
HJT, DDS, GMER logs entered here. Virus Burst?

Discussion in 'Virus & Other Malware Removal' started by steevow, Jan 6, 2011.

steevow (Thread Starter)
    I hope the DDS Attach is attached as I followed the 'manage attachments' window at the bottom and it said it was uploaded. If it didn't I'll figure it out and reply with that post.

    1st) this is the same Steevow with the "Virus Burst? Nightmare" post on 1-5-11. You can read that and delete it, just so you have an idea what's been happening....... I had no idea if the redirecting would prevent me from reaching this site again, which is the problem with msn.com email and sbcglobal.net email on reaching the other site that ''was'' helping me out. I'll stay here.

    One more thing after running an updated SuperAntiSpyware scan this morning it found the usual adware tracking, but it also found this HKU\S entry in the registry (hmmm....doesn't this resemble the proper HKUS\ log in HJT?) Anyway it found the following: Rogue.Pallidium HKU\S-1-5-21-823518204-1123561945-725345543-1003\software\microsoft\currentversion\internetsettings#WaronPostredirect. SAS didn't/couldn't quarantine it or clean it because I ran it twice in a row.
    **after the # sign it starts with War......that's the first 3 initials to my last name. Coincidence???
    Don't know what those numbers mean, but I did find 2 folders with this type of numbering (not the same but ending in 1003 like the above) in C/Documents&Settings/Administrator/Application/Microsoft/Protect.
    May be irrelevant, but after a month of this headache I hope anything will help resolve it.

    HJT log:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:24:25 AM, on 1/6/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\dlcxcoms.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\steve r warner\Desktop\HijackThis\HijackThis.exe
    O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [PhotoExplosionCalCheck] C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Startup: V CAST Media Monitor.lnk = C:\Program Files\V CAST Media Manager\MEMonitor.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://svca.solidworks.com/htdocs/pdownload/edrawings/e2009sp03/cab/eModelsStandard.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
    O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
    --
    End of file - 7708 bytes

    DDS log:
    !!!!!!!!! Notice the line "AV: VirusRanger 3.6 *On-access scanning enabled*". Is this the Virus Burst infection?

    DDS (Ver_10-11-27.01) - NTFSx86
    Run by steve r warner at 11:30:50.90 on 01/06/2011 Thu
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
    Microsoft Windows XP Professional 5.1.2600.3.932.81.1033.18.1535.1016 [GMT -8:00]
    AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: VirusRanger 3.6 *On-access scanning enabled* (Outdated) {BED2903C-5EE3-4973-9679-828AE087DAE6}
    ============== Running Processes ===============
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\dlcxcoms.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Documents and Settings\steve r warner\Desktop\dds.scr
    C:\WINDOWS\system32\conime.exe
    ============== Pseudo HJT Report ===============
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:8074
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: {F35CE83E-9EBF-40D5-AE87-53F982389740} - No File
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [PhotoExplosionCalCheck] c:\program files\nova development\photo explosion deluxe 3.0\calcheck.exe
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
    dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    StartupFolder: c:\docume~1\stever~1\startm~1\programs\startup\vcastm~1.lnk - c:\program files\v cast media manager\MEMonitor.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: microsoft.com\www
    Trusted Zone: msn.com\www
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - hxxp://svca.solidworks.com/htdocs/pdownload/edrawings/e2009sp03/cab/eModelsStandard.cab
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    AppInit_DLLs: c:\windows\system32\cssdll32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    ============= SERVICES / DRIVERS ===============
    R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-14 11608]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-14 68865]
    R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-14 151297]
    R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
    R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-14 52056]
    S0 fdghlcg;fdghlcg;c:\windows\system32\drivers\qlti.sys --> c:\windows\system32\drivers\qlti.sys [?]
    S0 ihmrecc;ihmrecc;c:\windows\system32\drivers\qyqfxol.sys --> c:\windows\system32\drivers\qyqfxol.sys [?]
    S0 lodwu;lodwu;c:\windows\system32\drivers\sgnm.sys --> c:\windows\system32\drivers\sgnm.sys [?]
    S0 mlfd;mlfd;c:\windows\system32\drivers\omwvg.sys --> c:\windows\system32\drivers\omwvg.sys [?]
    S0 tnwxvpep;tnwxvpep;c:\windows\system32\drivers\domkaljp.sys --> c:\windows\system32\drivers\domkaljp.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-27 135664]
    =============== Created Last 30 ================
    2011-01-04 05:04:49 -------- d-----w- c:\program files\roguescanfix
    2011-01-04 01:46:25 98816 ----a-w- c:\windows\sed.exe
    2011-01-04 01:46:25 89088 ----a-w- c:\windows\MBR.exe
    2011-01-04 01:46:25 256512 ----a-w- c:\windows\PEV.exe
    2011-01-04 01:46:25 161792 ----a-w- c:\windows\SWREG.exe
    2011-01-03 18:42:53 -------- dc-h--w- c:\windows\ie8
    2010-12-30 16:35:19 -------- d-----w- c:\program files\Netscape Internet Service
    2010-12-30 16:35:19 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Netscape Internet Service
    2010-12-30 16:35:05 -------- d--h--w- c:\windows\PIF
    2010-12-29 02:06:10 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
    2010-12-29 02:06:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
    2010-12-29 02:06:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
    2010-12-29 02:06:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
    2010-12-29 02:06:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
    2010-12-29 02:06:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
    2010-12-29 02:06:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
    2010-12-24 06:23:50 709456 ----a-w- c:\windows\isRS-000.tmp
    2010-12-16 03:05:45 -------- d-----w- c:\docume~1\stever~1\applic~1\Registry Mechanic
    2010-12-16 02:33:46 -------- d-----w- c:\docume~1\stever~1\applic~1\Uniblue
    2010-12-16 02:32:45 -------- d-----w- c:\docume~1\stever~1\locals~1\applic~1\PackageAware
    2010-12-15 15:34:51 -------- d-----w- c:\docume~1\stever~1\applic~1\Intuit
    2010-12-15 15:34:49 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Intuit
    2010-12-15 14:52:47 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-12-15 06:50:20 -------- d-sha-r- C:\cmdcons
    2010-12-11 15:56:53 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2010-12-11 15:56:52 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-12-11 15:55:32 -------- d-----w- c:\program files\Bonjour
    2010-12-11 15:54:13 -------- d-----w- c:\program files\Xiph.Org
    2010-12-10 02:44:09 61440 ----a-w- c:\windows\system32\dnssd.dll
    ==================== Find3M ====================
    2010-11-30 22:28:29 253688 ----a-w- c:\windows\system32\cssdll32.dll
    2009-06-20 16:24:43 714136 ----a-w- c:\program files\JavaSetup6u14.exe
    2009-05-25 16:37:29 476696 ----a-w- c:\program files\RealPlayer11GOLD.exe
    2005-12-08 03:19:46 774144 ----a-w- c:\program files\RngInterstitial.dll
    =================== ROOTKIT ====================
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD2000JD-98HBB0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-17
    device: opened successfully
    user: MBR read successfully
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A307555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a30d7b0]; MOV EAX, [0x8a30d82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A332AB8]
    3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000066[0x8A3E64D0]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A376D98]
    \Driver\atapi[0x8A375A08] -> IRP_MJ_CREATE -> 0x8A307555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP2T0L0-17 -> \??\IDE#DiskWDC_WD2000JD-98HBB0_____________________08.02D08#4457572d4143384c383136333433_036_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A30739B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    ============= FINISH: 11:32:14.35 ===============

    GMER log:

    Windows 5.1.2600 Disk: WDC_WD2000JD-98HBB0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-17
    device: opened successfully
    user: MBR read successfully
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A307555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a30d7b0]; MOV EAX, [0x8a30d82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A332AB8]
    3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000066[0x8A3E64D0]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A376D98]
    \Driver\atapi[0x8A375A08] -> IRP_MJ_CREATE -> 0x8A307555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP2T0L0-17 -> \??\IDE#DiskWDC_WD2000JD-98HBB0_____________________08.02D08#4457572d4143384c383136333433_036_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A30739B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    ============= FINISH: 11:32:14.35 ===============

  2. steevow

    steevow Thread Starter

    Joined:
    Jan 5, 2011
    Messages:
    4
    I figured I should post the latest ESET scan, TDSSKiller scan (which may be of no consequence anymore) and yesterday's ComboFix scan.
    Almost didn't make it to this page due to the redirection infection -- "System Error.....please scan...blah blah....." This is the problem that was mentioned as a possible commercial version of VirusBurst. It is why I cannot log in to the other tech site that was helping me. Why Gmail worked on this site is a good question.
    The ESET and TDSSKiller scans found infections in Dec. more than once, but all seems clean now (unless we're being fooled). There's nothing now, but I posted those scans just in case you see something. I have older ones showing the infections if you're interested. The ComboFix I ran 3 days ago allowed me to re-connect to the internet. At that point I really didn't care if my hard drive got destroyed by running it without guidance, but I had nothing to lose.

    FYI... Malwarebytes finds ZERO infections with a complete scan. Avira will notify me of TR/Crypt.XPACK.Gen2 detections. The SAS result is in the previous post. Hope that helps some so we can kill this infection, which is causing me to lose business through word of mouth from people who then contact me through my email.

    **********esets_scanner_update returned -1 esets_gle=49153
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=c690de05c0d0fd45a7b5e4ee0e5700b4
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-01-07 02:07:52
    # local_time=2011-01-06 06:07:52 (-0800, Pacific Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 58088535 58088535 0 0
    # compatibility_mode=1280 16777215 100 0 0 0 0 0
    # compatibility_mode=1792 16777175 100 0 59631729 59631729 0 0
    # compatibility_mode=3586 16764926 0 1 119557000 119557000 0 0
    # compatibility_mode=8192 67108863 100 0 2179164 2179164 0 0
    # scanned=125981
    # found=0
    # cleaned=0
    # scan_time=5232

    ******TDSSKiller
    2011/01/06 18:48:36.0765 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56
    2011/01/06 18:48:36.0765 ================================================================================
    2011/01/06 18:48:36.0765 SystemInfo:
    2011/01/06 18:48:36.0765
    2011/01/06 18:48:36.0765 OS Version: 5.1.2600 ServicePack: 3.0
    2011/01/06 18:48:36.0765 Product type: Workstation
    2011/01/06 18:48:36.0765 ComputerName: STEVE-0B6026E53
    2011/01/06 18:48:36.0765 UserName: steve r warner
    2011/01/06 18:48:36.0765 Windows directory: C:\WINDOWS
    2011/01/06 18:48:36.0765 System windows directory: C:\WINDOWS
    2011/01/06 18:48:36.0765 Processor architecture: Intel x86
    2011/01/06 18:48:36.0765 Number of processors: 2
    2011/01/06 18:48:36.0765 Page size: 0x1000
    2011/01/06 18:48:36.0765 Boot type: Normal boot
    2011/01/06 18:48:36.0765 ================================================================================
    2011/01/06 18:48:36.0937 Initialize success

    *******Combofix
    ComboFix 11-01-03.01 - steve r warner 4/2011 Tue 18:52:15.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.932.81.1033.18.1535.1157 [GMT -8:00]
    Running from: c:\documents and settings\steve r warner\Desktop\ComboFix.exe
    AV: Avira AntiVir PersonalEdition *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: VirusRanger 3.6 *Enabled/Outdated* {BED2903C-5EE3-4973-9679-828AE087DAE6}
    .
    Error: Cfiles.dat
    ((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
    .
    2011-01-05 02:41 . 2011-01-05 02:42 -------- d-----w- C:\32788R22FWJFW
    2011-01-04 05:04 . 2011-01-04 19:03 -------- d-----w- c:\program files\roguescanfix
    2011-01-03 20:20 . 2011-01-03 20:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
    2011-01-03 20:10 . 2011-01-03 20:10 -------- d-----w- c:\documents and settings\steve r warner\Application Data\AdobeUM
    2011-01-03 18:42 . 2011-01-03 18:45 -------- dc-h--w- c:\windows\ie8
    2010-12-30 16:35 . 2010-12-30 16:35 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Netscape Internet Service
    2010-12-30 16:35 . 2010-12-30 16:35 -------- d-----w- c:\program files\Netscape Internet Service
    2010-12-30 16:35 . 2010-12-30 16:35 -------- d--h--w- c:\windows\PIF
    2010-12-29 02:06 . 2010-12-29 23:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
    2010-12-29 02:06 . 2010-12-29 23:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
    2010-12-29 02:06 . 2010-12-29 23:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
    2010-12-29 02:06 . 2010-12-29 23:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
    2010-12-29 02:06 . 2010-12-29 23:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
    2010-12-29 02:06 . 2010-12-29 23:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
    2010-12-29 02:06 . 2010-12-29 23:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
    2010-12-24 06:23 . 2010-12-24 06:23 709456 ----a-w- c:\windows\isRS-000.tmp
    2010-12-16 03:05 . 2010-12-16 03:06 -------- d-----w- c:\documents and settings\steve r warner\Application Data\Registry Mechanic
    2010-12-16 02:33 . 2010-12-16 02:33 -------- d-----w- c:\documents and settings\steve r warner\Application Data\Uniblue
    2010-12-16 02:32 . 2010-12-16 02:32 -------- d-----w- c:\documents and settings\steve r warner\Local Settings\Application Data\PackageAware
    2010-12-15 15:34 . 2010-12-15 15:34 -------- d-----w- c:\documents and settings\steve r warner\Application Data\Intuit
    2010-12-15 15:34 . 2010-12-15 15:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Intuit
    2010-12-15 14:52 . 2011-01-04 23:10 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-12-11 15:56 . 2010-12-11 15:56 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-12-11 15:55 . 2010-12-11 15:55 -------- d-----w- c:\program files\Bonjour
    2010-12-11 15:54 . 2010-12-11 15:54 -------- d-----w- c:\program files\Xiph.Org
    2010-12-10 02:44 . 2008-12-12 19:11 61440 ----a-w- c:\windows\system32\dnssd.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-21 02:09 . 2009-02-19 03:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-21 02:08 . 2009-02-19 03:16 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-30 22:28 . 2009-02-14 21:30 253688 ----a-w- c:\windows\system32\cssdll32.dll
    2010-10-16 02:19 . 2010-10-16 02:19 53248 ----a-r- c:\documents and settings\steve r warner\Application Data\Microsoft\Installer\{08DEC21F-F7E5-46F9-81D1-3ED30BD3AEC9}\ARPPRODUCTICON.exe
    2009-06-20 16:24 . 2009-06-20 16:24 714136 ----a-w- c:\program files\JavaSetup6u14.exe
    2009-05-25 16:37 . 2009-05-25 16:37 476696 ----a-w- c:\program files\RealPlayer11GOLD.exe
    2005-12-08 03:19 . 2005-12-08 03:19 774144 ----a-w- c:\program files\RngInterstitial.dll
    .
    ((((((((((((((((((((((((((((( [email protected]_07.15.04 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2006-10-19 04:47 . 2006-10-19 04:47 38400 c:\windows\system32\wpdshextres.dll
    + 2006-10-19 04:47 . 2006-10-19 05:47 38400 c:\windows\system32\wpdshextres.dll
    - 2008-02-24 01:44 . 2009-01-08 01:21 26144 c:\windows\system32\spupdsvc.exe
    + 2008-02-24 01:44 . 2009-01-08 02:21 26144 c:\windows\system32\spupdsvc.exe
    + 2011-01-03 18:33 . 2009-01-08 02:20 16928 c:\windows\system32\spmsg.dll
    - 2004-08-04 12:00 . 2009-03-08 11:31 46592 c:\windows\system32\pngfilt.dll
    + 2004-08-04 12:00 . 2009-03-08 12:31 46592 c:\windows\system32\pngfilt.dll
    + 2006-06-29 16:05 . 2009-01-08 02:20 23552 c:\windows\system32\normaliz.dll
    - 2006-06-29 16:05 . 2009-01-08 01:20 23552 c:\windows\system32\normaliz.dll
    + 2006-06-29 01:59 . 2009-01-08 02:20 24576 c:\windows\system32\nlsdl.dll
    - 2006-06-29 01:59 . 2009-01-08 01:20 24576 c:\windows\system32\nlsdl.dll
    + 2004-08-04 12:00 . 2009-03-08 12:31 48128 c:\windows\system32\mshtmler.dll
    - 2004-08-04 12:00 . 2009-03-08 11:31 48128 c:\windows\system32\mshtmler.dll
    - 2004-08-04 12:00 . 2010-09-10 05:58 66560 c:\windows\system32\mshtmled.dll
    + 2004-08-04 12:00 . 2009-03-08 12:31 66560 c:\windows\system32\mshtmled.dll
    - 2004-08-04 12:00 . 2009-03-08 11:31 45568 c:\windows\system32\mshta.exe
    + 2004-08-04 12:00 . 2009-03-08 12:31 45568 c:\windows\system32\mshta.exe
    - 2007-08-14 01:36 . 2009-03-08 11:31 13312 c:\windows\system32\msfeedssync.exe
    + 2007-08-14 01:36 . 2009-03-08 12:31 13312 c:\windows\system32\msfeedssync.exe
    - 2007-08-14 01:54 . 2010-09-10 05:58 55296 c:\windows\system32\msfeedsbs.dll
    + 2007-08-14 01:54 . 2009-03-08 12:31 55296 c:\windows\system32\msfeedsbs.dll
    + 2004-08-04 12:00 . 2009-03-08 12:34 43008 c:\windows\system32\licmgr10.dll
    - 2004-08-04 12:00 . 2010-09-10 05:58 25600 c:\windows\system32\jsproxy.dll
    + 2004-08-04 12:00 . 2009-03-08 12:33 25600 c:\windows\system32\jsproxy.dll
    + 2004-08-04 12:00 . 2009-03-08 12:32 94720 c:\windows\system32\inseng.dll
    - 2004-08-04 12:00 . 2009-03-08 11:32 94720 c:\windows\system32\inseng.dll
    + 2004-08-04 12:00 . 2009-03-08 12:31 34816 c:\windows\system32\imgutil.dll
    - 2004-08-04 12:00 . 2009-03-08 11:31 34816 c:\windows\system32\imgutil.dll
    + 2007-08-14 02:39 . 2009-03-08 12:32 36864 c:\windows\system32\ieudinit.exe
    - 2007-08-14 02:39 . 2009-03-08 11:32 36864 c:\windows\system32\ieudinit.exe
    + 2004-08-04 12:00 . 2009-03-08 12:32 71680 c:\windows\system32\iesetup.dll
    - 2004-08-04 12:00 . 2009-03-08 11:32 71680 c:\windows\system32\iesetup.dll
    - 2004-08-04 12:00 . 2009-03-08 11:32 55808 c:\windows\system32\iernonce.dll
    + 2004-08-04 12:00 . 2009-03-08 12:32 55808 c:\windows\system32\iernonce.dll
    + 2006-06-29 16:05 . 2009-01-08 02:20 26112 c:\windows\system32\idndl.dll
    - 2006-06-29 16:05 . 2009-01-08 01:20 26112 c:\windows\system32\idndl.dll
    + 2007-08-14 01:36 . 2009-03-08 12:31 59904 c:\windows\system32\icardie.dll
    - 2007-08-14 01:36 . 2009-03-08 11:31 59904 c:\windows\system32\icardie.dll
    - 2004-08-04 12:00 . 2009-03-08 11:31 46592 c:\windows\system32\dllcache\pngfilt.dll
    + 2004-08-04 12:00 . 2009-03-08 12:31 46592 c:\windows\system32\dllcache\pngfilt.dll
    + 2004-08-04 12:00 . 2009-03-08 12:31 48128 c:\windows\system32\dllcache\mshtmler.dll
    - 2004-08-04 12:00 . 2009-03-08 11:31 48128 c:\windows\system32\dllcache\mshtmler.dll
    - 2004-08-04 12:00 . 2010-09-10 05:58 66560 c:\windows\system32\dllcache\mshtmled.dll
    + 2004-08-04 12:00 . 2009-03-08 12:31 66560 c:\windows\system32\dllcache\mshtmled.dll
    - 2004-08-04 12:00 . 2009-03-08 11:31 45568 c:\windows\system32\dllcache\mshta.exe
    + 2004-08-04 12:00 . 2009-03-08 12:31 45568 c:\windows\system32\dllcache\mshta.exe
    - 2008-02-24 16:45 . 2010-09-10 05:58 55296 c:\windows\system32\dllcache\msfeedsbs.dll
    + 2008-02-24 16:45 . 2009-03-08 12:31 55296 c:\windows\system32\dllcache\msfeedsbs.dll
    + 2004-08-04 12:00 . 2009-03-08 12:34 43008 c:\windows\system32\dllcache\licmgr10.dll
    - 2004-08-04 12:00 . 2010-09-10 05:58 25600 c:\windows\system32\dllcache\jsproxy.dll
    + 2004-08-04 12:00 . 2009-03-08 12:33 25600 c:\windows\system32\dllcache\jsproxy.dll
    - 2004-08-04 12:00 . 2009-03-08 11:32 94720 c:\windows\system32\dllcache\inseng.dll
    + 2004-08-04 12:00 . 2009-03-08 12:32 94720 c:\windows\system32\dllcache\inseng.dll
    + 2004-08-04 12:00 . 2009-03-08 12:31 34816 c:\windows\system32\dllcache\imgutil.dll
    - 2004-08-04 12:00 . 2009-03-08 11:31 34816 c:\windows\system32\dllcache\imgutil.dll
    - 2004-08-04 12:00 . 2009-03-08 11:32 71680 c:\windows\system32\dllcache\iesetup.dll
    + 2004-08-04 12:00 . 2009-03-08 12:32 71680 c:\windows\system32\dllcache\iesetup.dll
    - 2004-08-04 12:00 . 2009-03-08 11:32 55808 c:\windows\system32\dllcache\iernonce.dll
    + 2004-08-04 12:00 . 2009-03-08 12:32 55808 c:\windows\system32\dllcache\iernonce.dll
    + 2008-02-24 16:45 . 2009-03-08 12:31 59904 c:\windows\system32\dllcache\icardie.dll
    - 2008-02-24 16:45 . 2009-03-08 11:31 59904 c:\windows\system32\dllcache\icardie.dll
    - 2004-11-15 21:42 . 2009-03-08 11:24 68608 c:\windows\system32\dllcache\hmmapi.dll
    + 2004-11-15 21:42 . 2009-03-08 12:24 68608 c:\windows\system32\dllcache\hmmapi.dll
    + 2009-03-08 12:33 . 2009-03-08 12:33 18944 c:\windows\system32\dllcache\corpol.dll
    - 2009-03-08 11:33 . 2009-03-08 11:33 18944 c:\windows\system32\dllcache\corpol.dll
    - 2004-08-04 12:00 . 2009-03-08 11:32 72704 c:\windows\system32\dllcache\admparse.dll
    + 2004-08-04 12:00 . 2009-03-08 12:32 72704 c:\windows\system32\dllcache\admparse.dll
    - 2004-08-04 12:00 . 2009-03-08 11:33 18944 c:\windows\system32\corpol.dll
    + 2004-08-04 12:00 . 2009-03-08 12:33 18944 c:\windows\system32\corpol.dll
    - 2004-08-04 12:00 . 2009-03-08 11:32 72704 c:\windows\system32\admparse.dll
    + 2004-08-04 12:00 . 2009-03-08 12:32 72704 c:\windows\system32\admparse.dll
    + 2011-01-03 20:08 . 2011-01-03 20:08 65536 c:\windows\Installer\{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}\NewShortcut3_4BDFD2CE632942E498019B3D1F10D79B.exe
    + 2011-01-03 20:08 . 2011-01-03 20:08 65536 c:\windows\Installer\{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}\NewShortcut2_4BDFD2CE632942E498019B3D1F10D79B.exe
    + 2011-01-03 20:08 . 2011-01-03 20:08 65536 c:\windows\Installer\{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}\ARPPRODUCTICON.exe
    + 2011-01-03 18:44 . 2009-03-08 22:23 58464 c:\windows\ie8\spuninst\iecustom.dll
    - 2009-06-27 17:05 . 2009-03-08 21:23 58464 c:\windows\ie8\spuninst\iecustom.dll
    - 2009-06-27 17:03 . 2009-04-29 04:56 44544 c:\windows\ie8\pngfilt.dll
    + 2011-01-03 18:42 . 2009-04-29 04:56 44544 c:\windows\ie8\pngfilt.dll
    + 2011-01-03 18:42 . 2007-08-14 01:01 48128 c:\windows\ie8\mshtmler.dll
    - 2009-06-27 17:03 . 2007-08-14 01:01 48128 c:\windows\ie8\mshtmler.dll
    + 2011-01-03 18:42 . 2007-08-14 01:32 45568 c:\windows\ie8\mshta.exe
    - 2009-06-27 17:03 . 2007-08-14 01:32 45568 c:\windows\ie8\mshta.exe
    + 2011-01-03 18:42 . 2007-08-14 01:36 12288 c:\windows\ie8\msfeedssync.exe
    - 2009-06-27 17:03 . 2007-08-14 01:36 12288 c:\windows\ie8\msfeedssync.exe
    - 2009-06-27 17:03 . 2009-04-29 04:55 52224 c:\windows\ie8\msfeedsbs.dll
    + 2011-01-03 18:42 . 2009-04-29 04:55 52224 c:\windows\ie8\msfeedsbs.dll
    + 2011-01-03 18:42 . 2007-08-14 01:44 40960 c:\windows\ie8\licmgr10.dll
    - 2009-06-27 17:03 . 2007-08-14 01:44 40960 c:\windows\ie8\licmgr10.dll
    - 2009-06-27 17:03 . 2009-04-29 04:55 27648 c:\windows\ie8\jsproxy.dll
    + 2011-01-03 18:42 . 2009-04-29 04:55 27648 c:\windows\ie8\jsproxy.dll
    - 2009-06-27 17:03 . 2007-08-14 01:39 92672 c:\windows\ie8\inseng.dll
    + 2011-01-03 18:42 . 2007-08-14 01:39 92672 c:\windows\ie8\inseng.dll
    + 2011-01-03 18:42 . 2007-08-14 01:36 36352 c:\windows\ie8\imgutil.dll
    - 2009-06-27 17:03 . 2007-08-14 01:36 36352 c:\windows\ie8\imgutil.dll
    + 2011-01-03 18:42 . 2007-08-14 01:39 55296 c:\windows\ie8\iesetup.dll
    - 2009-06-27 17:03 . 2007-08-14 01:39 55296 c:\windows\ie8\iesetup.dll
    - 2009-06-27 17:03 . 2009-04-29 04:55 44544 c:\windows\ie8\iernonce.dll
    + 2011-01-03 18:42 . 2009-04-29 04:55 44544 c:\windows\ie8\iernonce.dll
    + 2011-01-03 18:42 . 2009-04-29 04:55 78336 c:\windows\ie8\ieencode.dll
    - 2009-06-27 17:03 . 2009-04-29 04:55 78336 c:\windows\ie8\ieencode.dll
    - 2009-06-27 17:03 . 2009-04-28 09:05 70656 c:\windows\ie8\ie4uinit.exe
    + 2011-01-03 18:42 . 2009-04-28 09:05 70656 c:\windows\ie8\ie4uinit.exe
    + 2011-01-03 18:42 . 2009-04-29 04:55 63488 c:\windows\ie8\icardie.dll
    - 2009-06-27 17:03 . 2009-04-29 04:55 63488 c:\windows\ie8\icardie.dll
    + 2011-01-03 18:42 . 2007-08-14 01:18 60416 c:\windows\ie8\hmmapi.dll
    - 2009-06-27 17:03 . 2007-08-14 01:18 60416 c:\windows\ie8\hmmapi.dll
    - 2009-06-27 17:03 . 2008-04-14 00:11 35328 c:\windows\ie8\corpol.dll
    + 2011-01-03 18:42 . 2008-04-14 00:11 35328 c:\windows\ie8\corpol.dll
    - 2009-06-27 17:03 . 2007-08-14 01:39 71680 c:\windows\ie8\admparse.dll
    + 2011-01-03 18:42 . 2007-08-14 01:39 71680 c:\windows\ie8\admparse.dll
    - 2008-02-24 16:43 . 2009-01-08 01:21 121856 c:\windows\system32\xmllite.dll
    + 2008-02-24 16:43 . 2009-01-08 02:21 121856 c:\windows\system32\xmllite.dll
    + 2004-08-04 12:00 . 2009-03-08 12:34 914944 c:\windows\system32\wininet.dll
    + 2007-08-14 01:45 . 2009-03-08 12:34 208384 c:\windows\system32\WinFXDocObj.exe
    - 2007-08-14 01:45 . 2009-03-08 11:34 208384 c:\windows\system32\WinFXDocObj.exe
    - 2004-08-04 12:00 . 2009-03-08 11:34 236544 c:\windows\system32\webcheck.dll
    + 2004-08-04 12:00 . 2009-03-08 12:34 236544 c:\windows\system32\webcheck.dll
    - 2004-08-04 12:00 . 2010-03-10 06:15 420352 c:\windows\system32\vbscript.dll
    + 2004-08-04 12:00 . 2009-03-08 12:33 420352 c:\windows\system32\vbscript.dll
    + 2004-08-04 12:00 . 2009-03-08 12:34 105984 c:\windows\system32\url.dll
    - 2004-08-04 12:00 . 2009-03-08 11:34 105984 c:\windows\system32\url.dll
    + 2004-08-04 12:00 . 2009-03-08 12:34 109568 c:\windows\system32\occache.dll
    - 2004-08-04 12:00 . 2010-09-10 05:58 611840 c:\windows\system32\mstime.dll
    + 2004-08-04 12:00 . 2009-03-08 12:32 611840 c:\windows\system32\mstime.dll
    - 2004-08-04 12:00 . 2009-03-08 11:34 193536 c:\windows\system32\msrating.dll
    + 2004-08-04 12:00 . 2009-03-08 12:34 193536 c:\windows\system32\msrating.dll
    + 2004-08-04 12:00 . 2009-03-08 12:22 156160 c:\windows\system32\msls31.dll
    - 2004-08-04 12:00 . 2009-03-08 11:22 156160 c:\windows\system32\msls31.dll
    + 2007-08-14 01:54 . 2009-03-08 12:32 594432 c:\windows\system32\msfeeds.dll
    + 2009-01-08 01:20 . 2009-01-08 02:20 265720 c:\windows\system32\msdbg2.dll
    - 2009-01-08 01:20 . 2009-01-08 01:20 265720 c:\windows\system32\msdbg2.dll
    - 2004-08-04 12:00 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
    + 2004-08-04 12:00 . 2009-03-08 12:33 726528 c:\windows\system32\jscript.dll
    - 2007-08-14 01:54 . 2009-03-08 11:22 164352 c:\windows\system32\ieui.dll
    + 2007-08-14 01:54 . 2009-03-08 12:22 164352 c:\windows\system32\ieui.dll
    + 2004-08-04 12:00 . 2009-03-08 12:31 183808 c:\windows\system32\iepeers.dll
    + 2004-08-04 12:00 . 2009-03-08 22:09 391536 c:\windows\system32\iedkcs32.dll
    + 2007-07-11 19:27 . 2009-03-08 12:11 445952 c:\windows\system32\ieapfltr.dll
    - 2007-07-11 19:27 . 2009-03-08 11:11 445952 c:\windows\system32\ieapfltr.dll
    - 2004-08-04 12:00 . 2009-03-08 11:32 163840 c:\windows\system32\ieakui.dll
    + 2004-08-04 12:00 . 2009-03-08 12:32 163840 c:\windows\system32\ieakui.dll
    + 2004-08-04 12:00 . 2009-03-08 12:33 229376 c:\windows\system32\ieaksie.dll
    - 2004-08-04 12:00 . 2009-03-08 11:33 229376 c:\windows\system32\ieaksie.dll
    - 2004-08-04 12:00 . 2009-03-08 11:33 125952 c:\windows\system32\ieakeng.dll
    + 2004-08-04 12:00 . 2009-03-08 12:33 125952 c:\windows\system32\ieakeng.dll
    + 2004-08-04 12:00 . 2009-03-08 12:32 173056 c:\windows\system32\ie4uinit.exe
    - 2004-08-04 12:00 . 2010-08-26 12:22 173056 c:\windows\system32\ie4uinit.exe
    + 2008-02-14 16:45 . 2011-01-04 01:54 163528 c:\windows\system32\FNTCACHE.DAT
    + 2004-08-04 12:00 . 2009-03-08 12:31 216064 c:\windows\system32\dxtrans.dll
    - 2004-08-04 12:00 . 2009-03-08 11:31 216064 c:\windows\system32\dxtrans.dll
    - 2004-08-04 12:00 . 2009-03-08 11:31 348160 c:\windows\system32\dxtmsft.dll
    + 2004-08-04 12:00 . 2009-03-08 12:31 348160 c:\windows\system32\dxtmsft.dll
    + 2004-08-04 12:00 . 2009-03-08 12:34 914944 c:\windows\system32\dllcache\wininet.dll
    - 2004-08-04 12:00 . 2009-03-08 11:34 236544 c:\windows\system32\dllcache\webcheck.dll
    + 2004-08-04 12:00 . 2009-03-08 12:34 236544 c:\windows\system32\dllcache\webcheck.dll
    - 2004-11-15 21:42 . 2009-03-08 11:33 759296 c:\windows\system32\dllcache\VGX.dll
    + 2004-11-15 21:42 . 2009-03-08 12:33 759296 c:\windows\system32\dllcache\VGX.dll
    + 2008-05-09 10:53 . 2009-03-08 12:33 420352 c:\windows\system32\dllcache\vbscript.dll
    - 2008-05-09 10:53 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll
    + 2004-08-04 12:00 . 2009-03-08 12:34 105984 c:\windows\system32\dllcache\url.dll
    - 2004-08-04 12:00 . 2009-03-08 11:34 105984 c:\windows\system32\dllcache\url.dll
    - 2009-01-08 01:20 . 2009-01-08 01:20 134144 c:\windows\system32\dllcache\sqmapi.dll
    + 2009-01-08 02:20 . 2009-01-08 02:20 134144 c:\windows\system32\dllcache\sqmapi.dll
    + 2009-01-08 02:20 . 2009-01-08 02:20 474112 c:\windows\system32\dllcache\shlwapi.dll
    - 2009-01-08 01:20 . 2009-12-08 09:23 474112 c:\windows\system32\dllcache\shlwapi.dll
    + 2004-08-04 12:00 . 2009-03-08 12:34 109568 c:\windows\system32\dllcache\occache.dll
    - 2004-08-04 12:00 . 2010-09-10 05:58 611840 c:\windows\system32\dllcache\mstime.dll
    + 2004-08-04 12:00 . 2009-03-08 12:32 611840 c:\windows\system32\dllcache\mstime.dll
    + 2004-08-04 12:00 . 2009-03-08 12:34 193536 c:\windows\system32\dllcache\msrating.dll
    - 2004-08-04 12:00 . 2009-03-08 11:34 193536 c:\windows\system32\dllcache\msrating.dll
    + 2004-08-04 12:00 . 2009-03-08 12:22 156160 c:\windows\system32\dllcache\msls31.dll
    - 2004-08-04 12:00 . 2009-03-08 11:22 156160 c:\windows\system32\dllcache\msls31.dll
    + 2008-02-24 16:45 . 2009-03-08 12:32 594432 c:\windows\system32\dllcache\msfeeds.dll
    + 2008-05-09 10:53 . 2009-03-08 12:33 726528 c:\windows\system32\dllcache\jscript.dll
    - 2008-05-09 10:53 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
    - 2004-11-15 21:42 . 2009-03-08 21:09 638816 c:\windows\system32\dllcache\iexplore.exe
    + 2004-11-15 21:42 . 2009-03-08 22:09 638816 c:\windows\system32\dllcache\iexplore.exe
    + 2004-08-04 12:00 . 2009-03-08 12:31 183808 c:\windows\system32\dllcache\iepeers.dll
    + 2004-08-04 12:00 . 2009-03-08 22:09 391536 c:\windows\system32\dllcache\iedkcs32.dll
    + 2008-02-24 16:45 . 2009-03-08 12:11 445952 c:\windows\system32\dllcache\ieapfltr.dll
    - 2008-02-24 16:45 . 2009-03-08 11:11 445952 c:\windows\system32\dllcache\ieapfltr.dll
    + 2004-08-04 12:00 . 2009-03-08 12:32 163840 c:\windows\system32\dllcache\ieakui.dll
    - 2004-08-04 12:00 . 2009-03-08 11:32 163840 c:\windows\system32\dllcache\ieakui.dll
    + 2004-08-04 12:00 . 2009-03-08 12:33 229376 c:\windows\system32\dllcache\ieaksie.dll
    - 2004-08-04 12:00 . 2009-03-08 11:33 229376 c:\windows\system32\dllcache\ieaksie.dll
    - 2004-08-04 12:00 . 2009-03-08 11:33 125952 c:\windows\system32\dllcache\ieakeng.dll
    + 2004-08-04 12:00 . 2009-03-08 12:33 125952 c:\windows\system32\dllcache\ieakeng.dll
    + 2004-08-04 12:00 . 2009-03-08 12:32 173056 c:\windows\system32\dllcache\ie4uinit.exe
    - 2004-08-04 12:00 . 2010-08-26 12:22 173056 c:\windows\system32\dllcache\ie4uinit.exe
    - 2004-08-04 12:00 . 2009-03-08 11:31 216064 c:\windows\system32\dllcache\dxtrans.dll
    + 2004-08-04 12:00 . 2009-03-08 12:31 216064 c:\windows\system32\dllcache\dxtrans.dll
    + 2004-08-04 12:00 . 2009-03-08 12:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
    - 2004-08-04 12:00 . 2009-03-08 11:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
    + 2004-08-04 12:00 . 2009-03-08 12:32 128512 c:\windows\system32\dllcache\advpack.dll
    - 2004-08-04 12:00 . 2009-03-08 11:32 128512 c:\windows\system32\dllcache\advpack.dll
    - 2004-08-04 12:00 . 2009-03-08 11:32 128512 c:\windows\system32\advpack.dll
    + 2004-08-04 12:00 . 2009-03-08 12:32 128512 c:\windows\system32\advpack.dll
    + 2011-01-03 20:08 . 2011-01-03 20:08 809984 c:\windows\Installer\4b4916.msi
    + 2010-12-29 02:03 . 2010-12-29 02:03 807936 c:\windows\Installer\21a6b6.msi
    + 2009-11-19 02:17 . 2010-12-30 22:14 307200 c:\windows\Installer\{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}\SafariIco.exe
    - 2009-11-19 02:17 . 2009-11-19 02:17 307200 c:\windows\Installer\{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}\SafariIco.exe
    - 2009-06-27 17:03 . 2009-04-29 04:56 827392 c:\windows\ie8\wininet.dll
    + 2011-01-03 18:42 . 2009-04-29 04:56 827392 c:\windows\ie8\wininet.dll
    - 2009-06-27 17:03 . 2007-08-14 01:45 206336 c:\windows\ie8\winfxdocobj.exe
    + 2011-01-03 18:42 . 2007-08-14 01:45 206336 c:\windows\ie8\winfxdocobj.exe
    - 2009-06-27 17:03 . 2009-04-29 04:56 233472 c:\windows\ie8\webcheck.dll
    + 2011-01-03 18:42 . 2009-04-29 04:56 233472 c:\windows\ie8\webcheck.dll
    + 2011-01-03 18:42 . 2008-05-27 17:23 765952 c:\windows\ie8\vgx.dll
    - 2009-06-27 17:03 . 2008-05-27 17:23 765952 c:\windows\ie8\vgx.dll
    + 2011-01-03 18:42 . 2008-05-09 10:53 430080 c:\windows\ie8\vbscript.dll
    - 2009-06-27 17:03 . 2008-05-09 10:53 430080 c:\windows\ie8\vbscript.dll
    - 2009-06-27 17:03 . 2009-04-29 04:56 105984 c:\windows\ie8\url.dll
    + 2011-01-03 18:42 . 2009-04-29 04:56 105984 c:\windows\ie8\url.dll
    + 2011-01-03 18:44 . 2009-01-08 02:21 382496 c:\windows\ie8\spuninst\updspapi.dll
    - 2009-06-27 17:05 . 2009-01-08 01:21 382496 c:\windows\ie8\spuninst\updspapi.dll
    - 2009-06-27 17:05 . 2009-01-08 01:20 231456 c:\windows\ie8\spuninst\spuninst.exe
    + 2011-01-03 18:44 . 2009-01-08 02:20 231456 c:\windows\ie8\spuninst\spuninst.exe
    - 2009-06-27 17:03 . 2006-09-07 00:43 213216 c:\windows\ie8\spuninst.exe
    + 2011-01-03 18:42 . 2006-09-07 00:43 213216 c:\windows\ie8\spuninst.exe
    - 2009-06-27 17:03 . 2009-04-29 04:56 102912 c:\windows\ie8\occache.dll
    + 2011-01-03 18:42 . 2009-04-29 04:56 102912 c:\windows\ie8\occache.dll
    + 2011-01-03 18:42 . 2009-04-29 04:56 671232 c:\windows\ie8\mstime.dll
    - 2009-06-27 17:03 . 2009-04-29 04:56 671232 c:\windows\ie8\mstime.dll
    - 2009-06-27 17:03 . 2009-04-29 04:56 193024 c:\windows\ie8\msrating.dll
    + 2011-01-03 18:42 . 2009-04-29 04:56 193024 c:\windows\ie8\msrating.dll
    - 2009-06-27 17:03 . 2007-08-14 01:54 156160 c:\windows\ie8\msls31.dll
    + 2011-01-03 18:42 . 2007-08-14 01:54 156160 c:\windows\ie8\msls31.dll
    + 2011-01-03 18:42 . 2009-04-29 04:56 477696 c:\windows\ie8\mshtmled.dll
    - 2009-06-27 17:03 . 2009-04-29 04:56 477696 c:\windows\ie8\mshtmled.dll
    + 2011-01-03 18:42 . 2009-04-29 04:55 459264 c:\windows\ie8\msfeeds.dll
    - 2009-06-27 17:03 . 2009-04-29 04:55 459264 c:\windows\ie8\msfeeds.dll
    - 2009-06-27 17:03 . 2008-05-09 10:53 512000 c:\windows\ie8\jscript.dll
    + 2011-01-03 18:42 . 2008-05-09 10:53 512000 c:\windows\ie8\jscript.dll
    - 2009-06-27 17:03 . 2009-04-25 05:27 636088 c:\windows\ie8\iexplore.exe
    + 2011-01-03 18:42 . 2009-04-25 05:27 636088 c:\windows\ie8\iexplore.exe
    + 2011-01-03 18:42 . 2007-08-14 01:54 180736 c:\windows\ie8\ieui.dll
    - 2009-06-27 17:03 . 2007-08-14 01:54 180736 c:\windows\ie8\ieui.dll
    - 2009-06-27 17:03 . 2009-04-29 04:55 268288 c:\windows\ie8\iertutil.dll
    + 2011-01-03 18:42 . 2009-04-29 04:55 268288 c:\windows\ie8\iertutil.dll
    - 2009-06-27 17:03 . 2007-08-14 01:54 287744 c:\windows\ie8\ieproxy.dll
    + 2011-01-03 18:42 . 2007-08-14 01:54 287744 c:\windows\ie8\ieproxy.dll
    - 2009-06-27 17:03 . 2007-08-14 01:54 191488 c:\windows\ie8\iepeers.dll
    + 2011-01-03 18:42 . 2007-08-14 01:54 191488 c:\windows\ie8\iepeers.dll
    + 2011-01-03 18:42 . 2009-04-29 04:55 385024 c:\windows\ie8\iedkcs32.dll
    - 2009-06-27 17:03 . 2009-04-29 04:55 385024 c:\windows\ie8\iedkcs32.dll
    - 2009-06-27 17:03 . 2009-04-29 04:55 383488 c:\windows\ie8\ieapfltr.dll
    + 2011-01-03 18:42 . 2009-04-29 04:55 383488 c:\windows\ie8\ieapfltr.dll
    - 2009-06-27 17:03 . 2009-04-25 05:26 161792 c:\windows\ie8\ieakui.dll
    + 2011-01-03 18:42 . 2009-04-25 05:26 161792 c:\windows\ie8\ieakui.dll
    + 2011-01-03 18:42 . 2009-04-29 04:55 230400 c:\windows\ie8\ieaksie.dll
    - 2009-06-27 17:03 . 2009-04-29 04:55 230400 c:\windows\ie8\ieaksie.dll
    - 2009-06-27 17:03 . 2009-04-29 04:55 153088 c:\windows\ie8\ieakeng.dll
    + 2011-01-03 18:42 . 2009-04-29 04:55 153088 c:\windows\ie8\ieakeng.dll
    - 2009-06-27 17:03 . 2009-04-29 04:55 214528 c:\windows\ie8\dxtrans.dll
    + 2011-01-03 18:42 . 2009-04-29 04:55 214528 c:\windows\ie8\dxtrans.dll
    + 2011-01-03 18:42 . 2009-04-29 04:55 347136 c:\windows\ie8\dxtmsft.dll
    - 2009-06-27 17:03 . 2009-04-29 04:55 347136 c:\windows\ie8\dxtmsft.dll
    + 2011-01-03 18:42 . 2009-04-29 04:55 124928 c:\windows\ie8\advpack.dll
    - 2009-06-27 17:03 . 2009-04-29 04:55 124928 c:\windows\ie8\advpack.dll
    + 2004-08-04 12:00 . 2009-03-08 12:34 1206784 c:\windows\system32\urlmon.dll
    + 2008-02-16 01:15 . 2010-12-30 16:35 2577992 c:\windows\system32\Restore\rstrlog.dat
    + 2004-08-04 12:00 . 2009-03-08 12:41 5937152 c:\windows\system32\mshtml.dll
    + 2007-08-14 01:34 . 2009-03-08 12:32 1985024 c:\windows\system32\iertutil.dll
    - 2007-02-12 23:10 . 2009-02-07 04:07 3698584 c:\windows\system32\ieapfltr.dat
    + 2007-02-12 23:10 . 2009-02-07 05:07 3698584 c:\windows\system32\ieapfltr.dat
    + 2004-08-04 12:00 . 2009-03-08 12:34 1206784 c:\windows\system32\dllcache\urlmon.dll
    + 2009-01-08 02:20 . 2009-01-08 02:20 1497088 c:\windows\system32\dllcache\shdocvw.dll
    - 2009-01-08 01:20 . 2009-01-08 01:20 1497088 c:\windows\system32\dllcache\shdocvw.dll
    + 2004-08-04 12:00 . 2009-03-08 12:41 5937152 c:\windows\system32\dllcache\mshtml.dll
    + 2008-02-24 16:45 . 2009-03-08 12:32 1985024 c:\windows\system32\dllcache\iertutil.dll
    + 2008-02-24 16:45 . 2009-02-07 05:07 3698584 c:\windows\system32\dllcache\ieapfltr.dat
    - 2008-02-24 16:45 . 2009-02-07 04:07 3698584 c:\windows\system32\dllcache\ieapfltr.dat
    - 2009-01-08 01:20 . 2009-01-08 01:20 1022976 c:\windows\system32\dllcache\browseui.dll
    + 2009-01-08 02:20 . 2009-01-08 02:20 1022976 c:\windows\system32\dllcache\browseui.dll
    + 2010-12-29 02:05 . 2010-12-29 02:05 9472000 c:\windows\Installer\21a97a.msi
    + 2010-12-30 22:14 . 2010-12-30 22:14 2449408 c:\windows\Installer\11eac1.msi
    - 2009-06-27 17:03 . 2009-04-29 04:56 1159680 c:\windows\ie8\urlmon.dll
    + 2011-01-03 18:42 . 2009-04-29 04:56 1159680 c:\windows\ie8\urlmon.dll
    + 2011-01-03 18:42 . 2009-04-29 04:56 3596288 c:\windows\ie8\mshtml.dll
    - 2009-06-27 17:03 . 2009-04-29 04:56 3596288 c:\windows\ie8\mshtml.dll
    + 2011-01-03 18:42 . 2009-04-29 04:55 6066176 c:\windows\ie8\ieframe.dll
    - 2009-06-27 17:03 . 2009-04-29 04:55 6066176 c:\windows\ie8\ieframe.dll
    - 2009-06-27 17:03 . 2008-07-09 14:25 2455488 c:\windows\ie8\ieapfltr.dat
    + 2011-01-03 18:42 . 2008-07-09 14:25 2455488 c:\windows\ie8\ieapfltr.dat
    + 2010-10-22 04:04 . 2010-10-22 04:04 2827728 c:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
    + 2010-12-22 06:00 . 2011-01-03 20:08 6809228 c:\windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi
    + 2007-08-14 01:54 . 2009-03-08 12:39 11063808 c:\windows\system32\ieframe.dll
    + 2008-02-24 16:45 . 2009-03-08 12:39 11063808 c:\windows\system32\dllcache\ieframe.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-30 68856]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-04 2424560]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PhotoExplosionCalCheck"="c:\program files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe" [2006-05-10 69632]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
    "SoundMan"="SOUNDMAN.EXE" [2004-10-21 77824]
    "AlcWzrd"="ALCWZRD.EXE" [2004-10-22 2744832]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    c:\documents and settings\steve r warner\Start Menu\Programs\Startup\
    V CAST Media Monitor.lnk - c:\program files\V CAST Media Manager\MEMonitor.exe [N/A]
    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\cssdll32.dll
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
    R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
    S0 fdghlcg;fdghlcg;c:\windows\system32\drivers\qlti.sys --> c:\windows\system32\drivers\qlti.sys [?]
    S0 ihmrecc;ihmrecc;c:\windows\system32\drivers\qyqfxol.sys --> c:\windows\system32\drivers\qyqfxol.sys [?]
    S0 lodwu;lodwu;c:\windows\system32\drivers\sgnm.sys --> c:\windows\system32\drivers\sgnm.sys [?]
    S0 mlfd;mlfd;c:\windows\system32\drivers\omwvg.sys --> c:\windows\system32\drivers\omwvg.sys [?]
    S0 tnwxvpep;tnwxvpep;c:\windows\system32\drivers\domkaljp.sys --> c:\windows\system32\drivers\domkaljp.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/27/2010 8:25 PM 135664]
    .
    Contents of the 'Scheduled Tasks' folder
    2010-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 20:34]
    2011-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-28 04:25]
    2011-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-28 04:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:8074
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    Trusted Zone: microsoft.com\www
    Trusted Zone: msn.com\www
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-04 19:05
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD2000JD-98HBB0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-17
    device: opened successfully
    user: MBR read successfully
    Disk trace:
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A307555]<<
    c:\docume~1\STEVER~1\LOCALS~1\Temp\catchme.sys
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a30d7b0]; MOV EAX, [0x8a30d82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A332AB8]
    3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000066[0x8A3E64D0]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A376D98]
    \Driver\atapi[0x8A375988] -> IRP_MJ_CREATE -> 0x8A307555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP2T0L0-17 -> \??\IDE#DiskWDC_WD2000JD-98HBB0_____________________08.02D08#4457572d4143384c383136333433_036_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A30739B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    "Installed"="1"
    @=""
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    "NoChange"="1"
    "Installed"="1"
    @=""
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    "Installed"="1"
    @=""
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
    @DACL=(02 0000)
    @="Wireless"
    "ProcessGroupPolicy"="ProcessWIRELESSPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
    @DACL=(02 0000)
    @="Folder Redirection"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
    "DllName"=expand:"fdeploy.dll"
    "NoMachinePolicy"=dword:00000001
    "NoSlowLink"=dword:00000001
    "PerUserLocalSettings"=dword:00000001
    "NoGPOListChanges"=dword:00000000
    "NoBackgroundPolicy"=dword:00000000
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "EventSources"=multi:"(Folder Redirection,Application)\00\00"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
    @DACL=(02 0000)
    @="Microsoft Disk Quota"
    "NoMachinePolicy"=dword:00000000
    "NoUserPolicy"=dword:00000001
    "NoSlowLink"=dword:00000001
    "NoBackgroundPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "PerUserLocalSettings"=dword:00000000
    "RequiresSuccessfulRegistry"=dword:00000001
    "EnableAsynchronousProcessing"=dword:00000000
    "DllName"=expand:"dskquota.dll"
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
    @DACL=(02 0000)
    @="QoS Packet Scheduler"
    "ProcessGroupPolicy"="ProcessPSCHEDPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
    @DACL=(02 0000)
    @="Scripts"
    "ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
    "ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
    "GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
    "DllName"=expand:"gptext.dll"
    "NoSlowLink"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "NotifyLinkTransition"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
    @DACL=(02 0000)
    @="Internet Explorer Zonemapping"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
    "NoGPOListChanges"=dword:00000001
    "RequiresSucessfulRegistry"=dword:00000001
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "RequiresSuccessfulRegistry"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
    @DACL=(02 0000)
    @="Internet Explorer User Accelerators"
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "NoGPOListChanges"=dword:00000001
    "ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
    "RequiresSuccessfulRegistry"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
    @DACL=(02 0000)
    "ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
    "GenerateGroupPolicy"="SceGenerateGroupPolicy"
    "ExtensionRsopPlanningDebugLevel"=dword:00000001
    "ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
    "ExtensionDebugLevel"=dword:00000001
    "DllName"=expand:"scecli.dll"
    @="Security"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "EnableAsynchronousProcessing"=dword:00000001
    "MaxNoGPOListChangesInterval"=dword:000003c0
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
    @DACL=(02 0000)
    "ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    @="Internet Explorer Branding"
    "NoSlowLink"=dword:00000001
    "NoBackgroundPolicy"=dword:00000000
    "NoGPOListChanges"=dword:00000001
    "NoMachinePolicy"=dword:00000001
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
    @DACL=(02 0000)
    "ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
    "DllName"=expand:"scecli.dll"
    @="EFS recovery"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "RequiresSuccessfulRegistry"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
    @DACL=(02 0000)
    @="802.3 Group Policy"
    "DisplayName"=expand:"@dot3gpclnt.dll,-100"
    "ProcessGroupPolicyEx"="ProcessLANPolicyEx"
    "GenerateGroupPolicy"="GenerateLANPolicy"
    "DllName"=expand:"dot3gpclnt.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
    @DACL=(02 0000)
    @="Microsoft Offline Files"
    "DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
    "EnableAsynchronousProcessing"=dword:00000000
    "NoBackgroundPolicy"=dword:00000000
    "NoGPOListChanges"=dword:00000000
    "NoMachinePolicy"=dword:00000000
    "NoSlowLink"=dword:00000000
    "NoUserPolicy"=dword:00000001
    "PerUserLocalSettings"=dword:00000000
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    "RequiresSuccessfulRegistry"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
    @DACL=(02 0000)
    @="Software Installation"
    "DllName"=expand:"appmgmts.dll"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "NoBackgroundPolicy"=dword:00000000
    "RequiresSucessfulRegistry"=dword:00000000
    "NoSlowLink"=dword:00000001
    "PerUserLocalSettings"=dword:00000001
    "EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
    @DACL=(02 0000)
    @="Internet Explorer Machine Accelerators"
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "NoGPOListChanges"=dword:00000001
    "ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
    "RequiresSuccessfulRegistry"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
    @DACL=(02 0000)
    @="IP Security"
    "ProcessGroupPolicy"="ProcessIPSECPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    @DACL=(02 0000)
    "DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
    "Logon"="SABWINLOLogon"
    "Logoff"="SABWINLOLogoff"
    "Startup"="SABWINLOStartup"
    "Shutdown"="SABWINLOShutdown"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=expand:"crypt32.dll"
    "Logoff"="ChainWlxLogoffEvent"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=expand:"cryptnet.dll"
    "Logoff"="CryptnetWlxLogoffEvent"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    @DACL=(02 0000)
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000001
    "DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
    "Startup"="WlDimsStartup"
    "Shutdown"="WlDimsShutdown"
    "Logon"="WlDimsLogon"
    "Logoff"="WlDimsLogoff"
    "StartShell"="WlDimsStartShell"
    "Lock"="WlDimsLock"
    "Unlock"="WlDimsUnlock"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    @DACL=(02 0000)
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"wlnotify.dll"
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    @DACL=(02 0000)
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=expand:"sclgntfy.dll"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    @DACL=(02 0000)
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"wlnotify.dll"
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    @DACL=(02 0000)
    "Logon"="WLEventLogon"
    "Logoff"="WLEventLogoff"
    "Startup"="WLEventStartup"
    "Shutdown"="WLEventShutdown"
    "StartScreenSaver"="WLEventStartScreenSaver"
    "StopScreenSaver"="WLEventStopScreenSaver"
    "Lock"="WLEventLock"
    "Unlock"="WLEventUnlock"
    "StartShell"="WLEventStartShell"
    "PostShell"="WLEventPostShell"
    "Disconnect"="WLEventDisconnect"
    "Reconnect"="WLEventReconnect"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000000
    "SafeMode"=dword:00000001
    "MaxWait"=dword:ffffffff
    "DllName"=expand:"WgaLogon.dll"
    "Event"=dword:00000002
    "EulaAccepted"=dword:00000001
    "InstallEvent"="1.9.0040.0"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    @DACL=(02 0000)
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
    @DACL=(02 0000)
    "HelpAssistant"=dword:00000000
    "TsInternetUser"=dword:00000000
    "SQLAgentCmdExec"=dword:00000000
    "NetShowServices"=dword:00000000
    "IWAM_"=dword:00010000
    "IUSR_"=dword:00010000
    "VUSR_"=dword:00010000
    .
    Completion time: 2011-01-04 19:09:47
    ComboFix-quarantined-files.txt 2011-01-05 03:09
    ComboFix2.txt 2011-01-04 02:22
    ComboFix3.txt 2010-12-15 07:19
    Pre-Run: 150,543,388,672 bytes free
    Post-Run: 150,629,376,000 bytes free
    - - End Of File - - 3AADBB0E5BE45A9465BC7A57916E0319

    Thanks, Guys/Gals!
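The indicators an experienced helper would pull out of the ComboFix output above are scattered across four sections: a per-user IE proxy pointing at the loopback address (Supplementary Scan, `ProxyServer = http=127.0.0.1:8074`), a non-empty `AppInit_DLLs` value (Reg Loading Points), several boot-start `S0` services whose driver files could not be found (`[?]`) and whose names look machine-generated, and the Gmer section reporting an `atapi DriverStartIo` hook with a "possible TDL3 rootkit" warning. As an added example, not part of the original post and not code from ComboFix or Gmer, the Python script below reads ComboFix-style log text and flags exactly those indicator classes so they are not missed in a long log. The sample input is constructed from a few lines of the log above; the severity labels and the vowel-ratio heuristic for "random-looking" service names are my own assumptions, not anything the tools report. A non-empty `AppInit_DLLs` is only tagged for review, since the mechanism is legitimate and the log alone does not say what that DLL is.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines mirroring the structure of the
# ComboFix output in the post above (registry loading points, the service
# list, the Supplementary Scan and the Gmer MBR section). Not a full log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\cssdll32.dll
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
S0 fdghlcg;fdghlcg;c:\windows\system32\drivers\qlti.sys --> c:\windows\system32\drivers\qlti.sys [?]
S0 ihmrecc;ihmrecc;c:\windows\system32\drivers\qyqfxol.sys --> c:\windows\system32\drivers\qyqfxol.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/27/2010 8:25 PM 135664]
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A30739B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "review" (assumed labels, not from the tool)
    indicator: str  # short tag, e.g. "loopback-proxy"
    detail: str     # the value that triggered the finding
    line: str       # the raw log line, for the analyst


# Line shapes as they appear in ComboFix / Gmer output.
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"\s*=\s*(.*)$')
HOOK_RE = re.compile(r"^\\Driver\\(\w+)\s+(\w+)\s*->\s*(0x[0-9A-Fa-f]+)")
WARNING_RE = re.compile(r"^Warning:.*rootkit", re.IGNORECASE)
LOOPBACK = ("127.0.0.1", "localhost", "[::1]")


def _looks_random(name: str) -> bool:
    """Assumed heuristic: short all-letter names with few vowels tend to be
    machine-generated (fdghlcg, ihmrecc). Only used to annotate, never to
    decide on its own."""
    if not name.isalpha() or len(name) > 10:
        return False
    vowels = sum(c in "aeiou" for c in name.lower())
    return vowels / len(name) < 0.3


def triage(text: str) -> list[Finding]:
    """Scan log text line by line and return the indicators found."""
    findings: list[Finding] = []
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.match(line):
            # A per-user proxy on the loopback address routes every IE
            # request through a local process before it leaves the machine.
            value = m.group(1)
            if any(h in value for h in LOOPBACK):
                findings.append(Finding("high", "loopback-proxy", value, line))
            continue
        if m := APPINIT_RE.match(line):
            # AppInit_DLLs is loaded into every process that maps user32.dll;
            # any non-empty value deserves a look, malicious or not.
            value = m.group(1).strip()
            if value:
                findings.append(Finding("review", "appinit-dll", value, line))
            continue
        if m := SERVICE_RE.match(line):
            start, name, _display, rest = m.groups()
            # Boot-start drivers whose file ComboFix could not resolve ([?]).
            if start in ("S0", "R0") and rest.rstrip().endswith("[?]"):
                note = name + (" (random-looking name)" if _looks_random(name) else "")
                findings.append(Finding("high", "unresolved-boot-driver", note, line))
            continue
        if line == "detected hooks:":
            in_hooks = True
            continue
        if in_hooks:
            if m := HOOK_RE.match(line):
                drv, routine, addr = m.groups()
                findings.append(Finding("high", "disk-driver-hook", f"{drv} {routine} -> {addr}", line))
                continue
            in_hooks = False  # first non-hook line ends the hook list
        if WARNING_RE.match(line):
            findings.append(Finding("high", "scanner-warning", line, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per indicator tag."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.indicator] = counts.get(f.indicator, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.indicator:24} {f.detail}")
```

Run against the constructed sample this yields one loopback proxy, one AppInit DLL, two unresolved boot drivers, one atapi hook and one scanner warning, while the legitimately resolved `R1` and `S2` services are left alone. The script only surfaces lines already in the log; whether `cssdll32.dll` or the `S0` drivers are malicious is for the helper to establish, which is why the ComboFix quarantine and a full Gmer scan still matter.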
     
Short URL to this thread: https://techguy.org/973044
