2010/09/15 11:54:13.0687 Rootkit.Win32.TDSS.tdl3(agp440) - User select action: Cure

2010/09/15 11:57:48.0531 Deinitialize success

All processes killed

========== PROCESSES ==========

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.

========== FILES ==========

C:\WINDOWS\ubocudirota.dll moved successfully.

C:\WINDOWS\Gvezalosupukaleg.bin moved successfully.

C:\WINDOWS\avovimupagidi.dll moved successfully.

C:\WINDOWS\xobglu16.dll moved successfully.

C:\WINDOWS\xobglu32.dll moved successfully.

C:\RECYCLER\S-1-5-21-1993962763-1801674531-725345543-500 folder moved successfully.

C:\RECYCLER\S-1-5-21-1993962763-1801674531-725345543-1003 folder moved successfully.

C:\RECYCLER folder moved successfully.

recycler not found in D:\

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 2101199 bytes

->Temporary Internet Files folder emptied: 6974473 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 1968838 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33237 bytes

User: Z

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 300 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 21143751 bytes

%systemroot%\System32 .tmp files removed: 7697 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 16867 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33726 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 31.00 mb

Unable to start service SrService!

[EMPTYFLASH]

User: Administrator

->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: Z

->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.12.0 log created on 09152010_125205

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

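The two logs in the post above are worth reading as a pair. TDSSKiller's line for agp440.sys is not a signature hit; it reports that the driver hashes differently depending on how it is read: the bytes the tool pulled from disk directly (Real md5) are not the bytes the file system hands back (Fake md5). That mismatch is the TDL3 trick, which hooks the storage driver stack so that ordinary file reads of the driver it patched return the original content, and the rest of the log (`detected Rootkit.Win32.TDSS.tdl3`, `will be cured after reboot`) follows from it. The OTL fix log then records the user-mode side: a BHO and a toolbar CLSID removed, random-named DLLs moved out of C:\WINDOWS, the RECYCLER folders quarantined, and one service (SrService, System Restore) that OTL could not restart. The script below is an added example, not code from the forum post or from either tool: it parses both log formats from sample lines constructed out of the excerpts above, cross-checks the tools' own claims (the hash pair really differs, the inventory hash for the driver equals the on-disk hash, the declared detection count matches the detections listed, every forged file has a cure scheduled) and extracts the indicators a responder would keep. The function names `summarize`, `review` and `iocs`, and the line formats the regexes assume, are mine and derived only from the lines shown on this page.

```python
"""Parse TDSSKiller and OTL fix-log excerpts into one incident summary (added example,
not part of the forum post or of either tool's own code; the sample lines below are
constructed from the excerpts quoted in the thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the TDSSKiller lines (raw string keeps the backslashes).
TDSS_LOG = r"""
2010/09/15 11:53:36.0515 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/09/15 11:53:36.0625 agp440 (64a9c5668e7862b85bb30a1ae46b70cb) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/09/15 11:53:36.0625 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\agp440.sys. Real md5: 64a9c5668e7862b85bb30a1ae46b70cb, Fake md5: 08fd04aa961bdc77fb983f328334e3d7
2010/09/15 11:53:36.0640 agp440 - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/09/15 11:53:37.0515 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/09/15 11:53:57.0890 Detected object count: 1
2010/09/15 11:54:13.0687 C:\WINDOWS\system32\DRIVERS\agp440.sys - will be cured after reboot
"""

# Constructed sample in the shape of the OTL fix-log lines.
OTL_LOG = r"""
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ not found.
C:\WINDOWS\ubocudirota.dll moved successfully.
C:\RECYCLER\S-1-5-21-1993962763-1801674531-725345543-500 folder moved successfully.
Unable to start service SrService!
"""

TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "  # TDSSKiller timestamp prefix
RE_DRIVER = re.compile(TS + r"(\S+) \(([0-9a-f]{32})\) (.+)$")
RE_FORGED = re.compile(TS + r"Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$")
RE_DETECT = re.compile(TS + r"(\S+) - detected (\S+)")
RE_COUNT = re.compile(TS + r"Detected object count: (\d+)$")
RE_CURE = re.compile(TS + r"(.+?) - will be cured after reboot$")
RE_REGKEY = re.compile(r"^Registry (?:key|value) (.+?) (deleted successfully|not found)\.$")
RE_MOVED = re.compile(r"^(.+?)(?: folder)? moved successfully\.$")
RE_SVC = re.compile(r"^Unable to start service (\S+)!$")
RE_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Summary:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (md5, path)
    forged: List[Tuple[str, str, str]] = field(default_factory=list)   # (path, real md5, fake md5)
    detections: List[Tuple[str, str]] = field(default_factory=list)    # (driver name, verdict)
    declared_count: Optional[int] = None                               # "Detected object count"
    cured: List[str] = field(default_factory=list)                     # paths with a cure scheduled
    registry: List[Tuple[str, str]] = field(default_factory=list)      # (key or value, outcome)
    moved: List[str] = field(default_factory=list)                     # files/folders OTL quarantined
    failed_services: List[str] = field(default_factory=list)           # services OTL could not start


def parse_tdss(text: str, s: Summary) -> Summary:
    """Fill the TDSSKiller part: driver inventory, forged files, verdicts, scheduled cures."""
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := RE_FORGED.match(line):
            s.forged.append((m[1], m[2], m[3]))
        elif m := RE_DETECT.match(line):
            s.detections.append((m[1], m[2]))
        elif m := RE_COUNT.match(line):
            s.declared_count = int(m[1])
        elif m := RE_CURE.match(line):
            s.cured.append(m[1])
        elif m := RE_DRIVER.match(line):
            s.drivers[m[1]] = (m[2], m[3])
    return s


def parse_otl(text: str, s: Summary) -> Summary:
    """Fill the OTL part: registry entries removed, files moved, services that failed to start."""
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := RE_REGKEY.match(line):
            s.registry.append((m[1], m[2]))
        elif m := RE_MOVED.match(line):
            s.moved.append(m[1])
        elif m := RE_SVC.match(line):
            s.failed_services.append(m[1])
    return s


def summarize(tdss_text: str, otl_text: str) -> Summary:
    return parse_otl(otl_text, parse_tdss(tdss_text, Summary()))


def review(s: Summary) -> List[str]:
    """Cross-check the tool's own claims against each other; empty means the log is self-consistent."""
    issues: List[str] = []
    by_path = {path.lower(): md5 for md5, path in s.drivers.values()}
    for path, real, fake in s.forged:
        if real == fake:
            issues.append(f"{path}: flagged forged but both hashes agree")
        listed = by_path.get(path.lower())
        if listed and listed != real:
            issues.append(f"{path}: inventory hash {listed} differs from real md5 {real}")
        if path not in s.cured:
            issues.append(f"{path}: forged but no cure scheduled")
    if s.declared_count is not None and s.declared_count != len(s.detections):
        issues.append(f"declared {s.declared_count} objects, log shows {len(s.detections)} detections")
    return issues


def iocs(s: Summary) -> Dict[str, List[str]]:
    """Indicators worth keeping: CLSIDs, on-disk hashes of forged drivers, quarantined paths."""
    clsids = {c.upper() for key, _ in s.registry for c in RE_CLSID.findall(key)}
    return {
        "clsids": sorted(clsids),
        "md5": sorted({real for _, real, _ in s.forged}),
        "files": sorted({path for path, _, _ in s.forged} | set(s.moved)),
    }
```

Call `summarize(TDSS_LOG, OTL_LOG)` and then `review()` and `iocs()` on the result. On the sample, `review()` comes back empty: the hash listed for agp440 in the inventory equals the Real md5 of the forged line, the declared count matches the one verdict, and the cure is scheduled. `failed_services` still carries SrService, which is the System Restore service, so that is the item to confirm by hand after the reboot. The on-disk hash in the `md5` list is the useful indicator; the Fake md5 is whatever the rootkit chose to present and only matters as evidence of the mismatch.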

Hi Maurice,

Still waiting on results from VirusTotal. (By the way, the link provided does not work; I had to navigate to HTTP://www.virustotal.com/.)

I had to use the e-mail version. The web upload was too busy.

Sent file "C:\WINDOWS\ubocudirota.dll", waiting on reply.

Files "C:\WINDOWS\Gvezalosupukaleg.bin" and "C:\WINDOWS\avovimupagidi.dll" were empty (0 bytes) and would not upload.

Continued on as directed.


2010/09/15 11:53:57.0890 Detected object count: 1

2010/09/15 11:54:11.0937 agp440 (64a9c5668e7862b85bb30a1ae46b70cb) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/09/15 11:54:11.0937 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\agp440.sys. Real md5: 64a9c5668e7862b85bb30a1ae46b70cb, Fake md5: 08fd04aa961bdc77fb983f328334e3d7

2010/09/15 11:54:13.0640 Backup copy found, using it..

2010/09/15 11:54:13.0687 C:\WINDOWS\system32\DRIVERS\agp440.sys - will be cured after reboot

2010/09/15 11:54:13.0687 Rootkit.Win32.TDSS.tdl3(agp440) - User select action: Cure

2010/09/15 11:57:48.0531 Deinitialize success

All processes killed

========== PROCESSES ==========

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.

========== FILES ==========

C:\WINDOWS\ubocudirota.dll moved successfully.

C:\WINDOWS\Gvezalosupukaleg.bin moved successfully.

C:\WINDOWS\avovimupagidi.dll moved successfully.

C:\WINDOWS\xobglu16.dll moved successfully.

C:\WINDOWS\xobglu32.dll moved successfully.

C:\RECYCLER\S-1-5-21-1993962763-1801674531-725345543-500 folder moved successfully.

C:\RECYCLER\S-1-5-21-1993962763-1801674531-725345543-1003 folder moved successfully.

C:\RECYCLER folder moved successfully.

recycler not found in D:\

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 2101199 bytes

->Temporary Internet Files folder emptied: 6974473 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 1968838 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33237 bytes

User: Z

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 300 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 21143751 bytes

%systemroot%\System32 .tmp files removed: 7697 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 16867 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33726 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 31.00 mb

Unable to start service SrService!

[EMPTYFLASH]

User: Administrator

->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: Z

->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.12.0 log created on 09152010_125205

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

ComboFix 10-09-14.05 - Administrator 09/15/2010 13:03:24.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.487 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((( Files Created from 2010-08-15 to 2010-09-15 )))))))))))))))))))))))))))))))

.

2010-09-15 15:49 . 2010-09-15 15:49 -------- d-----w- c:\program files\ERUNT

2010-09-14 15:26 . 2010-09-14 17:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-14 15:12 . 2010-09-14 15:12 166 ---ha-w- C:\aaw7boot.cmd

2010-09-14 00:17 . 2010-09-14 00:17 31184 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-09-13 21:38 . 2010-09-13 21:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sunbelt Software

2010-09-13 17:05 . 2010-09-13 17:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-09-13 17:04 . 2010-09-13 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-09-13 15:36 . 2010-09-13 15:36 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-09-03 19:52 . 2010-09-03 19:52 -------- d--h--r- c:\documents and settings\Administrator\Application Data\SecuROM

2010-08-17 20:20 . 2010-08-20 14:33 -------- d-----w- c:\program files\Robot Arena

2010-08-17 17:42 . 2010-08-17 17:42 -------- d-----w- c:\program files\Hasbro Interactive

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-15 16:57 . 2008-04-14 12:15 -------- d-----w- c:\program files\Symantec AntiVirus

2010-09-15 15:58 . 2004-08-04 06:07 42368 ----a-w- c:\windows\system32\drivers\agp440.sys

2010-09-14 15:22 . 2009-03-22 16:35 -------- d-----w- c:\program files\CCleaner

2010-09-14 15:16 . 2009-03-21 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-09-14 12:52 . 2009-11-22 16:00 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-09-14 12:52 . 2009-03-21 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-09-14 00:13 . 2009-12-22 21:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Pyive

2010-09-13 21:41 . 2009-11-22 16:50 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-09-12 19:08 . 2010-06-24 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-09-08 16:35 . 2009-07-11 17:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ysic

2010-09-06 21:44 . 2010-09-12 14:33 170874 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat

2010-08-29 14:06 . 2010-01-24 18:11 347 ----a-w- c:\windows\EReg213.dat

2010-08-17 20:20 . 2004-11-08 07:05 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-08-17 17:33 . 2010-07-11 17:47 -------- d-----w- c:\program files\JumpStart

2010-08-03 12:15 . 2009-04-26 18:40 -------- d-----w- c:\program files\Steam

2010-07-28 12:29 . 2010-01-24 18:06 -------- d-----w- c:\program files\LEGO Media

2010-07-28 12:29 . 2010-07-28 12:29 2272 ------w- c:\windows\system32\w95inf16.dll

2010-07-28 12:29 . 2010-07-28 12:29 4608 ------w- c:\windows\system32\w95inf32.dll

2010-07-27 20:41 . 2010-07-27 20:41 -------- d-----w- c:\program files\Atari

2010-07-27 17:18 . 2010-07-17 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Knowledge Adventure

2010-07-19 11:16 . 2010-07-19 11:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\WeatherBug

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-09-12 5048488]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-09-12 357384]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0auto_reactivate \\?\Volume{cf81467d-42f6-11de-a490-806d6172696f}\bootwiz\asrm.bin

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy Dock]

2010-02-25 13:02 581632 ----a-w- c:\documents and settings\Administrator\My Documents\RCA easyRip\EZDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Steam\\SteamApps\\abwarren\\raceds\\RaceDedicatedServer_Steam.exe"=

"c:\\Program Files\\Steam\\SteamApps\\abwarren\\race\\SteamProxy.exe"=

"c:\\Program Files\\Steam\\SteamApps\\abwarren\\race\\RaceConfig_Steam.exe"=

"c:\\Program Files\\Steam\\SteamApps\\abwarren\\race\\Race_Steam.exe"=

R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [1/19/2010 1:29 AM 902432]

R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [1/19/2010 1:29 AM 2326920]

R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [1/19/2010 1:29 AM 159168]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/1/2010 11:31 AM 102448]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/24/2010 10:20 AM 135664]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]

S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [5/13/2004 6:31 PM 83552]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 9:33 PM 116464]

.

Contents of the 'Scheduled Tasks' folder

2010-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 14:20]

2010-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 14:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.nickjr.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

.

- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-15 13:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3192)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-09-15 13:10:18

ComboFix-quarantined-files.txt 2010-09-15 17:10

Pre-Run: 10,108,063,744 bytes free

Post-Run: 10,066,481,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 624BBB0348498D6719B465B18BE30C13


Let's have you do 1 scan with MBAM, followed by a scan with Sysclean from Trend Micro

Step 1

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner sub-tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 2

Next a virus scan with Sysclean by TrendMicro:

1. Create a new folder on drive "C:\" and name it Sysclean - (C:\Sysclean).

2. Download >> Sysclean Package & save it to that folder.

It's a ZIP file.

Extract all the contents of the zip file to that folder.

3. Then download the latest >> Virus Pattern Files - (Pattern files are usually named "lptxxx.zip", where xxx is the pattern file number)

4. Extract (unzip) the lptxxx.zip pattern file into the Sysclean folder where you put sysclean.com.

(Click here for information on how to extract a file if you are not sure how to do this.) DO NOT scan yet.

Reboot your computer in SAFE MODE using the "F8" method.

To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.

A menu will appear with several options.

Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Sysclean as follows:

1. Open the Sysclean folder and double-click on "sysclean.com" to start the scanning process.

2. Put a check mark on the "Automatically clean or delete infected files" option by clicking in the checkbox.

3. Click the Advanced button.

4. The scan options appear. Select the Scan all local fixed drives.

5. Click the Scan button on the TrendMicro™ System Cleaner console.

6. It will take some time to complete. Be patient and let it clean whatever it finds.

7. Another MS-DOS window appears containing the log file generated in the System Cleaner folder.

8. To view the log, click the View button on the TrendMicro System Cleaner console. The TrendMicro Sysclean Package - Log window appears.

The Files Detected section shows the viruses that were detected by System Cleaner.

The Files Clean section shows the viruses that were cleaned.

The Clean Fail section shows the viruses that were not cleaned.

9. Exit when done, reboot normally and re-enable your anti-virus program.

Instructions with screenshots are here if you need them.

This tool generates a log file (sysclean.log) in the same folder where the scan is completed.

When using Sysclean it's best to use the Administrator's account or an account with Administrative rights; otherwise you will not have the rights to scan some locations.

The scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.

Step 3

Make sure the system is back in Normal mode.

Reply with copy of the Latest MBAM scan log and the Sysclean log.


Scanned MBAM, only found "winlogon.exe" on the desktop, which is actually Sysinternals "Procexp.exe", re-named.

Sysclean is scanning now. (I'm replying from one of my other machines)

Will post logs when complete.

Here is the server reply from VirusTotal for ubocudirota.dll.

Complete scanning result of "ubocudirota.dll", processed in VirusTotal at 09/15/2010 22:32:59 (CET).

[ file data ]

* name..: ubocudirota.dll

* size..: 203264

* md5...: 4e0a2e8dbc771e512f3593e8b84b126c

* sha1..: 84d9db3360c72d249aa1d7fce62614bddc2417bd

* peid..: -

[ scan result ]

AhnLab-V3 2010.09.16.00/20100915 found nothing

AntiVir 8.2.4.52/20100915 found nothing

Antiy-AVL 2.0.3.7/20100915 found nothing

Authentium 5.2.0.5/20100915 found nothing

Avast 4.8.1351.0/20100915 found [Win32:MalOb-CB]

Avast5 5.0.594.0/20100915 found [Win32:MalOb-CB]

AVG 9.0.0.851/20100915 found nothing

BitDefender 7.2/20100915 found [Gen:Variant.Kazy.190]

CAT-QuickHeal 11.00/20100915 found nothing

ClamAV 0.96.2.0-git/20100915 found nothing

Comodo 6089/20100915 found nothing

DrWeb 5.0.2.03300/20100915 found nothing

Emsisoft 5.0.0.37/20100915 found [Trojan.Hiloti!IK]

eSafe 7.0.17.0/20100915 found nothing

eTrust-Vet 36.1.7856/20100915 found nothing

F-Prot 4.6.1.107/20100915 found nothing

F-Secure 9.0.15370.0/20100915 found [Gen:Variant.Kazy.190]

Fortinet 4.1.143.0/20100915 found nothing

GData 21/20100915 found [Gen:Variant.Kazy.190]

Ikarus T3.1.1.88.0/20100915 found [Trojan.Hiloti]

Jiangmin 13.0.900/20100915 found nothing

K7AntiVirus 9.63.2522/20100915 found nothing

Kaspersky 7.0.0.125/20100915 found nothing

McAfee 5.400.0.1158/20100915 found [Hiloti.gen.g]

McAfee-GW-Edition 2010.1C/20100915 found [Hiloti.gen.g]

Microsoft 1.6103/20100915 found [Trojan:Win32/Hiloti.gen!D]

NOD32 5453/20100915 found nothing

Norman 6.06.06/20100915 found nothing

nProtect 2010-09-15.01/20100915 found [Gen:Variant.Kazy.190]

Panda 10.0.2.7/20100915 found [suspicious file]

PCTools 7.0.3.5/20100915 found [Trojan.Zefarch]

Prevx 3.0/20100915 found nothing

Rising 22.65.02.04/20100915 found nothing

Sophos 4.57.0/20100915 found [Mal/Hiloti-C]

Sunbelt 6880/20100915 found nothing

SUPERAntiSpyware 4.40.0.1006/20100915 found nothing

Symantec 20101.1.1.7/20100915 found [Trojan.Zefarch!gen]

TheHacker 6.7.0.0.018/20100915 found nothing

TrendMicro 9.120.0.1004/20100915 found nothing

TrendMicro-HouseCall 9.120.0.1004/20100915 found nothing

VBA32 3.12.14.0/20100915 found nothing

ViRobot 2010.8.25.4006/20100915 found nothing

VirusBuster 12.65.8.0/20100915 found nothing


Here's what the Microsoft security site says about the trojan:

Trojan:Win32/Hiloti.gen!D is a generic detection for a trojan that interferes with an affected user's browsing habits and downloads and executes arbitrary files.

Please read and digest the information.

The link is this http://www.microsoft.com/security/portal/t...iloti.gen!D

You are strongly advised to do the following immediately.

1. Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer.

* Take any other steps you think appropriate for an attempted identity theft.

This system had / has serious trojans.

This is a point where you need to make a choice.

If we continue hunting and trying to remove what is left, there is no guarantee that all malware will be found & removed.

If you decide to go forward with cleaning, I'll work with you but just be aware there will be lots more to do and no guarantees.

On the other hand, you may opt to backup your personal files to offline media, and then wipe the hard drive and install Windows fresh as a new install.

The process of new install will mean that all personal files will be lost, unless first saved.

Let me know what you decide. Just understand the safest for the long term is to do a wipe & install new.

Note I have added some emphasis in red in the Virustotal report. 13 of the antivirus/antimalware vendors got it right as malware.

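As an added triage example (not code from this thread, from VirusTotal or from Malwarebytes), here is a parser for the plain-text VirusTotal report format quoted above that tallies which vendors flagged ubocudirota.dll and which family name they agree on; the embedded sample is a constructed excerpt of that report, not the full 43-vendor listing.

```python
import re
from collections import Counter

# Constructed excerpt in the plain-text report format quoted in the thread: a
# handful of the vendor lines from the page, not the full 43-vendor listing.
SAMPLE_REPORT = """\
Complete scanning result of "ubocudirota.dll", processed in VirusTotal at 09/15/2010 22:32:59 (CET).

[ file data ]
* name..: ubocudirota.dll
* size..: 203264
* md5...: 4e0a2e8dbc771e512f3593e8b84b126c

[ scan result ]
AhnLab-V3 2010.09.16.00/20100915 found nothing
Avast 4.8.1351.0/20100915 found [Win32:MalOb-CB]
BitDefender 7.2/20100915 found [Gen:Variant.Kazy.190]
Emsisoft 5.0.0.37/20100915 found [Trojan.Hiloti!IK]
McAfee 5.400.0.1158/20100915 found [Hiloti.gen.g]
Microsoft 1.6103/20100915 found [Trojan:Win32/Hiloti.gen!D]
Panda 10.0.2.7/20100915 found [suspicious file]
Sophos 4.57.0/20100915 found [Mal/Hiloti-C]
Symantec 20101.1.1.7/20100915 found [Trojan.Zefarch!gen]
TrendMicro 9.120.0.1004/20100915 found nothing
"""

# "* md5...: 4e0a..." -> key "md5", value "4e0a..."
FILE_LINE = re.compile(r"^\*\s*(?P<key>\w+)\.*:\s*(?P<value>.*)$")
# "Vendor version/YYYYMMDD found nothing" or "Vendor version/YYYYMMDD found [label]"
SCAN_LINE = re.compile(
    r"^(?P<vendor>\S+)\s+(?P<version>\S+)/(?P<sigdate>\d{8})\s+found\s+"
    r"(?:nothing|\[(?P<label>[^\]]+)\])\s*$"
)
# Label tokens that name a threat class, not a family.
GENERIC_TOKENS = {"trojan", "win32", "gen", "variant", "mal", "generic",
                  "suspicious", "file", "heur", "malware", "agent"}


def parse_report(text):
    """Split the report into file metadata and one record per vendor line."""
    file_info, results, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.strip("[] ").lower()  # "file data" / "scan result"
            continue
        if section == "file data" and (m := FILE_LINE.match(line)):
            file_info[m.group("key")] = m.group("value")
        elif section == "scan result" and (m := SCAN_LINE.match(line)):
            results.append({"vendor": m.group("vendor"),
                            "version": m.group("version"),
                            "sigdate": m.group("sigdate"),
                            "label": m.group("label")})  # None = found nothing
    return {"file": file_info, "results": results}


def family_of(label):
    """'Trojan:Win32/Hiloti.gen!D' -> 'Hiloti'; pure heuristics such as
    'suspicious file' carry no family name and map to 'heuristic'."""
    for tok in re.split(r"[^A-Za-z0-9]+", label):
        if len(tok) > 1 and not tok.isdigit() and tok.lower() not in GENERIC_TOKENS:
            return tok
    return "heuristic"


def summarize(report):
    """Detection ratio, per-family vote count and the consensus family."""
    hits = [r for r in report["results"] if r["label"]]
    families = Counter(family_of(r["label"]) for r in hits)
    named = [f for f, _ in families.most_common() if f != "heuristic"]
    return {"total": len(report["results"]), "detected": len(hits),
            "ratio": f"{len(hits)}/{len(report['results'])}",
            "families": dict(families),
            "consensus": named[0] if named else None,
            "flagged_by": [r["vendor"] for r in hits]}


if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))  # 8/10, consensus Hiloti
```

Run against the full report from the thread, the family tally shows why one name (Hiloti) is a safer search term than any single vendor's label.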

Maurice,

Thanks for the sound advice. I was thinking along the same lines already.

I have some appended Acronis images from various dates for this machine, so restoration will be fairly straightforward. Most likely, I'll go back to the original image as it is getting kinda cluttered in here.

This machine is exclusively used by my 2 boys, age 5 and age 8. As such, we do not and never have used it for anything else.

They use it for games, web browsing, music, etc. I knew this would happen sooner or later, and it is a valuable learning experience for them.

I want them to be proficient in computers, and I want them to learn how they could be attacked and how to prevent it from happening, so I'm not too bummed.

I doubt any personal information has been compromised as we do our banking and such on another machine, I have a laptop for work use, and we have an HTPC for multimedia.

On a side note, I can execute MBAM without renaming it now! So I'm sure we were headed in the right direction, but at some point I realize I'll have to cut my losses, which are minimal in this case.

That point is now.

Thanks again, I appreciate your help and expertise.

-Z


Good decision. You are welcome. Here's what I typically suggest to stay safer, which in your case would be after you've restored from image.

We are finished here. Best regards.
