Can't Remove HDDTools Virus


Hi and welcome, feverdog71,

Can you please copy/paste the MBAM log that shows the threats that were removed.

Also, I need you to try to run the scans in this topic:

http://forums.malwarebytes.org/index.php?showtopic=9573

Then copy/paste all requested logs (do NOT attach them) into your next reply.

Download OTL and save it on your desktop:

http://oldtimer.geekstogo.com/OTL.exe

  • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right-click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at top left and let the program run uninterrupted. The scan may take 5-10 minutes.
  • Do NOT touch your keyboard until the scan is done!!
  • It will produce two (2) logs on your desktop: one will pop up, called OTL.txt; the other will be named Extras.txt.
  • Copy/paste OTL.txt and attach Extras.txt into your next reply.
  • Exit OTL by clicking the X at top right.


Thanks for the quick reply. A couple of things to note: Defogger never asked to reboot; it kept going back to the disable/re-enable dialog box. Secondly, GMER bombed out during the scan and went to the blue screen. I didn't try to run it again.

MBAM LOG

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/21/2010 10:41:55 PM

mbam-log-2010-12-21 (22-41-55).txt

Scan type: Full scan (C:\|)

Objects scanned: 196916

Time elapsed: 57 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\documents and settings\all users\application data\ygguuiaahy.dll (Trojan.FakeAlert.Gen) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\all users\application data\ygguuiaahy.dll (Trojan.FakeAlert.Gen) -> Delete on reboot.

DEFOGGER LOG

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 08:13 on 22/12/2010 (Owner)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

DDS (Ver_10-12-12.02) - NTFSx86

Run by Owner at 8:15:43.90 on Wed 12/22/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.137 [GMT -6:00]

AV: CA Anti-Virus *Enabled/Updated* {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe

C:\Program Files\CA\CA Internet Security Suite\casc.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe

C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

DDS (Ver_10-12-12.02)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 10/3/2008 09:53:13 PM

System Uptime: 12/22/2010 07:41:20 AM (1 hours ago)

Motherboard: Dell Computer Corp. | | 0N6381

Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 72 GiB total, 35.476 GiB free.

D: is CDROM ()

E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {00000000-0000-0000-0000-000000000000}

Description: Ethernet Controller

Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_019D1028&REV_02\4&1C660DD6&0&40F0

Manufacturer:

Name: Ethernet Controller

PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_019D1028&REV_02\4&1C660DD6&0&40F0

Service:

==== System Restore Points ===================

RP68: 9/23/2010 05:22:02 PM - System Checkpoint

RP69: 9/24/2010 10:27:54 PM - System Checkpoint

RP70: 9/26/2010 09:37:12 AM - System Checkpoint

RP71: 9/27/2010 05:03:54 PM - System Checkpoint

RP72: 9/28/2010 05:08:07 PM - System Checkpoint

RP73: 9/28/2010 08:30:15 PM - Software Distribution Service 3.0

RP74: 9/30/2010 05:06:12 PM - System Checkpoint

RP75: 10/2/2010 08:23:53 AM - System Checkpoint

RP76: 10/3/2010 08:52:01 AM - System Checkpoint

RP77: 10/4/2010 05:10:38 PM - System Checkpoint

RP78: 10/5/2010 09:00:07 PM - System Checkpoint

RP79: 10/5/2010 10:16:21 PM - Software Distribution Service 3.0

RP80: 10/7/2010 05:04:07 PM - System Checkpoint

RP81: 10/8/2010 05:14:17 PM - System Checkpoint

RP82: 10/9/2010 06:40:56 PM - System Checkpoint

RP83: 10/11/2010 04:59:13 PM - System Checkpoint

RP84: 10/12/2010 05:26:51 PM - System Checkpoint

RP85: 10/14/2010 08:05:05 PM - System Checkpoint

RP86: 10/15/2010 03:00:46 AM - Software Distribution Service 3.0

RP87: 10/16/2010 08:42:30 AM - System Checkpoint

RP88: 10/17/2010 11:38:17 AM - System Checkpoint

RP89: 10/18/2010 12:21:24 PM - System Checkpoint

RP90: 10/19/2010 07:15:29 PM - System Checkpoint

RP91: 10/20/2010 07:18:48 PM - System Checkpoint

RP92: 10/22/2010 05:02:44 PM - System Checkpoint

RP93: 10/23/2010 07:40:42 PM - System Checkpoint

RP94: 10/26/2010 05:25:18 PM - System Checkpoint

RP95: 10/28/2010 05:31:47 PM - System Checkpoint

RP96: 10/29/2010 07:43:08 PM - System Checkpoint

RP97: 10/31/2010 09:26:43 AM - System Checkpoint

RP98: 11/1/2010 07:08:46 PM - System Checkpoint

RP99: 11/2/2010 07:23:59 PM - System Checkpoint

RP100: 11/5/2010 06:54:27 PM - System Checkpoint

RP101: 11/7/2010 07:49:06 AM - System Checkpoint

RP102: 11/9/2010 05:10:03 PM - System Checkpoint

RP103: 11/10/2010 05:16:08 PM - System Checkpoint

RP104: 11/10/2010 08:28:27 PM - Software Distribution Service 3.0

RP105: 11/11/2010 08:35:39 PM - System Checkpoint

RP106: 11/13/2010 07:24:55 AM - System Checkpoint

RP107: 11/14/2010 07:42:26 AM - System Checkpoint

RP108: 11/15/2010 07:05:38 PM - System Checkpoint

RP109: 11/16/2010 08:38:10 PM - System Checkpoint

RP110: 11/17/2010 09:08:34 PM - System Checkpoint

RP111: 11/19/2010 08:34:31 PM - System Checkpoint

RP112: 11/21/2010 08:59:58 AM - System Checkpoint

RP113: 11/22/2010 01:01:07 PM - System Checkpoint

RP114: 11/23/2010 04:57:35 PM - System Checkpoint

RP115: 11/24/2010 06:13:15 PM - System Checkpoint

RP116: 11/26/2010 08:32:28 AM - System Checkpoint

RP117: 11/27/2010 09:02:57 AM - System Checkpoint

RP118: 11/28/2010 09:30:52 AM - System Checkpoint

RP119: 12/2/2010 08:47:26 PM - System Checkpoint

RP120: 12/4/2010 08:38:51 AM - System Checkpoint

RP121: 12/5/2010 01:34:14 PM - System Checkpoint

RP122: 12/6/2010 09:04:27 PM - System Checkpoint

RP123: 12/9/2010 05:05:45 PM - System Checkpoint

RP124: 12/10/2010 08:25:31 PM - System Checkpoint

RP125: 12/12/2010 07:45:50 AM - System Checkpoint

RP126: 12/13/2010 05:17:38 PM - System Checkpoint

RP127: 12/14/2010 08:08:19 PM - Software Distribution Service 3.0

RP128: 12/15/2010 08:27:21 PM - System Checkpoint

RP129: 12/16/2010 08:33:22 PM - System Checkpoint

RP130: 12/18/2010 08:56:57 AM - System Checkpoint

RP131: 12/18/2010 11:33:44 AM - Software Distribution Service 3.0

RP132: 12/21/2010 10:57:20 AM - System Checkpoint

==== Installed Programs ======================

Acrobat.com

Ad-Aware

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.3.3

AiO_Scan_CDA

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ArcSoft Software Suite

Bonjour

BroadJump Client Foundation

CA Anti-Spam

CA Anti-Spyware

CA Anti-Virus

CA Internet Security Suite

CA Pest Patrol Realtime Protection

CCleaner

Conexant D850 56K V.9x DFVc Modem

D-Link PCI Fast Ethernet Adapter

Dell ResourceCD

Desktop Maestro 3.0

DVD Shrink 3.2

Frontline Registry Cleaner

Google Update Helper

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB942288-v3)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

HP Photosmart, Officejet and Deskjet 7.0.A

Intel® Extreme Graphics 2 Driver

iTunes

Java Auto Updater

Java 6 Update 20

Malwarebytes' Anti-Malware

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Office Professional Edition 2003

Microsoft Primary Interoperability Assemblies 2005

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Move Networks Media Player for Internet Explorer

Mozilla Firefox (3.0.19)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Napster

Napster Burn Engine

Nero - Burning Rom

Nero 7 Essentials

Nikon View 6

PowerDVD 5.3

QFolder

QuickTime

RealPlayer

RealUpgrade 1.0

RPS CRT

Scan

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953838)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956390)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB963027)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969897)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974455)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB976325)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

SoundMAX

Spybot - Search & Destroy

SpywareBlaster 4.1

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB975364)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update for Windows XP (KB976749)

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

VoiceOver Kit

WebFldrs XP

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

12/21/2010 11:45:22 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

12/21/2010 11:39:02 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

12/21/2010 11:38:02 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

12/21/2010 11:37:32 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

12/21/2010 11:37:02 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

12/20/2010 08:55:28 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde

12/20/2010 08:55:18 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

12/19/2010 07:33:11 AM, error: DCOM [10005] - DCOM got error "%1068" attempting to start the service UmxAgent with arguments "-Service" in order to run the server: {9B58BB29-3745-44A2-9E8B-B09C1DB53243}

12/19/2010 07:32:17 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service PPCtlPriv with arguments "" in order to run the server: {F974178A-A284-440A-BEFC-5B0D11BCDB68}

12/19/2010 07:32:17 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service CaCCProvSP with arguments "" in order to run the server: {AACF4A1C-BC69-4359-9518-DF3F77E462BF}

12/19/2010 07:31:18 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

12/19/2010 07:31:02 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

12/19/2010 07:30:46 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec KmxAgent KmxStart MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss Tcpip VET-FILT VET-REC VETEFILE VETMONNT

12/19/2010 07:30:46 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

12/19/2010 07:30:46 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

12/19/2010 07:30:46 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

12/19/2010 07:30:46 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

12/19/2010 07:30:46 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

12/19/2010 07:30:46 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

12/19/2010 07:30:41 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service UmxPol with arguments "-Service" in order to run the server: {4C89C3FD-5F94-4678-BBB5-F64759C3C54A}

12/16/2010 05:05:38 PM, error: Service Control Manager [7022] - The SSDP Discovery Service service hung on starting.

12/16/2010 05:05:38 PM, error: Service Control Manager [7001] - The Universal Plug and Play Device Host service depends on the SSDP Discovery Service service which failed to start because of the following error: After starting, the service hung in a start-pending state.

12/16/2010 05:05:37 PM, error: DCOM [10005] - DCOM got error "%1068" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}

12/16/2010 04:33:58 PM, error: Service Control Manager [7000] - The PPCtlPriv service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/16/2010 04:33:57 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PPCtlPriv service to connect.

12/16/2010 04:33:55 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service PPCtlPriv with arguments "" in order to run the server: {F974178A-A284-440A-BEFC-5B0D11BCDB68}

12/15/2010 04:30:36 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.

12/15/2010 04:30:36 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/15/2010 04:30:34 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

12/15/2010 04:28:17 PM, error: Service Control Manager [7000] - The CaCCProvSP service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/15/2010 04:28:16 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the CaCCProvSP service to connect.

12/15/2010 04:28:11 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service CaCCProvSP with arguments "" in order to run the server: {AACF4A1C-BC69-4359-9518-DF3F77E462BF}

12/15/2010 04:25:34 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.

12/15/2010 04:25:34 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/15/2010 04:24:12 PM, error: Service Control Manager [7000] - The Security Services Driver (x86) service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================


OTL logfile created on: 12/22/2010 09:00:20 AM - Run 1

OTL by OldTimer - Version 3.2.18.0 Folder = C:\Documents and Settings\Owner\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 193.00 Mb Available Physical Memory | 38.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 46.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 71.54 Gb Total Space | 35.40 Gb Free Space | 49.49% Space Free | Partition Type: NTFS

Computer Name: THOMAS-9F9D90E9 | User Name: Owner | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/22 08:57:47 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

PRC - [2010/12/21 09:42:55 | 000,377,856 | ---- | M] (Optimization Corporation) -- C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe

PRC - [2010/12/21 09:42:27 | 000,534,016 | ---- | M] (MOSE software) -- C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe

PRC - [2010/06/30 15:52:56 | 000,374,096 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\casc.exe

PRC - [2010/06/10 20:03:08 | 000,144,176 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

PRC - [2010/05/27 16:16:41 | 000,288,080 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe

PRC - [2010/05/27 16:16:41 | 000,271,696 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe

PRC - [2010/05/27 16:16:40 | 000,222,544 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

PRC - [2010/05/27 16:16:39 | 000,333,136 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

PRC - [2010/03/08 16:52:51 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe

PRC - [2010/03/01 20:03:24 | 001,029,456 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

PRC - [2010/03/01 20:03:24 | 000,524,632 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

PRC - [2009/11/10 16:34:47 | 000,259,312 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

PRC - [2009/11/10 16:34:47 | 000,128,240 | ---- | M] (Computer Associates International, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

PRC - [2009/09/16 18:36:46 | 000,014,064 | ---- | M] (CA) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe

PRC - [2009/07/29 12:49:14 | 000,283,888 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

PRC - [2009/06/15 10:32:26 | 000,760,664 | ---- | M] (CA) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

PRC - [2009/04/01 09:45:52 | 000,875,000 | ---- | M] (CA) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

PRC - [2009/04/01 09:45:52 | 000,207,352 | ---- | M] (CA) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

PRC - [2009/03/05 15:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/12/04 10:47:38 | 000,144,696 | ---- | M] (Computer Associates International, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe

PRC - [2006/03/03 20:03:10 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe

PRC - [2004/10/14 13:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe

========== Modules (SafeList) ==========

MOD - [2010/12/22 08:57:47 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll

MOD - [2009/09/16 18:36:46 | 000,087,280 | ---- | M] (CA) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOEHook.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)

SRV - [2010/06/10 20:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2010/05/27 16:16:41 | 000,288,080 | ---- | M] (CA, Inc.) [Auto | Running] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe -- (VETMSGNT)

SRV - [2010/05/27 16:16:40 | 000,222,544 | ---- | M] (CA, Inc.) [On_Demand | Running] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe -- (PPCtlPriv)

SRV - [2010/03/01 20:03:24 | 001,029,456 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)

SRV - [2009/11/10 16:34:47 | 000,259,312 | ---- | M] (CA, Inc.) [On_Demand | Running] -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe -- (CaCCProvSP)

SRV - [2009/11/10 16:34:47 | 000,128,240 | ---- | M] (Computer Associates International, Inc.) [Auto | Running] -- C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe -- (ccSchedulerSVC)

SRV - [2009/07/29 12:49:14 | 000,283,888 | ---- | M] (CA, Inc.) [Auto | Running] -- C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe -- (ITMRTSVC)

SRV - [2009/06/15 10:32:26 | 000,760,664 | ---- | M] (CA) [Auto | Running] -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe -- (UmxCfg)

SRV - [2009/04/01 09:45:52 | 000,875,000 | ---- | M] (CA) [Auto | Running] -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe -- (UmxAgent)

SRV - [2009/04/01 09:45:52 | 000,207,352 | ---- | M] (CA) [Auto | Running] -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe -- (UmxPol)

SRV - [2007/12/04 10:47:38 | 000,144,696 | ---- | M] (Computer Associates International, Inc.) [Auto | Running] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe -- (CAISafe)

SRV - [2006/03/03 20:03:10 | 000,069,632 | ---- | M] (HP) [unknown | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\DRIVERS\rp_skt32.sys -- (RPSKT) Security Services Driver (x86)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS -- (MRESP50a64)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS -- (MREMPR5)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS -- (MREMP50a64)

DRV - [2010/06/03 16:52:44 | 000,746,216 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vetefile.sys -- (VETEFILE)

DRV - [2010/06/03 16:52:44 | 000,130,280 | ---- | M] (Computer Associates International, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\veteboot.sys -- (VETEBOOT)

DRV - [2009/10/29 15:59:08 | 000,161,008 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vetmonnt.sys -- (VETMONNT)

DRV - [2009/10/29 15:59:08 | 000,021,488 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vetfddnt.sys -- (VETFDDNT)

DRV - [2009/10/29 15:59:08 | 000,021,104 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vet-rec.sys -- (VET-REC)

DRV - [2009/10/29 15:59:07 | 000,026,352 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vet-filt.sys -- (VET-FILT)

DRV - [2009/06/08 10:02:02 | 000,108,024 | ---- | M] (CA) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\kmxstart.sys -- (KmxStart)

DRV - [2009/04/25 19:04:36 | 000,064,160 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)

DRV - [2009/04/01 09:45:50 | 000,205,304 | ---- | M] (CA) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\KmxCfg.sys -- (KmxCfg)

DRV - [2009/04/01 09:45:50 | 000,073,720 | ---- | M] (CA) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\KmxAgent.sys -- (KmxAgent)

DRV - [2009/03/10 12:57:01 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)

DRV - [2009/03/10 12:56:52 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)

DRV - [2004/12/01 19:33:00 | 000,043,008 | R--- | M] (D-Link ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dlkfet5b.sys -- (FETNDISB)

DRV - [2004/09/17 08:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)

DRV - [2004/03/22 11:24:00 | 000,004,272 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bvrp_pci.sys -- (bvrp_pci)

DRV - [2003/11/17 14:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)

DRV - [2003/11/17 14:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)

DRV - [2003/11/17 14:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)

DRV - [2001/08/22 09:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)

DRV - [2001/04/16 13:54:26 | 000,044,227 | ---- | M] (ahead software gmbh

im stoeckmaedle 6

76307 karlsbad, germany

Fax: ++49-7248-911-888

e-mail: info@nero.com) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NeroCD2k.sys -- (NeroCd2k)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central"

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {720E9D1B-4A29-4186-8EC8-1ABF64ABAF7C}:1.9.1

FF - HKLM\software\mozilla\Firefox\Extensions\\{720E9D1B-4A29-4186-8EC8-1ABF64ABAF7C}: C:\Documents and Settings\Owner\Local Settings\Application Data\{720E9D1B-4A29-4186-8EC8-1ABF64ABAF7C} [2010/12/18 11:23:17 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/05 14:47:09 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/14 19:47:02 | 000,000,000 | ---D | M]

[2009/01/19 20:16:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions

[2010/06/26 06:16:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3vhpv9aw.default\extensions

[2010/04/07 19:10:14 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3vhpv9aw.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/12/19 09:21:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010/06/23 15:40:16 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

[2010/06/23 15:38:42 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/06/20 09:51:14 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.

O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)

O4 - HKLM..\Run: [CAPPActiveProtection] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe (CA, Inc.)

O4 - HKLM..\Run: [CAVRID] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe (CA, Inc.)

O4 - HKLM..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\casc.exe (CA, Inc.)

O4 - HKLM..\Run: [KernelFaultCheck] File not found

O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)

O4 - HKLM..\Run: [QOELOADER] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe (CA)

O4 - HKLM..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

O4 - HKCU..\Run: [bKNILMsCGe.exe] C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe (MOSE software)

O4 - HKCU..\Run: [qGy6kOdgyFFL] C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe (Optimization Corporation)

O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)

O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)

O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A...01F/wmvadvd.cab (Reg Error: Key error.)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1223159523942 (MUWebControl Class)

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 97.64.168.12 97.64.183.165

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\PFW: DllName - UmxWnp.Dll - C:\WINDOWS\System32\UmxWNP.dll (CA)

O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/10/03 20:51:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O33 - MountPoints2\{45fc2ef5-c0e1-11dd-a693-001cf0ca2f1c}\Shell - "" = AutoRun

O33 - MountPoints2\{45fc2ef5-c0e1-11dd-a693-001cf0ca2f1c}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{45fc2ef5-c0e1-11dd-a693-001cf0ca2f1c}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/22 08:57:46 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[2010/12/22 08:41:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe

[2010/12/22 07:47:33 | 000,459,264 | ---- | C] (MediaPlayer software) -- C:\Documents and Settings\All Users\Application Data\Ygguuiaahy.dll

[2010/12/21 13:02:42 | 007,622,280 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup.exe

[2010/12/21 09:42:55 | 000,377,856 | ---- | C] (Optimization Corporation) -- C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe

[2010/12/21 09:42:37 | 000,534,016 | ---- | C] (MOSE software) -- C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe

[2010/12/21 09:40:48 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Desktop\test.exe

[2010/12/20 19:07:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FrontLine Registry Cleaner

[2010/12/20 19:06:57 | 000,000,000 | ---D | C] -- C:\Program Files\Frontline Registry Cleaner

[2010/12/18 11:23:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\{720E9D1B-4A29-4186-8EC8-1ABF64ABAF7C}

[2010/12/18 11:20:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\dOhOb06511

[2010/12/14 17:17:03 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys

[2010/12/14 17:14:04 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe

[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/22 08:57:47 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[2010/12/22 08:49:10 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/12/22 08:39:46 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/12/22 08:39:32 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/12/22 08:35:24 | 000,000,216 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\dfrg

[2010/12/22 08:35:24 | 000,000,160 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\dfrgr

[2010/12/22 08:32:00 | 000,459,264 | ---- | M] (MediaPlayer software) -- C:\Documents and Settings\All Users\Application Data\Ygguuiaahy.dll

[2010/12/22 08:30:13 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1409082233-1417001333-725345543-1003.job

[2010/12/22 08:29:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/12/22 08:29:49 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys

[2010/12/22 08:26:41 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.exe

[2010/12/22 08:20:20 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Word 2003.lnk

[2010/12/22 08:15:36 | 000,624,128 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr

[2010/12/22 08:11:45 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable

[2010/12/22 08:10:43 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Defogger.exe

[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k7

[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k6

[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k5

[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k4

[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k3

[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k2

[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k1

[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k0

[2010/12/21 22:46:39 | 000,000,192 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k0

[2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k7

[2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k6

[2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k5

[2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k4

[2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k3

[2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k2

[2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k1

[2010/12/21 19:59:25 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/12/21 13:02:40 | 007,622,280 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup.exe

[2010/12/21 13:01:07 | 000,660,815 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\rkill.exe

[2010/12/21 09:44:01 | 000,000,823 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Disk Repair.lnk

[2010/12/21 09:43:30 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL

[2010/12/21 09:42:55 | 000,377,856 | ---- | M] (Optimization Corporation) -- C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe

[2010/12/21 09:42:27 | 000,534,016 | ---- | M] (MOSE software) -- C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe

[2010/12/20 21:16:27 | 000,014,006 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\cc_20101220_211617.reg

[2010/12/20 20:10:46 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2010/12/20 19:08:00 | 000,000,436 | ---- | M] () -- C:\WINDOWS\tasks\FrontLine Registry Cleaner Scheduled Scan - Owner.job

[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/12/20 18:04:05 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Emomozecahexofip.bin

[2010/12/20 17:44:43 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/12/18 11:23:31 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Dcuqutehobek.dat

[2010/12/16 17:32:26 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/12/16 17:23:05 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1409082233-1417001333-725345543-1003.job

[2010/12/15 20:38:07 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2010/12/15 16:23:47 | 000,192,976 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/12/14 20:15:46 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/12/06 19:31:17 | 000,002,758 | ---- | M] () -- C:\WINDOWS\cdplayer.ini

[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/22 08:26:39 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.exe

[2010/12/22 08:15:35 | 000,624,128 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr

[2010/12/22 08:11:45 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable

[2010/12/22 08:10:53 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Defogger.exe

[2010/12/21 13:43:26 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/12/21 13:01:05 | 000,660,815 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\rkill.exe

[2010/12/21 12:07:38 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dfrgr

[2010/12/21 12:07:35 | 000,000,216 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dfrg

[2010/12/21 09:44:01 | 000,000,823 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Disk Repair.lnk

[2010/12/21 09:43:30 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL

[2010/12/20 21:16:24 | 000,014,006 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\cc_20101220_211617.reg

[2010/12/20 19:35:44 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/12/20 19:08:00 | 000,000,436 | ---- | C] () -- C:\WINDOWS\tasks\FrontLine Registry Cleaner Scheduled Scan - Owner.job

[2010/12/20 17:44:39 | 534,827,008 | -HS- | C] () -- C:\hiberfil.sys

[2010/12/18 11:23:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Emomozecahexofip.bin

[2010/12/18 11:23:31 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Dcuqutehobek.dat

[2010/12/14 20:09:32 | 000,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK

[2010/04/04 15:45:09 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2009/08/05 19:38:01 | 000,000,021 | ---- | C] () -- C:\WINDOWS\CS_setup.ini

[2009/01/16 19:09:20 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2008/10/27 19:43:43 | 000,002,758 | ---- | C] () -- C:\WINDOWS\cdplayer.ini

[2008/10/04 19:21:43 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/10/04 16:02:46 | 000,061,440 | R--- | C] () -- C:\WINDOWS\System32\vuins32.dll

[2008/10/03 21:19:25 | 000,004,272 | R--- | C] () -- C:\WINDOWS\System32\drivers\bvrp_pci.sys

[2008/10/03 21:15:28 | 000,002,806 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log

[2008/10/03 13:43:25 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2006/01/04 02:12:04 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll

[2004/08/12 07:58:15 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll

[2004/08/12 07:58:15 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll

[2004/08/12 07:58:15 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll

[2004/08/12 07:58:15 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll

[2004/08/12 07:58:15 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll

[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

[2001/07/07 02:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2009/09/16 18:40:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA

[2008/10/22 15:21:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\cdebubch

[2010/12/18 11:31:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\dOhOb06511

[2010/12/20 19:07:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FrontLine Registry Cleaner

[2008/11/19 19:13:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster

[2010/08/19 19:45:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2010/06/13 14:53:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Update

[2010/06/05 18:25:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Visual Networks

[2010/07/04 19:04:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

[2009/01/24 19:57:51 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

[2008/11/04 20:17:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Desktop Maestro

[2009/08/05 19:42:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Nikon

[2010/12/20 20:10:46 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

[2010/12/20 19:08:00 | 000,000,436 | ---- | M] () -- C:\WINDOWS\Tasks\FrontLine Registry Cleaner Scheduled Scan - Owner.job

========== Purity Check ==========

========== Files - Unicode (All) ==========

[2009/04/24 21:00:37 | 000,000,040 | ---- | M] ()(C:\WINDOWS\System32\????????????????????4???????????????????????) -- C:\WINDOWS\System32\?????????????????????????

???????????????????

[2009/04/24 21:00:37 | 000,000,040 | ---- | C] ()(C:\WINDOWS\System32\????????????????????4???????????????????????) -- C:\WINDOWS\System32\?????????????????????????

???????????????????

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0D786AE3

< End of report >


Hi feverdog71,

The OTL log gave me a good idea of the extent to which HDDTools has infected your system so we'll try to reverse that now.

You have a lot of security programs running that are known to interfere with fixes!!

It's essential that you disable Ad-Watch and TeaTimer for the duration of the clean-up or any fixes we make will have no impact or be reversed!! They keep the good out along with the bad!!

First, disable Spybot's TeaTimer or any fixes we make in HijackThis will be reversed. This is a two-step process.

First:

- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)

- Choose Exit Spybot S&D Resident

Second:

- Open Spybot S&D

- Click Mode, check Advanced Mode

- Go To Left Panel, Click Tools, then also in left panel, click Resident

Uncheck the following: Resident "TeaTimer" (Protection of over-all system settings) Active.

Disable AD-AWARE AD-WATCH

* Start Ad-Aware

* Click the Ad-Watch tab

* Click the Settings button

* Ensure all highlighted options below are unchecked: (some settings may be used or changed only in the Pro version)

Under the General tab

o Processes Protection

o Registry Protection

o Network Protection

Under the Detection Layers tab:

o Spyware heuristics

o AntiVirus engine

* OK your way out, and close the main Ad-Aware window.

* Shut down Ad-Aware and Ad-Watch Live! by right clicking on the system tray icon, and selecting Exit Ad-Aware.

* OK the change.

We're going to rerun OTL with a script that fixes the infected load points and files on your system as follows:

  • Disable the active protection component of your antivirus by following the directions that apply here:
    http://www.bleepingcomputer.com/forums/topic114351.html
  • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to restart the OTL program.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :File
    C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe
    C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe
    C:\Documents and Settings\All Users\Application Data\Ygguuiaahy.dll
    C:\Documents and Settings\Owner\Desktop\test.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\{720E9D1B-4A29-4186-8EC8-1ABF64ABAF7C}
    C:\Documents and Settings\All Users\Application Data\dOhOb06511
    :OTL
    O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    O4 - HKCU..\Run: [bKNILMsCGe.exe] C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe (MOSE software)
    O4 - HKCU..\Run: [qGy6kOdgyFFL] C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe (Optimization Corporation)
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]


  • Now click Run Fix and let the program run uninterrupted.
  • Let the program run unhindered, and reboot the PC when it is done
  • Copy/Paste OTL Log in your next reply

Do you have any idea what these multiple "k" drivers are? They were installed at the same time your system was infected, and their quantity and creation date make them appear suspicious:

[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k7

[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k6

[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k5

[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k4

[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k3

[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k2

[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k1

[2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k0

[2010/12/21 22:46:39 | 000,000,192 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k0

[2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k7

[2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k6

[2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k5

[2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k4

[2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k3

[2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k2

[2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k1


I would say the k drivers were part of the virus. Nothing I intentionally loaded.

So far so good. Looks like it's gone. I was getting that wave sound every 30 seconds or so (sounds like a suction cup for lack of a better description) but I ran my spyware program and it seems to have gotten rid of it.

I went ahead and enabled my anti-virus so let me know if I will need to disable it for anything else.

Here's the report ......

All processes killed

Error: Unable to interpret <:File> in the current context!

Error: Unable to interpret <C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe> in the current context!

Error: Unable to interpret <C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe> in the current context!

Error: Unable to interpret <C:\Documents and Settings\All Users\Application Data\Ygguuiaahy.dll> in the current context!

Error: Unable to interpret <C:\Documents and Settings\Owner\Desktop\test.exe> in the current context!

Error: Unable to interpret <C:\Documents and Settings\Owner\Local Settings\Application Data\{720E9D1B-4A29-4186-8EC8-1ABF64ABAF7C}> in the current context!

Error: Unable to interpret <C:\Documents and Settings\All Users\Application Data\dOhOb06511> in the current context!

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\TkBellExe deleted successfully.

C:\Program Files\Common Files\Real\Update_OB\realsched.exe moved successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\bKNILMsCGe.exe deleted successfully.

C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe moved successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\qGy6kOdgyFFL deleted successfully.

C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe moved successfully.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 2801698 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->FireFox cache emptied: 3084640 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 41620 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 80693095 bytes

->Flash cache emptied: 8765 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 197543913 bytes

->Flash cache emptied: 15173 bytes

User: Owner

->Temp folder emptied: 451696415 bytes

->Temporary Internet Files folder emptied: 145271287 bytes

->Java cache emptied: 538 bytes

->FireFox cache emptied: 38314328 bytes

->Flash cache emptied: 85074 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2172533 bytes

%systemroot%\System32 .tmp files removed: 587281 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 3120489 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 50206216 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 7224 bytes

Total Files Cleaned = 931.00 mb

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

->Flash cache emptied: 0 bytes

User: LocalService

->Flash cache emptied: 0 bytes

User: NetworkService

->Flash cache emptied: 0 bytes

User: Owner

->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Error starting restore point: System Restore is disabled.

Error closing restore point: System Restore is disabled.

OTL by OldTimer - Version 3.2.18.0 log created on 12222010_125242

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


Good Job!!

Please keep Teatimer and Adwatch disabled.

We're going to rerun OTL with a new script to make some more fixes as follows:

  • Disable the active protection component of your antivirus by following the directions that apply here:
    http://www.bleepingcomputer.com/forums/topic114351.html
  • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to restart the OTL program.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Files
    C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe
    C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe
    C:\Documents and Settings\All Users\Application Data\Ygguuiaahy.dll
    C:\Documents and Settings\Owner\Desktop\test.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\{720E9D1B-4A29-4186-8EC8-1ABF64ABAF7C}
    C:\Documents and Settings\All Users\Application Data\dOhOb06511
    :OTL
    [2010/12/21 12:07:38 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dfrgr
    [2010/12/21 12:07:35 | 000,000,216 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dfrg
    [2010/12/21 09:44:01 | 000,000,823 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Disk Repair.lnk
    [2010/12/18 11:23:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Emomozecahexofip.bin
    [2010/12/18 11:23:31 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Dcuqutehobek.dat
    [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k7
    [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k6
    [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k5
    [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k4
    [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k3
    [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k2
    [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k1
    [2010/12/21 22:46:40 | 000,000,028 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k0
    [2010/12/21 22:46:39 | 000,000,192 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k0
    [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k7
    [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k6
    [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k5
    [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k4
    [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k3
    [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k2
    [2010/12/21 22:46:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k1
    :Commands
    [reboot]


  • Now click Run Fix and let the program run uninterrupted.
  • Let the program run unhindered, and reboot the PC when it is done
  • Copy/Paste OTL Log in your next reply

Is FrontLine Registry Cleaner something you installed? I do not advocate the use of Registry Cleaners, as they usually do more harm than good and they are absolutely unnecessary!

Please post the new OTL log and run a new and fully updated MBAM scan (there's a new version out so You may have to upgrade internally) and post the MBAM log!!!

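The first line of the OTL log posted above, "Unable to interpret <:File>", followed by one error per path, is what OTL prints when a section header is not one it recognises (":File" where the script says ":Files"): every line after the bad header has no context until the next valid header, so none of those files are touched, while the ":OTL" and ":Commands" sections still run. The checker below is an added example, not code from OTL or from this thread; it walks a pasted fix script and reports those lines before they reach the tool. The section names are OTL's documented set as I know it, and the rule that a malformed line under ":Commands" is reported the same way is an assumption.

```python
import re

# Section headers OTL recognises in its Custom Scans/Fixes box. Assumption:
# this list is OTL's documented set of sections; it is not taken from the thread.
KNOWN_SECTIONS = (":OTL", ":Files", ":Reg", ":Services", ":Processes", ":Commands")
_CANONICAL = {name.lower(): name for name in KNOWN_SECTIONS}
# Lines under :Commands look like [reboot] or [start explorer]. Assumption: OTL
# reports anything else there the same way it reports an unknown header.
_COMMAND_RE = re.compile(r"^\[[A-Za-z][A-Za-z ]*\]$")

# Constructed sample: the fix script from the post above, with the header
# typo (":File" for ":Files") that the "Unable to interpret" log lines imply.
SAMPLE_SCRIPT = r"""
:File
C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe
C:\Documents and Settings\All Users\Application Data\Ygguuiaahy.dll
:OTL
[2010/12/21 12:07:38 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dfrgr
:Commands
[reboot]
"""


def check_otl_script(script):
    """Walk an OTL fix script line by line and say what OTL will do with it.

    Returns {"sections": {header: [lines]}, "errors": [messages]} where the
    messages use the wording OTL itself prints in its log.
    """
    sections = {}
    errors = []
    current = None  # header the following lines belong to; None = no context
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = _CANONICAL.get(line.lower())
            if current is None:
                # Unknown header: OTL rejects it, and every line after it is
                # context-free until the next recognised header.
                errors.append(f"Unable to interpret <{line}> in the current context!")
            else:
                sections.setdefault(current, [])
            continue
        if current is None or (current == ":Commands" and not _COMMAND_RE.match(line)):
            errors.append(f"Unable to interpret <{line}> in the current context!")
            continue
        sections[current].append(line)
    return {"sections": sections, "errors": errors}


def report(script):
    """Human-readable summary: one line per section plus the error list."""
    result = check_otl_script(script)
    lines = [f"{name}: {len(body)} line(s)" for name, body in result["sections"].items()]
    lines += result["errors"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SCRIPT))
```

Run against the sample, the checker reproduces the three "Unable to interpret" lines from the log; with the header corrected to ":Files" it reports no errors and two entries under that section.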

OTL log .............

All processes killed

Error: Unable to interpret <:File> in the current context!

Error: Unable to interpret <C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe> in the current context!

Error: Unable to interpret <C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe> in the current context!

Error: Unable to interpret <C:\Documents and Settings\All Users\Application Data\Ygguuiaahy.dll> in the current context!

Error: Unable to interpret <C:\Documents and Settings\Owner\Desktop\test.exe> in the current context!

Error: Unable to interpret <C:\Documents and Settings\Owner\Local Settings\Application Data\{720E9D1B-4A29-4186-8EC8-1ABF64ABAF7C}> in the current context!

Error: Unable to interpret <C:\Documents and Settings\All Users\Application Data\dOhOb06511> in the current context!

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\TkBellExe deleted successfully.

C:\Program Files\Common Files\Real\Update_OB\realsched.exe moved successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\bKNILMsCGe.exe deleted successfully.

C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe moved successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\qGy6kOdgyFFL deleted successfully.

C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe moved successfully.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 2801698 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->FireFox cache emptied: 3084640 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 41620 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 80693095 bytes

->Flash cache emptied: 8765 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 197543913 bytes

->Flash cache emptied: 15173 bytes

User: Owner

->Temp folder emptied: 451696415 bytes

->Temporary Internet Files folder emptied: 145271287 bytes

->Java cache emptied: 538 bytes

->FireFox cache emptied: 38314328 bytes

->Flash cache emptied: 85074 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2172533 bytes

%systemroot%\System32 .tmp files removed: 587281 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 3120489 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 50206216 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 7224 bytes

Total Files Cleaned = 931.00 mb

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

->Flash cache emptied: 0 bytes

User: LocalService

->Flash cache emptied: 0 bytes

User: NetworkService

->Flash cache emptied: 0 bytes

User: Owner

->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Error starting restore point: System Restore is disabled.

Error closing restore point: System Restore is disabled.

OTL by OldTimer - Version 3.2.18.0 log created on 12222010_125242

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


That is the old log. Because I did not specify any registry keys for deletion during the current scan, I think that error prevented the log from being created.

At what point did You receive the svchost error during the execution of my directions?

Keep Adwatch and Teatimer disabled.

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Do NOT reboot!!

Please process this NEW OTL script - I'm going to remove the "k" driver deletions for now because deleting drivers can be touchy!

  • Disable the active protection component of your antivirus by following the directions that apply here:
    http://www.bleepingcomputer.com/forums/topic114351.html
  • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to restart the OTL program.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Files
    C:\Documents and Settings\All Users\Application Data\qGy6kOdgyFFL.exe
    C:\Documents and Settings\All Users\Application Data\bKNILMsCGe.exe
    C:\Documents and Settings\All Users\Application Data\Ygguuiaahy.dll
    C:\Documents and Settings\Owner\Desktop\test.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\{720E9D1B-4A29-4186-8EC8-1ABF64ABAF7C}
    C:\Documents and Settings\All Users\Application Data\dOhOb06511
    :OTL
    [2010/12/21 12:07:38 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dfrgr
    [2010/12/21 12:07:35 | 000,000,216 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dfrg
    [2010/12/21 09:44:01 | 000,000,823 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Disk Repair.lnk
    [2010/12/18 11:23:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Emomozecahexofip.bin
    [2010/12/18 11:23:31 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Dcuqutehobek.dat
    :Commands
    [reboot]


  • Now click Run Fix and let the program run uninterrupted.
  • Let the program run unhindered, and reboot the PC when it is done
  • Copy/Paste OTL Log in your next reply

Is FrontLine Registry Cleaner something you installed? I do not advocate the use of Registry Cleaners, as they usually do more harm than good and they are absolutely unnecessary!

Please post the new OTL log and run a new and fully updated MBAM scan (there's a new version out so You may have to upgrade internally) and post the MBAM log!!!


Not sure what happened to the OTL log. The one on my desktop is the one I already posted. It looks like it didn't create a new one. Did a search, nothing came up.

The Frontline Registry cleaner I loaded yesterday before I came here. I read an article that promoted it as a fix for HDDTools. I will remove it. I don't think it was even freeware. Didn't even wait for it to finish its scan before I gave up and came here.

During the MBam scan, I came in to see my anti-virus had deleted 3 instances of Win32/hiloti.vit

It seems like every time after a reboot when I open IE, an additional instance opens and takes me to some website where they're trying to sell me something.

The mbam scan finished and that log disappeared as well. It found four trojans. Don't remember what they were.

I will run it again and manually save the log before it reboots.

Thanks for all the help, btw. Really appreciated.


Things disappearing does NOT sound good nor does this:

It seems like every time after a reboot when I open IE, an additional instance opens and takes me to some website where they're trying to sell me something.

And since these Rogues (Fake security or Maintenance/Utility programs) can come with "hidden friends", I want You to run a couple more rather quick scans, and You're very welcome, BTW!!

Some background information on what we're planning to do can be found HERE

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download Rootkit Unhooker and save it on your desktop (this is an alternative to Gmer Anti-Rootkit)

http://www.kernelmode.info/ARKs/RkU3.8.388.590.rar

If your unzipping program doesn't unzip RAR files, you can download and install 7-Zip to accomplish that.

http://www.7-zip.org/

Just right click the RAR file you downloaded to your desktop, and choose the 7-Zip -> "Extract here" option from the context menu.

  • Temporarily disable your antivirus and antimalware real-time protection before performing a scan by following the directions that apply HERE
  • Double click RkU3.8.388.590.exe to run the program
  • Click the Report tab, then click Scan
  • Check Processes, Drivers, and Stealth Code
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Re-enable your security programs
  • Copy the entire contents of the report and paste it in your next reply.

During the MBam scan, I came in to see my anti-virus had deleted 3 instances of Win32/hiloti.vit

Can I see the log which shows those detections? They may be inactive (quarantined or in system restore data) which means they are effectively harmless.

The mbam scan finished and that log disappeared as well. It found four trojans. Don't remember what they were.

Open MBAM, Click the "Logs" tab and retrieve the log from today's scan, then copy/paste it here.

BTW, those mysterious "k" files are legitimate files associated with your CA Anti-Virus Suite!!


Here are the logs from CA anti-virus. Below is the Mbam Log. I will send this and then run the other scans.

12/22/2010 16:23:04 PM File infection: C:\System Volume Information\_restore{B2BBAC00-7A43-48C3-B5D9-8FEEF634C4F2}\RP132\A0026011.exe is Win32/Hiloti.VIT trojan. Deleted

12/22/2010 16:23:05 PM File infection: C:\System Volume Information\_restore{B2BBAC00-7A43-48C3-B5D9-8FEEF634C4F2}\RP132\A0026018.dll is Win32/Hiloti.VIT trojan. Deleted

12/22/2010 16:25:30 PM File infection: C:\System Volume Information\_restore{B2BBAC00-7A43-48C3-B5D9-8FEEF634C4F2}\RP131\A0023999.exe is Win32/Hiloti.VIT trojan. Deleted

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5378

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/22/2010 04:46:03 PM

mbam-log-2010-12-22 (16-46-03).txt

Scan type: Full scan (C:\|)

Objects scanned: 191951

Time elapsed: 53 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\system volume information\_restore{b2bbac00-7a43-48c3-b5d9-8feef634c4f2}\RP132\A0029110.dll (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

c:\_OTL\movedfiles\12222010_125242\c_documents and settings\all users\application data\bknilmscge.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.

c:\_OTL\movedfiles\12222010_125242\c_documents and settings\all users\application data\qgy6kodgyffl.exe (Rogue.FakeHDD.Gen) -> Quarantined and deleted successfully.

c:\_OTL\movedfiles\12222010_143015\c_documents and settings\all users\application data\ygguuiaahy.dll (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.


Those all point to inactive malware and are nothing to worry about - as expected all detections are in OTL quarantine storage and C:\System Volume Information\_restore which is system restore data (we will purge that at the end of the clean-up). So next step is to run TDSSKiller and RKU to see if they turn up any stealth malware footprints.

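The triage rule stated in the post above (a detection under C:\System Volume Information\_restore or in OTL's _OTL\movedfiles store is a copy that is no longer running) as an added example, not code from this thread or from either scanner: it parses the CA Anti-Virus and Malwarebytes detection lines posted above, tags each hit as inactive or active by its path, and flags any file still sitting in one of the user-writable folders the rogue dropped into. The sample lines are the ones from the two logs plus one constructed MBAM-style line for an un-moved file; the quarantine folder name and the list of user-writable folders are my assumptions.

```python
import re

# Two log formats seen in this thread: CA Anti-Virus (one event per line) and
# the "Files Infected:" entries of a Malwarebytes log.
_CA_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) File infection: "
    r"(?P<path>.+?) is (?P<name>\S+) trojan\. (?P<action>\w+)$")
_MBAM_RE = re.compile(
    r"^(?P<path>[a-z]:\\.+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$", re.I)

# Locations where a detection is, by construction, not running: the file was
# already moved there by a cleanup tool or is a System Restore snapshot copy.
INACTIVE_RULES = (
    (re.compile(r"\\system volume information\\_restore", re.I), "System Restore data"),
    (re.compile(r"\\_otl\\movedfiles\\", re.I), "OTL quarantine"),
    (re.compile(r"\\quarantine\\", re.I), "AV quarantine (assumed folder name)"),
)
# User-writable profile folders the rogue in this thread used for its executables
# (assumption: this list is mine, drawn from the paths in the OTL script above).
USER_WRITABLE_RE = re.compile(
    r"\\[^\\]+\\(application data|local settings\\application data|"
    r"local settings\\temp|desktop)\\", re.I)

# Sample detections: taken from the two logs posted above, plus one constructed
# MBAM-style line for a file that is still in its original drop location.
SAMPLE_LOG = [
    r"12/22/2010 16:23:04 PM File infection: C:\System Volume Information\_restore{B2BBAC00-7A43-48C3-B5D9-8FEEF634C4F2}\RP132\A0026011.exe is Win32/Hiloti.VIT trojan. Deleted",
    r"12/22/2010 16:25:30 PM File infection: C:\System Volume Information\_restore{B2BBAC00-7A43-48C3-B5D9-8FEEF634C4F2}\RP131\A0023999.exe is Win32/Hiloti.VIT trojan. Deleted",
    r"c:\system volume information\_restore{b2bbac00-7a43-48c3-b5d9-8feef634c4f2}\RP132\A0029110.dll (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.",
    r"c:\_OTL\movedfiles\12222010_125242\c_documents and settings\all users\application data\bknilmscge.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.",
    r"c:\_OTL\movedfiles\12222010_143015\c_documents and settings\all users\application data\ygguuiaahy.dll (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.",
    # constructed: what a hit on a still-active drop location would look like
    r"c:\documents and settings\all users\application data\qgy6kodgyffl.exe (Rogue.FakeHDD.Gen) -> Quarantined and deleted successfully.",
    "Files Infected: 4",  # header line, not a detection; skipped by the parser
]


def parse_detection(line):
    """Return (path, name, action) for a CA AV or MBAM detection line, else None."""
    m = _CA_RE.match(line.strip()) or _MBAM_RE.match(line.strip())
    return (m["path"], m["name"], m["action"]) if m else None


def classify_path(path):
    """'inactive' if the file sits in quarantine/restore data, else 'active'."""
    for rule, label in INACTIVE_RULES:
        if rule.search(path):
            return "inactive", label
    if USER_WRITABLE_RE.search(path):
        return "active", "user-writable profile/data folder (typical rogue drop point)"
    return "active", "outside known quarantine locations"


def triage(log_lines):
    """Parse every detection line and attach a verdict; unparsable lines are skipped."""
    results = []
    for line in log_lines:
        parsed = parse_detection(line)
        if parsed is None:
            continue
        path, name, action = parsed
        state, reason = classify_path(path)
        results.append({"path": path, "name": name, "action": action,
                        "state": state, "reason": reason})
    return results


def needs_follow_up(results):
    """True when any detection points at a file outside quarantine/restore data."""
    return any(r["state"] == "active" for r in results)


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['state']:8} {r['name']:22} {r['reason']}\n         {r['path']}")
```

The five lines copied from the thread all come out inactive, which is the conclusion the helper drew; only the constructed line for a file still under All Users\Application Data makes needs_follow_up() true.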

Here are the other two logs.....

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #1

==============================================

>Processes

==============================================

0x823CAA00 [4] System

0x81D53020 [156] C:\WINDOWS\system32\HPZipm12.exe (HP, PML Driver)

0x81DC3558 [432] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc., Apple Mobile Device Service)

0x81ED12F0 [496] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)

0x81C28328 [524] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe (CA, Inc., CA Anti-Virus Realtime Messaging Service)

0x81FADB28 [536] C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc., Bonjour Service)

0x81BF2488 [564] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)

0x82001100 [632] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)

0x82229740 [692] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)

0x822B2B50 [756] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe (Computer Associates International, Inc., CA ISafe Service)

0x82013458 [772] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)

0x81C59810 [808] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)

0x81FA4598 [880] C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe (CA, HIPS Configuration Engine)

0x81CA2440 [940] C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe (Computer Associates International, Inc., Ca CCSchedulerSVC)

0x81F4F2F0 [964] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)

0x82231B28 [1032] C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe (CA, HIPS Policy Manager Service)

0x81DF8B28 [1104] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)

0x81F5FDA0 [1132] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)

0x81F979E0 [1196] C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe (CA, HIPS Event Manager)

0x821E9D78 [1300] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)

0x81C52440 [1316] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated, Adobe Reader and Acrobat Manager)

0x81F733A8 [1360] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))

0x81FE3B28 [1396] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)

0x82222020 [1704] C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation, Internet Explorer)

0x81D5E9E0 [1724] C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe (CA, Inc., eTrust PestPatrol Real-time service)

0x81913260 [1840] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)

0x81D5A9F0 [1852] C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc., Java Quick Starter Service)

0x822BCDA0 [1956] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)

0x81FE7020 [2036] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)

0x818C53B0 [2084] C:\Program Files\iPod\bin\iPodService.exe (Apple Inc., iPodService Module (32-bit))

0x81CE5590 [2380] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)

0x818C8328 [2528] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation, hkcmd Module)

0x818CA680 [2540] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation, persistence Module)

0x818DA9E0 [2604] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc., SMax4PNP MFC Application)

0x81D819E0 [2628] C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe (CA, Inc., CCProvSP)

0x818DADA0 [2664] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe (CA, Inc., CA Anti-Virus Realtime Infection Report)

0x818D3DA0 [2776] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe (CA, Inc., CAPPActiveProtection Application)

0x818AE8C0 [2832] C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation, Windows Security Center Notification App)

0x81D4F4A0 [2996] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe (CA, Inc., CA Anti-Spyware Elevation service)

0x81954DA0 [3004] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe (CA, QOELoader Application)

0x81C7D020 [3100] C:\Documents and Settings\Owner\Desktop\MustBeRandomlyNamed\2H0LF.exe (UG North, RKULE, SR2 Normandy)

0x81DAD460 [3632] C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation, Internet Explorer)

0x81CA1440 [3704] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc., Java Update Scheduler)

0x81DC0BC0 [3784] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc., iTunesHelper)

==============================================

>Drivers

==============================================

0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2189952 bytes

0x804D7000 RAW 2189952 bytes

0x804D7000 WMIxWDM 2189952 bytes

0xBF800000 Win32k 1855488 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xF81CC000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1302528 bytes (Intel Corporation, Intel Graphics Miniport Driver)

0xBF077000 C:\WINDOWS\System32\ialmdd5.DLL 925696 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)

0xEFD28000 C:\WINDOWS\System32\Drivers\VETEFILE.SYS 741376 bytes (Computer Associates International, Inc., RealTime Anti-Virus Protection Driver)

0xF8046000 C:\WINDOWS\system32\drivers\senfilt.sys 733184 bytes (Creative Technology Ltd., Creative WDM Audio Driver)

0xF83CB000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xEFB43000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xF7EF0000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xEFC4E000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xEF3C6000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)

0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xEEE1A000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xF811D000 C:\WINDOWS\system32\drivers\smwdm.sys 262144 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )

0xEFDFC000 C:\WINDOWS\System32\DRIVERS\kmxcfg.sys 225280 bytes (CA, HIPS Kernel Configuration Cache)

0xBF042000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)

0xF84E9000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xEF586000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xF839E000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xEE967000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xEFBB3000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xEFC26000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xEFC00000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xEFCDA000 C:\WINDOWS\System32\Drivers\VETMONNT.SYS 155648 bytes (Computer Associates International, Inc., CA Antivirus File Protection Driver)

0xF80F9000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xF8194000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xF815D000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xEFBDE000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)

0xF8363000 kmxstart.sys 135168 bytes (CA, HIPS Core Driver)

0x806EE000 ACPI_HAL 131840 bytes

0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xF8481000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xF84B9000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xEFDDD000 C:\WINDOWS\System32\Drivers\VETEBOOT.SYS 126976 bytes (Computer Associates International, Inc., RealTime Anti-Virus Protection Driver)

0xF8384000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xF84A1000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xEFA63000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes

0xF8458000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xF802F000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xEFE33000 C:\WINDOWS\System32\DRIVERS\kmxagent.sys 86016 bytes (CA, HIPS Agent Driver)

0xEF109000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xF8180000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)

0xF81B8000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xEFCA7000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xF846F000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xF84D8000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xF801E000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xF86D8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xF8798000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xF8778000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)

0xF85C8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xF8588000 Lbd.sys 61440 bytes (Lavasoft AB, Boot Driver)

0xF87A8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xEF326000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xF8658000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)

0xF8578000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xF8768000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)

0xF85D8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xF8558000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xF85F8000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xF8758000 C:\WINDOWS\system32\DRIVERS\dlkfet5b.sys 45056 bytes (D-Link , NDIS 5.0 miniport driver)

0xF86A8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xF85B8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)

0xF8548000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xF8788000 C:\WINDOWS\system32\drivers\NeroCd2k.sys 45056 bytes (ahead software gmbh

im stoeckmaedle 6

76307 karlsbad, germany

Fax: ++49-7248-911-888

e-mail: info@nero.com, Nero Filter Driver)

0xF85E8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xF8538000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xF8638000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xF8628000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xF8568000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xF8748000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)

0xF8608000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xF8688000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0xEE917000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0xF8598000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)

0xF86B8000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xF88F0000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xF8880000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xF8888000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)

0xF87B8000 C:\WINDOWS\System32\Drivers\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xF88A0000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)

0xF8890000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xF8898000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xF8878000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)

0xF88D8000 C:\WINDOWS\System32\Drivers\VET-FILT.SYS 24576 bytes (Computer Associates International, Inc., CA Antivirus File Protection Driver)

0xF88E0000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xF88C8000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)

0xF88E8000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xF87C0000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xF88B0000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xF88B8000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xF88A8000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xF88F8000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xF832A000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xEF9FF000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xF8A1C000 C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS 16384 bytes (Dell Computer Corporation, OMCI Device Driver)

0xF8A20000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)

0xF89D8000 C:\WINDOWS\System32\Drivers\VET-REC.SYS 16384 bytes (Computer Associates International, Inc., CA Antivirus File Protection Driver)

0xF89C4000 C:\WINDOWS\System32\Drivers\VETFDDNT.SYS 16384 bytes (Computer Associates International, Inc., CA Antivirus File Protection Driver)

0xF8948000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xEFD20000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xEF562000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)

0xF8A2C000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xF89FC000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xF8A68000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xF8A98000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes

0xF8A64000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xF8A3C000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)

0xF8A38000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xF8A74000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xF8AC4000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)

0xF8A76000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xF8A5E000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xF8A60000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xF8A3A000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0xF8B4B000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xF8B7E000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xF8BF8000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xF8B00000 PCIIde.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

==============================================

>Stealth

==============================================

2010/12/22 18:30:57.0296 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46

2010/12/22 18:30:57.0296 ================================================================================

2010/12/22 18:30:57.0296 SystemInfo:

2010/12/22 18:30:57.0296

2010/12/22 18:30:57.0296 OS Version: 5.1.2600 ServicePack: 3.0

2010/12/22 18:30:57.0296 Product type: Workstation

2010/12/22 18:30:57.0296 ComputerName: THOMAS-9F9D90E9

2010/12/22 18:30:57.0296 UserName: Owner

2010/12/22 18:30:57.0296 Windows directory: C:\WINDOWS

2010/12/22 18:30:57.0296 System windows directory: C:\WINDOWS

2010/12/22 18:30:57.0296 Processor architecture: Intel x86

2010/12/22 18:30:57.0296 Number of processors: 1

2010/12/22 18:30:57.0296 Page size: 0x1000

2010/12/22 18:30:57.0296 Boot type: Normal boot

2010/12/22 18:30:57.0296 ================================================================================

2010/12/22 18:30:58.0062 Initialize success

2010/12/22 18:31:16.0187 ================================================================================

2010/12/22 18:31:16.0187 Scan started

2010/12/22 18:31:16.0187 Mode: Manual;

2010/12/22 18:31:16.0187 ================================================================================

2010/12/22 18:31:18.0156 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/12/22 18:31:18.0328 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/12/22 18:31:18.0500 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/12/22 18:31:18.0625 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/12/22 18:31:19.0234 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/12/22 18:31:19.0390 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/12/22 18:31:19.0546 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/12/22 18:31:19.0656 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/12/22 18:31:19.0765 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/12/22 18:31:19.0890 bvrp_pci (c945dc4eee3f624dfd07788ea7f0db0a) C:\WINDOWS\system32\drivers\bvrp_pci.sys

2010/12/22 18:31:20.0062 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/12/22 18:31:20.0296 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/12/22 18:31:20.0390 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/12/22 18:31:20.0578 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/12/22 18:31:20.0859 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/12/22 18:31:21.0062 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/12/22 18:31:21.0265 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/12/22 18:31:21.0359 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/12/22 18:31:21.0531 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/12/22 18:31:21.0765 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/12/22 18:31:22.0031 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/12/22 18:31:22.0187 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/12/22 18:31:22.0328 FETNDISB (e7ca05fdefd199492a45c7a784143b20) C:\WINDOWS\system32\DRIVERS\dlkfet5b.sys

2010/12/22 18:31:22.0593 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/12/22 18:31:22.0687 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/12/22 18:31:22.0843 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/12/22 18:31:22.0937 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/12/22 18:31:23.0125 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/12/22 18:31:23.0218 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2010/12/22 18:31:23.0406 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/12/22 18:31:23.0671 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2010/12/22 18:31:23.0796 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2010/12/22 18:31:23.0968 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2010/12/22 18:31:24.0140 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys

2010/12/22 18:31:24.0312 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys

2010/12/22 18:31:24.0531 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/12/22 18:31:24.0828 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/12/22 18:31:24.0937 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

2010/12/22 18:31:25.0203 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/12/22 18:31:25.0328 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/12/22 18:31:25.0500 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/12/22 18:31:25.0578 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/12/22 18:31:25.0718 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/12/22 18:31:25.0812 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/12/22 18:31:25.0953 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/12/22 18:31:26.0140 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/12/22 18:31:26.0296 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/12/22 18:31:26.0484 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/12/22 18:31:26.0625 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/12/22 18:31:26.0703 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/12/22 18:31:26.0890 KmxAgent (c7b37c0fd3678a1a05201a8c4c624a9b) C:\WINDOWS\system32\DRIVERS\kmxagent.sys

2010/12/22 18:31:26.0984 KmxCfg (84f76979c3bc3b0117f847c393c9fc36) C:\WINDOWS\system32\DRIVERS\kmxcfg.sys

2010/12/22 18:31:27.0218 KmxStart (9e0891eb24ff3e01a5802cc6e2219e98) C:\WINDOWS\system32\DRIVERS\kmxstart.sys

2010/12/22 18:31:27.0375 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/12/22 18:31:27.0515 Lbd (419590ebe7855215bb157ea0cf0d0531) C:\WINDOWS\system32\DRIVERS\Lbd.sys

2010/12/22 18:31:27.0703 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2010/12/22 18:31:27.0812 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/12/22 18:31:27.0968 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/12/22 18:31:28.0062 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys

2010/12/22 18:31:28.0234 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/12/22 18:31:28.0390 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/12/22 18:31:28.0593 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS

2010/12/22 18:31:28.0687 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS

2010/12/22 18:31:29.0015 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/12/22 18:31:29.0140 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/12/22 18:31:29.0343 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/12/22 18:31:29.0468 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/12/22 18:31:29.0609 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/12/22 18:31:29.0687 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/12/22 18:31:29.0781 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/12/22 18:31:29.0953 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/12/22 18:31:30.0000 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/12/22 18:31:30.0187 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/12/22 18:31:30.0281 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/12/22 18:31:30.0453 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/12/22 18:31:30.0546 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/12/22 18:31:30.0734 NeroCd2k (58b29812b8d23501d15d85dd72eacb34) C:\WINDOWS\system32\drivers\NeroCd2k.sys

2010/12/22 18:31:30.0859 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/12/22 18:31:31.0000 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/12/22 18:31:31.0156 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/12/22 18:31:31.0359 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/12/22 18:31:31.0562 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/12/22 18:31:31.0625 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/12/22 18:31:31.0781 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/12/22 18:31:31.0859 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS

2010/12/22 18:31:32.0062 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/12/22 18:31:32.0093 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/12/22 18:31:32.0281 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/12/22 18:31:32.0359 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/12/22 18:31:32.0578 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys

2010/12/22 18:31:32.0703 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/12/22 18:31:33.0046 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/12/22 18:31:33.0171 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/12/22 18:31:33.0296 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/12/22 18:31:33.0421 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/12/22 18:31:33.0640 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/12/22 18:31:33.0781 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/12/22 18:31:33.0875 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/12/22 18:31:34.0000 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/12/22 18:31:34.0140 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/12/22 18:31:34.0265 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/12/22 18:31:34.0406 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/12/22 18:31:34.0484 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/12/22 18:31:34.0656 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/12/22 18:31:34.0843 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys

2010/12/22 18:31:35.0078 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/12/22 18:31:35.0171 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/12/22 18:31:35.0390 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/12/22 18:31:35.0609 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys

2010/12/22 18:31:35.0828 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/12/22 18:31:35.0921 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/12/22 18:31:36.0109 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/12/22 18:31:36.0343 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/12/22 18:31:36.0562 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/12/22 18:31:36.0890 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/12/22 18:31:37.0078 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/12/22 18:31:37.0281 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/12/22 18:31:37.0390 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/12/22 18:31:37.0500 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/12/22 18:31:37.0703 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/12/22 18:31:37.0937 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/12/22 18:31:38.0093 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys

2010/12/22 18:31:38.0234 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/12/22 18:31:38.0406 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/12/22 18:31:38.0578 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/12/22 18:31:38.0671 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/12/22 18:31:38.0859 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/12/22 18:31:38.0984 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/12/22 18:31:39.0093 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/12/22 18:31:39.0296 VET-FILT (745c8fa117c58c9adba78dfde11d17af) C:\WINDOWS\system32\drivers\VET-FILT.sys

2010/12/22 18:31:39.0500 VET-REC (4b9881af8a3d9de74082f1cfecc5db58) C:\WINDOWS\system32\drivers\VET-REC.sys

2010/12/22 18:31:39.0593 VETEBOOT (c079f80582c31728029f3efcdfeaf221) C:\WINDOWS\system32\drivers\VETEBOOT.sys

2010/12/22 18:31:39.0812 VETEFILE (31bab965e7af8295c22f641401d622b3) C:\WINDOWS\system32\drivers\VETEFILE.sys

2010/12/22 18:31:40.0062 VETFDDNT (24ce79eafbd9edfd00aacae75345eb69) C:\WINDOWS\system32\drivers\VETFDDNT.sys

2010/12/22 18:31:40.0125 VETMONNT (5e166c4f3b97798e9e3c47ff74278598) C:\WINDOWS\system32\drivers\VETMONNT.sys

2010/12/22 18:31:40.0265 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/12/22 18:31:40.0390 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/12/22 18:31:40.0484 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/12/22 18:31:40.0687 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/12/22 18:31:41.0015 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2010/12/22 18:31:41.0296 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2010/12/22 18:31:41.0390 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/12/22 18:31:41.0531 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/12/22 18:31:41.0609 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/12/22 18:31:41.0609 ================================================================================

2010/12/22 18:31:41.0609 Scan finished

2010/12/22 18:31:41.0609 ================================================================================

2010/12/22 18:31:41.0640 Detected object count: 1


Rootkit Unhooker is clean.

But You had TDL4 which is an MBR bootkit (Hard drive rootkit infection of your master boot record) and TDSSKiller detected and removed it:

2010/12/22 18:31:41.0609 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

You can read about it here:

http://secure-computer-solutions.com/blog/2010/10/

Browse with IE and please let me know if You're still experiencing those extra advertisement windows. They should be gone now!

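The detection line quoted above is the one line of the TDSSKiller log that settles the diagnosis, but the rest of that log (every loaded driver service with its MD5 and path) is worth keeping for triage as well. The following Python parser is an added example for this thread; it is not code from TDSSKiller, Malwarebytes, or anyone in the thread. It reads log text in the format shown above, pulls out the detections and the driver inventory, and applies two defender-side checks: drivers loaded from outside the Windows directory, and hash mismatches against a baseline the reader supplies. The sample lines are constructed from the format of the log posted in this thread; the `system_root` prefix and the baseline dictionary are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A driver inventory line: "<timestamp> <service> (<md5>) <path>"
DRIVER_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)
# A detection line: "<timestamp> <target> - detected <verdict> (<n>)"
DETECT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<target>\S+) - detected (?P<verdict>\S+) \((?P<count>\d+)\)\s*$"
)
COUNT_RE = re.compile(r"Detected object count: (\d+)")


@dataclass
class Report:
    # service name -> (md5, path)
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # (target, verdict) for every "detected" line
    detections: List[Tuple[str, str]] = field(default_factory=list)
    detected_count: Optional[int] = None


def parse_tdsskiller_log(text: str) -> Report:
    """Parse TDSSKiller-style log text into a Report."""
    report = Report()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DRIVER_RE.match(line)
        if m:
            report.drivers[m.group("name")] = (m.group("md5").lower(), m.group("path"))
            continue
        m = DETECT_RE.match(line)
        if m:
            report.detections.append((m.group("target"), m.group("verdict")))
            continue
        m = COUNT_RE.search(line)
        if m:
            report.detected_count = int(m.group(1))
    return report


def unusual_driver_paths(report: Report, system_root: str = "C:\\WINDOWS") -> List[Tuple[str, str]]:
    """Drivers whose image lives outside the Windows directory (assumed prefix).

    Not proof of anything on its own; third-party software legitimately does
    this, but each such entry deserves a look during triage.
    """
    prefix = system_root.upper()
    return [(name, path) for name, (_, path) in report.drivers.items()
            if not path.upper().startswith(prefix)]


def hash_mismatches(report: Report, baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Drivers whose MD5 differs from a known-good baseline (service -> md5)."""
    out = []
    for name, (md5, _) in report.drivers.items():
        expected = baseline.get(name)
        if expected is not None and expected.lower() != md5:
            out.append((name, md5, expected.lower()))
    return out


# Constructed sample in the format of the log posted above (a handful of lines).
SAMPLE_LOG = """\
2010/12/22 18:31:16.0187 Scan started
2010/12/22 18:31:16.0187 Mode: Manual;
2010/12/22 18:31:19.0390 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys
2010/12/22 18:31:28.0593 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\\PROGRA~1\\COMMON~1\\Motive\\MREMP50.SYS
2010/12/22 18:31:41.0609 \\HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/22 18:31:41.0609 Scan finished
2010/12/22 18:31:41.0640 Detected object count: 1
"""

if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print("detections:", rep.detections, "count:", rep.detected_count)
    print("outside system root:", unusual_driver_paths(rep))
    # Baseline is an assumption: fill it from a known-clean machine of the same build.
    print("mismatches:", hash_mismatches(rep, {"atapi": "9f3a2f5aa6875c72bf062c712cfa2674"}))
```

The detection line is the actionable output; the two helper checks only rank the rest of the inventory for a human to look at. Note that an MBR bootkit such as TDL4 does not have to alter any driver file on disk, which is exactly why the baseline comparison can come back clean while the `\HardDisk0` detection is real.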

That's good news!!

Now, I want to run one more program that is very good at detecting if any remaining items remain.

This program will only run properly if all anti-malware protection is disabled!!

You need to do that prior to downloading it because many AV's mistakenly detect some of its components as a threat and gobble them up!!

Please Run ComboFix by following the steps provided in exactly this sequence:

Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

Using ComboFix ->

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to iexplore.exe

Note: If You renamed another tool such as rkill.exe -> iexplore.exe then You'll have to reverse that!

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

    • For Internet Explorer:

    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it to iexplore.exe

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers and programs.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • If Combofix asks to update, please allow it to do so. If it renames itself back to Combofix.exe - that is normal!!
  • If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety !!

1. To Launch Combofix

Click Start --> Run, and Enter (copy/paste) this command exactly as shown:

"%userprofile%\desktop\iexplore.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post C:\ComboFix.txt in your next reply.

ONLY If You have problems running Combofix then try running it in "Safe Mode with Networking" as follows:

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading normally, the Advanced Options Menu should appear;
  • Select the option, to run Windows in "Safe Mode with Networking", then press Enter.
  • Choose your usual account and launch Combofix.exe using the above instructions!


I missed the part where you wanted me to enter that code. Should I run it over again?

ComboFix 10-12-23.02 - Owner 12/23/2010 19:26:42.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.298 [GMT -6:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner\Application Data\Adobe\AdobeUpdate .exe

c:\documents and settings\Owner\Application Data\Adobe\plugs

c:\documents and settings\Owner\Start Menu\Programs\Defragmenter

c:\documents and settings\Owner\Start Menu\Programs\Defragmenter\Defragmenter.lnk

c:\documents and settings\Owner\Start Menu\Programs\Defragmenter\Uninstall Defragmenter.lnk

.

((((((((((((((((((((((((( Files Created from 2010-11-24 to 2010-12-24 )))))))))))))))))))))))))))))))

.

2010-12-23 00:52 . 2010-12-23 00:52 -------- d-----w- c:\program files\7-Zip

2010-12-22 18:52 . 2010-12-22 18:52 -------- d-----w- C:\_OTL

2010-12-22 14:41 . 2010-12-22 14:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-12-21 01:07 . 2010-12-21 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner

2010-12-21 01:06 . 2010-12-21 01:08 -------- d-----w- c:\program files\Frontline Registry Cleaner

2010-12-14 23:17 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-14 23:14 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-21 00:09 . 2010-06-13 17:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 00:08 . 2010-06-13 17:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-18 18:12 . 2008-10-04 02:48 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26 . 2004-08-12 14:09 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2004-08-12 13:59 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2004-08-12 13:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2004-08-12 13:57 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2004-08-12 14:01 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2004-08-12 13:55 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2004-08-12 14:09 1853312 ----a-w- c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-02 524632]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk

backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopMaestro]

2008-08-01 16:35 3213200 ----a-w- c:\program files\Desktop Maestro\deskmech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

2004-10-12 22:54 57344 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]

2008-09-08 23:00 323216 ----a-w- c:\program files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-06-11 23:58 147456 ----a-w- c:\windows\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/24/2009 08:03 PM 64160]

R3 NeroCd2k;NeroCd2k;c:\windows\system32\drivers\NeroCD2k.sys [4/16/2001 01:54 PM 44227]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 06:15 PM 135664]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 03:34 PM 1029456]

.

Contents of the 'Scheduled Tasks' folder

2010-12-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 02:03]

2010-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2010-12-21 c:\windows\Tasks\FrontLine Registry Cleaner Scheduled Scan - Owner.job

- c:\program files\Frontline Registry Cleaner\FrontlineRegistryCleaner.exe [2010-05-11 22:20]

2010-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:15]

2010-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:15]

2010-12-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1409082233-1417001333-725345543-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-12-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1409082233-1417001333-725345543-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = hxxp://msn.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3vhpv9aw.default\

FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe

AddRemove-{E1E502E2-C006-49DB-9C0C-F2196E51826F}_is1 - c:\documents and settings\Owner\Desktop\MustBeRandomlyNamed\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-23 19:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2010-12-23 19:36:35

ComboFix-quarantined-files.txt 2010-12-24 01:36

Pre-Run: 38,559,424,512 bytes free

Post-Run: 38,958,034,944 bytes free

- - End Of File - - 4D08E2F5D5C3D9AAF353FD5AED6BF3EA

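The helper's review of the log above boils down to reading the autostart sections (the Run keys, the Startup-folder shortcuts and the Scheduled Tasks folder) and asking where each launched program lives. The following is an added example, not code from the thread or from ComboFix, that automates that first pass: it parses entries in the format ComboFix prints and flags anything launched from a user-writable location, which is where rogues like HDDTools drop their randomly named executable. The log text in the script is constructed for the example, and the "kLjQmAsDf" entry is a made-up illustration, not an indicator taken from this thread.

```python
"""Triage the autostart sections of a ComboFix log (added example).

Not part of the forum thread or of ComboFix. The sample log is constructed in
ComboFix's output format; "kLjQmAsDf" is an invented rogue entry for
illustration only.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Autostart:
    source: str   # registry key the value came from, "startupfolder" or "task"
    name: str     # value name, shortcut name or .job name
    target: str   # path ComboFix printed for the entry


# "name"="c:\path\file.exe" [date size]  (Run-key values)
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')
# 2010-12-21 c:\windows\Tasks\Something.job  (Scheduled Tasks folder)
TASK_JOB = re.compile(r'^\d{4}-\d{2}-\d{2} (c:\\windows\\tasks\\.+\.job)$', re.I)
# - c:\program files\Vendor\tool.exe [2010-05-11 22:20]  (the job's target)
TASK_TARGET = re.compile(r'^- (.+?)\s*\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$')

# Places an unprivileged XP user (or a drive-by download) can write to.
# Legitimate machine-wide autostarts normally sit under c:\windows or
# c:\program files, so a Run value pointing here deserves a close look.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")

# Constructed sample in ComboFix's format (not the thread's full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kLjQmAsDf"="c:\documents and settings\Owner\Local Settings\Application Data\kLjQmAsDf.exe" [2010-12-20 389120]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
Contents of the 'Scheduled Tasks' folder
2010-12-21 c:\windows\Tasks\FrontLine Registry Cleaner Scheduled Scan - Owner.job
- c:\program files\Frontline Registry Cleaner\FrontlineRegistryCleaner.exe [2010-05-11 22:20]
"""


def parse_autostarts(log_text: str) -> List[Autostart]:
    """Walk the log line by line, tracking which section we are in."""
    entries: List[Autostart] = []
    key = None          # registry key of the current [...] block
    in_tasks = False    # inside "Contents of the 'Scheduled Tasks' folder"
    pending_job = None  # .job path waiting for its "- target" line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_tasks, key = True, None
            continue
        if line.startswith("[") and line.endswith("]"):
            key, in_tasks = line[1:-1], False
            continue
        if in_tasks:
            m = TASK_JOB.match(line)
            if m:
                pending_job = m.group(1)
                continue
            m = TASK_TARGET.match(line)
            if m and pending_job:
                entries.append(Autostart("task", pending_job.rsplit("\\", 1)[-1], m.group(1)))
                pending_job = None
            continue
        if key is None:
            continue
        if "startupfolder" in key.lower() and line.lower().startswith("path="):
            target = line[len("path="):]
            entries.append(Autostart("startupfolder", target.rsplit("\\", 1)[-1], target))
            continue
        m = RUN_VALUE.match(line)
        if m and key.lower().endswith("\\run"):
            entries.append(Autostart(key, m.group(1), m.group(2)))
    return entries


def flag_for_review(entries: List[Autostart]) -> List[Tuple[Autostart, str]]:
    """Return (entry, reason) pairs a helper would want to look at first."""
    flagged = []
    for e in entries:
        if e.source == "startupfolder":
            # ComboFix prints only the .lnk, not what it points to, so every
            # Startup-folder shortcut needs its target checked by hand.
            flagged.append((e, "Startup-folder shortcut; target not shown in log"))
        elif any(marker in e.target.lower() for marker in USER_WRITABLE):
            flagged.append((e, "runs from a user-writable location"))
    return flagged


if __name__ == "__main__":
    for entry, reason in flag_for_review(parse_autostarts(SAMPLE_LOG)):
        print(f"{entry.source}: {entry.name} -> {entry.target}  ({reason})")
```

Run against the sample, it reports the invented HKCU Run value (launched from the user's Local Settings\Application Data, exactly where a rogue with a randomly generated name would hide) and the McAfee shortcut, which is reported only because the log does not show what the .lnk points to. The legitimate HKLM values under c:\windows and c:\program files and the Frontline task are passed over, matching the helper's verdict that nothing in the log itself is worth worrying about; whether a flagged entry is actually malicious still needs the file looked at.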

By code if you mean this:

Click Start --> Run, and Enter (copy/paste) this command exactly as shown:

"%userprofile%\desktop\iexplore.exe" /killall

No, there is no need to run it again; that is just an extra precaution in the event that active processes prevent ComboFix from running.

Give me a chance to review your log and I'll be back.


Hi feverdog71,

Good News!!! There's nothing in the CF log worth worrying about.

If you removed or are planning to remove FrontLine Registry Cleaner, you should also remove this task from Task Scheduler:

2010-12-21 c:\windows\Tasks\FrontLine Registry Cleaner Scheduled Scan - Owner.job

To open Task Scheduler:

Click Start -> Run

Type Taskschd.msc

Hit Enter or Click OK

Delete these folders (if Frontline Registry Cleaner was removed):

c:\program files\Frontline Registry Cleaner\

c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner

Since you are not using McAfee any longer, you should remove this shortcut:

McAfee Security Scan Plus.lnk

From the XP All Users Start-up folder here:

C:\Documents and Settings\All Users\Start Menu\Programs

Are things still running well? If so we can finish up!


You're very Welcome and Excellent job!

We have a few steps to finish up now!!

If I asked you to download and run an ARK (Antirootkit program) such as Gmer, Rootkit Unhooker, or Root Repeal, then please uninstall it by doing the following:

  • Delete the contents of the C:\ARK folder (or whatever folder you chose to install the antirootkit in)
  • Delete the C:\ARK folder(or whatever folder you chose to install the antirootkit in)

If I asked You to download OTL, TDSSKiller, MBRCheck or mbr.exe, please delete these programs from your Desktop (or their download location).

To remove ComboFix and its quarantine folder:

Click Start -> Run, copy/paste the following text into the Open: box and select OK:

"%userprofile%\desktop\combofix.exe" /uninstall

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • Flush your system restore points and create a new restore point.
  • Rehide your system files and folders
  • Reset your system clock

---

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI) by clicking the Start Scanner button. This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application, not operating system, flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, Flash Player and many others are frequently targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe, check the options you would like based on the descriptions provided, then select Continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.

The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update.

However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

Finally, please review the additional suggestions offered by Tony Klein in How did I get infected in the first place, so you can maintain a safe and secure computing environment.

Happy Surfing

And

HAPPY HOLIDAYS!!!! :D


  • 1 month later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.