
Browser redirect/virus/malware issues that I can't solve on my own

Discussion in 'Virus & Other Malware Removal' started by repub, Dec 30, 2010.

  1. repub

    repub Thread Starter

    Joined:
    Sep 30, 2009
    Messages:
    61
    My older mother has issues with browser redirects, a very slow computer system, and possibly a virus/malware. She keeps rebooting, but her computer freezes up and won't shut down. Below are the various logs:

    Tech Support Guy System Info Utility version 1.0.0.1
    OS Version: Microsoft Windows XP Professional, Service Pack 3, 32 bit
    Processor: AMD Athlon(tm) 64 Processor 3800+, x86 Family 15 Model 95 Stepping 2
    Processor Count: 1
    RAM: 446 Mb
    Graphics Card: NVIDIA GeForce 6150 LE , 256 Mb
    Hard Drives: C: Total - 143846 MB, Free - 125707 MB; D: Total - 8762 MB, Free - 568 MB;
    Motherboard: ASUSTek Computer INC., NAOS, 1.05, MS1C6AS00302402
    Antivirus: AVG Anti-Virus Free, Updated: Yes, On-Demand Scanner: Enabled

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:04:40 PM, on 12/29/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\arservice.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Compaq_Administrator\Desktop\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\YTSingleInstance.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
    O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198798139828
    O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://games.bigfishgames.com/en_dream-chronicles/online/dreamweb.1.0.0.9.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    --
    End of file - 8822 bytes

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Compaq_Administrator at 22:05:34.87 on Wed 12/29/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.122 [GMT -6:00]
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    FW: Norton Internet Worm Protection *Disabled*
    ============== Running Processes ===============
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Compaq_Administrator\Desktop\dds.scr
    ============== Pseudo HJT Report ===============
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
    uWindow Title = Windows Internet Explorer provided by Yahoo!
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mWinlogon: Userinit=userinit.exe
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn5\YTSingleInstance.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: trymedia.com
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198798139828
    DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://games.bigfishgames.com/en_dream-chronicles/online/dreamweb.1.0.0.9.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    ============= SERVICES / DRIVERS ===============
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-16 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-16 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-21 243024]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-12-28 38224]
    =============== Created Last 30 ================
    2010-12-28 23:49:08 -------- d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
    2010-12-28 23:48:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-28 23:48:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-12-28 23:48:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-28 23:48:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-16 03:42:49 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-16 03:42:24 45568 ------w- c:\windows\system32\dllcache\wab.exe
    ==================== Find3M ====================
    2010-12-25 06:48:17 398744 ----a-r- c:\windows\system32\cpnprt2.cid
    2010-11-18 18:12:44 81920 ------w- c:\windows\system32\isign32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ------w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ------w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    =================== ROOTKIT ====================
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3160812AS rev.3.AHH -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-5
    device: opened successfully
    user: MBR read successfully
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84B15555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x84b1b7b0]; MOV EAX, [0x84b1b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x84B3F4D8]
    3 CLASSPNP[0xF74FCFD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000068[0x84BCFF18]
    5 ACPI[0xF7373620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x84B88678]
    \Driver\atapi[0x84A2FD30] -> IRP_MJ_CREATE -> 0x84B15555
    kernel: MBR read successfully
    _asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
    detected disk devices:
    \Device\Ide\IdeDeviceP2T0L0-5 -> \??\IDE#DiskST3160812AS_____________________________3.AHH___#5&8b35f09&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x84B1539B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    ============= FINISH: 22:07:26.54 ===============

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-30 00:08:24
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 ST3160812AS rev.3.AHH
    Running: pqtx3i7u.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\axdcruob.sys

    ---- Kernel code sections - GMER 1.0.15 ----
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF4FF6360, 0x20574D, 0xE8000020]
    ? C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
    ---- User code sections - GMER 1.0.15 ----
    .text C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A8000A
    .text C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A9000A
    .text C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A7000C
    .text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0095000A
    .text C:\WINDOWS\System32\svchost.exe[1152] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00F0000A
    .text C:\WINDOWS\Explorer.EXE[1820] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\Explorer.EXE[1820] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
    .text C:\WINDOWS\Explorer.EXE[1820] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 84B1539B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 84B1539B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 84B1539B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 84B1539B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 84B1539B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 84B1539B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-16 84B1539B
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    Device \Device\Ide\IdeDeviceP2T0L0-5 -> \??\IDE#DiskST3160812AS_____________________________3.AHH___#5&8b35f09&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    ---- Disk sectors - GMER 1.0.15 ----
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
    ---- EOF - GMER 1.0.15 ----

    Thank you for your assistance.
     
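    The HijackThis and DDS reports above are long, and most of their entries (AVG, Yahoo! toolbar, HP and NVIDIA components) are ordinary. What a malware helper actually scans them for is a handful of patterns: autostart entries whose target file cannot be found (the O20 Winlogon Notify line here reads "file missing"), sites added to the IE Trusted Zone (O15), ActiveX controls pulled from unexpected hosts (O16), DLLs loaded into winlogon.exe, and services with no vendor string (O23 "Unknown owner"). The following Python script is an added example, not part of the original thread or of the HijackThis tool: it parses HijackThis-style lines and applies those checks. The allow-list of ActiveX download hosts and the sample log (a few lines modelled on the first post, not the full report) are constructed for the example.

```python
import re

# One HijackThis finding per line: "<section> - <body>", e.g. "O2 - BHO: ...".
SECTION_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")

# Hosts from which an ActiveX (O16 / DPF) download is expected on this box.
# Assumed allow-list for this example; tune it to the environment.
TRUSTED_DPF_HOSTS = (
    "update.microsoft.com",
    "download.microsoft.com",
    "java.sun.com",
    "fpdownload.macromedia.com",
)

# Constructed sample modelled on lines from the first post (not the full log).
SAMPLE_HJT_LOG = r"""
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
"""


def parse_line(line):
    """Split one log line into its HijackThis section code and body, or None."""
    m = SECTION_RE.match(line.strip())
    if m is None:
        return None
    return {"section": m.group(1), "body": m.group(2), "raw": line.strip()}


def host_of(body):
    """Hostname of the first http(s) URL in the body, lower-cased, or None."""
    m = re.search(r"https?://([^/\s]+)", body)
    return m.group(1).lower() if m else None


def triage(log_text):
    """Return a list of {section, reason, raw} for lines that merit a second look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        sec, body = entry["section"], entry["body"]
        reasons = []
        # An autostart whose target the tool cannot find is either an
        # uninstall leftover or a file hidden from the user-mode scanner.
        if "(file missing)" in body or "(no file)" in body.lower():
            reasons.append("autostart target not found on disk")
        if sec == "O15":
            reasons.append("site added to IE Trusted Zone (relaxed ActiveX/script policy)")
        if sec == "O16":
            host = host_of(body)
            if host and not any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
                reasons.append("ActiveX control fetched from non-allow-listed host " + host)
        if sec == "O20":
            reasons.append("Winlogon Notify DLL is loaded into winlogon.exe at logon")
        if sec == "O23" and "Unknown owner" in body:
            reasons.append("service binary carries no vendor name")
        for reason in reasons:
            findings.append({"section": sec, "reason": reason, "raw": entry["raw"]})
    return findings


def sections_flagged(findings):
    """Sorted, de-duplicated section codes present in the findings."""
    return sorted({f["section"] for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['raw']}")
```

    On the sample the script flags the Trusted Zone entry, the PopCap loader control, the Winlogon Notify line (twice: missing file and logon DLL) and the vendor-less toolbar service, and leaves the AVG BHO, the NVIDIA Run key and the Microsoft Update control alone. A flag is a prompt to look, not a verdict: the "file missing" Winlogon entry in this thread belongs to AVG, which is exactly why a helper reads the whole log rather than deleting on pattern match.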
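    The most important lines in the first post are not in the HijackThis report but at the end of the DDS output and in GMER: the atapi driver's DriverStartIo routine points at an address (0x84B1539B) outside any loaded module, the detector warns of a possible TDL3 infection, and GMER reports "rootkit-like behavior" for disk sectors 62 and 63, i.e. the area just before the first partition (which on an XP-era disk normally starts at LBA 63). One generic check a responder runs in that situation, from a clean boot medium so that a hooked disk driver cannot filter the reads, is to parse the MBR partition table, find the first partition's start LBA, and list every sector in the gap between the MBR and that partition that is not all zeros. The script below is an added example, not GMER's or DDS's algorithm and not code from the thread; the 63-sector disk image it inspects is constructed in memory, with nonzero bytes planted in sector 62 to stand in for a bootkit body.

```python
import struct

SECTOR = 512
# One MBR partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
# start LBA (u32 LE), sector count (u32 LE).
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr):
    """Return (signature_ok, [partition dicts]) from one 512-byte MBR sector."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    signature_ok = mbr[510:512] == b"\x55\xAA"
    parts = []
    for i in range(4):
        status, ptype, start_lba, size = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype != 0 and size != 0:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "start_lba": start_lba, "sectors": size})
    return signature_ok, parts


def check_gap(disk_image):
    """Inspect the sectors between the MBR (LBA 0) and the first partition.

    Returns a dict with the MBR signature status, the first partition's LBA,
    how many gap sectors exist and which of them contain nonzero bytes.
    """
    signature_ok, parts = parse_mbr(disk_image[:SECTOR])
    result = {"signature_ok": signature_ok, "first_partition_lba": None,
              "gap_sectors": 0, "nonzero_sectors": []}
    if not parts:
        return result
    first = min(p["start_lba"] for p in parts)
    result["first_partition_lba"] = first
    result["gap_sectors"] = first - 1
    for lba in range(1, first):
        sector = disk_image[lba * SECTOR:(lba + 1) * SECTOR]
        if any(sector):  # any byte other than 0x00
            result["nonzero_sectors"].append(lba)
    return result


def build_sample_image(first_lba=63, tainted=(62,)):
    """Constructed image: one NTFS-type partition at `first_lba`, gap zeroed
    except for the sectors listed in `tainted`, which get arbitrary bytes."""
    image = bytearray(SECTOR * first_lba)          # LBA 0 .. first_lba-1
    image[446:462] = struct.pack(ENTRY_FMT, 0x80, 0x07, first_lba, 1000)
    image[510:512] = b"\x55\xAA"
    for lba in tainted:
        if not 1 <= lba < first_lba:
            raise ValueError("tainted sector must lie in the gap")
        image[lba * SECTOR:lba * SECTOR + 16] = b"\xEB\x00" * 8  # placeholder, not real code
    return bytes(image)


if __name__ == "__main__":
    report = check_gap(build_sample_image())
    print("MBR signature OK:", report["signature_ok"])
    print("first partition at LBA", report["first_partition_lba"],
          "->", report["gap_sectors"], "gap sectors")
    print("nonzero gap sectors:", report["nonzero_sectors"])
```

    A nonzero gap is a lead, not proof: some OEM images and boot managers legitimately keep code there, so the next step is to dump the flagged sectors and look at them. The opposite is also true: "user & kernel MBR OK" from a detector running on the live system only means the hooked stack returned consistent data, which is why the same read is repeated from offline media before deciding the disk is clean.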
  2. repub

    repub Thread Starter

    Here's the Attach that I was supposed to send (hoping it's attached) :(
     


  3. repub

    repub Thread Starter

    bump
     
  4. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,669
    Hiya


    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! As you download it, rename it to username123.exe and save it to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Remember to re-enable the protection again afterwards before connecting to the Internet.
    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    eddie
     
  5. repub

    repub Thread Starter

    I disabled the resident shield on the AVG anti-virus software, installed ComboFix and saved it as username123.exe. I got the message "ComboFix cannot run when AVG is installed. This is due to AVG's targeting of ComboFix's files/processes. It would be dangerous to continue. Please uninstall AVG or use another tool."

    How should I proceed?

    Thanks.
     
  6. eddie5659

    eddie5659 Moderator Malware Specialist

    Okay, looks like good old AVG is causing problems again :(

    We need to temporarily remove your Anti-Virus, as it interferes with the fix I want to run. You can reinstall it again later. If you are not happy about doing this, please let me know before proceeding.

    Download AppRemover and run it.

    Click Next >>


    Ensure "Remove Security Application" is selected and click Next >>


    AppRemover will scan all the security applications on your PC

    Select Any AVG entries from the applications offered and click Next >> twice.

    Follow any further on-screen instructions. If asked to reboot, please do so.

    Note: Please do not browse the internet or open any email attachments until your Anti-Virus is re-installed



    When that's done, try ComboFix again.

    eddie
     
  7. repub

    repub Thread Starter

    ComboFix 10-12-29.02 - Compaq_Administrator 01/03/2011 9:33.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.186 [GMT -6:00]
    Running from: c:\documents and settings\Compaq_Administrator\Desktop\username123.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\windows\Downloaded Program Files\popcaploader.dll
    c:\windows\Downloaded Program Files\popcaploader.inf
    c:\windows\system32\Oeminfo.ini
    D:\Autorun.inf
    .
    ((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))
    .
    2010-12-28 23:49 . 2010-12-28 23:49 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
    2010-12-28 23:48 . 2010-12-28 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-12-28 23:48 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-28 23:48 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-28 23:48 . 2010-12-28 23:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-24 18:52 . 2010-12-24 18:52 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
    2010-12-16 03:42 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-16 03:42 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-25 06:48 . 2008-05-26 01:48 398744 ----a-r- c:\windows\system32\cpnprt2.cid
    2010-11-18 18:12 . 2004-08-10 04:00 81920 ------w- c:\windows\system32\isign32.dll
    2010-11-06 00:26 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2004-08-10 04:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2004-08-10 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2004-08-10 04:00 40960 ------w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2004-08-10 04:00 290048 ------w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2004-08-10 04:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-9-29 27136]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-29 27136]
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
    2005-08-03 06:19 77312 ------w- c:\windows\arpwrmsg.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
    2007-10-31 02:57 1095256 ----a-w- c:\program files\DISC\DISCover.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-09-30 04:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftutil2]
    2004-06-07 21:05 106496 ------w- c:\windows\system32\ftutil2.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-02-17 13:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
    2006-02-16 05:34 249856 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-05-09 22:50 7311360 ----a-w- c:\windows\system32\nvcpl.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2006-05-09 22:50 1519616 ----a-w- c:\windows\system32\nwiz.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2005-07-23 05:14 237568 ----a-w- c:\windows\SMINST\Recguard.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2006-06-14 03:05 16239616 ----a-w- c:\windows\RTHDCPL.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
    2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-10-11 10:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YMailAdvisor]
    2009-05-08 10:53 174424 ----a-w- c:\program files\Yahoo!\Common\YMailAdvisor.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
    2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\DISC\\DISCover.exe"=
    "c:\\Program Files\\DISC\\DiscStreamHub.exe"=
    "c:\\Program Files\\HP Games\\JEOPARDY\\JEOPARDY!.exe"=
    "c:\\Program Files\\HP Games\\Wheel of Fortune\\Wheel of Fortune.exe"=

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    2010-12-03 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2004-08-10 00:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: trymedia.com
    DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://games.bigfishgames.com/en_dream-chronicles/online/dreamweb.1.0.0.9.cab
    .
    - - - - ORPHANS REMOVED - - - -
    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    HKU-Default-Run-DWQueuedReporting - c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
    Notify-avgrsstarter - (no file)
    MSConfigStartUp-Antispyware - c:\program files\Antispyware\Antispyware.exe
    MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
    AddRemove-My HP Game Console - c:\program files\WildTangent\Apps\My HP Game Console\Uninstall.exe
    AddRemove-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\CDAUninstall.exe
    AddRemove-WT008879 - c:\program files\HP Games\Jewel Quest\Uninstall.exe
    AddRemove-WT008887 - c:\program files\HP Games\Mah Jong Quest\Uninstall.exe
    AddRemove-WT008891 - c:\program files\HP Games\Mystery Case Files\Uninstall.exe
    AddRemove-WT008895 - c:\program files\HP Games\Ricochet Lost Worlds\Uninstall.exe
    AddRemove-WT008903 - c:\program files\HP Games\Slingo Deluxe\Uninstall.exe

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-03 09:46
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-01-03 09:49:17
    ComboFix-quarantined-files.txt 2011-01-03 15:48
    Pre-Run: 132,095,512,576 bytes free
    Post-Run: 133,079,900,160 bytes free
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    - - End Of File - - 86FCFF173C2D279A65B43F64753CDB36
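The "Reg Loading Points" section of the ComboFix log above is a REGEDIT4-style export, so it can be parsed mechanically rather than read line by line. The script below is an added example (editor's code, not ComboFix's and not the poster's) that pulls out the Run-key autostarts, the firewall exception list and the Windows Security Center override values from that block. The sample text is copied from the log above; the set of override value names is the editor's own list (an assumption) of the documented HKLM\SOFTWARE\Microsoft\Security Center values. A hit on `AntiVirusOverride=1` or a vendor `DisableMonitoring=1` is a prompt to confirm which product set it, not proof of infection: security products that register with Security Center set the same values.

```python
"""Parse the REGEDIT4-style "Reg Loading Points" block that ComboFix prints and
pull out what a reviewer checks first: Run-key autostarts, firewall exceptions
and Windows Security Center override values.

Added example for this thread, not ComboFix code.  SAMPLE is copied from the
ComboFix log posted above; OVERRIDE_NAMES is the editor's list (assumption)
of the documented Security Center values that silence its monitoring."""
import re

# Copied from the ComboFix log in the post above (trimmed to the relevant keys).
SAMPLE = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP Games\\JEOPARDY\\JEOPARDY!.exe"=
"""

# "name"=value or @=value.  ComboFix appends " [date size]" after string values.
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<rest>.*)$')

# Security Center values that, when set to 1, suppress or disable its monitoring.
OVERRIDE_NAMES = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
                  "firewalldisablenotify", "updatesdisablenotify", "disablemonitoring"}


def _parse_value(rest):
    """Turn the right-hand side of a .reg line into None, int or str."""
    rest = rest.strip()
    if not rest:
        return None                              # bare "name"= (firewall list entries)
    if rest.lower().startswith("dword:"):
        return int(rest[len("dword:"):], 16)
    m = re.match(r'"(.*?)"', rest)               # quoted string; trailing " [date size]" is dropped
    if m:
        return m.group(1).replace("\\\\", "\\")  # undo .reg backslash escaping
    return rest


def parse_reg_block(text):
    """Return {key (lower-cased): {value_name: value}} for every [key] section."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:            # non-matching lines (file stamps, paths) are skipped
            name = m.group("name") if m.group("name") is not None else "@"
            entries[current][name] = _parse_value(m.group("rest"))
    return entries


def security_center_overrides(entries):
    """(key, name, value) for every Security Center override value that is set to 1."""
    hits = []
    for key, values in entries.items():
        if "security center" not in key:
            continue
        for name, value in values.items():
            if name.lower() in OVERRIDE_NAMES and value == 1:
                hits.append((key, name, value))
    return hits


def autostart_entries(entries):
    """(name, command) pairs from any ...\\Run or ...\\RunOnce key."""
    out = []
    for key, values in entries.items():
        if key.endswith("\\run") or key.endswith("\\runonce"):
            out.extend((n, v) for n, v in values.items() if isinstance(v, str))
    return out


def firewall_exceptions(entries):
    """Programs allowed through the XP firewall (AuthorizedApplications\\List names)."""
    out = []
    for key, values in entries.items():
        if key.endswith("authorizedapplications\\list"):
            out.extend(values.keys())
    return [n.replace("\\\\", "\\") for n in out]


if __name__ == "__main__":
    reg = parse_reg_block(SAMPLE)
    for key, name, value in security_center_overrides(reg):
        print(f"override: {key}\\{name} = {value}")
    for name, path in autostart_entries(reg):
        print(f"autostart: {name} -> {path}")
    for app in firewall_exceptions(reg):
        print(f"firewall exception: {app}")
```

Run it against the whole "Reg Loading Points" block of any ComboFix log; lines that are not `[key]` or `"name"=value` (the msconfig file stamps, the startupfolder `path=`/`backup=` lines) are ignored rather than mis-parsed.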
     
  8. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,669
    Download TFC by OldTimer to your desktop
    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.



    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.






    Download and scan with SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply.
    • Click Close to exit the program.

    Please include the MBAM log, the SUPERAntiSpyware Scan Log and a fresh HijackThis log in your next reply.

    eddie
     
  9. repub

    repub Thread Starter

    Joined:
    Sep 30, 2009
    Messages:
    61
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org
    Database version: 5448
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    1/3/2011 12:32:58 PM
    mbam-log-2011-01-03 (12-32-57).txt
    Scan type: Quick scan
    Objects scanned: 149722
    Time elapsed: 4 minute(s), 53 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com
    Generated 01/03/2011 at 01:44 PM
    Application Version : 4.47.1000
    Core Rules Database Version : 6118
    Trace Rules Database Version: 3930
    Scan type : Complete Scan
    Total Scan Time : 01:01:00
    Memory items scanned : 384
    Memory threats detected : 0
    Registry items scanned : 6681
    Registry threats detected : 0
    File items scanned : 109986
    File threats detected : 139
    Adware.Tracking Cookie
    C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
    (139 cookie files in total, all under C:\Documents and Settings\Compaq_Administrator\Cookies\; the site portion of each file name was lost in extraction and only the count survives)

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:04:18 PM, on 1/3/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\arservice.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Documents and Settings\Compaq_Administrator\Desktop\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
    O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198798139828
    O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://games.bigfishgames.com/en_dream-chronicles/online/dreamweb.1.0.0.9.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    --
    End of file - 6924 bytes
     
  10. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,669
    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up comes, press SAVE, choose Desktop in the list of selections in that window, and press Save).


    Referring to the picture above, drag CFScript into ComboFix.exe.

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    eddie
     


  11. repub

    repub Thread Starter

    Joined:
    Sep 30, 2009
    Messages:
    61
    ComboFix 10-12-29.02 - Compaq_Administrator 01/03/2011 15:55:53.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.179 [GMT -6:00]
    Running from: c:\documents and settings\Compaq_Administrator\Desktop\username123.exe
    Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    FILE ::
    "c:\windows\system32\cpnprt2.cid"
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\windows\system32\cpnprt2.cid
    .
    ((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))
    .
    2011-01-03 18:38 . 2011-01-03 18:38 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com
    2011-01-03 18:38 . 2011-01-03 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-01-03 18:38 . 2011-01-03 18:38 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-12-28 23:49 . 2010-12-28 23:49 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
    2010-12-28 23:48 . 2010-12-28 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-12-28 23:48 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-28 23:48 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-28 23:48 . 2011-01-03 18:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-24 18:52 . 2010-12-24 18:52 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
    2010-12-16 03:42 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-16 03:42 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-18 18:12 . 2004-08-10 04:00 81920 ------w- c:\windows\system32\isign32.dll
    2010-11-06 00:26 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2004-08-10 04:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2004-08-10 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2004-08-10 04:00 40960 ------w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2004-08-10 04:00 290048 ------w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2004-08-10 04:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    .
    ((((((((((((((((((((((((((((( [email protected]_15.46.08 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-01-03 19:57 . 2011-01-03 19:57 16384 c:\windows\Temp\Perflib_Perfdata_e8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-14 2424560]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-9-29 27136]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-29 27136]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
    2005-08-03 06:19 77312 ------w- c:\windows\arpwrmsg.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
    2007-10-31 02:57 1095256 ----a-w- c:\program files\DISC\DISCover.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-09-30 04:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftutil2]
    2004-06-07 21:05 106496 ------w- c:\windows\system32\ftutil2.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-02-17 13:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
    2006-02-16 05:34 249856 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-05-09 22:50 7311360 ----a-w- c:\windows\system32\nvcpl.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2006-05-09 22:50 1519616 ----a-w- c:\windows\system32\nwiz.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2005-07-23 05:14 237568 ----a-w- c:\windows\SMINST\Recguard.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2006-06-14 03:05 16239616 ----a-w- c:\windows\RTHDCPL.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
    2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-10-11 10:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YMailAdvisor]
    2009-05-08 10:53 174424 ----a-w- c:\program files\Yahoo!\Common\YMailAdvisor.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
    2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\DISC\\DISCover.exe"=
    "c:\\Program Files\\DISC\\DiscStreamHub.exe"=
    "c:\\Program Files\\HP Games\\JEOPARDY\\JEOPARDY!.exe"=
    "c:\\Program Files\\HP Games\\Wheel of Fortune\\Wheel of Fortune.exe"=
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    2010-12-03 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2004-08-10 00:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: trymedia.com
    DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://games.bigfishgames.com/en_dream-chronicles/online/dreamweb.1.0.0.9.cab
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-03 16:02
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(700)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-01-03 16:05:03
    ComboFix-quarantined-files.txt 2011-01-03 22:05
    ComboFix2.txt 2011-01-03 15:49
    Pre-Run: 133,050,671,104 bytes free
    Post-Run: 133,050,986,496 bytes free
    - - End Of File - - BADC5D765CAC6C716C85B193A7C801C4

    Thanks :)
     
  12. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,669
    Okay, let's look at something that appeared in the initial scans you ran :)

    Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.



    • If an infected file is detected, the default action will be Cure, click on Continue.



    • If a suspicious file is detected, the default action will be Skip, click on Continue.



    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.



    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    eddie
     
  13. repub

    repub Thread Starter

    Joined:
    Sep 30, 2009
    Messages:
    61
    There was a folder that appeared on the desktop prior to me working with you named 70, -On. Copies of the My Documents folder were somehow sent here. It doesn't show on the desktop anymore, but when I saved the TDSS software to the desktop, this 70, -On folder was listed in the options to save the software. I don't know the relevance of this - my Mother said she didn't create this folder.


    2011/01/04 14:55:48.0859 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
    2011/01/04 14:55:48.0859 ================================================================================
    2011/01/04 14:55:48.0859 SystemInfo:
    2011/01/04 14:55:48.0859
    2011/01/04 14:55:48.0859 OS Version: 5.1.2600 ServicePack: 3.0
    2011/01/04 14:55:48.0859 Product type: Workstation
    2011/01/04 14:55:48.0859 ComputerName: SYLVIA-NEW
    2011/01/04 14:55:48.0859 UserName: Compaq_Administrator
    2011/01/04 14:55:48.0859 Windows directory: C:\WINDOWS
    2011/01/04 14:55:48.0859 System windows directory: C:\WINDOWS
    2011/01/04 14:55:48.0859 Processor architecture: Intel x86
    2011/01/04 14:55:48.0859 Number of processors: 1
    2011/01/04 14:55:48.0859 Page size: 0x1000
    2011/01/04 14:55:48.0859 Boot type: Normal boot
    2011/01/04 14:55:48.0859 ================================================================================
    2011/01/04 14:55:49.0109 Initialize success
    2011/01/04 14:55:53.0484 ================================================================================
    2011/01/04 14:55:53.0484 Scan started
    2011/01/04 14:55:53.0484 Mode: Manual;
    2011/01/04 14:55:53.0484 ================================================================================
    2011/01/04 14:55:55.0906 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/01/04 14:55:55.0984 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/01/04 14:55:56.0203 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/01/04 14:55:56.0328 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/01/04 14:55:56.0609 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
    2011/01/04 14:55:56.0734 aracpi (00523019e3579c8f8a94457fe25f0f24) C:\WINDOWS\system32\DRIVERS\aracpi.sys
    2011/01/04 14:55:56.0781 arhidfltr (9fedaa46eb1a572ac4d9ee6b5f123cf2) C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
    2011/01/04 14:55:56.0812 arkbcfltr (82969576093cd983dd559f5a86f382b4) C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
    2011/01/04 14:55:56.0843 armoucfltr (9b21791d8a78faece999fadbebda6c22) C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
    2011/01/04 14:55:56.0906 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/01/04 14:55:56.0984 ARPolicy (7a2da7c7b0c524ef26a79f17a5c69fde) C:\WINDOWS\system32\DRIVERS\arpolicy.sys
    2011/01/04 14:55:57.0171 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/01/04 14:55:57.0296 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/01/04 14:55:57.0437 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/01/04 14:55:57.0546 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/01/04 14:55:57.0625 bb-run (7270d070173b20ac9487ea16bb08b45f) C:\WINDOWS\system32\DRIVERS\bb-run.sys
    2011/01/04 14:55:57.0656 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/01/04 14:55:58.0046 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/01/04 14:55:58.0187 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/01/04 14:55:58.0265 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/01/04 14:55:58.0343 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/01/04 14:55:58.0796 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/01/04 14:55:58.0937 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/01/04 14:55:59.0062 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/01/04 14:55:59.0125 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/01/04 14:55:59.0187 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/01/04 14:55:59.0312 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/01/04 14:55:59.0421 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/01/04 14:55:59.0562 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2011/01/04 14:55:59.0625 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/01/04 14:55:59.0703 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/01/04 14:55:59.0796 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/01/04 14:55:59.0937 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/01/04 14:55:59.0984 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/01/04 14:56:00.0015 ftsata2 (22399d3ce5840c6082844679cca5d2fc) C:\WINDOWS\system32\DRIVERS\ftsata2.sys
    2011/01/04 14:56:00.0109 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/01/04 14:56:00.0250 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/01/04 14:56:00.0328 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/01/04 14:56:00.0593 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    2011/01/04 14:56:00.0687 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    2011/01/04 14:56:00.0828 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    2011/01/04 14:56:00.0968 HSXHWBS2 (1f5c64b0c6b2e2f48735a77ae714ccb8) C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys
    2011/01/04 14:56:01.0062 HSX_DP (a7f8c9228898a1e871d2ae7082f50ac3) C:\WINDOWS\system32\DRIVERS\HSX_DP.sys
    2011/01/04 14:56:01.0171 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/01/04 14:56:01.0328 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/01/04 14:56:01.0453 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/01/04 14:56:01.0781 IntcAzAudAddService (ab2fe0faa519880bd16e4a0792d633d2) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2011/01/04 14:56:02.0109 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/01/04 14:56:02.0187 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/01/04 14:56:02.0234 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/01/04 14:56:02.0343 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/01/04 14:56:02.0453 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/01/04 14:56:02.0515 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/01/04 14:56:02.0656 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/01/04 14:56:02.0734 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/01/04 14:56:02.0875 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/01/04 14:56:03.0046 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/01/04 14:56:03.0187 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/01/04 14:56:03.0296 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/01/04 14:56:03.0531 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    2011/01/04 14:56:03.0671 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
    2011/01/04 14:56:03.0796 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/01/04 14:56:03.0906 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/01/04 14:56:04.0000 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/01/04 14:56:04.0093 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/01/04 14:56:04.0156 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/01/04 14:56:04.0296 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/01/04 14:56:04.0406 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/01/04 14:56:04.0546 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/01/04 14:56:04.0609 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/01/04 14:56:04.0656 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/01/04 14:56:04.0703 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/01/04 14:56:04.0765 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/01/04 14:56:04.0859 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/01/04 14:56:04.0953 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/01/04 14:56:05.0015 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/01/04 14:56:05.0078 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/01/04 14:56:05.0140 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/01/04 14:56:05.0218 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/01/04 14:56:05.0250 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/01/04 14:56:05.0328 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/01/04 14:56:05.0484 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/01/04 14:56:05.0625 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/01/04 14:56:05.0781 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/01/04 14:56:05.0921 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/01/04 14:56:06.0109 nv (642a87877f83313eb5302749cd479024) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/01/04 14:56:06.0265 NVENETFD (22eedb34c4d7613a25b10c347c6c4c21) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
    2011/01/04 14:56:06.0343 nvnetbus (5e3f6ad5cad0f12d3cccd06fd964087a) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
    2011/01/04 14:56:06.0406 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/01/04 14:56:06.0437 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/01/04 14:56:06.0531 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/01/04 14:56:06.0687 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/01/04 14:56:06.0796 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/01/04 14:56:06.0859 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/01/04 14:56:06.0906 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/01/04 14:56:06.0984 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/01/04 14:56:07.0046 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/01/04 14:56:07.0687 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/01/04 14:56:07.0843 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    2011/01/04 14:56:07.0953 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/01/04 14:56:07.0984 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/01/04 14:56:08.0140 PxHelp20 (97b735de4e3cd44c71c8cb09bdbf07b7) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/01/04 14:56:08.0390 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/01/04 14:56:08.0500 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/01/04 14:56:08.0562 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/01/04 14:56:08.0593 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/01/04 14:56:08.0703 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/01/04 14:56:08.0734 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/01/04 14:56:08.0859 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/01/04 14:56:08.0984 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/01/04 14:56:09.0140 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/01/04 14:56:09.0265 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
    2011/01/04 14:56:09.0390 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2011/01/04 14:56:09.0421 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    2011/01/04 14:56:09.0609 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/01/04 14:56:09.0750 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2011/01/04 14:56:09.0890 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/01/04 14:56:10.0062 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/01/04 14:56:10.0156 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/01/04 14:56:10.0218 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/01/04 14:56:10.0296 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/01/04 14:56:10.0343 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/01/04 14:56:10.0703 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/01/04 14:56:10.0875 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/01/04 14:56:11.0015 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/01/04 14:56:11.0156 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/01/04 14:56:11.0250 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/01/04 14:56:11.0390 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/01/04 14:56:11.0546 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/01/04 14:56:11.0671 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/01/04 14:56:11.0765 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/01/04 14:56:11.0812 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/01/04 14:56:11.0921 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    2011/01/04 14:56:12.0031 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/01/04 14:56:12.0171 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/01/04 14:56:12.0218 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/01/04 14:56:12.0328 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/01/04 14:56:12.0406 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/01/04 14:56:12.0437 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2011/01/04 14:56:12.0484 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/01/04 14:56:12.0593 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/01/04 14:56:12.0781 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/01/04 14:56:12.0906 winachsx (11ec1afceb5c917ce73d3c301ff4291e) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
    2011/01/04 14:56:13.0062 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/01/04 14:56:13.0109 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/01/04 14:56:13.0234 ================================================================================
    2011/01/04 14:56:13.0234 Scan finished
    2011/01/04 14:56:13.0234 ================================================================================
     
  14. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,669
    Well, the good news is it looks like the rootkit may be gone, but I want to have a deeper look, plus look for this folder you mentioned.

    Firstly, can you do this:


    Download OTL to your Desktop
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.



    -------------------

    Then, lets have a look to see where this folder is:


    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:

      Code:
      :folderfind
      70, -On
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found at on your Desktop entitled SystemLook.txt

    It may take a while to scan.

    eddie
     
  15. repub

    repub Thread Starter

    Joined:
    Sep 30, 2009
    Messages:
    61
    I got an error message when trying to run SystemLook (I tried to download from both mirror sites) - 'This application has failed to start because the application configuration is incorrect. Reinstalling this application may fix this problem.'

    OTL:
    OTL logfile created on: 1/4/2011 6:38:20 PM - Run 1
    OTL by OldTimer - Version 3.2.20.1 Folder = C:\Documents and Settings\Compaq_Administrator\Desktop
    Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    446.00 Mb Total Physical Memory | 138.00 Mb Available Physical Memory | 31.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 82.00% Paging File free
    Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 140.48 Gb Total Space | 124.14 Gb Free Space | 88.37% Space Free | Partition Type: NTFS
    Drive D: | 8.56 Gb Total Space | 0.55 Gb Free Space | 6.48% Space Free | Partition Type: FAT32

    Computer Name: SYLVIA-NEW | User Name: Compaq_Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/01/04 18:37:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Administrator\Desktop\OTL.exe
    PRC - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2005/08/03 00:19:16 | 000,058,880 | ---- | M] (Microsoft) -- C:\WINDOWS\arservice.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/01/04 18:37:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Administrator\Desktop\OTL.exe
    MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
    SRV - [2005/08/03 00:19:16 | 000,058,880 | ---- | M] (Microsoft) [Auto | Running] -- C:\WINDOWS\arservice.exe -- (ARSVC)
    SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Running] -- C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/05/10 12:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2010/02/17 12:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
    DRV - [2008/04/13 10:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
    DRV - [2006/06/14 12:04:12 | 004,299,264 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2006/05/09 16:50:00 | 003,535,680 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
    DRV - [2006/03/03 16:31:04 | 000,013,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
    DRV - [2006/03/03 16:31:02 | 000,034,176 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
    DRV - [2005/12/06 12:20:50 | 000,241,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
    DRV - [2005/12/06 12:20:42 | 000,670,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsx)
    DRV - [2005/12/06 12:20:40 | 000,936,448 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_DP.sys -- (HSX_DP)
    DRV - [2005/06/29 18:03:18 | 000,175,104 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ftsata2.sys -- (ftsata2)
    DRV - [2005/03/09 15:53:00 | 000,036,352 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
    DRV - [2004/08/03 15:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
    DRV - [2003/11/05 08:45:12 | 000,017,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\bb-run.sys -- (bb-run)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://news.yahoo.com [binary data]

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    O1 HOSTS File: ([2011/01/03 16:02:42 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll (Yahoo! Inc.)
    O2 - BHO: (hpWebHelper Class) - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll (Hewlett-Packard)
    O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\YTSingleInstance.dll (Yahoo! Inc)
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll (Yahoo! Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll (Yahoo! Inc.)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
    O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
    O9 - Extra 'Tools' menuitem : Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
    O15 - HKLM\..Trusted Domains: trymedia.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: trymedia.com ([]https in Trusted sites)
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab (Office Genuine Advantage Validation Tool)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198798139828 (MUWebControl Class)
    O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} http://games.bigfishgames.com/en_dream-chronicles/online/dreamweb.1.0.0.9.cab (CPlayFirstdreamControl Object)
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab (PopCapLoader Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.142.182.250 209.142.136.220
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
    O24 - Desktop WallPaper: C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2005/08/30 22:02:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2001/07/27 08:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/01/04 18:37:35 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Administrator\Desktop\OTL.exe
    [2011/01/04 14:53:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Administrator\Desktop\tdds
    [2011/01/03 12:38:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com
    [2011/01/03 12:38:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    [2011/01/03 12:38:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
    [2011/01/03 12:38:13 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
    [2011/01/03 12:11:33 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Administrator\Desktop\TFC.exe
    [2011/01/03 09:30:52 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/01/03 09:28:05 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/01/03 09:28:05 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/01/03 09:28:05 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/01/03 09:28:05 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/01/03 09:27:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/01/03 09:19:50 | 005,473,272 | ---- | C] (OPSWAT, Inc.) -- C:\Documents and Settings\Compaq_Administrator\Desktop\AppRemover.exe
    [2011/01/03 07:49:11 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/01/03 07:25:30 | 002,069,344 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Compaq_Administrator\My Documents\avgtray.exe
    [2010/12/30 00:16:18 | 000,508,416 | ---- | C] (Tech Support Guy System) -- C:\Documents and Settings\Compaq_Administrator\Desktop\SysInfo.exe
    [2010/12/29 22:04:01 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Compaq_Administrator\Desktop\HijackThis.exe
    [2010/12/28 20:58:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
    [2010/12/28 17:49:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Malwarebytes
    [2010/12/28 17:48:53 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/12/28 17:48:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2010/12/28 17:48:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2010/12/28 17:48:47 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/12/28 17:48:45 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/12/24 12:53:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2010/12/24 12:53:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2010/12/24 12:52:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
    [2010/12/16 09:47:52 | 001,345,624 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Compaq_Administrator\Desktop\TDSSKiller.exe

    ========== Files - Modified Within 30 Days ==========

    [2011/01/04 18:37:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Administrator\Desktop\OTL.exe
    [2011/01/04 14:53:29 | 001,345,624 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Compaq_Administrator\Desktop\TDSSKiller.exe
    [2011/01/04 14:52:37 | 001,232,020 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\tdsskiller.zip
    [2011/01/03 16:02:42 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/01/03 13:57:07 | 000,043,531 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
    [2011/01/03 13:56:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/01/03 13:56:53 | 468,242,432 | -HS- | M] () -- C:\hiberfil.sys
    [2011/01/03 12:38:16 | 000,001,686 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
    [2011/01/03 12:25:21 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/01/03 12:11:34 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Administrator\Desktop\TFC.exe
    [2011/01/03 09:30:59 | 000,000,325 | RHS- | M] () -- C:\boot.ini
    [2011/01/03 09:19:50 | 005,473,272 | ---- | M] (OPSWAT, Inc.) -- C:\Documents and Settings\Compaq_Administrator\Desktop\AppRemover.exe
    [2011/01/03 07:31:15 | 003,999,600 | R--- | M] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\username123.exe
    [2010/12/31 18:22:57 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/12/30 17:37:34 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\Microsoft Word.lnk
    [2010/12/30 00:16:19 | 000,508,416 | ---- | M] (Tech Support Guy System) -- C:\Documents and Settings\Compaq_Administrator\Desktop\SysInfo.exe
    [2010/12/29 22:49:39 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\pqtx3i7u.exe
    [2010/12/29 22:04:01 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Compaq_Administrator\Desktop\HijackThis.exe
    [2010/12/24 23:01:37 | 000,030,720 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator\My Documents\SILLOUTTE TEMPTATION BOOK LIST.xls
    [2010/12/24 22:56:03 | 000,002,471 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\Microsoft Excel.lnk
    [2010/12/24 21:53:00 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator\My Documents\SILOUTTE DESIRE.xls
    [2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/12/17 12:15:02 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/12/16 03:25:02 | 000,271,784 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/12/16 03:08:25 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK

    ========== Files Created - No Company Name ==========

    [2011/01/04 14:52:29 | 001,232,020 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\tdsskiller.zip
    [2011/01/03 12:38:16 | 000,001,686 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
    [2011/01/03 12:25:21 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/01/03 09:28:05 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/01/03 09:28:05 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/01/03 09:28:05 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/01/03 09:28:05 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/01/03 09:28:05 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/01/03 07:31:15 | 003,999,600 | R--- | C] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\username123.exe
    [2010/12/29 22:49:39 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Desktop\pqtx3i7u.exe
    [2010/12/24 12:54:27 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2008/11/02 18:22:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Application Data\wklnhst.dat
    [2008/02/04 17:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
    [2007/01/06 13:57:52 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2007/01/06 12:42:22 | 000,000,143 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\fusioncache.dat
    [2006/09/29 08:07:28 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2006/09/29 07:47:08 | 000,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
    [2006/09/29 07:41:27 | 000,012,989 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
    [2006/09/29 07:41:21 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
    [2006/09/29 07:38:17 | 000,000,174 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
    [2006/09/29 07:28:05 | 000,000,108 | ---- | C] () -- C:\WINDOWS\WININIT.INI
    [2006/09/29 07:26:44 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
    [2006/09/29 07:22:10 | 000,001,212 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
    [2006/09/29 07:21:11 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
    [2006/09/29 07:17:50 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
    [2006/09/29 07:17:50 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
    [2006/09/29 07:17:50 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
    [2006/09/29 07:17:50 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
    [2006/09/29 07:17:50 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
    [2006/09/29 07:17:50 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
    [2006/09/29 07:17:50 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
    [2006/09/29 07:16:24 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
    [2006/09/29 06:54:44 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\pythoncom22.dll
    [2006/09/29 06:54:44 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\pywintypes22.dll
    [2006/09/29 06:54:27 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
    [2006/06/16 12:58:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
    [2005/08/30 22:01:42 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2005/08/05 22:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
    [2005/08/03 00:19:16 | 000,050,176 | ---- | C] () -- C:\WINDOWS\armcex.dll
    [1999/01/22 12:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
    [1998/01/12 02:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

    ========== LOP Check ==========

    [2006/09/29 07:32:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Digital Interactive Systems Corporation
    [2009/03/19 18:16:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
    [2007/07/04 13:49:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
    [2008/03/30 08:23:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
    [2008/11/02 18:22:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Template
    [2010/12/02 23:30:00 | 000,000,290 | ---- | M] () -- C:\WINDOWS\Tasks\Disk Cleanup.job

    ========== Purity Check ==========


    < End of report >
     
Short URL to this thread: https://techguy.org/971530