Search Redirects, rootkit?


six2

I think I am experiencing similar problems to a lot of other folks on here recently. I've tried a few things and was able to remove some things with MBAM, but I am still having my Google search results redirected and seeing odd behavior like audible but unseen ads playing in the background in IE. I am experiencing the same Google redirection problems in IE, Firefox, and Chrome, and I don't see any unusual services or processes running. I tried TDSSKiller, but the program doesn't even launch in safe mode or a normal boot. I currently have the internet disabled on this machine and I am working from a second machine to troubleshoot.

I'm putting faith in y'all's good hands. Thanks in advance! So, here's my DDS log:

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Root at 23:01:26 on 2011-10-26

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.596 [GMT -6:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\acs.exe

C:\WINDOWS\system32\ThpSrv.exe

C:\WINDOWS\system32\TODDSrv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Atheros\ACU.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

C:\Documents and Settings\Root\Application Data\U3\0000187E7A60B587\LaunchPad.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\igfxsrvc.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://www.google.com/ig?brand=TSNB&bmod=TSNB

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNB&bmod=TSNB

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNB&bmod=TSNB

uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe" //mailurl:mailto:

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui

mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe

mRun: [TUSBSleepChargeSrv] %ProgramFiles%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe

mRun: [ToshibaServiceStation] c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe /hide:60

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: cryptnet32 - cryptnet32.dll

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\root\application data\mozilla\firefox\profiles\ng6sz46x.default\

FF - prefs.js: browser.startup.homepage - file:///C:/NOnEWS.htm

FF - plugin: c:\documents and settings\root\application data\mozilla\firefox\profiles\ng6sz46x.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll

FF - plugin: c:\documents and settings\root\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\root\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\root\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

.

============= SERVICES / DRIVERS ===============

.

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2009-6-29 29760]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2009-5-11 6528]

R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2010-6-4 24064]

R3 PGSUSFLT;PGSUSFLT;c:\windows\system32\drivers\pgsuspend.SYS [2009-12-6 18816]

R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-9-17 111960]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-6 1684736]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-12-6 174592]

S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-24 136176]

S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-24 136176]

S4 taisregispinger;taisregispinger;c:\program files\toshiba\toshibaregistration\TaisRegistPinger.exe [2009-11-19 210304]

S4 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2009-12-6 51512]

S4 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-6-24 92008]

.

=============== Created Last 30 ================

.

2011-10-27 04:40:44 -------- d-----w- c:\program files\ESET

2011-10-27 01:54:59 7168 ----a-w- c:\windows\system32\5CA0D027.exe

2011-10-26 06:03:39 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-10-26 06:03:37 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-10-26 06:03:37 773080 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-10-26 06:03:37 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-10-26 06:03:37 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-10-26 06:03:37 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll

2011-10-26 06:03:37 1833944 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-10-26 06:03:37 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

.

==================== Find3M ====================

.

2011-10-13 19:19:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-26 17:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 17:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 17:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-31 23:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: TOSHIBA_ rev.FG01 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86529ED1]<<

_asm { PUSH EBP; MOV EBP, ESP; MOV EAX, [EBP+0x8]; CMP DWORD [EAX+0x2c], 0x7; PUSH EBX; MOV EBX, [EBP+0xc]; PUSH ESI; PUSH EDI; MOV EDI, [EBX+0x60]; JNZ 0x17e; MOV ESI, [EDI+0x4]; MOV EAX, [ESI+0xc]; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86564350]

3 CLASSPNP[0xF7632FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\THPDRV1[0x86565708]

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; PUSH CS; POP DS; PUSH CS; POP ES; PUSHAD ; MOV [0x7e00], DL; MOV BYTE [0x7e04], 0x1e; MOV AH, 0x48; MOV SI, 0x7e04; INT 0x13; MOV AL, 0x50; JB 0x19b; }

user != kernel MBR !!!

sectors 312581806 (+255): user != kernel

.

============= FINISH: 23:07:31.60 ===============

Here's ATTACH.txt:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 6/4/2010 12:16:40 PM

System Uptime: 10/26/2011 10:34:45 PM (1 hours ago)

.

Motherboard: TOSHIBA | | NPVAA

Processor: Intel® Atom CPU N450 @ 1.66GHz | U2E1 | 1662/mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 138 GiB total, 36.184 GiB free.

D: is CDROM (CDFS)

E: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Atheros AR9285 Wireless Network Adapter

Device ID: PCI\VEN_168C&DEV_002B&SUBSYS_E8111113&REV_01\4&20975680&0&00E1

Manufacturer: Atheros

Name: Atheros AR9285 Wireless Network Adapter

PNP Device ID: PCI\VEN_168C&DEV_002B&SUBSYS_E8111113&REV_01\4&20975680&0&00E1

Service: AR5416

.

==== System Restore Points ===================

.

RP180: 7/31/2011 11:27:03 PM - System Checkpoint

RP181: 8/5/2011 7:32:28 PM - System Checkpoint

RP182: 8/6/2011 8:32:50 PM - System Checkpoint

RP183: 8/20/2011 7:26:27 PM - System Checkpoint

RP184: 8/22/2011 4:23:11 PM - System Checkpoint

RP185: 9/1/2011 7:29:17 PM - System Checkpoint

RP186: 9/3/2011 11:18:00 AM - System Checkpoint

RP187: 9/4/2011 1:49:13 PM - System Checkpoint

RP188: 9/5/2011 1:58:05 PM - System Checkpoint

RP189: 9/8/2011 12:57:21 PM - System Checkpoint

RP190: 9/12/2011 1:31:26 AM - System Checkpoint

RP191: 9/12/2011 5:04:43 PM - Software Distribution Service 3.0

RP192: 9/15/2011 4:41:05 PM - System Checkpoint

RP193: 9/16/2011 12:19:12 AM - Software Distribution Service 3.0

RP194: 9/17/2011 10:33:21 PM - System Checkpoint

RP195: 9/19/2011 4:49:54 PM - System Checkpoint

RP196: 9/21/2011 10:26:30 PM - System Checkpoint

RP197: 9/24/2011 2:07:23 PM - System Checkpoint

RP198: 9/25/2011 4:19:03 PM - System Checkpoint

RP199: 9/26/2011 6:21:41 PM - System Checkpoint

RP200: 9/28/2011 1:00:39 AM - Software Distribution Service 3.0

RP201: 9/29/2011 11:48:19 PM - System Checkpoint

RP202: 10/1/2011 3:52:12 PM - System Checkpoint

RP203: 10/2/2011 8:41:51 PM - System Checkpoint

RP204: 10/9/2011 11:26:03 PM - System Checkpoint

RP205: 10/13/2011 11:49:16 AM - Software Distribution Service 3.0

RP206: 10/16/2011 4:32:32 PM - System Checkpoint

RP207: 10/18/2011 9:14:55 PM - System Checkpoint

RP208: 10/19/2011 10:12:06 PM - System Checkpoint

RP209: 10/22/2011 12:42:32 PM - System Checkpoint

RP210: 10/25/2011 12:40:37 AM - System Checkpoint

RP211: 10/26/2011 2:00:29 AM - System Checkpoint

.

==== Installed Programs ======================

.

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 9.4.6

Apple Application Support

Apple Software Update

Atheros Client Utility

Atheros Driver Installation Program

ATTAC v4.1.11

Civilization II Multiplayer Gold Edition

DeLorme Street Atlas USA 2008

EasyBits GO

ESET Online Scanner v3

FileZilla Client 3.4.0

GIMP 2.6.10

Google Chrome

Google Earth

Google Talk Plugin

Google Update Helper

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB953955)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB954708)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB981793)

Intel® Graphics Media Accelerator Driver

Intel® Matrix Storage Manager

IrfanView (remove only)

Java 6 Update 14

Macromedia ColdFusion Studio 5

Macromedia Dreamweaver 8

Macromedia Extension Manager

Malwarebytes' Anti-Malware version 1.51.2.1300

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2572067)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft Kernel-Mode Driver Framework Feature Pack 1.9

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Suite Activation Assistant

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 12

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Works

Mozilla Firefox 7.0.1 (x86 en-US)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Picasa 3

QuickTime

RarZilla Free Unrar

REALTEK GbE & FE Ethernet PCI-E NIC Driver

Realtek High Definition Audio Driver

Realtek USB 2.0 Card Reader

Security Update for 2007 Microsoft Office System (KB2288621)

Security Update for 2007 Microsoft Office System (KB2288931)

Security Update for 2007 Microsoft Office System (KB2345043)

Security Update for 2007 Microsoft Office System (KB2553074)

Security Update for 2007 Microsoft Office System (KB2553089)

Security Update for 2007 Microsoft Office System (KB2553090)

Security Update for 2007 Microsoft Office System (KB2584063)

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft Office Excel 2007 (KB2553073)

Security Update for Microsoft Office InfoPath 2007 (KB979441)

Security Update for Microsoft Office PowerPoint 2007 (KB2535818)

Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB2344993)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953155)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB970483)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

SelectiveSuspend

Skype™ 5.3

SWATH 1.9.8

Synaptics Pointing Device Driver

The Ur-Quan Masters 0.6.2

TomTom HOME 2.7.5.2014

TomTom HOME Visual Studio Merge Modules

TopStyle Lite (Version 2)

TOSHIBA Accessibility

TOSHIBA Application and Driver Installer

TOSHIBA Assist

TOSHIBA ConfigFree

TOSHIBA Fn-esse

TOSHIBA Hardware Setup

TOSHIBA HDD Protection

TOSHIBA HDD/SSD Alert

TOSHIBA Hotkey Utility

Toshiba Online Backup

TOSHIBA PC Diagnostic Tool

TOSHIBA Power Saver

TOSHIBA Power Saver Driver

TOSHIBA Quality Application

TOSHIBA Recovery Media Creator

TOSHIBA Service Station

TOSHIBA Supervisor Password

TOSHIBA USB Sleep and Charge Utility

TOSHIBA Web Camera Application

TOSHIBA Zooming Hook

TOSHIBA Zooming Utility

ToshibaRegistration

TouchPad On/Off Utility

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office 2007 System (KB2539530)

Update for Microsoft Office OneNote 2007 (KB980729)

Update for Microsoft Windows (KB971513)

Update for Windows Internet Explorer 8 (KB971180)

Update for Windows Internet Explorer 8 (KB971930)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676)

Update for Windows XP (KB898461)

Update for Windows XP (KB951618-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB961503)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Utility Common Driver

VLC media player 1.0.5

WebFldrs XP

Winamp

Winamp Detector Plug-in

Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray

Windows Genuine Advantage Notifications (KB905474)

Windows Internet Explorer 8

Windows Media Format Runtime

Windows Media Player 10

WinMerge 2.12.4

ZOC Terminal 6.3

.

==== Event Viewer Messages From Past Week ========

.

10/26/2011 8:56:03 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atapi Fips intelppm PCIIde TPwSav

10/26/2011 2:06:00 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}

10/25/2011 10:58:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD atapi Fips intelppm IPSec MRxSmb NetBIOS NetBT PCIIde RasAcd Rdbss Tcpip TPwSav

10/25/2011 10:58:57 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

10/25/2011 10:58:57 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

10/25/2011 10:58:57 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

10/25/2011 10:58:57 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

10/25/2011 10:58:03 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

10/25/2011 10:57:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

10/25/2011 10:54:24 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atapi PCIIde

10/23/2011 7:21:33 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

10/23/2011 6:51:09 PM, error: PlugPlayManager [12] - The device 'Realtek PCIe FE Family Controller' (PCI\VEN_10EC&DEV_8136&SUBSYS_FF301179&REV_02\4&2803e7c1&0&00E2) disappeared from the system without first being prepared for removal.

.

==== End Of File ===========================

Hello and welcome to Malwarebytes.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Watch Topic near the top of the page, then select Immediate Notification. Click on Proceed. If it shows Stop watching topic, it means you are already subscribed.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 3 days, this topic will be closed.

Great, thanks! I am now set to immediate notification. Let me know if you need any more logs generated.

Hello six2 :),

Welcome to Malwarebytes. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.

  • Please observe and follow these Terms of Use.
  • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
  • Please read the instructions carefully and follow them closely, in the order they are presented to you.
  • If you have any doubts or problems during the fix, please stop and ask.
  • All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
  • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
  • Refrain from installing any new programs except those that I request during the fix, to prevent interference with my diagnosis of the problem.
  • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
  • If you do not reply within 3 days, this topic will be closed.

If you are agreeable to the above, then everything should go smoothly :). We may begin.

--------------------

Please download aswMBR and save it to your desktop. Click here.

  • Please temporarily disable the real-time protection of any antivirus, antispyware or antimalware programs. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. If you are asked to download antivirus software, please allow it.
  • Click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.

--------------------

Check for additional security risks

  • Please download CKScanner© by askey127 and save to your desktop. Click here.
  • Double click on CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File. You will be prompted, click OK.
  • Post the contents of ckfiles.txt in your reply, it is located on your desktop.
  • Please run the program only once.

--------------------

As for donations, I thank you for the intention. Please donate the amount that you planned to your local charity or global charity organizations to help those in need.

--------------------

Please post back:

1. aswMBR log

2. CKScanner log

I don't have any running anti-malware/spyware/virus software on the machine in question.

When I run aswMBR.exe from the desktop the program does not open. Just to be sure, I tried copying it over a second time named something random and it still is not allowed to run. I'm assuming this is something about the malware I have, so, no log file.

I ran CK scanner and I have attached the result. Thanks!!! I'll make a donation to charity.

ckfiles.txt


Hello six2 :),

Please post the logs that I asked for by copy and pasting. Attach only when I specifically request you to do so.

When you reply, there is no need to quote the whole of my previous response :).

--------------------

Please download ComboFix from one of the links below and save it to your desktop.

Link 1

Link 2

Do not mouse click on ComboFix while it is running. That may cause it to stall. ComboFix is a powerful tool and must not be used without supervision.

Install Recovery Console and run ComboFix

  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click on ComboFix.exe and follow the prompts. Please run it in Normal Mode.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will be asked to install it if it is not present in your computer. Click Yes to proceed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, click on Yes to continue scanning for malware.
  • When finished, a log will be produced as C:\ComboFix.txt. Please post this log in your next reply.
  • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
  • Re-enable your security software as soon as you have completed the ComboFix steps.

A detailed step by step tutorial to run ComboFix can be found here if you need help.

--------------------

Please post back:

1. the ComboFix log


When I run ComboFix, it runs through an installation process and then freezes, so no log file. I waited a while and it never finished. When it froze I saw a new process running called Cmd.3XE and another process called NIRCMD.3XE. Also I see a weird directory I cannot open in my C drive called 32788R22FWJFW, so maybe that's a clue.

I tried rerunning ComboFix, and this time it just closes at the end of the install process, and then nothing happens.


Good and bad news. Good news - this time with a fresh combofix renamed from the root directory, it ran, installing the recovery console, and running for several minutes until around stage 26 (?) when I got a BSOD. Now the computer does not boot, restarting just as Windows is about to start.

Now on booting, the first screen offers me a couple of options, the recovery console, a 'do not select this option', and XP Home Edition. XP Home Edition is selected by default and that leads to another choice, Safe Mode, Safe w/net, Safe w/cmd, last known good config, and start win normally. Neither Start Windows Normally nor Safe Mode actually boots.

What do you suggest next?

Thanks for your assistance.


Hello six2 :),

Did you manage to get a good look at the BSOD details when it happened? Like what is the error code?

When you say do not actually boot, I take it that you are saying this:

restarting just as Windows is about to start.

I need more specific information. Does it happen before the loading splash screen or after, or before the Windows logo appears or after? Or are you already in Windows but just prior to the log on dialog appearing?

When it reboots, do you see any blue screens or error messages?

Do you have the Windows CD?

--------------------

Since the way forward may not be that smooth, please prepare an xPud boot CD as a fall back for data retrieval or further fixes from the second computer.

Please download GETxPUD and save it to your desktop. Click here.

  • Double click on GETxPUD.exe to execute it. A new folder GETxPUD will be created on the desktop.
  • Go into the folder and run get&burn.bat. xpud_0.9.2.iso will be downloaded.
  • Upon completion of download, BurnCDCC will be initiated, ready for burning of image.
  • Click on Start and follow the prompts to burn the image to a CD.

In case there is the need to boot from the CD, please set up the BIOS to do so. Depending on the computer, the key that you need to press to enter BIOS may be different. It could be either F1, F2, F10, F12, DEL or ESC.

Tap the key repeatedly when the computer is booting. You can also try pressing the Pause/Break key to freeze the startup screen temporarily to identify which key should be used as it is usually displayed. To resume, press Enter.

We will get back to this if necessary after I assess the situation based on your input.

--------------------

Please post back:

1. the answers to my questions

2. how did the preparation of the xPud boot CD go?


The BSOD was gone as soon as it displayed. I saw that it said STOP and then it immediately rebooted.

This is very weird - today, starting it up again to see the error it boots fine after having rebooted several times last night without ever starting the OS. On starting I get the message "The system has recovered from a serious error. A log of this error has been created." The log is:

Error signature

BCCode : ca BCP1 : 00000004 BCP2 : 844ECF10 BCP3 : 00000000

BCP4 : 00000000 OSVer: 5_1_2600 SP: 3_0 Product : 768_1

files included in the error report:

c:\docume~1\root\LOCALS~1\temp\WER02c7.dir00\Mini103111-01.dmp

c:\docume~1\root\LOCALS~1\temp\WER02c7.dir00\sysdata.xml

I have the windows CD. xPUD worked fine, I now have that CD burned as well.

Thanks!


Hello six2 :),

Good to hear things have turned out for the better. I need you to check for some logs if they are available:

C:\QooBox\ComboFix-quarantined-files.txt

C:\ComboFix.txt

Please post the contents of these logs.

--------------------

Please download MiniToolBox© by farbar and save it to your desktop. Click here.

  • Double click on MiniToolBox.exe to run it.
    Please check (tick) the following options:
    • List last 10 Event Viewer Errors
    • List Users, Partitions and Memory size.
    • List Minidump Files
  • Click on the GO button. A log will open.
  • Please post the contents of this log. It can also be found on the desktop as Result.txt.

--------------------

For the few restarts that you have experienced, it could be a settings issue. When you have the chance during a reboot, please make the changes described below. In case of another BSOD, you will then know what to look for.

Reboot your computer and tap on the F8 key repeatedly during startup. A menu will appear.

Select Disable automatic restart on system failure by using the arrow keys and Enter.


Please provide the error message information as shown in the picture (if it occurs again):


The stop error will always be displayed, but the other information may or may not be available. Just provide whatever is available.

--------------------

Can you run aswMBR now? Please give it a shot and post back the results.

Please upload this dump file as attachment:

c:\docume~1\root\LOCALS~1\temp\WER02c7.dir00\Mini103111-01.dmp

On the Add Reply page, you will see the Attachments section below the text box that you use for replying. Click on Click To Attach Files, browse to find the file you want to attach and double click on it. It will be uploaded. Please do not post any other logs as attachment unless I request.

--------------------

Please post back:

1. the ComboFix logs

2. MiniToolBox results

3. aswMBR log

4. the dump file as attachment


My computer now has directories c:\qoobox and c:\six2CF (the name we used for combofix), but I don't see any files in c:\qoobox, only folders (there are 5 folders, backenv, lastrun, quarantine, test, and testc). There is no file c:\combofix.txt either. I will keep the reboot instructions in mind for my next restart.

MiniToolBox log:

MiniToolBox by Farbar

Ran by Root (administrator) on 31-10-2011 at 19:06:26

Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= Event log errors: ===============================

Application errors:

==================

Error: (10/31/2011 01:16:38 PM) (Source: TOSHIBA Service Station) (User: )

Description: TSS Load: could not communicate with TMachInfo service

Error: (10/31/2011 01:16:38 PM) (Source: TOSHIBA Service Station) (User: )

Description: Cannot start service TMachInfo on computer '.'.

Error: (10/26/2011 10:43:26 PM) (Source: Application Error) (User: )

Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.19154, fault address 0x0015549b.

Processing media-specific event for [iexplore.exe!ws!]

Error: (10/26/2011 10:36:55 PM) (Source: TOSHIBA Service Station) (User: )

Description: TSS Load: could not communicate with TMachInfo service

Error: (10/26/2011 10:36:55 PM) (Source: TOSHIBA Service Station) (User: )

Description: Cannot start service TMachInfo on computer '.'.

Error: (10/26/2011 09:16:04 PM) (Source: TOSHIBA Service Station) (User: )

Description: TSS Load: could not communicate with TMachInfo service

Error: (10/26/2011 09:16:04 PM) (Source: TOSHIBA Service Station) (User: )

Description: Cannot start service TMachInfo on computer '.'.

Error: (10/26/2011 08:55:01 PM) (Source: crypt32) (User: )

Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Error: (10/26/2011 08:49:14 PM) (Source: TOSHIBA Service Station) (User: )

Description: TSS Load: could not communicate with TMachInfo service

Error: (10/26/2011 08:49:14 PM) (Source: TOSHIBA Service Station) (User: )

Description: Cannot start service TMachInfo on computer '.'.

System errors:

=============

Error: (10/31/2011 07:06:01 PM) (Source: DCOM) (User: SYSTEM)

Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"

in order to run the server:

{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (10/31/2011 07:05:38 PM) (Source: DCOM) (User: Root)

Description: DCOM got error "%%1058" attempting to start the service StiSvc with arguments ""

in order to run the server:

{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (10/31/2011 07:00:57 PM) (Source: DCOM) (User: Root)

Description: DCOM got error "%%1058" attempting to start the service StiSvc with arguments ""

in order to run the server:

{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (10/31/2011 07:00:43 PM) (Source: DCOM) (User: Root)

Description: DCOM got error "%%1058" attempting to start the service StiSvc with arguments ""

in order to run the server:

{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (10/31/2011 01:32:01 PM) (Source: DCOM) (User: Root)

Description: DCOM got error "%%1058" attempting to start the service StiSvc with arguments ""

in order to run the server:

{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (10/31/2011 01:31:31 PM) (Source: DCOM) (User: Root)

Description: DCOM got error "%%1058" attempting to start the service StiSvc with arguments ""

in order to run the server:

{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (10/31/2011 01:15:29 PM) (Source: System Error) (User: )

Description: Error code 000000ca, parameter1 00000004, parameter2 844ecf10, parameter3 00000000, parameter4 00000000.

Error: (10/31/2011 01:14:53 PM) (Source: Service Control Manager) (User: )

Description: The following boot-start or system-start driver(s) failed to load:

atapi

PCIIde

Error: (10/31/2011 00:08:24 AM) (Source: DCOM) (User: Root)

Description: DCOM got error "%%1058" attempting to start the service StiSvc with arguments ""

in order to run the server:

{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (10/31/2011 00:06:01 AM) (Source: DCOM) (User: SYSTEM)

Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"

in order to run the server:

{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Microsoft Office Sessions:

=========================

========================= Memory info: ===================================

Percentage of memory in use: 30%

Total physical RAM: 1013.33 MB

Available physical RAM: 704.12 MB

Total Pagefile: 2961.79 MB

Available Pagefile: 2776.54 MB

Total Virtual: 2047.88 MB

Available Virtual: 1999.49 MB

========================= Partitions: =====================================

1 Drive c: (Main) (Fixed) (Total:137.78 GB) (Free:36.08 GB) NTFS

2 Drive d: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS

3 Drive e: () (Removable) (Total:1.91 GB) (Free:0.34 GB) FAT

========================= Users: ========================================

User accounts for \\LITTLE1

Administrator ASPNET Guest

HelpAssistant Root SUPPORT_388945a0

========================= Minidump Files ==================================

C:\WINDOWS\Minidump\Mini103111-01.dmp

**** End of log ****

Something odd here - I use the user account Root for pretty much everything, and I believe I had a disabled Guest account. I never used or set up any of these other user accounts.

aswMBR.exe does not start when I try to run it (apparently nothing happens). I tried running it renamed under the root, and the same thing: nothing happens.

When I tried to attach the Mini103111-01.dmp file, I get the error "you aren't permitted to upload this kind of file" so I renamed it with a .TXT extension so it could be attached.

Mini103111-01.dmp.txt
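The MiniToolBox output above is a plain-text report that a helper normally reads by eye. As an added example (not code from the thread or from the MiniToolBox author), here is a small parser for its "Event log errors" section that turns each entry into a record, counts errors per source, decodes the bug check code from the "System Error" entry, and lists the boot-start drivers the Service Control Manager reported as failed to load. The sample log is constructed from a handful of entries copied from the report in this thread; the bug check name table is a short subset of the documented Windows stop codes.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: section headings and four entries copied from the
# MiniToolBox report posted in this thread.
SAMPLE_LOG = """\
========================= Event log errors: ===============================

Application errors:
==================
Error: (10/26/2011 08:55:01 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

System errors:
=============
Error: (10/31/2011 01:15:29 PM) (Source: System Error) (User: )
Description: Error code 000000ca, parameter1 00000004, parameter2 844ecf10, parameter3 00000000, parameter4 00000000.

Error: (10/31/2011 01:14:53 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
atapi
PCIIde

Error: (10/31/2011 07:05:38 PM) (Source: DCOM) (User: Root)
Description: DCOM got error "%%1058" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Microsoft Office Sessions:
=========================

========================= Memory info: ===================================
Percentage of memory in use: 30%
"""

# One entry starts with an "Error: (...) (Source: ...) (User: ...)" header;
# every following non-blank line belongs to it until the next header,
# a "=====" ruler, or a section heading such as "System errors:".
HEADER = re.compile(r"^Error: \((?P<when>[^)]*)\) \(Source: (?P<source>[^)]*)\) \(User: (?P<user>[^)]*)\)$")
RULER = re.compile(r"^[=*]+(?: .* [=*]+)?$")
SECTION_HEADING = re.compile(r"^(?:[A-Za-z ]+ errors|Microsoft Office Sessions):$")
BUGCHECK = re.compile(
    r"Error code (?P<code>[0-9a-fA-F]{8}), parameter1 (?P<p1>[0-9a-fA-F]{8}), "
    r"parameter2 (?P<p2>[0-9a-fA-F]{8}), parameter3 (?P<p3>[0-9a-fA-F]{8}), "
    r"parameter4 (?P<p4>[0-9a-fA-F]{8})"
)

# Subset of the documented Windows bug check codes.
BUGCHECK_NAMES = {
    0x24: "NTFS_FILE_SYSTEM",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7B: "INACCESSIBLE_BOOT_DEVICE",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0xCA: "PNP_DETECTED_FATAL_ERROR",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}


@dataclass
class EventError:
    when: str
    source: str
    user: str
    description: str  # "Description: " prefix stripped, continuation lines joined with "\n"


def _entry(header: dict, body: List[str]) -> EventError:
    return EventError(header["when"], header["source"].strip(), header["user"].strip(), "\n".join(body))


def parse_errors(text: str) -> List[EventError]:
    """Split the Event log errors section into one EventError per entry."""
    entries: List[EventError] = []
    header: Optional[dict] = None
    body: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            if header is not None:
                entries.append(_entry(header, body))
            header, body = m.groupdict(), []
        elif RULER.match(line) or SECTION_HEADING.match(line):
            if header is not None:
                entries.append(_entry(header, body))
            header, body = None, []
        elif header is not None and line:
            body.append(line[len("Description: "):] if line.startswith("Description: ") else line)
    if header is not None:
        entries.append(_entry(header, body))
    return entries


def bugchecks(entries: List[EventError]) -> List[Tuple[int, str, Tuple[int, int, int, int]]]:
    """(code, name, (p1..p4)) for every 'System Error' entry that records a stop code."""
    found = []
    for e in entries:
        m = BUGCHECK.search(e.description) if e.source == "System Error" else None
        if m:
            code = int(m["code"], 16)
            params = tuple(int(m[k], 16) for k in ("p1", "p2", "p3", "p4"))
            found.append((code, BUGCHECK_NAMES.get(code, "UNKNOWN"), params))
    return found


def failed_boot_drivers(entries: List[EventError]) -> List[str]:
    """Driver names listed under a 'boot-start or system-start driver(s) failed to load' entry."""
    drivers: List[str] = []
    for e in entries:
        if e.source == "Service Control Manager" and "failed to load" in e.description:
            drivers.extend(e.description.splitlines()[1:])
    return drivers


def summarize(text: str) -> Dict[str, object]:
    entries = parse_errors(text)
    return {
        "by_source": Counter(e.source for e in entries),
        "bugchecks": bugchecks(entries),
        "failed_boot_drivers": failed_boot_drivers(entries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full report the two facts a helper wants first come out directly: the stop code 0xCA from the crash entry and the storage drivers (atapi, PCIIde) that failed to load at boot, which is worth reading together with the later BSOD discussion rather than as isolated lines in a long log.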


Hello six2 :),

I will only be able to analyze the dump file when I get home from work later today.

You have Malwarebytes' Anti-Malware (MBAM) on your machine. I wish to take a look at the most recent log file. Open MBAM and click on the Logs tab. Open the file at the bottom of the list and post the contents back here. If there is no log or you have yet to run MBAM, please let me know.

--------------------

Please close all programs and do not run any others before and during the GMER scan. Do not use the computer for anything else until after the scan is completed.

Please download GMER and save it to your desktop. Click here.

  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running GMER. They may cause the computer to freeze.
  • If you need help to disable your protection programs see here and here.
  • Double click the .exe file. If asked to allow the gmer driver file with a sys extension to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, click on No.
  • In the right panel, you will see several boxes that have been checked (ticked).
    • Uncheck IAT/EAT
    • Uncheck All other Drives/Partitions except C:\ (leave C:\ checked)
    • Uncheck Show All (don't miss this one)
  • Then click the Scan button and wait for it to finish.
  • Once done, click on the Save... button and save it as "Gmer.txt" at a convenient location. Post the contents of that report.
  • Re-enable your security software as soon as you have completed the GMER steps.

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

If you are having problems running GMER, retry with Devices unchecked as well. If you are still encountering difficulties, please try running GMER in Safe Mode. You can get into Safe Mode using the F8 key during the startup of your computer after a reboot.

--------------------

Please post back:

1. previous MBAM report

2. GMER log


Here are the last three MBAM logs. I think this is relevant because I tried to remove the rootkit with MBAM last week.

First log

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8021

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/25/2011 11:33:17 PM

mbam-log-2011-10-25 (23-33-17).txt

Scan type: Quick scan

Objects scanned: 32130

Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LowRegistry (Trojan.Agent) -> Value: LowRegistry -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\Root\application data\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Second Log

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8021

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/25/2011 11:42:06 PM

mbam-log-2011-10-25 (23-42-06).txt

Scan type: Quick scan

Objects scanned: 173407

Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 9

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Third Log

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8021

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/26/2011 1:40:18 AM

mbam-log-2011-10-26 (01-40-17).txt

Scan type: Full scan (C:\|)

Objects scanned: 258290

Time elapsed: 1 hour(s), 22 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

GMER starts with the error "LoadDriver("C:\DOCUME~1\Root\LOCALS~1\Temp\kgtdapow.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key" and when the program starts, the following options are greyed and cannot be selected: System, Sections, IAT/EAT, Devices, Modules, Processes, Threads, Libraries, and Show All. Here's the GMER log:

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2011-10-31 21:29:52

Windows 5.1.2600 Service Pack 3

Running: lc045mw2.exe; Driver: C:\DOCUME~1\Root\LOCALS~1\Temp\kgtdapow.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

I will try GMER in safe mode and reply again if I can get any of the other options to work.
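The three MBAM logs above share one fixed layout: a summary block with per-category counts, then one section per category listing either "(No malicious items detected)" or one detection per line. As an added example (not code from the thread or from Malwarebytes), here is a parser for that format which also cross-checks the summary counts against the items actually listed, and pulls out the registry policy values the tool restored, with the "Bad"/"Good" data recorded for each. The sample log is constructed by combining entries from the first two logs posted above.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: header from the second log, with the "Registry Values" and
# "Files" detections of the first log and three of the second log's data items.
SAMPLE_MBAM = r"""Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8021
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/25/2011 11:42:06 PM
mbam-log-2011-10-25 (23-42-06).txt

Scan type: Quick scan
Objects scanned: 173407
Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LowRegistry (Trojan.Agent) -> Value: LowRegistry -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Root\application data\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Summary line ("Files Infected: 1"), section heading ("Files Infected:"),
# a data item with Bad/Good values, and a plain item (optionally with "Value: name").
SUMMARY = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
DATA_ITEM = re.compile(
    r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$"
)
ITEM = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\)(?: -> Value: (?P<value>[^ ]+))? -> (?P<action>.+)$")


@dataclass
class Detection:
    category: str
    path: str
    threat: str
    action: str
    value: Optional[str] = None  # registry value name, for "Registry Values Infected"
    bad: Optional[str] = None    # data MBAM found, for "Registry Data Items Infected"
    good: Optional[str] = None   # data MBAM restored


@dataclass
class MbamReport:
    counts: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    report = MbamReport()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY.match(line)
        if m:
            report.counts[m["cat"]] = int(m["n"])
            continue
        m = SECTION.match(line)
        if m:
            section = m["cat"]
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = DATA_ITEM.match(line)
        if m:
            report.detections.append(Detection(section, m["path"], m["threat"], m["action"], bad=m["bad"], good=m["good"]))
            continue
        m = ITEM.match(line)
        if m:
            report.detections.append(Detection(section, m["path"], m["threat"], m["action"], value=m["value"]))
    return report


def check_counts(report: MbamReport) -> Dict[str, Tuple[int, int]]:
    """Categories whose summary count disagrees with the items listed: {category: (claimed, listed)}."""
    listed = Counter(d.category for d in report.detections)
    return {cat: (n, listed.get(cat, 0)) for cat, n in report.counts.items() if n != listed.get(cat, 0)}


def restored_policies(report: MbamReport) -> List[Tuple[str, str, str]]:
    """(registry path, bad data, good data) for every data item MBAM reset."""
    return [(d.path, d.bad, d.good) for d in report.detections if d.bad is not None]


def file_detections(report: MbamReport) -> List[str]:
    return [d.path for d in report.detections if d.category == "Files Infected"]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_MBAM)
    print("count mismatches:", check_counts(rep))
    for path, bad, good in restored_policies(rep):
        print(f"{path}: {bad} -> {good}")
    print("files:", file_detections(rep))
```

The count cross-check is the useful part when logs are pasted into a thread: a log that has been trimmed or quoted partially shows up immediately as a mismatch between the summary block and the listed items, and the restored-policy list gives the helper the exact registry data (for instance DisableTaskMgr reset from 1 to 0 in both HKCU and HKLM) to re-verify on the machine later.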


Hello six2 :),

Scan with RogueKiller

  • Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop.
    Link 1
    Link 2
  • Allow the download if prompted by your security software and please close all your programs.
  • Double click on RogueKiller.exe to run it. If it does not run, please try a few times.
  • A program window will open. Type 1 for Scan and press Enter when prompted.
  • Once finished, Notepad will open with a log called RKreport.txt, located at the desktop.
  • Please copy and paste the contents of that log in your next reply.

--------------------

Please close all programs and do not run any others before and during the Rootkit Unhooker scan. Do not use the computer for anything else until after the scan is completed.

Please download Rootkit Unhooker and save it to your desktop. Click here.

  • Double click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Ensure the following are checked (ticked):
    • Drivers
    • Stealth Code
    • Files
    • Code Hooks
  • Uncheck the rest, then click OK. An initial scan will be performed.
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
  • Wait until the scanner is done, then click on File at the pull down menu, followed by Save Report.
  • Save the report somewhere you can find it. Click Close to exit.
  • Copy the entire contents of the report and paste it in your next reply.

You may get a warning about parasite detection. Please click OK to continue.

--------------------

Please post back:

1. RogueKiller log

2. Rootkit Unhooker result


These scanners ran fine. Here is the log for Rogue Killer:

RogueKiller V6.1.5 [10/29/2011] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: hxxp://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Root [Admin rights]

Mode: Scan -- Date : 10/31/2011 23:03:29

Bad processes: 0

Registry Entries: 4

[] HKLM\[...]\Windows : () -> ACCESS DENIED

[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[] HKLM\[...]\Windows : () -> ACCESS DENIED

Particular Files / Folders:

Driver: [LOADED]

HOSTS File:

127.0.0.1 localhost

Finished : << RKreport[1].txt >>

RKreport[1].txt

Log for Rootkit Unhooker:

RkU Version: 3.8.389.593, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>Drivers

==============================================

0xAA1A4000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 6144000 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)

0xBF2E9000 C:\WINDOWS\System32\igxpdx32.DLL 3837952 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)

0xBF059000 C:\WINDOWS\System32\igxpdv32.DLL 2686976 bytes (Intel Corporation, Component GHAL Driver)

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2154496 bytes

0x804D7000 RAW 2154496 bytes

0x804D7000 WMIxWDM 2154496 bytes

0xBF800000 Win32k 1859584 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xF6FCF000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 1753088 bytes (Intel Corporation, Intel Graphics Miniport Driver)

0xA9DD1000 C:\WINDOWS\System32\Drivers\dump_iaStor.sys 892928 bytes

0xF73A1000 iaStor.sys 892928 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)

0xF72CB000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xF6E9B000 C:\WINDOWS\System32\Drivers\wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)

0xA9F1F000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xF6DF2000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xAA004000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xA8704000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)

0xBF692000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xF6F0C000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 225280 bytes (Synaptics Incorporated, Synaptics Touchpad Driver)

0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 217088 bytes (Intel Corporation, Intel Graphics 2D Driver)

0xF74C3000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xF729E000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xA9F8F000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xF6F93000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)

0xA9FDC000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xA8255000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)

0xAA180000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xF6F43000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xF6E50000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xA9FBA000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0x806E5000 ACPI_HAL 134400 bytes

0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xF7381000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xF7493000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xA9EAB000 C:\WINDOWS\System32\Drivers\usbvideo.sys 122880 bytes (Microsoft Corporation, USB Video Class Driver)

0xF7284000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xF7358000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xF6E84000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xA8A82000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xF6FBB000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xAA05D000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)

0xF736F000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xF74B2000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xF6E73000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xA82C4000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xA8394000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xF77F2000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xA92E0000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xF77E2000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xF77B2000 C:\WINDOWS\system32\DRIVERS\wsimd.sys 61440 bytes (Atheros Communications, Inc., Wireless Intermediate Miniport Driver)

0xF7752000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)

0xF7632000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xF7742000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)

0xF7762000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xF7612000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xF7782000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xF7852000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xF7602000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xF7772000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xF75F2000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xF77C2000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xF7642000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)

0xF77A2000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xF7622000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xF7732000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)

0xF7792000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xF7822000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0xA8424000 C:\WINDOWS\System32\Drivers\spider.SYS 36864 bytes (RKU Driver)

0xF7812000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xF7942000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xF78B2000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xF7872000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xF79C2000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)

0xF78D2000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xF78DA000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xF79CA000 C:\WINDOWS\system32\DRIVERS\pgeffect.sys 24576 bytes (TOSHIBA Corporation, TOSHIBA Universal Camera Filter Driver)

0xF788A000 thpdrv.sys 24576 bytes (TOSHIBA Corporation, TOSHIBA HDD Protection Driver)

0xF79BA000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)

0xF791A000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xF7932000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xF787A000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xF799A000 C:\WINDOWS\System32\Drivers\pgsuspend.SYS 20480 bytes (Toshiba, Toshiba Web Camera Selective Suspend Drive)

0xF792A000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xF795A000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xF7922000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xF7882000 TVALZ_O.SYS 20480 bytes (TOSHIBA Corporation, TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver)

0xF78AA000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xF7A0A000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)

0xF7254000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)

0xF7213000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xA9CAD000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xA86E0000 C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys 16384 bytes (TOSHIBA Corporation., Toshiba ODD Writing Driver For x86. XP)

0xF7A0E000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)

0xF7A02000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xF7A06000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)

0xAA074000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xF723C000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xA9C99000 C:\WINDOWS\system32\DRIVERS\netdevio.sys 12288 bytes (TOSHIBA Corporation., Network Device Usermode I/O protocol)

0xF717F000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xF7AEA000 C:\WINDOWS\system32\drivers\TPwSav.sys 12288 bytes (TOSHIBA , IO Driver)

0xF7AF2000 00000035 8192 bytes

0xF7B08000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xF7B04000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xF7AF2000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xF7B0C000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xF7B10000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xF7BB6000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xF7AF6000 Thpevm.SYS 8192 bytes (TOSHIBA Corporation, TOSHIBA HDD Protection - Shock Sensor Driver)

0xF7BA6000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xF7AF4000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0xF7CD7000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xF7C98000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xF7D21000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xF7BBB000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)

!!!!!!!!!!!Hidden driver: 0x86570F38 00000191 0 bytes

==============================================

>Stealth

==============================================

0x85BD8F70 Unknown page with executable code, 144 bytes

0x85BDB5F6 Unknown page with executable code, 2570 bytes

0x85BDB0C3 Unknown thread object [ ETHREAD 0x86560790 ] TID: 160, 600 bytes

0x85BDBB2D Unknown thread object [ ETHREAD 0x85ADF020 ] TID: 168, 600 bytes

0x85BDCA11 Unknown thread object [ ETHREAD 0x85ADFDA8 ] TID: 172, 600 bytes

==============================================

>Files

==============================================

==============================================

>Hooks

==============================================

ntkrnlpa.exe+0x0006ECEE, Type: Inline - RelativeJump 0x80545CEE-->80545CF5 [ntkrnlpa.exe]

[1732]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]

[1732]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]

[1732]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]

[1732]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]

[1732]explorer.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->5CB77774 [shimeng.dll]

[1732]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]

[1732]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]

[1732]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]

[1732]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]


Hello six2 :),

Please download maxlook and save it to your desktop. Click here.

  • The first step is to ensure you can get into Recovery Console. It was installed via ComboFix just now, so please check if it works.
    How to install and use the Windows XP Recovery Console.
    To start the computer and use the Recovery Console
  • Double click on maxlook.exe to execute it. <-- You must run it only once.
  • As instructed when the tool runs, restart the computer and log on to the Recovery Console.
  • At the command prompt window, please type the following:
    batch look.bat
  • You will see "1 file(s) copied." many times.
  • When done, type Exit to restart the computer into Normal mode.
  • Please run maxlook.exe again. <-- You must run it only once.
  • A log will be produced on the desktop named looklog.txt. Please post the contents of this log.

--------------------

Please post back:

1. maxlook log


Hello six2 :),

Looking at unsigned files


  • Go to Start > Run.... Copy and paste the following text into the white box:
    maxlook -sig
  • Click OK.
  • A log will be produced on the desktop named looklog.txt. Please post the contents of this log.

--------------------

Please download OTL© by OldTimer from one of the links below and save it to your desktop.

Link 1

Link 2

Scan with OTL

  • Double click on OTL.exe to run it.
  • Make sure all the Use SafeList options are checked (ticked). There are five of them.
  • Under the Modules section, please select No Company Name.
  • Check Scan All Users.
  • At the lower right corner, check LOP Check and Purity Check.
  • Click on Run Scan at the top left hand corner. This might take a while.
  • When done, two Notepad files will open. Please post the contents of these 2 Notepad files in your next reply. One log per reply please.
    Note: These files are saved as OTL.txt and Extras.txt on the desktop.

--------------------

Please post back:

1. the maxlook log

2. the OTL logs (OTL.txt and Extras.txt)


Maxlook log:

Run from C:\maxlook.exe on Tue 11/01/2011 at 20:26:20.84

--------- maxlook unsigned files ---------

c:\windows\maxdrive\Netdevio.sys:
Verified: Unsigned
File date: 4:35 PM 1/29/2003
Publisher: TOSHIBA Corporation.
Description: Network Device Usermode I/O protocol
Product: TOSHIBA Network Device Usermode I/O protocol
Version: 5.00.01.00
File version: Version 5.00.01.00 built by: WinDDK
c:\windows\maxdrive\tdcmdpst.sys:
Verified: Unsigned
File date: 5:10 PM 2/22/2007
Publisher: TOSHIBA Corporation.
Description: Toshiba ODD Writing Driver For x86. XP
Product: n/a
Version: 2, 0, 0, 0
File version: 2, 0, 0, 0

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\fbd.sys:
Verified: Unsigned
File date: 12:17 PM 6/4/2010
Publisher: n/a
Description: n/a
Product: n/a
Version: n/a
File version: n/a
c:\windows\system32\drivers\Netdevio.sys:
Verified: Unsigned
File date: 4:35 PM 1/29/2003
Publisher: TOSHIBA Corporation.
Description: Network Device Usermode I/O protocol
Product: TOSHIBA Network Device Usermode I/O protocol
Version: 5.00.01.00
File version: Version 5.00.01.00 built by: WinDDK
c:\windows\system32\drivers\tdcmdpst.sys:
Verified: Unsigned
File date: 5:10 PM 2/22/2007
Publisher: TOSHIBA Corporation.
Description: Toshiba ODD Writing Driver For x86. XP
Product: n/a
Version: 2, 0, 0, 0
File version: 2, 0, 0, 0

OTL Log 1

OTL logfile created on: 11/1/2011 8:34:02 PM - Run 1

OTL by OldTimer - Version 3.2.31.0 Folder = C:\

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.33 Mb Total Physical Memory | 685.68 Mb Available Physical Memory | 67.67% Memory free

2.89 Gb Paging File | 2.70 Gb Available in Paging File | 93.18% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 137.78 Gb Total Space | 36.14 Gb Free Space | 26.23% Space Free | Partition Type: NTFS

Drive D: | 5.49 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Drive E: | 1.91 Gb Total Space | 0.34 Gb Free Space | 17.59% Space Free | Partition Type: FAT

Computer Name: LITTLE1 | User Name: Root | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/01 20:21:52 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\OTL.exe

PRC - [2009/10/08 02:10:36 | 000,471,129 | ---- | M] (Atheros Communications, Inc.) -- C:\Program Files\Atheros\ACU.exe

PRC - [2009/10/08 02:10:02 | 000,499,797 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe

PRC - [2009/09/17 17:37:18 | 000,111,960 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

PRC - [2009/09/17 17:36:58 | 001,021,272 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

PRC - [2009/08/24 21:25:56 | 000,575,552 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\ThpSrv.exe

PRC - [2008/04/14 06:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/11/21 19:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TODDSrv.exe

========== Modules (No Company Name) ==========

MOD - [2009/09/17 17:36:34 | 000,079,192 | ---- | M] () -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosIPCWraper.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (AppMgmt)

SRV - [2011/06/26 00:45:56 | 000,256,000 | R--- | M] () [Auto | Stopped] -- C:\six2CF\pev.3XE -- (PEVSystemStart)

SRV - [2010/06/24 08:41:38 | 000,092,008 | ---- | M] (TomTom) [Disabled | Stopped] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)

SRV - [2009/10/08 02:10:02 | 000,499,797 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)

SRV - [2009/10/06 11:21:50 | 000,051,512 | ---- | M] (TOSHIBA Corporation) [Disabled | Stopped] -- C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)

SRV - [2009/09/17 17:37:18 | 000,111,960 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)

SRV - [2009/08/24 21:25:56 | 000,575,552 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\WINDOWS\system32\ThpSrv.exe -- (Thpsrv)

SRV - [2009/08/13 13:08:14 | 000,210,304 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\TOSHIBA\ToshibaRegistration\TaisRegistPinger.exe -- (taisregispinger)

SRV - [2007/11/21 19:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\WINDOWS\system32\TODDSrv.exe -- (TODDSrv)

SRV - [2005/01/17 18:38:00 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)

========== Driver Services (SafeList) ==========

DRV - [2009/11/16 20:34:26 | 005,955,072 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2009/11/06 20:55:56 | 000,177,024 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)

DRV - [2009/09/30 17:17:02 | 001,585,728 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)

DRV - [2009/09/22 19:40:48 | 000,174,592 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtsUStor.sys -- (RSUSBSTOR)

DRV - [2009/09/21 13:05:42 | 000,018,816 | ---- | M] (Toshiba) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pgsuspend.SYS -- (PGSUSFLT)

DRV - [2009/06/29 12:25:30 | 000,029,760 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\thpdrv.sys -- (Thpdrv)

DRV - [2009/06/22 18:04:58 | 000,024,064 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PGEffect.sys -- (PGEffect)

DRV - [2009/05/11 21:11:44 | 000,006,528 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Thpevm.SYS -- (Thpevm)

DRV - [2009/03/17 01:19:44 | 000,058,208 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)

DRV - [2009/03/12 17:09:54 | 000,023,512 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)

DRV - [2008/08/05 22:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)

DRV - [2008/07/24 16:40:58 | 000,017,192 | ---- | M] (TOSHIBA ) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPwSav.sys -- (TPwSav)

DRV - [2007/02/22 17:10:30 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tdcmdpst.sys -- (tdcmdpst)

DRV - [2006/01/04 17:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)

DRV - [2003/01/29 16:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSNB&bmod=TSNB

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSNB&bmod=TSNB

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1165790669-4136001136-3081347017-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig?brand=TSNB&bmod=TSNB

IE - HKU\S-1-5-21-1165790669-4136001136-3081347017-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie

IE - HKU\S-1-5-21-1165790669-4136001136-3081347017-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie

IE - HKU\S-1-5-21-1165790669-4136001136-3081347017-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

IE - HKU\S-1-5-21-1165790669-4136001136-3081347017-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1

IE - HKU\S-1-5-21-1165790669-4136001136-3081347017-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKU\S-1-5-21-1165790669-4136001136-3081347017-1006\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKU\S-1-5-21-1165790669-4136001136-3081347017-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKU\S-1-5-21-1165790669-4136001136-3081347017-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "file:///C:/NOnEWS.htm"

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: LogMeInClient@logmein.com:1.0.0.652

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Root\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)

FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Root\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Root\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Root\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/26 00:03:39 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/10/26 00:03:36 | 000,000,000 | ---D | M]

[2010/08/05 18:29:47 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Root\Application Data\Mozilla\Extensions

[2010/08/05 18:29:47 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Root\Application Data\Mozilla\Extensions\home2@tomtom.com

[2011/10/08 19:26:00 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Root\Application Data\Mozilla\Firefox\Profiles\ng6sz46x.default\extensions

[2011/02/25 00:10:07 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Root\Application Data\Mozilla\Firefox\Profiles\ng6sz46x.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2011/08/23 23:28:33 | 000,000,000 | -H-D | M] (LogMeIn, Inc. Remote Access Plugin) -- C:\Documents and Settings\Root\Application Data\Mozilla\Firefox\Profiles\ng6sz46x.default\extensions\LogMeInClient@logmein.com

[2011/10/23 02:56:28 | 000,001,664 | -H-- | M] () -- C:\Documents and Settings\Root\Application Data\Mozilla\Firefox\Profiles\ng6sz46x.default\searchplugins\startingpage-https.xml

[2011/10/26 00:03:39 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

() (No name found) -- C:\DOCUMENTS AND SETTINGS\ROOT\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\NG6SZ46X.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI

() (No name found) -- C:\DOCUMENTS AND SETTINGS\ROOT\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\NG6SZ46X.DEFAULT\EXTENSIONS\OVERBITEFF@FLOODGAP.COM.XPI

[2011/09/29 00:53:40 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2011/09/28 18:26:50 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)

CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}

CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}

CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\14.0.835.202\gcswf32.dll

CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll

CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll

CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll

CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll

CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll

CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll

CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll

CHR - plugin: Java Deployment Toolkit 6.0.140.8 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll

CHR - plugin: Java Platform SE 6 U14 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll

CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll

CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll

CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll

CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer

CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\14.0.835.202\ppGoogleNaClPluginChrome.dll

CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\14.0.835.202\pdf.dll

CHR - plugin: Google Talk Plugin (Enabled) = C:\Documents and Settings\Root\Application Data\Mozilla\plugins\npgoogletalk.dll

CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Documents and Settings\Root\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll

CHR - plugin: Winamp Application Detector (Enabled) = C:\Program Files\Mozilla Firefox 4\plugins\npwachk.dll

CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll

CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll

CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Root\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll

CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll

CHR - plugin: Picasa (Enabled) = C:\Program Files\Google\Picasa3\npPicasa3.dll

CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2008/04/14 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O4 - HKLM..\Run: [ACU] C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)

O4 - HKLM..\Run: [ToshibaServiceStation] C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [TUSBSleepChargeSrv] C:\Program Files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe (TOSHIBA)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1165790669-4136001136-3081347017-1006\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKU\S-1-5-21-1165790669-4136001136-3081347017-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-1165790669-4136001136-3081347017-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0

O7 - HKU\S-1-5-21-1165790669-4136001136-3081347017-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab (CTAdjust Class)

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C41DFA42-6DDF-478D-BE20-AF571F1DADDC}: DhcpNameServer = 192.168.1.1

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - Winlogon\Notify\cryptnet32: DllName - (cryptnet32.dll) - File not found

O24 - Desktop WallPaper: C:\Documents and Settings\Root\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Root\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/11/19 00:26:15 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2006/05/11 16:13:39 | 000,000,279 | R--- | M] () - D:\autorun.inf -- [ CDFS ]

O33 - MountPoints2\{3c23becc-502b-11e0-934b-002622f45f78}\Shell - "" = AutoRun

O33 - MountPoints2\{3c23becc-502b-11e0-934b-002622f45f78}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{3c23becc-502b-11e0-934b-002622f45f78}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -- [2006/04/18 16:33:36 | 000,950,272 | R--- | M] ()

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O35 - HKU\S-1-5-21-1165790669-4136001136-3081347017-1006..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKU\S-1-5-21-1165790669-4136001136-3081347017-1006\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/01 20:26:18 | 000,220,024 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\sigcheck.exe

[2011/11/01 20:22:59 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\OTL.exe

[2011/11/01 12:21:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\maxdrive

[2011/10/31 23:02:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Root\Desktop\RK_Quarantine

[2011/10/31 19:01:02 | 001,916,416 | ---- | C] (AVAST Software) -- C:\test.exe

[2011/10/31 13:14:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump

[2011/10/31 00:42:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox

[2011/10/31 00:19:58 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2011/10/31 00:11:35 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2011/10/31 00:11:35 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2011/10/31 00:11:35 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2011/10/31 00:11:35 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2011/10/31 00:10:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2011/10/31 00:10:17 | 000,000,000 | --SD | C] -- C:\six2CF

[2011/10/31 00:08:28 | 004,278,520 | R--- | C] (Swearware) -- C:\six2CF.exe

[2011/10/26 23:01:22 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Root\Desktop\d-d_1_s.scr

[2011/10/26 22:40:44 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2011/10/26 22:08:45 | 000,000,000 | ---D | C] -- C:\Qoobox

[2011/10/26 22:08:22 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Root\Start Menu\Programs\Administrative Tools

[2011/10/26 19:45:46 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Root\Desktop\This.exe

[2011/10/26 19:45:29 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Root\Desktop\Repeal.exe

[2011/10/26 00:11:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinMerge

[2011/10/25 22:54:45 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Root\Recent

[2011/10/13 11:58:58 | 000,000,000 | -HSD | C] -- C:\Config.Msi

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/11/01 20:22:24 | 000,443,482 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2011/11/01 20:22:24 | 000,072,582 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2011/11/01 20:21:52 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\OTL.exe

[2011/11/01 12:26:11 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2011/11/01 12:25:44 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2011/11/01 12:25:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2011/11/01 12:25:24 | 1062,625,280 | -HS- | M] () -- C:\hiberfil.sys

[2011/11/01 12:12:52 | 001,139,184 | ---- | M] () -- C:\maxlook.exe

[2011/10/31 23:11:12 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1165790669-4136001136-3081347017-1006UA.job

[2011/10/31 23:06:12 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2011/10/31 23:01:46 | 000,139,264 | ---- | M] () -- C:\spider.EXE

[2011/10/31 23:00:04 | 000,725,504 | ---- | M] () -- C:\RogueKiller.exe

[2011/10/31 21:11:01 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1165790669-4136001136-3081347017-1006Core.job

[2011/10/31 21:03:16 | 000,302,592 | ---- | M] () -- C:\lc045mw2.exe

[2011/10/31 18:56:06 | 000,380,805 | ---- | M] () -- C:\MiniToolBox.exe

[2011/10/31 00:20:16 | 000,000,327 | RHS- | M] () -- C:\boot.ini

[2011/10/31 00:02:48 | 004,278,520 | R--- | M] (Swearware) -- C:\six2CF.exe

[2011/10/30 19:39:12 | 000,459,264 | ---- | M] () -- C:\Documents and Settings\Root\Desktop\CKScanner.exe

[2011/10/30 19:39:08 | 001,916,416 | ---- | M] (AVAST Software) -- C:\test.exe

[2011/10/26 22:56:24 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Root\Desktop\d-d_1_s.scr

[2011/10/26 22:42:03 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Root\Desktop\settings.dat

[2011/10/26 21:15:42 | 000,000,211 | ---- | M] () -- C:\Boot.bak

[2011/10/26 19:54:59 | 000,007,168 | ---- | M] () -- C:\WINDOWS\System32\5CA0D027.exe

[2011/10/26 18:12:44 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Root\Desktop\This.exe

[2011/10/26 00:03:40 | 000,000,746 | ---- | M] () -- C:\Documents and Settings\Root\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[2011/10/26 00:03:40 | 000,000,728 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2011/10/25 22:55:00 | 000,000,861 | ---- | M] () -- C:\Documents and Settings\Root\Application Data\Microsoft\Internet Explorer\Quick Launch\System Restore.lnk

[2011/10/13 13:19:45 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

[2011/10/13 13:19:04 | 000,185,016 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2011/10/13 11:51:53 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2011/10/11 21:51:06 | 000,217,901 | ---- | M] () -- C:\Documents and Settings\Root\My Documents\zach-beard.jpg

[2011/10/11 17:45:39 | 000,025,690 | ---- | M] () -- C:\Documents and Settings\Root\My Documents\Eels the Beard.jpg

[2011/10/05 11:34:16 | 000,000,372 | ---- | M] () -- C:\Documents and Settings\Root\My Documents\spider.sav

[2011/10/03 02:35:11 | 005,971,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/11/01 12:13:58 | 001,139,184 | ---- | C] () -- C:\maxlook.exe

[2011/10/31 23:02:30 | 000,725,504 | ---- | C] () -- C:\RogueKiller.exe

[2011/10/31 23:02:30 | 000,139,264 | ---- | C] () -- C:\spider.EXE

[2011/10/31 22:57:56 | 1062,625,280 | -HS- | C] () -- C:\hiberfil.sys

[2011/10/31 21:12:15 | 000,302,592 | ---- | C] () -- C:\lc045mw2.exe

[2011/10/31 19:01:02 | 000,380,805 | ---- | C] () -- C:\MiniToolBox.exe

[2011/10/31 00:40:19 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk

[2011/10/31 00:40:17 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Root\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

[2011/10/31 00:40:16 | 000,000,826 | ---- | C] () -- C:\Documents and Settings\Root\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

[2011/10/31 00:40:15 | 000,001,795 | ---- | C] () -- C:\Documents and Settings\Root\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

[2011/10/31 00:20:14 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2011/10/31 00:20:02 | 000,260,272 | RHS- | C] () -- C:\cmldr

[2011/10/31 00:11:35 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2011/10/31 00:11:35 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2011/10/31 00:11:35 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2011/10/31 00:11:35 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2011/10/31 00:11:35 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2011/10/30 19:46:54 | 000,459,264 | ---- | C] () -- C:\Documents and Settings\Root\Desktop\CKScanner.exe

[2011/10/26 22:42:03 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Root\Desktop\settings.dat

[2011/10/26 19:54:59 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\5CA0D027.exe

[2011/10/26 00:07:07 | 000,000,788 | ---- | C] () -- C:\Documents and Settings\Root\Start Menu\Programs\Malwarebytes' Anti-Malware.lnk

[2011/10/26 00:03:40 | 000,000,746 | ---- | C] () -- C:\Documents and Settings\Root\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[2011/10/26 00:03:40 | 000,000,734 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk

[2011/10/26 00:03:40 | 000,000,728 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2011/10/26 00:02:46 | 000,000,887 | ---- | C] () -- C:\Documents and Settings\Root\Start Menu\Programs\Google Chrome.lnk

[2011/10/25 22:55:00 | 000,000,861 | ---- | C] () -- C:\Documents and Settings\Root\Application Data\Microsoft\Internet Explorer\Quick Launch\System Restore.lnk

[2011/10/11 21:51:06 | 000,217,901 | ---- | C] () -- C:\Documents and Settings\Root\My Documents\zach-beard.jpg

[2011/10/11 17:45:37 | 000,025,690 | ---- | C] () -- C:\Documents and Settings\Root\My Documents\Eels the Beard.jpg

[2011/08/05 12:08:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\f5unistall.INI

[2011/07/01 22:41:01 | 000,000,017 | ---- | C] () -- C:\WINDOWS\popcinfo.dat

[2011/06/02 00:44:59 | 000,000,091 | ---- | C] () -- C:\WINDOWS\CIV.INI

[2011/06/02 00:44:24 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\IYVU9_32.DLL

[2011/02/19 19:41:29 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\CommonDL.dll

[2011/02/19 19:41:29 | 000,002,413 | ---- | C] () -- C:\WINDOWS\System32\lgAxconfig.ini

[2010/12/08 02:17:43 | 000,295,573 | ---- | C] () -- C:\WINDOWS\System32\shimg.dll

[2010/12/08 02:17:43 | 000,026,112 | ---- | C] () -- C:\WINDOWS\System32\dll.dll

[2010/10/25 19:37:59 | 000,001,544 | -H-- | C] () -- C:\Documents and Settings\Root\Application Data\wklnhst.dat

[2010/10/16 01:42:04 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/06/19 13:39:11 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Root\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/06/05 20:10:22 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat

[2010/06/05 00:52:12 | 000,067,584 | ---- | C] () -- C:\WINDOWS\unlite2.exe

[2010/06/05 00:51:56 | 000,777,728 | ---- | C] () -- C:\WINDOWS\System32\SSLSVC.DLL

[2010/06/05 00:51:56 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\xmltok.dll

[2010/06/05 00:51:56 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\cfmsg.dll

[2010/06/05 00:51:56 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\xmlparse.dll

[2010/06/05 00:51:55 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\lang_cfml.dll

[2010/06/05 00:51:55 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\xml_datagrove.dll

[2010/06/04 17:48:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2010/06/04 12:17:13 | 000,000,013 | RHS- | C] () -- C:\WINDOWS\System32\drivers\fbd.sys

[2010/01/25 12:58:06 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll

[2009/12/06 02:06:47 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2009/12/06 02:02:49 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll

[2009/12/06 01:57:08 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\TDispVol.dll

[2009/12/06 01:53:02 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\EBLib.DLL

[2009/12/06 01:51:32 | 000,262,217 | ---- | C] () -- C:\WINDOWS\System32\IPTests.dll

[2009/12/06 01:46:09 | 000,000,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTEQEX0.dat

[2009/11/19 15:51:56 | 000,000,353 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2009/11/19 15:43:41 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2009/11/19 15:43:24 | 000,443,482 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2009/11/19 15:43:24 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2009/11/19 15:43:24 | 000,072,582 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2009/11/19 15:43:24 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2009/11/19 15:43:20 | 000,004,631 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

[2009/11/19 15:43:19 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2009/11/19 15:43:13 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

[2009/11/19 15:42:53 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2009/11/19 15:42:51 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2009/11/19 15:42:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2009/11/19 15:41:47 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin

[2009/11/19 01:15:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI

[2009/11/19 00:27:54 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2009/11/19 00:24:30 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2009/11/18 16:21:45 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2009/11/18 16:21:04 | 000,185,016 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2009/06/06 03:42:40 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\TPeculiarity.dll

[2009/05/01 11:27:48 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\HWS_Ctrl.dll

[2009/04/28 06:37:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\SPCtl.dll

[2009/04/02 11:35:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\EKECioCtl.dll

[2005/03/25 23:00:00 | 000,101,376 | ---- | C] () -- C:\WINDOWS\System32\FORMATUFD.EXE

========== LOP Check ==========

[2009/11/19 01:13:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\toshiba

[2009/11/19 00:30:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\WinBatch

[2011/09/22 21:10:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Easybits GO

[2011/10/25 23:52:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F5 Networks

[2011/02/19 19:41:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LGMOBILEAX

[2010/10/17 22:38:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn

[2010/06/04 18:45:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Partner

[2011/09/24 23:52:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SWATH

[2010/08/05 18:30:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom

[2009/11/19 01:41:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Toshiba

[2009/12/06 01:56:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vista32

[2009/12/06 01:56:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vista64

[2009/12/06 02:04:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\XP

[2009/11/19 01:13:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\toshiba

[2009/11/19 00:30:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\WinBatch

[2010/06/05 01:00:36 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Root\Application Data\DeLorme

[2011/04/21 02:11:16 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Root\Application Data\FileZilla

[2011/09/22 16:04:24 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Root\Application Data\go

[2011/09/17 21:58:51 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Root\Application Data\gtk-2.0

[2010/12/17 20:17:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Root\Application Data\OverDrive

[2010/10/25 02:46:14 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Root\Application Data\Philipp Winterberg

[2010/10/25 19:38:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Root\Application Data\Template

[2010/08/05 18:29:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Root\Application Data\TomTom

[2009/11/19 01:13:17 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Root\Application Data\toshiba

[2010/11/04 23:34:03 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Root\Application Data\uqm

[2009/11/19 00:30:37 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Root\Application Data\WinBatch

========== Purity Check ==========

< End of report >

OTL Extras Log

OTL Extras logfile created on: 11/1/2011 8:34:02 PM - Run 1

OTL by OldTimer - Version 3.2.31.0 Folder = C:\

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.33 Mb Total Physical Memory | 685.68 Mb Available Physical Memory | 67.67% Memory free

2.89 Gb Paging File | 2.70 Gb Available in Paging File | 93.18% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 137.78 Gb Total Space | 36.14 Gb Free Space | 26.23% Space Free | Partition Type: NTFS

Drive D: | 5.49 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Drive E: | 1.91 Gb Total Space | 0.34 Gb Free Space | 17.59% Space Free | Partition Type: FAT

Computer Name: LITTLE1 | User Name: Root | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1165790669-4136001136-3081347017-1006\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 1

"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Documents and Settings\Root\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Root\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)

"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)

"C:\Program Files\Macromedia\ColdFusion Studio 5\CFStudio5.exe" = C:\Program Files\Macromedia\ColdFusion Studio 5\CFStudio5.exe:*:Enabled:ColdFusion Studio -- (Macromedia, Inc.)

"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{02EED746-8C5A-43C8-BB3D-D29C8B363A4D}" = TOSHIBA Zooming Utility

"{0837A661-FEC3-48B3-876C-91E7D32048A9}" = Macromedia Dreamweaver 8

"{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver

"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist

"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works

"{16E8BF9A-B419-4A44-A020-30F8CFB84B9D}" = Atheros Client Utility

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java 6 Update 14

"{2C38F661-26B7-445D-B87D-B53FE2D3BD42}" = TOSHIBA PC Diagnostic Tool

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3A57482F-BEBC-47E4-ADA1-6302403C7E50}" = TOSHIBA Accessibility

"{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password

"{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup

"{5335DADB-34BA-4AE8-A519-648D78498846}" = Skype™ 5.3

"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager

"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime

"{59FDFDFB-52FE-45B1-8A2A-A00079B07FF0}" = TOSHIBA Power Saver Driver

"{5AF550B4-BB67-4E7E-82F1-2C4300279050}" = ToshibaRegistration

"{5E6F6CF3-BACC-4144-868C-E14622C658F3}" = TOSHIBA Web Camera Application

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{7833B48D-8CCD-4588-A7A0-AE01C96ACAA4}" = SelectiveSuspend

"{7900D3A6-A9E8-4954-ACCB-AB15867978BF}" = TOSHIBA Hotkey Utility

"{80977342-27E8-4FF7-8B6A-D8D89461DA7F}" = TouchPad On/Off Utility

"{81D0EAC7-B352-4E71-B8A1-461E41029A2E}" = DeLorme Street Atlas USA 2008

"{82705358-3BD6-3CD5-AA9A-B8F058BE3A29}" = Google Talk Plugin

"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules

"{8F7AC250-4D7D-431D-AC4E-94FB78EA3F8B}" = TOSHIBA Power Saver

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In

"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager

"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{94A90C69-71C1-470A-88F5-AA47ECC96B40}" = TOSHIBA HDD Protection

"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader

"{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}" = TOSHIBA Application and Driver Installer

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A75D08E2-0B75-11D5-A507-000000000000}" = Macromedia ColdFusion Studio 5

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AC6569FA-6919-442A-8552-073BE69E247A}" = TOSHIBA Service Station

"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.6

"{B3FED300-806C-11E0-A0D0-B8AC6F97B88E}" = Google Earth

"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Media Creator

"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program

"{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}" = Toshiba Online Backup

"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert

"{E487EE7D-EAAA-4E2A-9116-E3B477D8A74F}" = TOSHIBA USB Sleep and Charge Utility

"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant

"{E69992ED-A7F6-406C-9280-1C156417BC49}" = TOSHIBA Quality Application

"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{FCE19796-1ADF-42DF-81D8-3563867FC2C2}" = TOSHIBA Zooming Hook

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin

"ATTAC_is1" = ATTAC v4.1.11

"Civilization II Multiplayer Gold Edition" = Civilization II Multiplayer Gold Edition

"ESET Online Scanner" = ESET Online Scanner v3

"FileZilla Client" = FileZilla Client 3.4.0

"Fn-esse" = TOSHIBA Fn-esse

"Google Chrome" = Google Chrome

"HDMI" = Intel® Graphics Media Accelerator Driver

"HOMESTUDENTR" = Microsoft Office Home and Student 2007

"ie8" = Windows Internet Explorer 8

"InstallShield_{02EED746-8C5A-43C8-BB3D-D29C8B363A4D}" = TOSHIBA Zooming Utility

"InstallShield_{2C38F661-26B7-445D-B87D-B53FE2D3BD42}" = TOSHIBA PC Diagnostic Tool

"InstallShield_{3A57482F-BEBC-47E4-ADA1-6302403C7E50}" = TOSHIBA Accessibility

"InstallShield_{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password

"InstallShield_{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup

"InstallShield_{7833B48D-8CCD-4588-A7A0-AE01C96ACAA4}" = SelectiveSuspend

"InstallShield_{7900D3A6-A9E8-4954-ACCB-AB15867978BF}" = TOSHIBA Hotkey Utility

"InstallShield_{80977342-27E8-4FF7-8B6A-D8D89461DA7F}" = TouchPad On/Off Utility

"InstallShield_{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert

"IrfanView" = IrfanView (remove only)

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Mozilla Firefox 7.0.1 (x86 en-US)" = Mozilla Firefox 7.0.1 (x86 en-US)

"Picasa 3" = Picasa 3

"RarZilla Free Unrar" = RarZilla Free Unrar

"SWATH_is1" = SWATH 1.9.8

"SynTPDeinstKey" = Synaptics Pointing Device Driver

"The Ur-Quan Masters" = The Ur-Quan Masters 0.6.2

"TomTom HOME" = TomTom HOME 2.7.5.2014

"TopStyle Lite (Version 2)" = TopStyle Lite (Version 2)

"VLC media player" = VLC media player 1.0.5

"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9

"Winamp" = Winamp

"Windows Media Format Runtime" = Windows Media Format Runtime

"Windows Media Player" = Windows Media Player 10

"WinGimp-2.0_is1" = GIMP 2.6.10

"WinMerge_is1" = WinMerge 2.12.4

"ZOC6" = ZOC Terminal 6.3

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1165790669-4136001136-3081347017-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Game Organizer" = EasyBits GO

"Winamp Detect" = Winamp Detector Plug-in

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 3/16/2011 2:26:15 PM | Computer Name = LITTLE1 | Source = TOSHIBA Service Station | ID = 0

Description = TSS Load: could not communicate with TMachInfo service

Error - 3/18/2011 6:42:01 AM | Computer Name = LITTLE1 | Source = TOSHIBA Service Station | ID = 0

Description = Cannot start service TMachInfo on computer '.'.

Error - 3/18/2011 6:42:01 AM | Computer Name = LITTLE1 | Source = TOSHIBA Service Station | ID = 0

Description = TSS Load: could not communicate with TMachInfo service

Error - 3/22/2011 12:25:54 AM | Computer Name = LITTLE1 | Source = Application Error | ID = 1000

Description = Faulting application firefox.exe, version 2.0.0.4079, faulting module

xul.dll, version 2.0.0.4079, fault address 0x00134ce7.

Error - 4/17/2011 12:50:38 PM | Computer Name = LITTLE1 | Source = TOSHIBA Service Station | ID = 0

Description = Cannot start service TMachInfo on computer '.'.

Error - 4/17/2011 12:50:38 PM | Computer Name = LITTLE1 | Source = TOSHIBA Service Station | ID = 0

Description = TSS Load: could not communicate with TMachInfo service

Error - 4/28/2011 6:02:22 PM | Computer Name = LITTLE1 | Source = TOSHIBA Service Station | ID = 0

Description = Cannot start service TMachInfo on computer '.'.

Error - 4/28/2011 6:02:22 PM | Computer Name = LITTLE1 | Source = TOSHIBA Service Station | ID = 0

Description = TSS Load: could not communicate with TMachInfo service

Error - 5/2/2011 5:33:21 PM | Computer Name = LITTLE1 | Source = TOSHIBA Service Station | ID = 0

Description = Cannot start service TMachInfo on computer '.'.

Error - 5/2/2011 5:33:21 PM | Computer Name = LITTLE1 | Source = TOSHIBA Service Station | ID = 0

Description = TSS Load: could not communicate with TMachInfo service

[ System Events ]

Error - 11/1/2011 2:20:33 PM | Computer Name = LITTLE1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1058" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/1/2011 2:25:57 PM | Computer Name = LITTLE1 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

atapi PCIIde

Error - 11/1/2011 2:26:25 PM | Computer Name = LITTLE1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1058" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/1/2011 2:28:58 PM | Computer Name = LITTLE1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1058" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/1/2011 2:29:09 PM | Computer Name = LITTLE1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1058" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/1/2011 10:21:35 PM | Computer Name = LITTLE1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1058" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/1/2011 10:22:54 PM | Computer Name = LITTLE1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1058" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/1/2011 10:22:55 PM | Computer Name = LITTLE1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1058" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/1/2011 10:31:38 PM | Computer Name = LITTLE1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1058" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/1/2011 10:31:47 PM | Computer Name = LITTLE1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1058" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

< End of report >


Hello six2 :),

Check some files with OTL

  • Double click on OTL.exe to run it.
  • Make sure all the None options are checked (selected). There are eight of them.
  • Copy and paste the following into the white box under Custom Scans/Fixes:
    %SYSTEMDRIVE%\fbd.* /s /md5
    %SYSTEMDRIVE%\*.* /lockedfiles


  • Click on Run Scan at the top left hand corner. This might take a while.
  • When done, the OTL.txt file will open. Please post back the contents of this log.

--------------------

Upload file(s) to VirusTotal (VT) for an online scan. Click here.

  • Click on the Browse button or the white box beside it. A File Upload prompt will open.
  • Copy and paste the following file and its path to upload:
    C:\WINDOWS\System32\drivers\fbd.sys


  • Press Open, then Send file. The file will be uploaded for testing.
  • If there is any indication or prompt that the file has been scanned before, please proceed to have the file rescanned or reanalyzed.
  • Please wait for all the scanners to finish, then copy and paste the result into Notepad and save it to a convenient place.
  • Post the result in your next response.

Alternatively, if VirusTotal is busy or inaccessible, you may try Jotti or VirScan (VS) with similar steps.

A result from either one of the above scanners would be sufficient.

--------------------

Please post back:

1. the OTL log (OTL.txt only)

2. VT result

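The helper's instructions above ask OTL to do three things with the suspect driver: find every `fbd.*` under the system drive (`/s`), hash it (`/md5`), and list files that cannot be opened (`/lockedfiles`), then have the file itself checked by VirusTotal. The script below is an added example, not part of the helper's post and not OTL's code: it reproduces that file-system sweep in Python 3 (recursive, case-insensitive glob match, streamed MD5 and SHA-256, an explicit record for files that could not be read) so the same inventory can be taken from a clean machine against a copy of the drive. The directory tree, file names and contents it scans are constructed for the demo; `fbd.sys` here is a three-byte stand-in, not the real driver.

```python
"""Added example: recursive find-and-hash sweep for a suspect file name.

Mirrors the OTL custom-scan lines `%SYSTEMDRIVE%\fbd.* /s /md5` and
`/lockedfiles`. Everything it scans is constructed inside a temp dir.
"""
import fnmatch
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class FileRecord:
    path: str
    size: Optional[int]
    md5: Optional[str]
    sha256: Optional[str]
    unreadable: bool  # True when the file was locked, access-denied or vanished


def hash_file(path: str, chunk: int = 1 << 20) -> Tuple[str, str]:
    """Stream a file once and return (md5, sha256) hex digests."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def sweep(root: str, pattern: str) -> List[FileRecord]:
    """Recursive, case-insensitive match of file names against a glob
    (OTL's '/s'), hashing every hit ('/md5') and keeping a record for
    files that cannot be read instead of silently skipping them."""
    hits: List[FileRecord] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                continue
            full = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(full)
                md5, sha = hash_file(full)
                hits.append(FileRecord(full, size, md5, sha, False))
            except OSError:
                # A driver the kernel holds open, a file a filter driver refuses
                # to hand over, or a dangling link all land here: log it.
                hits.append(FileRecord(full, None, None, None, True))
    return sorted(hits, key=lambda r: r.path.lower())


def report(records: List[FileRecord]) -> List[str]:
    """One line per record, in the spirit of an OTL custom-scan listing."""
    lines = []
    for r in records:
        if r.unreadable:
            lines.append(f"[LOCKED/UNREADABLE] {r.path}")
        else:
            lines.append(f"{r.size:>10} bytes  MD5={r.md5}  SHA256={r.sha256}  {r.path}")
    return lines


def build_demo_tree(base: str) -> None:
    """Constructed sample tree (not real system files): two fbd.* names with
    known contents, a decoy that must not match, and a dangling symlink to
    exercise the unreadable branch where the platform allows symlinks."""
    drv = os.path.join(base, "WINDOWS", "System32", "drivers")
    os.makedirs(drv)
    with open(os.path.join(drv, "fbd.sys"), "wb") as fh:
        fh.write(b"abc")  # stand-in content, not the real driver
    with open(os.path.join(base, "FBD.tmp"), "wb") as fh:
        fh.write(b"")  # empty file, matched case-insensitively
    with open(os.path.join(drv, "atapi.sys"), "wb") as fh:
        fh.write(b"decoy")  # does not match fbd.*
    try:
        os.symlink(os.path.join(base, "missing"), os.path.join(drv, "fbd.lnk"))
    except (OSError, NotImplementedError, AttributeError):
        pass  # symlinks unavailable (e.g. unprivileged Windows): skip that case


def demo() -> Dict[str, FileRecord]:
    """Build the constructed tree in a temp dir, sweep it for fbd.*, print the
    listing and return the records keyed by file name."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        records = sweep(base, "fbd.*")
        for line in report(records):
            print(line)
    return {os.path.basename(r.path): r for r in records}


if __name__ == "__main__":
    demo()
```

Point the `sweep()` call at the root of a mounted copy of the drive (e.g. `sweep("E:\\", "fbd.*")`) to get the real inventory. The SHA-256 is worth recording alongside the MD5 because VirusTotal can be searched by hash, so a file that has already been analysed can be checked without uploading it. Two caveats: a hash computed on the running, suspect system is only as trustworthy as the bytes the OS hands back, since a kernel rootkit that hooks file I/O can serve a clean copy to user-mode readers, which is one reason to hash from an offline copy; and a file that turns up as unreadable is a finding in itself, not a scan error to ignore.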

This topic is now closed to further replies.