1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

kdirectory.co.uk Redirect Problem + Generic Host Process Win32 error

Discussion in 'Virus & Other Malware Removal' started by canucks85, Dec 27, 2010.

Thread Status:
Not open for further replies.
Advertisement
  1. canucks85

    canucks85 Thread Starter

    Joined:
    Nov 21, 2009
    Messages:
    16
    Hi there,

    I believe I am currently infected with some malware. Any help would be greatly appreciated! (Especially over this holiday season). Over the past day, an error has been popping up for "Generic Host Processes for Win32". I have been having issues opening Firefox and my laptop is considerably slower. Periodically, on Google, some of the links redirect to kdirectory.co.uk, while other times it acts normally. I also had the Security Shield virus appear yesterday, which I "removed" with Malwarebytes' Anti-Malware.

    Again, any help would be greatly appreciated! Thanks in advance. Below are my files posted:

    HIJACKTHIS
    --------------
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:27:43 PM, on 27/12/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\FelixBackups\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\Toshiba\Tvs\TvsTray.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TDispVol.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\DNA\btdna.exe
    C:\Documents and Settings\Matthew\Local Settings\Application Data\NFS HD Waterfall03\pmcloader.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Down2Home\Down2Home.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE
    C:\Documents and Settings\Matthew\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:60020
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    R3 - URLSearchHook: BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\tbBit0.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin1.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\tbBit0.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
    O3 - Toolbar: BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\tbBit0.dll
    O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin1.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [Start Menu 7] "C:\Documents and Settings\Matthew\Local Settings\Application Data\NFS HD Waterfall03\pmcloader.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
    O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Down2Home.lnk = C:\Program Files\Down2Home\Down2Home.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://matthewyan.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157454824343
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\FelixBackups\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

    --
    End of file - 15619 bytes













    DDS.TXT
    ------------

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Matthew at 15:37:43.92 on 27/12/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.348 [GMT -8:00]

    AV: Norton Internet Security *Enabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\FelixBackups\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\Toshiba\Tvs\TvsTray.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\WINDOWS\system32\TDispVol.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\DNA\btdna.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Down2Home\Down2Home.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Matthew\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyServer = http=127.0.0.1:60020
    uInternet Settings,ProxyOverride = *.local;<local>
    uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBit0.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin1.dll
    BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
    BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBit0.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
    TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBit0.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin1.dll
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
    uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1
    uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
    uRun: [Start Menu 7] "c:\documents and settings\matthew\local settings\application data\nfs hd waterfall03\pmcloader.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
    mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
    mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
    mRun: [TFncKy] TFncKy.exe
    mRun: [TDispVol] TDispVol.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [TPSMain] TPSMain.exe
    mRun: [CFSServ.exe] CFSServ.exe -NoClient
    mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
    mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\docume~1\matthew\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\down2h~1.lnk - c:\program files\down2home\Down2Home.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\Icon3E5562ED7.ico
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://matthewyan.spaces.live.com//PhotoUpload/MsnPUpld.cab
    DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157454824343
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\matthew\applic~1\mozilla\firefox\profiles\h5xpkywf.default\
    FF - prefs.js: browser.startup.homepage - www.med.ubc.ca/medicol/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 60020
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJPI150_04.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\picasa2\npPicasa2.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false

    ============= SERVICES / DRIVERS ===============

    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 74480]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-24 149352]
    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-24 149352]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]
    R3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-24 149352]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090525.024\NAVENG.SYS [2009-5-25 89104]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090525.024\NAVEX15.SYS [2009-5-25 876144]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
    R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-5-23 1251720]
    S0 weibda;weibda; [x]
    S1 MpKsl83ef15ea;MpKsl83ef15ea;\??\c:\windows\system32\mpenginestore\mpksl83ef15ea.sys --> c:\windows\system32\mpenginestore\MpKsl83ef15ea.sys [?]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

    =============== File Associations ===============

    inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"

    =============== Created Last 30 ================

    2010-12-27 23:36:56 -------- d-s---w- C:\ComboFix
    2010-12-26 21:33:32 -------- d-----w- c:\docume~1\matthew\applic~1\unqypgxubg
    2010-12-16 06:49:10 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-16 06:48:21 45568 -c----w- c:\windows\system32\dllcache\wab.exe

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: TOSHIBA_MK1032GSX rev.AS021G -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F27555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f2d7b0]; MOV EAX, [0x86f2d82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86EF3AB8]
    3 CLASSPNP[0xF785EFD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000009c[0x86F6A9E8]
    5 ACPI[0xF77B5620] -> nt!IofCallDriver[0x804E13B9] -> [0x86EF6940]
    \Driver\atapi[0x86F6C030] -> IRP_MJ_CREATE -> 0x86F27555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1032GSX_______________________AS021G__#5&35291d97&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x86F2739B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 15:38:50.07 ===============














    ARK.TXT
    --------
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-27 16:27:07
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 TOSHIBA_MK1032GSX rev.AS021G
    Running: ugcmbf8p.exe; Driver: C:\DOCUME~1\Matthew\LOCALS~1\Temp\uxliakow.sys


    ---- System - GMER 1.0.15 ----

    SSDT 86AD0A78 ZwConnectPort

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF38ADEBF]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\wuauclt.exe[440] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0119000A
    .text C:\WINDOWS\system32\wuauclt.exe[440] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 011A000A
    .text C:\WINDOWS\system32\wuauclt.exe[440] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0118000C
    .text C:\WINDOWS\Explorer.EXE[1644] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A
    .text C:\WINDOWS\Explorer.EXE[1644] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A
    .text C:\WINDOWS\Explorer.EXE[1644] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Udfs.SYS (UDF File System Driver/Microsoft Corporation)
    Device DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86EB639B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86EB639B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 86EB639B

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1032GSX_______________________AS021G__#5&35291d97&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\[email protected] 1
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\[email protected] 1
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\[email protected] 1
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\[email protected] 1
    Reg HKLM\SOFTWARE\Classes\CLSID\{AA58136B-E4D9-7C22-F318862907B73EF7}\{7320B164-7CDE-F0FA-3D718014E02662FF}\{717B3025-5806-2EEA-4DFCCD0F4E1E26A2}
    Reg HKLM\SOFTWARE\Classes\CLSID\{AA58136B-E4D9-7C22-F318862907B73EF7}\{7320B164-7CDE-F0FA-3D718014E02662FF}\{717B3025-5806-2EEA-4DFCCD0F4E1E26A2}@S6KI1YERXJTIP3T5RVDI41UR2G1 0x01 0x00 0x01 0x00 ...

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 29: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 39: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 49: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- EOF - GMER 1.0.15 ----
     

    Attached Files:

  2. canucks85

    canucks85 Thread Starter

    Joined:
    Nov 21, 2009
    Messages:
    16
  3. canucks85

    canucks85 Thread Starter

    Joined:
    Nov 21, 2009
    Messages:
    16
  4. canucks85

    canucks85 Thread Starter

    Joined:
    Nov 21, 2009
    Messages:
    16
  5. canucks85

    canucks85 Thread Starter

    Joined:
    Nov 21, 2009
    Messages:
    16
  6. canucks85

    canucks85 Thread Starter

    Joined:
    Nov 21, 2009
    Messages:
    16
    Last bump attempt.
     
  7. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya canucks85,

    Proceed as follows please :-

    Step 1

    Please re-open HiJackThis and scan only.**Check the boxes next to all the entries listed below.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:60020

    Now close all windows other than HiJackThis, then click Fix Checked.**Close HiJackThis.**Reboot

    Step 2

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    Combofix

    Don`t forget Combofix must be saved to your desktop. <--Very important

    Before saving Combofix to the Desktop re-name to Gotcha.exe as below:

    [​IMG]

    Ensure you have disabledyour Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

    Please include the C:\ComboFix.txt in your next reply for further review.

    Examples of how to disable realtime protection available at the following link :-

    Disable realtime protection


    Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    • If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

    Step 3

    Download Security Check by screen317 from HERE or HERE.
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Post the logs from Combofix and Security Checks in your reply please.

    Kevin
     
  8. canucks85

    canucks85 Thread Starter

    Joined:
    Nov 21, 2009
    Messages:
    16
    Hey Kevin,

    Thank you so much for your help! I did all 3 steps as requested. When running ComboFix, an error popped up stating "PEV.cfxxe encountered a problem and needs to close". I closed it, and ComboFix proceeded running.



    ComboFix 11-01-14.01 - Matthew 14/01/2011 16:58:02.9.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.704 [GMT -8:00]
    Running from: c:\documents and settings\Matthew\Desktop\Gotcha.exe
    AV: Norton Internet Security *Enabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Matthew\Application Data\PriceGong
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\Matthew\Application Data\PriceGong\Data\z.xml

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-15 to 2011-01-15 )))))))))))))))))))))))))))))))
    .

    2010-12-26 21:33 . 2010-12-26 21:44 -------- d-----w- c:\documents and settings\Matthew\Application Data\unqypgxubg
    2010-12-16 06:49 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-16 06:48 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-21 02:09 . 2010-04-21 00:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-21 02:08 . 2010-04-21 00:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-18 18:12 . 2006-02-21 10:33 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26 . 2006-02-21 08:37 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2006-02-21 08:37 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2006-02-21 08:37 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2006-02-21 08:37 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2006-02-21 08:37 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2006-02-21 08:37 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2006-02-21 08:37 1853312 ----a-w- c:\windows\system32\win32k.sys
    2007-08-25 03:52 . 2008-05-24 03:37 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\tbBit0.dll" [2010-12-25 3911776]

    [HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
    2010-12-25 19:24 3911776 ----a-w- c:\program files\BitTorrentBar\tbBit0.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\tbBit0.dll" [2010-12-25 3911776]

    [HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\tbBit0.dll" [2010-12-25 3911776]

    [HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-08-18 307200]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
    "Start Menu 7"="c:\documents and settings\Matthew\Local Settings\Application Data\NFS HD Waterfall03\pmcloader.exe" [2010-04-12 331776]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CFSServ.exe"="CFSServ.exe -NoClient" [X]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 88203]
    "RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15691264]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
    "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
    "Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
    "THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
    "TFncKy"="TFncKy.exe" [BU]
    "TDispVol"="TDispVol.exe" [2005-03-11 73728]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
    "TPSMain"="TPSMain.exe" [2005-06-01 282624]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-24 483328]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-25 714608]
    "Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    IEHOME.LNK - c:\documents and settings\Default User\Local Settings\Temp\iehome.bat [N/A]

    c:\documents and settings\Matthew\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-4-2 25214]
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-2-6 113664]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Down2Home.lnk - c:\program files\Down2Home\Down2Home.exe [2003-3-11 307200]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
    RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-21 155648]
    VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2008-7-30 6144]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-06 06:19 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 10:01 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 10:01 AM 74480]
    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [24/08/2007 9:07 PM 149352]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [17/12/2009 2:32 PM 497856]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [25/02/2009 4:49 PM 101936]
    S0 weibda;weibda; [x]
    S1 MpKsl83ef15ea;MpKsl83ef15ea;\??\c:\windows\system32\MpEngineStore\MpKsl83ef15ea.sys --> c:\windows\system32\MpEngineStore\MpKsl83ef15ea.sys [?]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [29/05/2007 12:55 PM 23888]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 10:01 AM 7408]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

    2010-12-14 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Matthew.job
    - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

    2011-01-13 c:\windows\Tasks\Norton Security Scan for Matthew.job
    - c:\program files\Norton Security Scan\Nss.exe [2008-09-19 12:18]

    2006-09-01 c:\windows\Tasks\Registration reminder 1.job
    - c:\windows\system32\OOBE\oobebaln.exe [2006-02-21 00:12]

    2006-09-01 c:\windows\Tasks\Registration reminder 2.job
    - c:\windows\system32\OOBE\oobebaln.exe [2006-02-21 00:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local;<local>
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    FF - ProfilePath - c:\documents and settings\Matthew\Application Data\Mozilla\Firefox\Profiles\h5xpkywf.default\
    FF - prefs.js: browser.startup.homepage - www.med.ubc.ca/medicol/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 60020
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    ------- File Associations -------
    .
    inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-14 17:12
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: TOSHIBA_MK1032GSX rev.AS021G -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F1F555]<<
    c:\docume~1\Matthew\LOCALS~1\Temp\catchme.sys
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f257b0]; MOV EAX, [0x86f2582c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86EDFAB8]
    3 CLASSPNP[0xF785EFD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000009d[0x86F7E9E8]
    5 ACPI[0xF77B5620] -> nt!IofCallDriver[0x804E13B9] -> [0x86EE3D98]
    \Driver\atapi[0x86F51030] -> IRP_MJ_CREATE -> 0x86F1F555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1032GSX_______________________AS021G__#5&35291d97&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x86F1F39B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AA58136B-E4D9-7C22-F318862907B73EF7}\{7320B164-7CDE-F0FA-3D718014E02662FF}\{717B3025-5806-2EEA-4DFCCD0F4E1E26A2}*]
    "S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
    9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    @DACL=(02 0000)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1732)
    c:\windows\system32\WININET.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    - - - - - - - > 'lsass.exe'(1792)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-01-14 17:17:24
    ComboFix-quarantined-files.txt 2011-01-15 01:17
    ComboFix2.txt 2010-12-26 22:45

    Pre-Run: 9,724,964,864 bytes free
    Post-Run: 9,996,165,120 bytes free

    - - End Of File - - 688E59183A20734989684E51A7A0657A














    SECURITY CHECKUP

    Results of screen317's Security Check version 0.99.8
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    Norton AntiVirus
    Norton AntiVirus Help
    Norton Internet Security (Symantec Corporation)
    Norton Internet Security
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    HijackThis 2.0.2
    CCleaner
    Adobe Flash Player 10.1.102.64
    Adobe Reader 7.0.9
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.6.13)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Norton ccSvcHst.exe
    ``````````End of Log````````````
     
  9. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya canucks85,

    Proceed as follows please :-

    Step 1

    Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


      [​IMG]

    • If an infected file is detected, the default action will be Cure, click on Continue.


      [​IMG]

    • If a suspicious file is detected, the default action will be Skip, click on Continue.


      [​IMG]

    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


      [​IMG]

    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    Step 2

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the Codebox below into it:

    Code:
    KillAll::
    File::
    c:\windows\system32\MpEngineStore\MpKsl83ef 15ea.sys
    Folder::
    c:\documents and settings\Matthew\Application Data\unqypgxubg
    c:\program files\BitTorrentBar
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"=-
    [-HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
    [-HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
    Driver::
    weibda
    MpKsl83ef15ea
    Firefox::
    FF - ProfilePath - c:\documents and settings\Matthew\Application Data\Mozilla\Firefox\Profiles\h5xpkywf.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 60020
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AA58136B-E4D9-7C22-F318862907B73EF7}\{7320B164-7CDE-F0FA-3D718014E02662FF}\{717B3025-5806-2EEA-4DFCCD0F4E1E26A2}*]
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalCo mponents]
    @DACL=(02 0000)
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    [​IMG]

    [​IMG]

    Refering to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Post the logs from TDSSKiller and Combofix in your reply please,

    Kevin
     
  10. canucks85

    canucks85 Thread Starter

    Joined:
    Nov 21, 2009
    Messages:
    16
    Hey Kevin,

    I did the steps. Once again the same error popped up with ComboFix, but it continued running after I closed the error. Thanks again for all of your help. Greatly appreciated!



    TDSSKiller
    -------------
    2011/01/14 18:39:03.0968 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11
    2011/01/14 18:39:03.0968 ================================================================================
    2011/01/14 18:39:03.0968 SystemInfo:
    2011/01/14 18:39:03.0968
    2011/01/14 18:39:03.0968 OS Version: 5.1.2600 ServicePack: 3.0
    2011/01/14 18:39:03.0968 Product type: Workstation
    2011/01/14 18:39:03.0968 ComputerName: MATTHEW-YAN
    2011/01/14 18:39:03.0968 UserName: Matthew
    2011/01/14 18:39:03.0968 Windows directory: C:\WINDOWS
    2011/01/14 18:39:03.0968 System windows directory: C:\WINDOWS
    2011/01/14 18:39:03.0968 Processor architecture: Intel x86
    2011/01/14 18:39:03.0968 Number of processors: 2
    2011/01/14 18:39:03.0968 Page size: 0x1000
    2011/01/14 18:39:03.0968 Boot type: Normal boot
    2011/01/14 18:39:03.0968 ================================================================================
    2011/01/14 18:39:04.0093 Initialize success
    2011/01/14 18:39:22.0671 ================================================================================
    2011/01/14 18:39:22.0671 Scan started
    2011/01/14 18:39:22.0671 Mode: Manual;
    2011/01/14 18:39:22.0671 ================================================================================
    2011/01/14 18:39:23.0609 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/01/14 18:39:23.0640 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2011/01/14 18:39:23.0718 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/01/14 18:39:23.0765 AegisP (12dafd934641dcf61e446313bc261ec2) C:\WINDOWS\system32\DRIVERS\AegisP.sys
    2011/01/14 18:39:23.0843 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/01/14 18:39:23.0921 AgereSoftModem (b3192376c7a3814b5341efc2202022f8) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
    2011/01/14 18:39:24.0109 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/01/14 18:39:24.0218 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/01/14 18:39:24.0281 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/01/14 18:39:24.0343 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/01/14 18:39:24.0375 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/01/14 18:39:24.0421 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/01/14 18:39:24.0625 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/01/14 18:39:24.0703 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/01/14 18:39:24.0734 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/01/14 18:39:24.0812 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/01/14 18:39:24.0875 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/01/14 18:39:24.0937 COH_Mon (6186b6b953bdc884f0f379b84b3e3a98) C:\WINDOWS\system32\Drivers\COH_Mon.sys
    2011/01/14 18:39:24.0984 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/01/14 18:39:25.0031 CO_Mon (73f5d6835bfa66019c03e316d99649da) C:\WINDOWS\system32\drivers\CO_Mon.sys
    2011/01/14 18:39:25.0125 CVirtA (5c706c06c1279952d2cc1a609ca948bf) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
    2011/01/14 18:39:25.0234 CVPNDRVA (5ba042bcab6246c6bba51606afd7b488) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
    2011/01/14 18:39:25.0343 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/01/14 18:39:25.0375 DLABOIOM (ee4325becef51b8c32b4329097e4f301) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
    2011/01/14 18:39:25.0406 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
    2011/01/14 18:39:25.0437 DLADResN (1e6c6597833a04c2157be7b39ea92ce1) C:\WINDOWS\system32\DLA\DLADResN.SYS
    2011/01/14 18:39:25.0468 DLAIFS_M (752376e109a090970bfa9722f0f40b03) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
    2011/01/14 18:39:25.0500 DLAOPIOM (62ee7902e74b90bf1ccc4643fc6c07a7) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
    2011/01/14 18:39:25.0609 DLAPoolM (5c220124c5afeaee84a9bb89d685c17b) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
    2011/01/14 18:39:25.0656 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
    2011/01/14 18:39:25.0687 DLAUDFAM (4ebb78d9bbf072119363b35b9b3e518f) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
    2011/01/14 18:39:25.0750 DLAUDF_M (333b770e52d2cea7bd86391120466e43) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
    2011/01/14 18:39:25.0843 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/01/14 18:39:25.0906 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/01/14 18:39:25.0953 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/01/14 18:39:26.0000 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/01/14 18:39:26.0046 DNE (2eddbb3ef1dd5a28cb07c149d36e7286) C:\WINDOWS\system32\DRIVERS\dne2000.sys
    2011/01/14 18:39:26.0093 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/01/14 18:39:26.0171 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
    2011/01/14 18:39:26.0218 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
    2011/01/14 18:39:26.0265 E100B (2646883e6dd867cd872d5b51b6036710) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2011/01/14 18:39:26.0406 eeCtrl (70aeac5d481b2904b40f2173e280b1b5) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    2011/01/14 18:39:26.0453 EraserUtilRebootDrv (00bd6fc4a873d3341dcf9aef2d3c841e) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    2011/01/14 18:39:26.0625 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/01/14 18:39:26.0703 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2011/01/14 18:39:26.0781 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/01/14 18:39:26.0968 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/01/14 18:39:27.0046 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/01/14 18:39:27.0078 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/01/14 18:39:27.0140 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/01/14 18:39:27.0203 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    2011/01/14 18:39:27.0265 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/01/14 18:39:27.0343 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/01/14 18:39:27.0359 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/01/14 18:39:27.0453 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/01/14 18:39:27.0546 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\I8042PRT.SYS
    2011/01/14 18:39:27.0718 ialm (bc1f1ff8d5800398937966cdb0a97fdc) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    2011/01/14 18:39:27.0890 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/01/14 18:39:28.0156 IntcAzAudAddService (b12a9fc49cd2765a43829d834f518aed) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2011/01/14 18:39:28.0625 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/01/14 18:39:28.0671 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/01/14 18:39:28.0703 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/01/14 18:39:28.0796 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/01/14 18:39:28.0875 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/01/14 18:39:28.0953 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/01/14 18:39:28.0984 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/01/14 18:39:29.0031 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/01/14 18:39:29.0078 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
    2011/01/14 18:39:29.0109 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/01/14 18:39:29.0140 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/01/14 18:39:29.0218 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/01/14 18:39:29.0312 meiudf (7efac183a25b30fb5d64cc9d484b1eb6) C:\WINDOWS\system32\Drivers\meiudf.sys
    2011/01/14 18:39:29.0375 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/01/14 18:39:29.0421 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/01/14 18:39:29.0453 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/01/14 18:39:29.0484 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/01/14 18:39:29.0546 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/01/14 18:39:29.0687 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/01/14 18:39:29.0812 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/01/14 18:39:29.0859 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/01/14 18:39:29.0906 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/01/14 18:39:29.0937 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/01/14 18:39:29.0953 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/01/14 18:39:30.0000 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/01/14 18:39:30.0078 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/01/14 18:39:30.0234 NAVENG (494c4ebfee40baaff49492b97abaf18c) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090525.024\NAVENG.SYS
    2011/01/14 18:39:30.0281 NAVEX15 (f4a95d6d20767a5f1f2b2fed261a1b23) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090525.024\NAVEX15.SYS
    2011/01/14 18:39:30.0484 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/01/14 18:39:30.0531 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/01/14 18:39:30.0562 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/01/14 18:39:30.0593 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/01/14 18:39:30.0640 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/01/14 18:39:30.0718 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/01/14 18:39:30.0781 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/01/14 18:39:30.0828 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
    2011/01/14 18:39:30.0859 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/01/14 18:39:30.0906 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/01/14 18:39:30.0968 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/01/14 18:39:31.0015 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/01/14 18:39:31.0078 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/01/14 18:39:31.0187 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/01/14 18:39:31.0250 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/01/14 18:39:31.0296 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2011/01/14 18:39:31.0343 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/01/14 18:39:31.0359 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/01/14 18:39:31.0406 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/01/14 18:39:31.0453 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/01/14 18:39:31.0562 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    2011/01/14 18:39:31.0703 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
    2011/01/14 18:39:31.0765 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/01/14 18:39:31.0781 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/01/14 18:39:31.0843 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/01/14 18:39:31.0890 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/01/14 18:39:32.0015 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/01/14 18:39:32.0062 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/01/14 18:39:32.0078 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/01/14 18:39:32.0109 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/01/14 18:39:32.0187 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/01/14 18:39:32.0312 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/01/14 18:39:32.0359 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/01/14 18:39:32.0421 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/01/14 18:39:32.0468 s24trans (1cc074e0d48383d4e9bffc6a26c2a58a) C:\WINDOWS\system32\DRIVERS\s24trans.sys
    2011/01/14 18:39:32.0546 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2011/01/14 18:39:32.0578 SASENUM (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
    2011/01/14 18:39:32.0625 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    2011/01/14 18:39:32.0703 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
    2011/01/14 18:39:32.0765 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/01/14 18:39:32.0875 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2011/01/14 18:39:32.0921 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
    2011/01/14 18:39:32.0953 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
    2011/01/14 18:39:33.0000 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/01/14 18:39:33.0171 SPBBCDrv (dc4dc886d3779c446f9b0e9d6b006e72) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    2011/01/14 18:39:33.0328 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/01/14 18:39:33.0406 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/01/14 18:39:33.0500 SRTSP (655773f2f1a3730c6cf20280a49f4ee1) C:\WINDOWS\system32\Drivers\SRTSP.SYS
    2011/01/14 18:39:33.0578 SRTSPL (2a0aaf370d4c6574a34ae2f4a0709cae) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
    2011/01/14 18:39:33.0625 SRTSPX (3104bdceace2d5710776dd05e6a286c1) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
    2011/01/14 18:39:33.0687 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/01/14 18:39:33.0750 ssm_bus (df5c19f053eff7f8ba25d73aea899656) C:\WINDOWS\system32\DRIVERS\ssm_bus.sys
    2011/01/14 18:39:33.0796 ssm_mdfl (5347169fa449eabc4d0728ae39fab926) C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys
    2011/01/14 18:39:33.0843 ssm_mdm (7aae23dd105eed15c4f45fc269fa42a9) C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys
    2011/01/14 18:39:33.0875 StarOpen (306521935042fc0a6988d528643619b3) C:\WINDOWS\system32\drivers\StarOpen.sys
    2011/01/14 18:39:33.0921 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/01/14 18:39:34.0078 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/01/14 18:39:34.0171 SYMDNS (fe9f8b3a8bc22d85332b42e92308ddf9) C:\WINDOWS\System32\Drivers\SYMDNS.SYS
    2011/01/14 18:39:34.0218 SymEvent (06b95820df51502099a8a15c93e87986) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    2011/01/14 18:39:34.0265 SYMFW (a0ea9d273889e53cfaabf2444692ccbf) C:\WINDOWS\System32\Drivers\SYMFW.SYS
    2011/01/14 18:39:34.0281 SYMIDS (23527b9cd4f7b9e31160e98d340e7e85) C:\WINDOWS\System32\Drivers\SYMIDS.SYS
    2011/01/14 18:39:34.0421 SYMIDSCO (1902efb9e0901a62a31458ad90d3fed3) C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\ipsdefs\20090519.005\SymIDSCo.sys
    2011/01/14 18:39:34.0484 SymIM (b54f7959afb4aaf1a8c589b0aa7fde02) C:\WINDOWS\system32\DRIVERS\SymIM.sys
    2011/01/14 18:39:34.0484 SymIMMP (b54f7959afb4aaf1a8c589b0aa7fde02) C:\WINDOWS\system32\DRIVERS\SymIM.sys
    2011/01/14 18:39:34.0531 symlcbrd (b226f8a4d780acdf76145b58bb791d5b) C:\WINDOWS\system32\drivers\symlcbrd.sys
    2011/01/14 18:39:34.0562 SYMNDIS (d605af3a380a83f4a562f1ad3ee19ecd) C:\WINDOWS\System32\Drivers\SYMNDIS.SYS
    2011/01/14 18:39:34.0593 SYMREDRV (7c6505ea598e58099d3b7e1f70426864) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
    2011/01/14 18:39:34.0671 SYMTDI (e6ff7ace71d07ca90119f2c6ab592ba4) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    2011/01/14 18:39:34.0875 SynTP (a6cc8c28d5aad4179ef32f05bed55e91) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    2011/01/14 18:39:34.0953 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/01/14 18:39:35.0000 TBiosDrv (1f26d86828039c0b594399f7f2ffef09) C:\WINDOWS\system32\Drivers\Tbiosdrv.sys
    2011/01/14 18:39:35.0109 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/01/14 18:39:35.0140 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/01/14 18:39:35.0187 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/01/14 18:39:35.0250 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/01/14 18:39:35.0312 tifm21 (244cfbffdefb77f3df571a8cd108fc06) C:\WINDOWS\system32\drivers\tifm21.sys
    2011/01/14 18:39:35.0375 tosrfec (cc069342ee0eae55b32a0ae99cf6185c) C:\WINDOWS\system32\DRIVERS\tosrfec.sys
    2011/01/14 18:39:35.0390 TVALD (676db15ddf2e0ff6ec03068dea428b8b) C:\WINDOWS\system32\DRIVERS\NBSMI.sys
    2011/01/14 18:39:35.0437 Tvs (cc6763889198ef975b143d49789bcfa9) C:\WINDOWS\system32\DRIVERS\Tvs.sys
    2011/01/14 18:39:35.0468 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/01/14 18:39:35.0578 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/01/14 18:39:35.0640 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2011/01/14 18:39:35.0765 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/01/14 18:39:35.0812 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/01/14 18:39:35.0875 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/01/14 18:39:35.0921 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/01/14 18:39:35.0968 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/01/14 18:39:36.0015 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/01/14 18:39:36.0062 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/01/14 18:39:36.0109 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/01/14 18:39:36.0187 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/01/14 18:39:36.0234 vpnva (e1f2333a88ec4a5c8ea6be357323b72d) C:\WINDOWS\system32\DRIVERS\vpnva.sys
    2011/01/14 18:39:36.0296 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
    2011/01/14 18:39:36.0406 w39n51 (b1f126e7e28877106d60e6ff3998d033) C:\WINDOWS\system32\DRIVERS\w39n51.sys
    2011/01/14 18:39:36.0468 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/01/14 18:39:36.0609 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/01/14 18:39:36.0718 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/01/14 18:39:36.0765 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/01/14 18:39:36.0812 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/01/14 18:39:36.0812 ================================================================================
    2011/01/14 18:39:36.0812 Scan finished
    2011/01/14 18:39:36.0812 ================================================================================
    2011/01/14 18:39:36.0828 Detected object count: 1
    2011/01/14 18:39:40.0484 \HardDisk0 - will be cured after reboot
    2011/01/14 18:39:40.0484 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2011/01/14 18:39:44.0359 Deinitialize success












    ComboFix
    ---------

    ComboFix 11-01-14.01 - Matthew 14/01/2011 18:48:28.10.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.583 [GMT -8:00]
    Running from: c:\documents and settings\Matthew\Desktop\Gotcha.exe
    Command switches used :: c:\documents and settings\Matthew\Desktop\CFScript.txt
    AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    FILE ::
    "c:\windows\system32\MpEngineStore\MpKsl83ef 15ea.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Matthew\Application Data\unqypgxubg
    c:\program files\BitTorrentBar
    c:\program files\BitTorrentBar\BitTorrentBarToolbarHelper.exe
    c:\program files\BitTorrentBar\GottenAppsContextMenu.xml
    c:\program files\BitTorrentBar\INSTALL.LOG
    c:\program files\BitTorrentBar\OtherAppsContextMenu.xml
    c:\program files\BitTorrentBar\SharedAppsContextMenu.xml
    c:\program files\BitTorrentBar\tbBit0.dll
    c:\program files\BitTorrentBar\tbBit1.dll
    c:\program files\BitTorrentBar\tbBitT.dll
    c:\program files\BitTorrentBar\toolbar.cfg
    c:\program files\BitTorrentBar\ToolbarContextMenu.xml
    c:\program files\BitTorrentBar\UNWISE.EXE

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MPKSL83EF15EA
    -------\Legacy_WEIBDA
    -------\Service_MpKsl83ef15ea
    -------\Service_weibda


    ((((((((((((((((((((((((( Files Created from 2010-12-15 to 2011-01-15 )))))))))))))))))))))))))))))))
    .

    2010-12-16 06:49 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-16 06:48 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-21 02:09 . 2010-04-21 00:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-21 02:08 . 2010-04-21 00:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-18 18:12 . 2006-02-21 10:33 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26 . 2006-02-21 08:37 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2006-02-21 08:37 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2006-02-21 08:37 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2006-02-21 08:37 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2006-02-21 08:37 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2006-02-21 08:37 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2006-02-21 08:37 1853312 ----a-w- c:\windows\system32\win32k.sys
    2007-08-25 03:52 . 2008-05-24 03:37 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-08-18 307200]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
    "Start Menu 7"="c:\documents and settings\Matthew\Local Settings\Application Data\NFS HD Waterfall03\pmcloader.exe" [2010-04-12 331776]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CFSServ.exe"="CFSServ.exe -NoClient" [X]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 88203]
    "RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15691264]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
    "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
    "Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
    "THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
    "TFncKy"="TFncKy.exe" [BU]
    "TDispVol"="TDispVol.exe" [2005-03-11 73728]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
    "TPSMain"="TPSMain.exe" [2005-06-01 282624]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-24 483328]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-25 714608]
    "Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    IEHOME.LNK - c:\documents and settings\Default User\Local Settings\Temp\iehome.bat [N/A]

    c:\documents and settings\Matthew\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-4-2 25214]
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-2-6 113664]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Down2Home.lnk - c:\program files\Down2Home\Down2Home.exe [2003-3-11 307200]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
    RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-21 155648]
    VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2008-7-30 6144]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Taskman"=""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-06 06:19 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 10:01 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 10:01 AM 74480]
    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [24/08/2007 9:07 PM 149352]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [17/12/2009 2:32 PM 497856]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [25/02/2009 4:49 PM 101936]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [29/05/2007 12:55 PM 23888]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 10:01 AM 7408]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

    2010-12-14 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Matthew.job
    - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

    2011-01-13 c:\windows\Tasks\Norton Security Scan for Matthew.job
    - c:\program files\Norton Security Scan\Nss.exe [2008-09-19 12:18]

    2006-09-01 c:\windows\Tasks\Registration reminder 1.job
    - c:\windows\system32\OOBE\oobebaln.exe [2006-02-21 00:12]

    2006-09-01 c:\windows\Tasks\Registration reminder 2.job
    - c:\windows\system32\OOBE\oobebaln.exe [2006-02-21 00:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local;<local>
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    FF - ProfilePath - c:\documents and settings\Matthew\Application Data\Mozilla\Firefox\Profiles\h5xpkywf.default\
    FF - prefs.js: browser.startup.homepage - www.med.ubc.ca/medicol/
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-BitTorrentBar Toolbar - c:\progra~1\BITTOR~3\UNWISE.EXE



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-14 18:58
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    @DACL=(02 0000)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1736)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(3828)
    c:\windows\system32\WININET.dll
    c:\windows\system32\TDispVol.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\TPwrCfg.DLL
    c:\windows\system32\TPwrReg.dll
    c:\windows\system32\TPSTrace.DLL
    c:\program files\WinSCP3\DragExt.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\felixbackups\Cisco Systems\VPN Client\cvpnd.exe
    c:\windows\system32\DVDRAMSV.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    c:\windows\AGRSMMSG.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
    c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    c:\windows\system32\TDispVol.exe
    c:\program files\Synaptics\SynTP\Toshiba.exe
    c:\program files\TOSHIBA\ConfigFree\CFSServ.exe
    c:\windows\system32\TPSBattM.exe
    c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-14 19:05:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-15 03:05
    ComboFix2.txt 2011-01-15 01:17
    ComboFix3.txt 2010-12-26 22:45

    Pre-Run: 10,024,501,248 bytes free
    Post-Run: 9,917,956,096 bytes free

    - - End Of File - - 11856282DE25E22F4943FC21B616B67E
     
  11. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Logs look better, how is system responding OK?

    Run following online AV scan to double check system:

    Run ESET Online Scan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the [​IMG] button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [​IMG] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [​IMG] icon on your desktop.
    • Check [​IMG]
    • Click the [​IMG] button.
    • Accept any security warnings from your browser.
    • Check [​IMG]
    • Leave the tick out of remove found threats
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push [​IMG]
    • Push [​IMG], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the [​IMG] button.
    • Push [​IMG]
    You can refer to this animation by neomage if needed.
    Frequently asked questions available Here Please read them before running the scan.

    Also be aware this scan can take several hours to complete depending on the size of your
    system.

    Post log from ESET, let me know of any specific issues that remain...

    Kevin
     
  12. canucks85

    canucks85 Thread Starter

    Joined:
    Nov 21, 2009
    Messages:
    16
    Hey Kevin,

    Thanks for all of your help. My system seems to be running a lot better. The Win32 error is no longer popping up. Below is the log file from ESET. I didn't remove any of the threats as requested.

    C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.val-272eba0e-19d0e336.zip probably a variant of Win32/Agent.FXHNPDJ trojan
    C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.val-372586b2-15ab757b.zip probably a variant of Win32/Agent.FXHNPDJ trojan
    C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\des.jar-267754e8-187eb3bd.zip Java/TrojanDownloader.Agent.NAM trojan
    C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\j1_cal.jar-5d4c4b7a-10f35579.zip multiple threats
    C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\j2_gsb.jar-6353f7a3-41eb4a21.zip a variant of Java/Exploit.Agent.NAC trojan
    C:\Documents and Settings\Matthew\Local Settings\Application Data\NFS HD Waterfall03\pmcloader.exe probably a variant of Win32/TrojanDownloader.Agent.CBOJYHD trojan
    C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP349\A0075416.dll a variant of Win32/Kryptik.GVH trojan
    C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP349\A0075417.dll a variant of Win32/Cimag.CK trojan
    C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP349\A0075419.bat BAT/Agent.NFC trojan
    C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP404\A0082594.exe Win32/Kryptik.JFK.Gen trojan
    Operating memory probably a variant of Win32/TrojanDownloader.Agent.CBOJYHD trojan
     
  13. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya canucks85,

    Proceed as folllows please:-

    Step1

    Please download OTM by OldTimer.
    Alternative Mirror
    Save it to your desktop.
    Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator
    • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      -------------------------------------------------------------------

      :Files
      ipconfig /flushdns /c
      C:\Documents and Settings\Matthew\Local Settings\Application Data\NFS HD Waterfall03\pmcloader.exe

      :Commands
      [ClearAllRestorePoints]
      [EmptyFlash]
      [EmptyTemp]
      [Purity]
      [ResetHosts]

      ---------------------------------------------------------------------
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red [​IMG] button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run. Save log to a text file somewhere handy (Desktop) as all files related to OTM will be removed when we clean up.


    Step 2

    Remove Combofix now that we're done with it
    • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
      [​IMG]
    • Please follow the prompts to uninstall Combofix.
    • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
    The above procedure will delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.

    Step 3

    • Download OTC by OldTimer and save it to your desktop. Alternative mirror
    • Double click [​IMG] icon to start the program.
      If you are using Vista or Windows 7, please right-click and choose run as administrator
    • Then Click the big [​IMG] button.
    • You will get a prompt saying "Begining Cleanup Process". Please select Yes.
    • Restart your computer when prompted.

    Step 4

    Remove the ESET Online Scanner components from your computer, start the Add or Remove Programs applet via Start > Control Panel, select the ESET Online Scanner entry and click Remove. This will happen very quickly, only re-boot if requested.

    Whilst in Add/Remove programs also remove the following:

    Adobe Reader 7.0.9

    Step 5

    Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack and exploitation.

    Please go to the link below to update.

    Adobe Reader Untick the Free McAfee® Security Scan Plus (optional).

    Step 6

    I see you have CCleaner installed, make sure the program is updated then run the cleaner section.

    Post the log from OTM in your reply,

    Let me know if the above steps completed OK, also if any issues remain...

    Kevin
     
  14. canucks85

    canucks85 Thread Starter

    Joined:
    Nov 21, 2009
    Messages:
    16
    Hey Kevin,

    Here is the log from OTM. Currently no other issues exist. Thanks!!

    All processes killed
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\Matthew\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\Matthew\Desktop\cmd.txt deleted successfully.
    C:\Documents and Settings\Matthew\Local Settings\Application Data\NFS HD Waterfall03\pmcloader.exe moved successfully.
    ========== COMMANDS ==========

    Restore points cleared and new OTM Restore Point set!

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Intel

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 7700614 bytes
    ->Flash cache emptied: 4020 bytes

    User: Matthew
    ->Temp folder emptied: 878249 bytes
    ->Temporary Internet Files folder emptied: 393618 bytes
    ->Java cache emptied: 1399415 bytes
    ->FireFox cache emptied: 103948082 bytes
    ->Flash cache emptied: 1023244 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 8536198 bytes
    ->Flash cache emptied: 15024 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 4370961 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1522 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 122.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTM by OldTimer - Version 3.1.17.2 log created on 01162011_110538

    Files moved on Reboot...

    Registry entries deleted on Reboot...
     
  15. canucks85

    canucks85 Thread Starter

    Joined:
    Nov 21, 2009
    Messages:
    16
    Hey Kevin,

    I am actually encountering an issue when trying to install Adobe Acrobat. I get this error during installation:

    "Error 1402. Could not open key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS."
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/971050

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice