Updating this thread: http://forums.malwarebytes.org/index.php?showtopic=77815

I have still been unable to run DDS.com or DDS.scr in either normal or safe modes. DDS runs for a minute or so but then the system locks up. I have occasionally been able to run GMER although it usually produces a BSOD. Here is a GMER log...

Thanks.

GMER 1.0.15.15570 - http://www.gmer.net

Rootkit scan 2011-03-28 22:52:38

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HITACHI_DK23EB-40 rev.00K0A0C0

Running: chwx0l59.exe; Driver: C:\DOCUME~1\Dave\LOCALS~1\Temp\ugqcykob.sys

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3604] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

---- EOF - GMER 1.0.15 ----

  • Staff

Hi and welcome to Malwarebytes.

Please describe your symptoms of infection in detail.

Next, update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has finished, two logs will be produced; please post DDS.txt directly into your reply.

Hi Screen317,

My primary symptom is an inability to download anything from Microsoft. This includes Windows updates. The downloads fizzle and terminate after a few minutes, after perhaps 500 KB to 1 MB has been downloaded. I have not noticed any problem downloading from any other websites. I have two computers with this problem. Both are XP SP3. I have tried downloading without my router, but the problem is still present. I just tried to download the MS Malicious Software Removal Tool and the download terminated after 615 KB of 11.9 MB.

I am unable to run DDS.com or .scr in normal or safe mode. The system always locks up at the exact same point when the DDS progress bar is about 3/4 across the screen. Running GMER usually results in a BSOD.

Since it seems unlikely that downloads from Microsoft would become impossible for no reason, I suspect I have some sort of infection. I am taking a class on malware at the community college, so I think it is possible I have stumbled into some sort of infection. Thanks for any advice.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6219

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/30/2011 3:37:08 PM

mbam-log-2011-03-30 (15-37-08).txt

Scan type: Quick scan

Objects scanned: 166257

Time elapsed: 14 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

  • Staff

Hi,

I'm not sure if this is malware quite yet, but let's investigate. :)

Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you: one will pop up (OTL.txt), the other will be saved on your Desktop (Extras.txt). Post both logs in this thread.
  • You may need to use two posts to get it all.

Thanks. I have run this before and I did get an Extras.txt file, but now I don't.

OTL logfile created on: 3/31/2011 10:08:41 PM - Run 5

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Dave\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 78.00% Memory free

3.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 37.26 Gb Total Space | 4.32 Gb Free Space | 11.59% Space Free | Partition Type: NTFS

Drive E: | 3.73 Gb Total Space | 0.61 Gb Free Space | 16.47% Space Free | Partition Type: FAT32

Computer Name: YOUR-BFE930219B | User Name: Dave | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/31 16:09:57 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dave\Desktop\69876976OTL.exe

PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe

PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

PRC - [2010/03/16 01:58:36 | 000,718,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE

PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2011/03/31 16:09:57 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dave\Desktop\69876976OTL.exe

MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)

SRV - File not found [Auto | Stopped] -- -- (Ati HotKey Poller)

SRV - [2011/03/31 15:45:17 | 000,482,176 | ---- | M] (Sysinternals - www.sysinternals.com) [On_Demand | Stopped] -- C:\Documents and Settings\Dave\Local Settings\Temp\WZBYNTPRU.exe -- (WZBYNTPRU)

SRV - [2011/03/31 15:34:23 | 000,506,752 | ---- | M] (Sysinternals - www.sysinternals.com) [On_Demand | Stopped] -- C:\Documents and Settings\Dave\Local Settings\Temp\DBA.exe -- (DBA)

SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)

SRV - [2010/03/25 09:25:22 | 030,969,208 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)

SRV - [2008/07/29 12:10:46 | 003,201,024 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon90)

========== Driver Services (SafeList) ==========

DRV - [2011/03/31 16:13:05 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EF7A33E0-34DC-4D0D-89FE-D4273C5C6B79}\MpKslefc87fea.sys -- (MpKslefc87fea)

DRV - [2010/07/09 13:18:56 | 000,020,328 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\cpuz134_x32.sys -- (cpuz134)

DRV - [2008/07/10 01:49:14 | 000,242,712 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\RsFx0102.sys -- (RsFx0102)

DRV - [2003/01/07 19:41:12 | 000,166,016 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)

DRV - [2003/01/03 19:41:00 | 000,540,672 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2002/11/11 19:57:16 | 000,193,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97) Audio Driver (WDM)

DRV - [2002/11/08 15:13:50 | 000,020,579 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ozscr.sys -- (O2SCBUS)

DRV - [2001/08/22 10:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"

FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.14.2

FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.4

FF - prefs.js..extensions.enabledItems: {61ED2A9A-39EB-4AAF-BD14-06DFBE8880C3}:1.0.2

FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.10

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

FF - prefs.js..extensions.enabledItems: {E6C1199F-E687-42da-8C24-E7770CC3AE66}:1.7.2

FF - prefs.js..extensions.enabledItems: {6e098d65-7d2d-46d4-ada0-2f882a29f795}:0.2.3

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23

FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.6.2

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.9

FF - prefs.js..extensions.enabledItems: {9c51bd27-6ed8-4000-a2bf-36cb95c0c947}:11.0.1

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/28 23:58:36 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/28 23:58:30 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.3\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/01/07 15:22:42 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.3\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/02/28 13:27:47 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Extensions

[2010/02/28 13:27:47 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}

[2011/03/31 12:54:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions

[2010/05/25 17:13:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/10/15 07:02:20 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}

[2010/02/14 14:47:34 | 000,000,000 | ---D | M] (Duplicate Tab) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{61ED2A9A-39EB-4AAF-BD14-06DFBE8880C3}

[2010/10/13 06:20:38 | 000,000,000 | ---D | M] (CHM Reader) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}

[2011/03/03 14:53:04 | 000,000,000 | ---D | M] (Tamper Data) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}

[2010/12/03 09:31:50 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}

[2011/03/22 08:03:29 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

[2011/03/03 14:53:04 | 000,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}

[2010/08/25 21:20:44 | 000,000,000 | ---D | M] (QuickJava) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{E6C1199F-E687-42da-8C24-E7770CC3AE66}

[2011/02/19 12:58:30 | 000,000,000 | ---D | M] (Firebug) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\firebug@software.joehewitt.com

[2011/03/31 12:54:05 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2010/08/12 06:27:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

[2010/10/22 06:10:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

[2011/01/17 09:46:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

[2011/02/23 19:59:13 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

[2010/06/20 14:02:42 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/03/14 13:17:21 | 000,623,214 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS


O1 - Hosts: 16471 more lines...

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)

O4 - HKLM..\Run: [ATIPTA] File not found

O4 - HKLM..\Run: [avast5] File not found

O4 - HKLM..\Run: [bCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)

O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe (Simply Super Software)

O4 - HKCU..\Run: [OfficeSyncProcess] C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)

O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)

O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab (F-Secure Online Scanner Launcher)

O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab (Windows Live Safety Center Base Module)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264585099638 (WUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)

O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\Dave\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dave\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010/01/27 03:11:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/31 16:50:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\IceSword122en

[2011/03/31 16:09:32 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dave\Desktop\69876976OTL.exe

[2011/03/31 14:36:42 | 001,137,360 | ---- | C] (F-Secure Corporation) -- C:\Documents and Settings\Dave\Desktop\fsbl.exe

[2011/03/31 12:59:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\765762RootkitRevealer

[2011/03/31 12:21:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\FBI CODE

[2011/03/30 22:35:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2011/03/30 22:34:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\My Documents\Simply Super Software

[2011/03/30 22:33:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Trojan Remover

[2011/03/30 22:33:45 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ztvcabinet.dll

[2011/03/30 22:33:21 | 000,000,000 | ---D | C] -- C:\Program Files\Trojan Remover

[2011/03/30 22:33:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Application Data\Simply Super Software

[2011/03/30 22:33:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software

[2011/03/30 16:38:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Start Menu\Programs\WinRAR

[2011/03/30 16:38:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Application Data\WinRAR

[2011/03/30 16:38:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR

[2011/03/30 16:38:32 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR

[2011/03/30 09:01:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\NUCLEAR

[2011/03/25 16:01:06 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC

[2011/03/24 14:57:38 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2011/03/21 09:22:49 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client

[2011/03/17 10:58:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\antivirus logs

[2011/03/17 10:56:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\malicious

[2011/03/16 16:07:32 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

[2011/03/16 16:07:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

[2011/03/16 15:40:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\McAfee

[2011/03/16 15:24:55 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center

[2011/03/14 22:25:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\jpg

[2011/03/14 22:17:59 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF

[2011/03/14 19:43:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Iconoid

[2011/03/14 19:43:25 | 000,000,000 | ---D | C] -- C:\Program Files\Iconoid

[2011/03/14 19:42:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\iconoid

[2011/03/14 12:43:28 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys

[2011/03/14 12:43:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\log

[2011/03/13 12:19:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\mar12_11

[2011/03/11 17:38:03 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

[2011/03/10 11:08:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\SERVER ERRORS

[2011/03/05 20:34:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\mar05_11

[2011/03/05 08:32:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\feb14_11

[2011/03/04 12:32:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\kayak_trip forms

[2011/03/03 16:51:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Local Settings\Application Data\Temp

[2011/03/02 22:39:44 | 000,000,000 | ---D | C] -- C:\ASP.NET 3.5 VB

[2011/03/02 22:39:09 | 000,000,000 | ---D | C] -- C:\Murach

[2011/03/02 20:42:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe

========== Files - Modified Within 30 Days ==========

[2011/03/31 17:01:05 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2011/03/31 17:00:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2011/03/31 16:52:19 | 000,068,426 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\is001.JPG

[2011/03/31 16:09:57 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dave\Desktop\69876976OTL.exe

[2011/03/31 15:55:15 | 003,271,617 | ---- | M] () -- C:\WINDOWS\System32\LHAPSGKKT

[2011/03/31 15:34:48 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\DTIUURQ

[2011/03/31 15:33:57 | 000,025,577 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\fsb006.JPG

[2011/03/31 15:33:05 | 000,036,727 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\fsb005.JPG

[2011/03/31 15:31:27 | 000,027,196 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\fsb004.JPG

[2011/03/31 14:55:41 | 000,028,464 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\fsb003.JPG

[2011/03/31 14:54:18 | 000,063,076 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\fsb002.JPG

[2011/03/31 14:52:21 | 000,212,684 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\rkr003.JPG

[2011/03/31 14:37:08 | 001,137,360 | ---- | M] (F-Secure Corporation) -- C:\Documents and Settings\Dave\Desktop\fsbl.exe

[2011/03/31 14:36:19 | 000,149,950 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\fsb001.JPG

[2011/03/31 13:20:48 | 000,144,278 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\rkr002.JPG

[2011/03/31 12:59:11 | 000,181,535 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\rkr001.JPG

[2011/03/31 12:58:09 | 000,231,390 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\RootkitRevealer.zip

[2011/03/31 12:36:12 | 000,071,092 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\icesword007.JPG

[2011/03/31 12:34:12 | 000,203,593 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\icesword006.JPG

[2011/03/31 12:33:17 | 000,124,185 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\icesword005.JPG

[2011/03/31 12:32:15 | 000,175,678 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\icesword004.JPG

[2011/03/31 12:31:30 | 000,112,683 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\icesword003.JPG

[2011/03/31 12:24:21 | 000,067,285 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\icesword002.JPG

[2011/03/31 12:23:16 | 000,062,305 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\icesword001.JPG

[2011/03/29 17:34:36 | 000,130,666 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\stl_race07.jpg

[2011/03/29 14:01:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2011/03/29 00:30:28 | 088,190,976 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP

[2011/03/28 23:58:38 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Dave\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[2011/03/28 23:58:37 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2011/03/28 15:42:34 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\chwx0l59.exe

[2011/03/28 15:35:45 | 000,058,730 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\plutonium.pdf

[2011/03/28 14:53:52 | 000,003,706 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\itrs.sql

[2011/03/25 15:19:29 | 000,089,088 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\mbr.exe

[2011/03/24 04:15:49 | 000,026,523 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\mse_error.JPG

[2011/03/24 03:17:53 | 000,158,372 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\gmer002.JPG

[2011/03/23 20:45:29 | 000,134,795 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\gmer001.JPG

[2011/03/23 17:58:28 | 000,620,465 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\Autoruns.zip

[2011/03/21 09:24:01 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif

[2011/03/21 09:04:37 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT

[2011/03/16 23:13:20 | 000,056,495 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\110315g.pdf

[2011/03/14 21:56:10 | 000,169,081 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\procexp_some_verified.JPG

[2011/03/14 19:29:36 | 000,168,766 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\procexp_some2.JPG

[2011/03/14 19:28:51 | 000,158,432 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\procexp_some.JPG

[2011/03/14 18:01:02 | 000,170,023 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\procexp_all_verified.JPG

[2011/03/14 15:00:24 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Dave\defogger_reenable

[2011/03/14 13:17:21 | 000,623,214 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS

[2011/03/14 12:43:28 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys

[2011/03/11 07:35:00 | 000,005,963 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\Default.aspx.html

[2011/03/11 02:01:47 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2011/03/10 14:21:42 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2011/03/09 21:31:02 | 000,101,136 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\aspnet1.pdf

[2011/03/09 21:11:00 | 000,010,017 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\web.config.bak

[2011/03/07 13:25:54 | 000,139,146 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\rootkit03.JPG

[2011/03/07 12:02:53 | 000,298,048 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2011/03/07 10:58:09 | 000,138,352 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\rootkit02.JPG

[2011/03/07 10:08:20 | 000,142,424 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\rootkit01.JPG

[2011/03/07 00:05:02 | 000,001,208 | ---- | M] () -- C:\bar.emf

[2011/03/02 10:20:37 | 000,095,232 | ---- | M] () -- C:\Documents and Settings\Dave\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2011/03/31 16:52:19 | 000,068,426 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\is001.JPG

[2011/03/31 15:51:40 | 003,271,617 | ---- | C] () -- C:\WINDOWS\System32\LHAPSGKKT

[2011/03/31 15:34:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\DTIUURQ

[2011/03/31 15:33:57 | 000,025,577 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\fsb006.JPG

[2011/03/31 15:33:05 | 000,036,727 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\fsb005.JPG

[2011/03/31 15:31:27 | 000,027,196 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\fsb004.JPG

[2011/03/31 14:55:41 | 000,028,464 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\fsb003.JPG

[2011/03/31 14:54:18 | 000,063,076 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\fsb002.JPG

[2011/03/31 14:52:21 | 000,212,684 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\rkr003.JPG

[2011/03/31 14:36:18 | 000,149,950 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\fsb001.JPG

[2011/03/31 13:20:48 | 000,144,278 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\rkr002.JPG

[2011/03/31 12:59:10 | 000,181,535 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\rkr001.JPG

[2011/03/31 12:58:07 | 000,231,390 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\RootkitRevealer.zip

[2011/03/31 12:36:11 | 000,071,092 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\icesword007.JPG

[2011/03/31 12:34:12 | 000,203,593 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\icesword006.JPG

[2011/03/31 12:33:17 | 000,124,185 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\icesword005.JPG

[2011/03/31 12:32:15 | 000,175,678 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\icesword004.JPG

[2011/03/31 12:31:30 | 000,112,683 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\icesword003.JPG

[2011/03/31 12:24:21 | 000,067,285 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\icesword002.JPG

[2011/03/31 12:23:15 | 000,062,305 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\icesword001.JPG

[2011/03/30 22:33:45 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll

[2011/03/30 22:33:45 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll

[2011/03/30 22:33:45 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll

[2011/03/30 22:33:44 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll

[2011/03/29 17:34:32 | 000,130,666 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\stl_race07.jpg

[2011/03/28 15:42:15 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\chwx0l59.exe

[2011/03/28 15:35:43 | 000,058,730 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\plutonium.pdf

[2011/03/28 14:53:51 | 000,003,706 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\itrs.sql

[2011/03/25 15:19:27 | 000,089,088 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\mbr.exe

[2011/03/24 04:15:49 | 000,026,523 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\mse_error.JPG

[2011/03/24 03:17:53 | 000,158,372 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\gmer002.JPG

[2011/03/23 20:45:29 | 000,134,795 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\gmer001.JPG

[2011/03/23 17:58:20 | 000,620,465 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\Autoruns.zip

[2011/03/23 15:37:35 | 088,190,976 | ---- | C] () -- C:\WINDOWS\MEMORY.DMP

[2011/03/17 10:32:28 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif

[2011/03/16 23:13:19 | 000,056,495 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\110315g.pdf

[2011/03/14 21:56:09 | 000,169,081 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\procexp_some_verified.JPG

[2011/03/14 19:29:35 | 000,168,766 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\procexp_some2.JPG

[2011/03/14 19:28:50 | 000,158,432 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\procexp_some.JPG

[2011/03/14 18:01:01 | 000,170,023 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\procexp_all_verified.JPG

[2011/03/14 15:00:24 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Dave\defogger_reenable

[2011/03/11 07:31:36 | 000,005,963 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\Default.aspx.html

[2011/03/09 21:31:00 | 000,101,136 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\aspnet1.pdf

[2011/03/09 15:06:37 | 000,010,017 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\web.config.bak

[2011/03/07 13:25:53 | 000,139,146 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\rootkit03.JPG

[2011/03/07 10:58:09 | 000,138,352 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\rootkit02.JPG

[2011/03/07 10:08:20 | 000,142,424 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\rootkit01.JPG

[2010/10/07 01:04:40 | 000,179,272 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2010/06/22 08:20:23 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat

[2010/06/21 20:01:26 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/03/12 11:11:14 | 000,208,036 | ---- | C] () -- C:\Documents and Settings\Dave\Local Settings\Application Data\debuggee.mdmp

[2010/02/03 23:02:24 | 000,000,130 | ---- | C] () -- C:\WINDOWS\cfplogvw.INI

[2010/01/30 18:31:41 | 000,000,022 | ---- | C] () -- C:\WINDOWS\exchng.ini

[2010/01/30 18:31:39 | 000,001,004 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2010/01/28 20:16:36 | 000,095,232 | ---- | C] () -- C:\Documents and Settings\Dave\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/01/27 09:34:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2010/01/27 03:29:18 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.exe.bak

[2010/01/27 03:16:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2010/01/27 03:07:13 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2010/01/26 18:59:00 | 000,004,346 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2010/01/26 18:57:19 | 000,298,048 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll

[2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe

[2004/08/03 19:07:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

[2004/08/02 08:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2001/08/23 14:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2001/08/23 14:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2001/08/23 14:00:00 | 000,507,040 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2001/08/23 14:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2001/08/23 14:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2001/08/23 14:00:00 | 000,096,282 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2001/08/23 14:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2001/08/23 14:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2001/08/23 14:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

[2001/08/23 14:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

[1997/08/26 02:00:00 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\WRKGADM.EXE

[1997/08/26 02:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL

[1997/08/26 02:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL

[1997/08/26 02:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

< End of report >

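Added example (not part of the original post, and not OldTimer's OTL code): a small Python triage helper for the kind of file listing pasted above. It parses OTL's `[timestamp | size | attrs | C/M] (Company) -- path` lines and flags the narrow pattern a log reader checks first: extension-less, all-caps, company-less files or zero-byte files sitting directly in the System32 folder. The sample lines are copied from the log above; the regex, the rule names and the "6+ capital letters" threshold are this example's own assumptions. A hit only means "hash and inspect this file", not a verdict on it.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample input: lines copied from the OTL file listing above
# (one directory entry, two company-less extension-less files in System32,
# a vendor-attributed tool on the Desktop, the HOSTS file, a Trend Micro
# driver and an unrar DLL), embedded so the parser runs offline.
SAMPLE_LOG = r"""
[2011/03/03 16:51:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Local Settings\Application Data\Temp
[2011/03/31 15:55:15 | 003,271,617 | ---- | M] () -- C:\WINDOWS\System32\LHAPSGKKT
[2011/03/31 15:34:48 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\DTIUURQ
[2011/03/31 14:37:08 | 001,137,360 | ---- | M] (F-Secure Corporation) -- C:\Documents and Settings\Dave\Desktop\fsbl.exe
[2011/03/14 13:17:21 | 000,623,214 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2011/03/14 12:43:28 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/03/30 22:33:45 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
"""

# One OTL file-list line: [timestamp | size | attributes | C or M] (Company) -- path
# The "(Company)" part is absent on directory lines and an empty "()" when the
# file carries no company/version resource. Regex is this example's assumption.
LINE_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| ([A-Z-]{4}) \| ([CM])\]"
    r"(?: \(([^)]*)\))? -- (.+)$"
)

@dataclass(frozen=True)
class OtlEntry:
    when: datetime
    size: int
    attrs: str      # four flags, e.g. "---D" directory, "--S-" system, "R---" read-only
    kind: str       # "C" = Files Created list, "M" = Files Modified list
    company: str    # "" when OTL printed no company name
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

def parse_otl(text: str) -> list[OtlEntry]:
    """Parse every well-formed file-list line; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, size, attrs, kind, company, path = m.groups()
        entries.append(OtlEntry(
            when=datetime.strptime(when, "%Y/%m/%d %H:%M:%S"),
            size=int(size.replace(",", "")),
            attrs=attrs,
            kind=kind,
            company=(company or "").strip(),
            path=path,
        ))
    return entries

# Assumed threshold: six or more capital letters and nothing else.
RANDOM_NAME_RE = re.compile(r"^[A-Z]{6,}$")

def _directly_in_system32(path: str) -> bool:
    # PureWindowsPath(r"C:\WINDOWS\System32\X").parts -> ('C:\\', 'WINDOWS', 'System32', 'X')
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) == 4 and parts[1:3] == ["windows", "system32"]

def triage(entries: list[OtlEntry]) -> dict[str, list[str]]:
    """Return {path: [reasons]} for files worth a closer look.

    Deliberately narrow: only files directly in the System32 folder, so
    legitimate extension-less files in subfolders (drivers, etc, HOSTS) are
    not caught. A hit is a prompt to hash and inspect the file, not a verdict.
    """
    findings: dict[str, list[str]] = {}
    for e in entries:
        if e.is_dir or not _directly_in_system32(e.path):
            continue
        name = PureWindowsPath(e.path).name
        reasons = []
        if not e.company and "." not in name and RANDOM_NAME_RE.match(name):
            reasons.append("extension-less all-caps name with no company metadata")
        if e.size == 0:
            reasons.append("zero-byte file")
        if reasons:
            findings[e.path] = reasons
    return findings

if __name__ == "__main__":
    for path, reasons in triage(parse_otl(SAMPLE_LOG)).items():
        print(path, "->", "; ".join(reasons))
```

Run it against a full OTL log by reading the file into `parse_otl`; the `Files Created - No Company Name` section alone is usually hundreds of lines, which is why the rule keys on location and naming rather than on the missing company name by itself (the HOSTS file and the unrar DLLs in the listing above have no company name either and are not flagged).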

OTL Extras logfile created on: 4/3/2011 11:32:02 PM - Run 7

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Dave\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 78.00% Memory free

3.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 37.26 Gb Total Space | 4.84 Gb Free Space | 12.99% Space Free | Partition Type: NTFS

Drive E: | 3.73 Gb Total Space | 0.61 Gb Free Space | 16.47% Space Free | Partition Type: FAT32

Computer Name: YOUR-BFE930219B | User Name: Dave | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Documents and Settings\Dave\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe" = C:\Documents and Settings\Dave\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Enabled:Octoshape add-in for Adobe Flash Player

"C:\Program Files\Microsoft Office\Office14\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office14\GROOVE.EXE:*:Enabled:Microsoft SharePoint Workspace -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE:*:Enabled:Microsoft OneNote -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)

"C:\Program Files\Pinnacle\VideoSpin\Programs\RM.exe" = C:\Program Files\Pinnacle\VideoSpin\Programs\RM.exe:*:Enabled:Render Manager

"C:\Program Files\Pinnacle\VideoSpin\Programs\umi.exe" = C:\Program Files\Pinnacle\VideoSpin\Programs\umi.exe:*:Enabled:umi

"C:\Program Files\Pinnacle\VideoSpin\Programs\VideoSpin.exe" = C:\Program Files\Pinnacle\VideoSpin\Programs\VideoSpin.exe:*:Enabled:Pinnacle VideoSpin

"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java Platform SE binary -- (Sun Microsystems, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{01C5A10F-AD9B-405B-853A-6659841A1242}" = Microsoft SQL Server 2008 Policies

"{044F9133-B8D7-4d11-BF39-803FA20F5C8B}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32

"{05EC21B8-4593-3037-A781-A6B5AFFCB19D}" = Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools - enu

"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel

"{196E77C5-F524-4B50-BD1A-2C21EEE9B8F7}" = Microsoft SQL Server 2008 Common Files

"{2020045B-8DCF-4449-8D5C-EB5BA37440F1}" = Microsoft SQL Server 2008 Management Studio

"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java 6 Update 24

"{291B3A3B-F808-45B8-8113-DF232FCB6C82}" = Microsoft .NET Compact Framework 3.5

"{300A2961-B2B5-4889-9CB9-5C2A570D08AD}" = Debugging Tools for Windows (x86)

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime

"{440A992F-3BDB-4D76-9CB4-B4C09F5998B7}" = Microsoft SQL Server 2008 Books Online (October 2009)

"{4815BD99-96A4-49FE-A885-DCF06E9E4E78}" = Microsoft SQL Server 2008 Database Engine Shared

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4A6F34E2-09E5-4616-B227-4A26A488A6F9}" = Microsoft SQL Server 2008 Common Files

"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime

"{58721EC3-8D4E-4B79-BC51-1054E2DDCD10}" = Microsoft SQL Server 2008 Database Engine Services

"{5BE1E709-30E4-3D6D-A708-96CE8D5E5E8D}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu

"{64c5b887-b5ee-42b8-8596-78905a6b5f1f}" = Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense

"{64CDE8F2-3791-46F5-BAD2-72FFF5252FAB}" = Microsoft SQL Server Compact 3.5 SP1 Query Tools English

"{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}" = Microsoft Document Explorer 2008

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6C9F6D23-E9AD-43C9-B43A-011562AAF876}" = Windows Mobile 5.0 SDK R2 for Pocket PC

"{6F7F59D5-12F6-4571-9935-A2921AA17F78}" = Microsoft SQL Server 2008 Setup Support Files (English)

"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware

"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client

"{7959721D-8268-4565-9E0E-C41A9F4848A9}" = SigmaTel AC97 Audio Drivers

"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_VISPRO_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_VISPRO_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_VISPRO_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-0021-0000-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer 2007

"{90120000-0021-0000-0000-0000000FF1CE}_VisualWebDeveloper_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{90120000-0021-0409-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer MUI (English) 2007

"{90120000-0021-0409-0000-0000000FF1CE}_VisualWebDeveloper_{E1044ED2-E4AD-4B39-B500-31109750F6B4}" = Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007

"{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{0FD405D3-CAF8-4CA6-8BFD-911D2F8A6585}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)

"{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{90120000-0054-0409-0000-0000000FF1CE}" = Microsoft Office Visio MUI (English) 2007

"{90120000-0054-0409-0000-0000000FF1CE}_VISPRO_{519D9F45-CBF4-4E57-B419-11F196CCA8AE}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_VisualWebDeveloper_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_VisualWebDeveloper_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90140000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 14

"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010

"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010

"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010

"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010

"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010

"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010

"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010

"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010

"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010

"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010

"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010

"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010

"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010

"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010

"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010

"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010

"{91140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9656F3AC-6BA9-43F0-ABED-F214B5DAB27B}" = Windows Mobile 5.0 SDK R2 for Smartphone

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{AA467959-A1D6-4F45-90CD-11DC57733F32}" = Crystal Reports Basic for Visual Studio 2008

"{AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB}" = Microsoft Visual Studio Tools for Applications 2.0 - ENU

"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{B268E9A1-04A9-40D0-9866-846BE2B74BA7}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Win32 Tools

"{B32E7732-B2FB-3FD0-81AC-6025B1104C66}" = Microsoft Device Emulator version 3.0 - ENU

"{B5153233-9AEE-4CD4-9D2C-4FAAC870DBE2}" = Microsoft SQL Server 2008 Database Engine Services

"{B67C01B3-8502-4BE7-AEAB-BBDE910AD3EE}" = Microsoft Web Platform Installer 2.0

"{B857D868-F8B0-43EE-BC2B-D9E5ED21F237}" = Microsoft SQL Server VSS Writer

"{BCD2FF98-7DF2-4FE2-B7E3-9593C5D66A4E}_is1" = Iconoid version 3.8.6

"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = B57Inst

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C688457E-03FD-4941-923B-A27F4D42A7DD}" = Microsoft SQL Server 2008 Browser

"{C965F01C-76EA-4BD7-973E-46236AE312D7}" = Sql Server Customer Experience Improvement Program

"{CAA376AF-0DE8-4FCA-942E-C6AC579B94B3}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Tools

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD

"{D7DAD1E4-45F4-3B2B-899A-EA728167EC4F}" = Microsoft Visual Studio 2008 Professional Edition - ENU

"{D9D937B0-E842-4130-9588-B948E876904A}" = Microsoft SQL Server 2008 Native Client

"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English

"{EDDF99D9-9FE3-4871-A7DB-D1522C51EE9A}" = Microsoft .NET Compact Framework 2.0 SP2

"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support

"{F1DC7648-8623-442F-92B7-E118DF61872E}" = Microsoft SQL Server 2008 RsFx Driver

"{F3494AB6-6900-41C6-AF57-823626827ED8}" = Microsoft SQL Server 2008 Database Engine Shared

"{FA9C3624-C693-4423-8A8B-2BC2B9F607AB}" = Microsoft SQL Server 2008 Management Studio

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"ATI Display Driver" = ATI Display Driver

"CPUID CPU-Z_is1" = CPUID CPU-Z 1.56

"ESET Online Scanner" = ESET Online Scanner v3

"ie8" = Windows Internet Explorer 8

"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Driver Installer

"IrfanView" = IrfanView (remove only)

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft Document Explorer 2008" = Microsoft Document Explorer 2008

"Microsoft Report Viewer Redistributable 2008 (KB971119)" = Microsoft Report Viewer Redistributable 2008 SP1

"Microsoft Security Client" = Microsoft Security Essentials

"Microsoft SQL Server 10" = Microsoft SQL Server 2008

"Microsoft SQL Server 10 Release" = Microsoft SQL Server 2008

"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime

"Microsoft Visual Studio 2008 Professional Edition - ENU" = Microsoft Visual Studio 2008 Professional Edition - ENU

"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)

"Mozilla Thunderbird (3.0.3)" = Mozilla Thunderbird (3.0.3)

"Office14.PROPLUSR" = Microsoft Office Professional Plus 2010

"Office8.0" = Microsoft Office 97, Professional Edition

"Trojan Remover_is1" = Trojan Remover 6.8.2

"VISPRO" = Microsoft Office Visio Professional 2007

"Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime

"VisualWebDeveloper" = Microsoft Visual Studio Web Authoring Component

"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner

"Windows XP Service Pack" = Windows XP Service Pack 3

"WinFF_is1" = WinFF 1.3.1

"WinGimp-2.0_is1" = GIMP 2.6.8

"WinRAR archiver" = WinRAR 4.00 (32-bit)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"f031ef6ac137efc5" = Dell Driver Download Manager

"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 3/17/2011 12:32:29 PM | Computer Name = YOUR-BFE930219B | Source = Microsoft Security Client Setup | ID = 100

Description = HRESULT:0x8004FF0A Description:Microsoft Security Essentials installation

was canceled. You canceled the Security Essentials installation on your computer.

Error code:0x8004FF0A.

Error - 3/17/2011 1:10:16 PM | Computer Name = YOUR-BFE930219B | Source = Microsoft Security Client Setup | ID = 100

Description = HRESULT:0x8004FF0A Description:Microsoft Security Essentials installation

was canceled. You canceled the Security Essentials installation on your computer.

Error code:0x8004FF0A.

Error - 3/21/2011 11:23:38 AM | Computer Name = YOUR-BFE930219B | Source = MPSampleSubmission | ID = 5000

Description = EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 3.0.8107.0,

P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 3/21/2011 12:34:00 PM | Computer Name = YOUR-BFE930219B | Source = MPSampleSubmission | ID = 5000

Description = EventType mptelemetry, P1 0, P2 moaccapability, P3 3.0.8107.0, P4

0, P5 0, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 3/24/2011 6:13:22 AM | Computer Name = YOUR-BFE930219B | Source = MPSampleSubmission | ID = 5000

Description = EventType mptelemetry, P1 80240022, P2 processdownloadresults, P3

download, P4 3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials

(edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 NIL, P10 NIL.

Error - 3/24/2011 6:15:56 AM | Computer Name = YOUR-BFE930219B | Source = Microsoft Security Client | ID = 5000

Description =

Error - 4/1/2011 12:24:43 PM | Computer Name = YOUR-BFE930219B | Source = devenv | ID = 0

Description =

Error - 4/2/2011 2:19:57 PM | Computer Name = YOUR-BFE930219B | Source = devenv | ID = 0

Description =

[ System Events ]

Error - 3/31/2011 9:35:55 PM | Computer Name = YOUR-BFE930219B | Source = Disk | ID = 262155

Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 4/1/2011 12:00:49 AM | Computer Name = YOUR-BFE930219B | Source = Disk | ID = 262155

Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 4/1/2011 10:53:09 AM | Computer Name = YOUR-BFE930219B | Source = Service Control Manager | ID = 7000

Description = The Ati HotKey Poller service failed to start due to the following

error: %%2

Error - 4/1/2011 12:32:01 PM | Computer Name = YOUR-BFE930219B | Source = Schannel | ID = 36882

Description = The certificate received from the remote server was issued by an untrusted

certificate authority. Because of this, none of the data contained in the certificate

can be validated. The SSL connection request has failed. The attached data contains

the server certificate.

Error - 4/2/2011 10:17:10 AM | Computer Name = YOUR-BFE930219B | Source = Service Control Manager | ID = 7000

Description = The Ati HotKey Poller service failed to start due to the following

error: %%2

Error - 4/2/2011 2:17:18 PM | Computer Name = YOUR-BFE930219B | Source = Disk | ID = 262155

Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 4/2/2011 11:23:38 PM | Computer Name = YOUR-BFE930219B | Source = Service Control Manager | ID = 7000

Description = The Ati HotKey Poller service failed to start due to the following

error: %%2

Error - 4/3/2011 11:31:00 AM | Computer Name = YOUR-BFE930219B | Source = Service Control Manager | ID = 7000

Description = The Ati HotKey Poller service failed to start due to the following

error: %%2

Error - 4/3/2011 11:53:10 PM | Computer Name = YOUR-BFE930219B | Source = Service Control Manager | ID = 7000

Description = The Ati HotKey Poller service failed to start due to the following

error: %%2

Error - 4/4/2011 1:25:40 AM | Computer Name = YOUR-BFE930219B | Source = Disk | ID = 262155

Description = The driver detected a controller error on \Device\Harddisk1\D.

< End of report >


Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Looks like Combofix does what DDS does -- produce a lockup. Maybe I should describe the lockup: The mouse cursor is still alive but even ctrl-alt-del doesn't work. I am curious whether a bootable DVD might be available for this sort of anti-malware investigation? Thanks.


  • Staff

Hi,

Thanks for letting me know.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log name is of the form UtilityName.Version_Date_Time_log.txt,

for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

You're welcome to try any (or all if you'd like) of the following anti-malware boot CDs:

These are links to Anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability.

If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Let me know how it goes.


I'm thinking maybe I ought to just buy another HD for $60 and start reinstalling everything.

2011/04/08 10:41:06.0935 1224 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28

2011/04/08 10:41:07.0106 1224 ================================================================================

2011/04/08 10:41:07.0106 1224 SystemInfo:

2011/04/08 10:41:07.0106 1224

2011/04/08 10:41:07.0106 1224 OS Version: 5.1.2600 ServicePack: 3.0

2011/04/08 10:41:07.0106 1224 Product type: Workstation

2011/04/08 10:41:07.0106 1224 ComputerName: YOUR-BFE930219B

2011/04/08 10:41:07.0106 1224 UserName: Dave

2011/04/08 10:41:07.0106 1224 Windows directory: C:\WINDOWS

2011/04/08 10:41:07.0106 1224 System windows directory: C:\WINDOWS

2011/04/08 10:41:07.0106 1224 Processor architecture: Intel x86

2011/04/08 10:41:07.0106 1224 Number of processors: 1

2011/04/08 10:41:07.0106 1224 Page size: 0x1000

2011/04/08 10:41:07.0106 1224 Boot type: Normal boot

2011/04/08 10:41:07.0106 1224 ================================================================================

2011/04/08 10:41:10.0581 1224 Initialize success

2011/04/08 10:41:13.0265 2432 ================================================================================

2011/04/08 10:41:13.0265 2432 Scan started

2011/04/08 10:41:13.0265 2432 Mode: Manual;

2011/04/08 10:41:13.0265 2432 ================================================================================

2011/04/08 10:41:15.0528 2432 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/04/08 10:41:16.0299 2432 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/04/08 10:41:16.0940 2432 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/04/08 10:41:17.0350 2432 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2011/04/08 10:41:17.0721 2432 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/04/08 10:41:19.0734 2432 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/04/08 10:41:20.0064 2432 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/04/08 10:41:20.0785 2432 ati2mtag (31b35cc6deb111d4ebcdba20f64cd277) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/04/08 10:41:21.0376 2432 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/04/08 10:41:21.0777 2432 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/04/08 10:41:22.0197 2432 b57w2k (f26e6eaedea6eb87ae4c5d2f678a1bc2) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2011/04/08 10:41:22.0588 2432 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/04/08 10:41:23.0069 2432 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/04/08 10:41:23.0609 2432 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/04/08 10:41:23.0940 2432 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/04/08 10:41:24.0290 2432 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/04/08 10:41:24.0841 2432 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/04/08 10:41:25.0442 2432 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/04/08 10:41:25.0973 2432 cpuz134 (75fa19142531cbf490770c2988a7db64) C:\WINDOWS\system32\drivers\cpuz134_x32.sys

2011/04/08 10:41:26.0894 2432 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/04/08 10:41:27.0495 2432 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/04/08 10:41:28.0106 2432 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/04/08 10:41:28.0476 2432 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/04/08 10:41:28.0817 2432 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/04/08 10:41:29.0398 2432 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/04/08 10:41:29.0788 2432 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/04/08 10:41:30.0159 2432 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/04/08 10:41:30.0529 2432 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/04/08 10:41:30.0860 2432 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/04/08 10:41:31.0240 2432 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/04/08 10:41:31.0631 2432 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/04/08 10:41:32.0011 2432 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/04/08 10:41:32.0392 2432 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/04/08 10:41:32.0733 2432 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/04/08 10:41:33.0373 2432 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/04/08 10:41:34.0175 2432 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/04/08 10:41:34.0525 2432 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/04/08 10:41:35.0086 2432 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/04/08 10:41:35.0416 2432 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/04/08 10:41:35.0737 2432 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/04/08 10:41:36.0077 2432 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/04/08 10:41:36.0548 2432 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/04/08 10:41:36.0929 2432 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/04/08 10:41:37.0319 2432 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/04/08 10:41:37.0670 2432 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/04/08 10:41:38.0020 2432 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/04/08 10:41:38.0371 2432 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/04/08 10:41:38.0771 2432 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/04/08 10:41:39.0172 2432 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/04/08 10:41:39.0773 2432 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/04/08 10:41:40.0113 2432 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/04/08 10:41:40.0444 2432 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/04/08 10:41:40.0784 2432 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/04/08 10:41:41.0115 2432 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/04/08 10:41:41.0525 2432 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys

2011/04/08 10:41:41.0886 2432 MpKsl56e9dd7b (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C4234979-4A81-4DFF-BC11-630DA6351FEF}\MpKsl56e9dd7b.sys

2011/04/08 10:41:42.0767 2432 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/04/08 10:41:43.0278 2432 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/04/08 10:41:43.0748 2432 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/04/08 10:41:44.0069 2432 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/04/08 10:41:44.0389 2432 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/04/08 10:41:44.0690 2432 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/04/08 10:41:45.0010 2432 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/04/08 10:41:45.0401 2432 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/04/08 10:41:45.0921 2432 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/04/08 10:41:46.0322 2432 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/04/08 10:41:46.0693 2432 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/04/08 10:41:47.0043 2432 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/04/08 10:41:47.0404 2432 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/04/08 10:41:47.0744 2432 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/04/08 10:41:48.0125 2432 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/04/08 10:41:48.0575 2432 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/04/08 10:41:49.0106 2432 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/04/08 10:41:49.0617 2432 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/04/08 10:41:49.0857 2432 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/04/08 10:41:50.0188 2432 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/04/08 10:41:50.0568 2432 O2SCBUS (7f8d43fd4159b16ebfd65e13ee34677f) C:\WINDOWS\system32\DRIVERS\ozscr.sys

2011/04/08 10:41:50.0899 2432 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS

2011/04/08 10:41:51.0269 2432 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/04/08 10:41:51.0620 2432 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/04/08 10:41:51.0950 2432 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/04/08 10:41:52.0301 2432 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/04/08 10:41:52.0851 2432 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/04/08 10:41:53.0212 2432 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/04/08 10:41:54.0844 2432 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/04/08 10:41:55.0205 2432 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/04/08 10:41:55.0565 2432 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/04/08 10:41:57.0128 2432 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/04/08 10:41:57.0468 2432 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/04/08 10:41:57.0849 2432 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/04/08 10:41:58.0189 2432 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/04/08 10:41:58.0600 2432 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/04/08 10:41:58.0970 2432 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/04/08 10:41:59.0371 2432 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/04/08 10:41:59.0811 2432 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/04/08 10:42:00.0192 2432 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/04/08 10:42:00.0633 2432 RsFx0102 (fedd2710b75be3ecf078adace790c423) C:\WINDOWS\system32\DRIVERS\RsFx0102.sys

2011/04/08 10:42:01.0083 2432 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/04/08 10:42:01.0424 2432 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/04/08 10:42:01.0764 2432 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/04/08 10:42:02.0155 2432 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/04/08 10:42:02.0916 2432 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/04/08 10:42:03.0266 2432 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/04/08 10:42:03.0737 2432 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/04/08 10:42:04.0208 2432 STAC97 (f2ca38990f140025b91ee7bbd315f44c) C:\WINDOWS\system32\drivers\STAC97.sys

2011/04/08 10:42:04.0588 2432 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/04/08 10:42:04.0969 2432 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/04/08 10:42:06.0161 2432 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/04/08 10:42:06.0631 2432 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/04/08 10:42:07.0042 2432 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/04/08 10:42:07.0362 2432 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/04/08 10:42:07.0713 2432 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/04/08 10:42:08.0374 2432 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/04/08 10:42:09.0055 2432 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/04/08 10:42:09.0505 2432 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/04/08 10:42:09.0866 2432 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/04/08 10:42:10.0206 2432 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/04/08 10:42:10.0497 2432 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/04/08 10:42:10.0817 2432 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/04/08 10:42:11.0368 2432 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/04/08 10:42:11.0769 2432 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/04/08 10:42:12.0289 2432 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/04/08 10:42:12.0910 2432 ================================================================================

2011/04/08 10:42:12.0910 2432 Scan finished

2011/04/08 10:42:12.0910 2432 ================================================================================

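The TDSSKiller log above lists one driver per line with its MD5 and image path. What follows is an added example, not part of this thread and not TDSSKiller's own code: a Python script that parses lines in that format and flags drivers loaded from outside the stock driver directories, the place a rootkit dropper tends to put its driver. The sample lines are constructed from the format shown above. A hit is a lead, not a verdict: the MpKsl… driver under Application Data is Microsoft Security Essentials' own definition-update driver, and the MD5 column exists so that each hash can be checked against a known-good catalogue (none is included here).

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample in the TDSSKiller log format shown above:
#   <date> <time> <thread id> <service name> (<md5 of image>) <image path>
# Three driver lines plus one status line that carries no driver.
SAMPLE_LOG = r"""
2011/04/08 10:41:15.0528 2432 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/08 10:41:25.0973 2432 cpuz134 (75fa19142531cbf490770c2988a7db64) C:\WINDOWS\system32\drivers\cpuz134_x32.sys
2011/04/08 10:41:41.0886 2432 MpKsl56e9dd7b (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C4234979-4A81-4DFF-BC11-630DA6351FEF}\MpKsl56e9dd7b.sys
2011/04/08 10:42:12.0910 2432 Scan finished
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s+"
    r"(?P<svc>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*?)\s*$"
)


class DriverEntry(NamedTuple):
    service: str
    md5: str
    path: str


# Directories a kernel driver on a default XP install is expected to live in (assumption for the example).
EXPECTED_DIRS = {r"c:\windows\system32\drivers", r"c:\windows\system32"}
# Path fragments meaning the image sits somewhere a non-admin process can write to.
USER_WRITABLE_HINTS = ("documents and settings", "application data", "\\temp\\", "\\users\\")


def parse_tdsskiller_log(text: str) -> List[DriverEntry]:
    """Extract (service, md5, path) from every driver line; banner and status lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(DriverEntry(m["svc"], m["md5"], m["path"]))
    return entries


def classify(entry: DriverEntry) -> str:
    """'expected' for the stock driver directories, 'user-writable' for profile/temp paths, else 'unusual'."""
    p = entry.path.lower()
    parent = p.rsplit("\\", 1)[0] if "\\" in p else ""
    if parent in EXPECTED_DIRS:
        return "expected"
    if any(h in p for h in USER_WRITABLE_HINTS):
        return "user-writable"
    return "unusual"


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (service, verdict, md5) for every driver that is NOT in an expected directory."""
    return [(e.service, classify(e), e.md5)
            for e in parse_tdsskiller_log(text) if classify(e) != "expected"]


if __name__ == "__main__":
    for svc, verdict, md5 in triage(SAMPLE_LOG):
        print(f"{verdict:14} {svc:20} md5={md5}")
```

Run it against a saved log with `triage(open(path).read())`; the md5 values it returns are what you submit to a hash lookup service to confirm or clear each flagged driver.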

I'd rather learn more about what this is so that if it happens again I won't be as clueless.

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000001c

Kernel Drivers (total 117):

0x804D7000 \WINDOWS\system32\ntoskrnl.exe

0x806EF000 \WINDOWS\system32\hal.dll

0xF7987000 \WINDOWS\system32\KDCOM.DLL

0xF7897000 \WINDOWS\system32\BOOTVID.dll

0xF75A8000 ACPI.sys

0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xF7597000 pci.sys

0xF75F7000 isapnp.sys

0xF789B000 compbatt.sys

0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS

0xF7A4F000 pciide.sys

0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xF798B000 intelide.sys

0xF74D9000 pcmcia.sys

0xF7607000 MountMgr.sys

0xF74BA000 ftdisk.sys

0xF770F000 PartMgr.sys

0xF7617000 VolSnap.sys

0xF74A2000 atapi.sys

0xF7627000 disk.sys

0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xF7482000 fltmgr.sys

0xF7470000 sr.sys

0xF7459000 KSecDD.sys

0xF7B52000 Ntfs.sys

0xF742C000 NDIS.sys

0xF7412000 Mup.sys

0xF7647000 agp440.sys

0xF7587000 \SystemRoot\system32\DRIVERS\intelppm.sys

0xBA7D8000 \SystemRoot\system32\DRIVERS\CmBatt.sys

0xB9E23000 \SystemRoot\system32\DRIVERS\ati2mtag.sys

0xB9E0F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xF778F000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0xB9DEB000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xF7797000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xB9DC2000 \SystemRoot\system32\DRIVERS\b57xp32.sys

0xF779F000 \SystemRoot\system32\DRIVERS\ozscr.sys

0xBA7D4000 \SystemRoot\system32\DRIVERS\SMCLIB.SYS

0xF7557000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xF77A7000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xF77AF000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xF7547000 \SystemRoot\system32\DRIVERS\serial.sys

0xBA7D0000 \SystemRoot\system32\DRIVERS\serenum.sys

0xB9DAE000 \SystemRoot\system32\DRIVERS\parport.sys

0xF7537000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xF7527000 \SystemRoot\system32\DRIVERS\redbook.sys

0xB9D8B000 \SystemRoot\system32\DRIVERS\ks.sys

0xB9D5B000 \SystemRoot\system32\drivers\STAC97.sys

0xB9D37000 \SystemRoot\system32\drivers\portcls.sys

0xF7517000 \SystemRoot\system32\drivers\drmk.sys

0xF7A9B000 \SystemRoot\system32\DRIVERS\audstub.sys

0xF7507000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xBA7C4000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xB9D16000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xF74F7000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xBA78F000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xF77B7000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xB9D05000 \SystemRoot\system32\DRIVERS\psched.sys

0xBA77F000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xF781F000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xF772F000 \SystemRoot\system32\DRIVERS\raspti.sys

0xB8958000 \SystemRoot\system32\DRIVERS\rdpdr.sys

0xBA72F000 \SystemRoot\system32\DRIVERS\termdd.sys

0xF7999000 \SystemRoot\system32\DRIVERS\swenum.sys

0xB88FA000 \SystemRoot\system32\DRIVERS\update.sys

0xBA0F4000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xBA6FF000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xF76F7000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xF799F000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xADD90000 \SystemRoot\system32\DRIVERS\MpFilter.sys

0xABFD0000 \SystemRoot\system32\DRIVERS\hidusb.sys

0xABD12000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0xAC0BE000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0xB8B6E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xF7A6E000 \SystemRoot\System32\Drivers\Null.SYS

0xB8B6C000 \SystemRoot\System32\Drivers\Beep.SYS

0xAC0AE000 \SystemRoot\System32\drivers\vga.sys

0xB8B6A000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xB8B68000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xAC0A6000 \SystemRoot\System32\Drivers\Msfs.SYS

0xB9F98000 \SystemRoot\System32\Drivers\Npfs.SYS

0xABFCC000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xAB3C1000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xAB368000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xAB340000 \SystemRoot\system32\DRIVERS\netbt.sys

0xAB31E000 \SystemRoot\System32\drivers\afd.sys

0xAC9FF000 \SystemRoot\system32\DRIVERS\netbios.sys

0xAB2F3000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xAB9CD000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS

0xAB283000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xF775F000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C4234979-4A81-4DFF-BC11-630DA6351FEF}\MpKsl56e9dd7b.sys

0xAB25D000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xABC55000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xAB9C5000 \SystemRoot\system32\DRIVERS\mouhid.sys

0xABC35000 \SystemRoot\System32\Drivers\Fips.SYS

0xAB239000 \SystemRoot\System32\Drivers\Fastfat.SYS

0xAB221000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xF79E5000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xB9CE7000 \SystemRoot\System32\drivers\Dxapi.sys

0xAB921000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xB898C000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF012000 \SystemRoot\System32\ati2dvag.dll

0xBF04E000 \SystemRoot\System32\ati3d2ag.dll

0xBF149000 \SystemRoot\System32\ATMFD.DLL

0xAB219000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xAB0B4000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xB973D000 \SystemRoot\System32\Drivers\ParVdm.SYS

0xAB11D000 \??\C:\WINDOWS\system32\drivers\cpuz134_x32.sys

0xAAFE4000 \SystemRoot\system32\DRIVERS\srv.sys

0xAAD9F000 \SystemRoot\system32\drivers\wdmaud.sys

0xACA2F000 \SystemRoot\system32\drivers\sysaudio.sys

0xAA9E0000 \SystemRoot\System32\Drivers\HTTP.sys

0xF7747000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{90A9B5BC-60D6-4C0B-8714-C8C8914B1C9C}\MpKsle03243b4.sys

0xAB474000 \SystemRoot\System32\Drivers\Cdfs.SYS

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 27):

0 System Idle Process

4 System

464 C:\WINDOWS\system32\smss.exe

520 csrss.exe

556 C:\WINDOWS\system32\winlogon.exe

600 C:\WINDOWS\system32\services.exe

612 C:\WINDOWS\system32\lsass.exe

768 C:\WINDOWS\system32\svchost.exe

844 svchost.exe

908 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

944 C:\WINDOWS\system32\svchost.exe

1024 svchost.exe

1148 svchost.exe

1276 C:\WINDOWS\system32\spoolsv.exe

1324 scardsvr.exe

1376 svchost.exe

1440 C:\Program Files\Java\jre6\bin\jqs.exe

1464 C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

1644 sqlbrowser.exe

1676 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

164 alg.exe

2028 C:\WINDOWS\explorer.exe

968 C:\Program Files\Common Files\Java\Java Update\jusched.exe

1040 C:\Program Files\Microsoft Security Client\msseces.exe

356 C:\WINDOWS\system32\ctfmon.exe

496 C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE

2544 C:\Documents and Settings\Dave\Desktop\M87687BRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HITACHI_DK23EB-40, Rev: 00K0A0C0

Size Device Name MBR Status

--------------------------------------------

37 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!

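MBRCheck's verdict above ("Windows XP MBR code detected") and the SHA1 it prints come from reading the first sector of PhysicalDrive0. As an added example, not MBRCheck's own code, here is a Python script that performs the checks such a tool does: boot signature, partition table, and a hash of the 440 bytes of boot code that can be compared with a known-good copy (no catalogue of known-good hashes is included). The MBR bytes are constructed for the example; its single partition entry at LBA 63 reproduces the 0x7e00 byte offset shown in the log. Reading the real sector needs administrator rights.

```python
import hashlib
import struct

SECTOR = 512
PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xAA"


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code, one bootable NTFS partition at LBA 63, valid signature."""
    boot_code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * (440 - 7)   # 440 bytes of "code"
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"                      # NT disk signature + padding
    # 78140097 sectors * 512 bytes is about 37 GB, matching the drive size MBRCheck reported.
    entry = struct.pack(PART_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 78140097)
    table = entry + b"\x00" * 48                                       # remaining three entries unused
    return boot_code + disk_sig + table + BOOT_SIG


def has_boot_signature(mbr: bytes) -> bool:
    return len(mbr) == SECTOR and mbr[510:512] == BOOT_SIG


def parse_mbr(mbr: bytes) -> dict:
    """Decode the partition table and hash the boot code and the whole sector."""
    if not has_boot_signature(mbr):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(PART_FMT, mbr[off:off + 16])
        if ptype == 0:                       # empty slot
            continue
        partitions.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "lba_start": lba, "byte_offset": lba * SECTOR, "sectors": count,
        })
    return {
        "boot_code_sha1": hashlib.sha1(mbr[:440]).hexdigest(),   # compare with a known-good image
        "sector_sha1": hashlib.sha1(mbr).hexdigest(),
        "partitions": partitions,
    }


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw device; requires administrator rights on Windows."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("boot code SHA1:", info["boot_code_sha1"])
    for p in info["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02x} at byte offset 0x{p['byte_offset']:x}")
```

Hashing only the first 440 bytes matters: the disk signature and partition table that follow differ on every machine, so a hash of the whole sector can never match a reference image, while the boot code itself is identical across installs of the same Windows version.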

  • Staff

Hi,

I'm not seeing any infections here.

Could be something with your HOSTS file; I see legitimate sites in there such as MSN's homepage, so it could be that there are Microsoft websites in there by mistake causing mishaps when connected to Microsoft sites in Windows but not in Linux.

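The HOSTS file hypothesis is quick to check. Below is an added example, not from this thread, that parses a Windows HOSTS file and reports two kinds of entry: vendor names pointed at a blackhole address, which blocks them outright, and names mapped to a real address, which silently redirects them. The sample HOSTS content, the vendor suffix list and the finding labels are constructed for the example; the default file location on XP is %SystemRoot%\system32\drivers\etc\hosts.

```python
import ipaddress
from typing import List, Tuple

# Constructed HOSTS content; the last two lines are the kind of entries to look for.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net         # ad host blackholed on purpose
0.0.0.0         www.msn.com             # vendor site blackholed: breaks anything that needs it
203.0.113.45    www.microsoft.com       # vendor site sent to a third-party address
"""

HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"   # default location on XP
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}
# Domains whose presence in HOSTS breaks updates, definition downloads or sign-in (example list).
VENDOR_SUFFIXES = ("microsoft.com", "msn.com", "live.com", "windowsupdate.com", "malwarebytes.org")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blank lines and malformed lines are ignored."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        pairs.extend((ip, name.lower()) for name in fields[1:])
    return pairs


def is_vendor(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in VENDOR_SUFFIXES)


def review_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (finding, ip, hostname) for entries that would explain broken connectivity."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if ip not in BLACKHOLE:
            # Mapping to a real address: intranet names land here too, so each one needs a look.
            findings.append(("redirect", ip, name))
        elif is_vendor(name):
            findings.append(("vendor-blackholed", ip, name))
    return findings


def review_hosts_file(path: str = HOSTS_PATH) -> List[Tuple[str, str, str]]:
    with open(path, encoding="utf-8", errors="replace") as f:
        return review_hosts(f.read())


if __name__ == "__main__":
    for finding, ip, name in review_hosts(SAMPLE_HOSTS):
        print(f"{finding:18} {ip:16} {name}")
```

A blackholed vendor entry produces a clean, immediate failure, which is why the poster's observation that downloads start and then stall argues against HOSTS being the cause; a redirect entry, by contrast, can produce exactly that kind of partial behaviour and is worth ruling out.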

Thanks for your help. I have tried MSN in the HOSTS file just to avoid the ads after logging out of Hotmail. If the downloads were actually being blocked cleanly I would suspect the HOSTS file, but as it is the downloads begin but then fizzle out. When I have time I'll try to acquire a bootable DVD and will then report back if I find anything. Thanks again.


Does this occur in all browsers? Have you tried in both Internet Explorer and Firefox?

Yes, IE8, FF, Chrome, Safari. The symptom even occurs with those download wizard things. I did find that I was able to run some diagnostics on my other computer that lock up this laptop, such as DDS, but I don't know if you would want to look at those logs. It would essentially be starting over with a second machine.


  • 2 weeks later...

Ok, removed the old drives and installed a new drive, formatted it and reinstalled XP SP3 and the problem was still very apparent when I got to the ninety plus Microsoft updates. Either my Siemens DSL modem is the problem or it's in the AT&T network.


Likely that your ISP is at fault here, given everything you have said. Please call them and have them evaluate the situation.

The AT&T tech who called me this morning had no clue. I had sent them a link to this image. It shows a 12MB download from Microsoft through a proxy server (ninjacloak.com) followed by an attempt to download the same file directly from Microsoft (looks like noise and is aborted). Something in the direct path obviously isn't working.

So it's going to be "Goodbye AT&T DSL. Hello Charter Cable internet."

microsoft_by_proxy2.PNG

microsoft_by_proxy_fail.PNG
