# Hijacked + Rootkit infection?



## PALV (Mar 10, 2011)

PC has been hit with "XP Internet Security 2011" hijack. Malwarebytes scan identified 4 registry keys and 3 registry data items that were infected. This seemed to permit access to desired websites without redirect (when logged in as another user). However, subsequent scans by tools recommended here also indicate possible TDL3 rootkit infection?

HijackThis and DDS log files are posted below. Will post ark.txt and attach.txt separately.

Thanks, in advance, for any assistance.

-----
OS Version: Microsoft Windows XP Professional, Service Pack 3, 32 bit
Processor: Intel(R) Pentium(R) D CPU 2.66GHz, x86 Family 15 Model 4 Stepping 7
Processor Count: 2
RAM: 1022 Mb
Graphics Card: RADEON X300 SE 128MB HyperMemory, 1 Mb
Hard Drives: C: Total - 147769 MB, Free - 73811 MB; 
Motherboard: Dell Inc. , 0HJ054, , ..CN6986166D0518.
Antivirus: Symantec AntiVirus Corporate Edition, Updated: Yes, On-Demand Scanner: Enabled
-----
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:01:28 PM, on 3/11/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Weather] C:\Program Files\weatherbug\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe
O4 - HKUS\S-1-5-21-557553071-4085620527-1413547295-1006\..\Run: [SetDefaultMIDI] MIDIDef.exe (User <removed by moderator>)
O4 - HKUS\S-1-5-21-557553071-4085620527-1413547295-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User <removed by moderator>)
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Go PlaySushi! - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://webportal.hunterdonhealthcare.org/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: Codifnet - {4ACC49F0-1D95-4BFB-B8B4-ACD14EB72C19} - C:\WINDOWS\system32\cpyidimg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Reporting Agents (Reporting) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
----
DDS (Ver_11-03-05.01) - NTFSx86 
Run by 2.Kristin at 22:05:47.57 on Fri 03/11/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.245 [GMT -5:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\2.Kristin\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No File
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Weather] c:\program files\weatherbug\weatherbug\Weather.exe 1
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10c.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\222f6~1.kri\startm~1\programs\startup\memoni~1.lnk - c:\program files\verizon wireless\v cast music manager\MEMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\taskma~1.lnk - c:\windows\system32\taskmgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB}
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://webportal.hunterdonhealthcare.org/dana-cached/setup/JuniperSetupSP1.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: Codifnet - {4ACC49F0-1D95-4BFB-B8B4-ACD14EB72C19} - c:\windows\system32\cpyidimg.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Reporting;Reporting Agents;c:\program files\common files\symantec shared\reporting agents\win32\ReporterSvc.exe [2006-9-27 1324808]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110310.003\naveng.sys [2011-3-11 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110310.003\navex15.sys [2011-3-11 1360760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-18 135664]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-12 01:56:49 -------- d-----w- c:\docume~1\222f6~1.kri\applic~1\Malwarebytes
2011-02-27 20:01:32 122562410 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
2011-02-20 15:33:39 -------- d-----w- C:\d8b200d1d071d8ad2e
2011-02-20 15:31:03 -------- d-----w- C:\c032cdf8429271c9ca
.
==================== Find3M ====================
.
2011-03-03 12:56:04 21314 ----a-w- c:\windows\system32\avididoc.dll
2011-02-04 15:51:42 256 ----a-w- c:\windows\system32\pool.bin
2008-02-10 19:36:50 4891136 ----a-w- c:\program files\WeatherbugSetupZ6157.msi
2006-09-23 02:33:59 36636224 ----a-w- c:\program files\iTunesSetup.exe
2006-09-23 02:20:14 359112 ----a-w- c:\program files\LimeWire.exe
2006-09-20 00:39:55 1454005 ----a-w- c:\program files\aresfree.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160812AS rev.3.ADH -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86C3EEC5]<< 
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8569b872; SUB DWORD [EBP-0x4], 0x8569b12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86FCEAB8]
3 CLASSPNP[0xF75D2FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86D50F18]
[0x86CD5F10] -> IRP_MJ_CREATE -> 0x86C3EEC5
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskST3160812AS_____________________________3.ADH___#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86C3EAEA
user & kernel MBR OK 
sectors 312499998 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 22:08:32.33 ===============


----------



## PALV (Mar 10, 2011)

ark.txt log:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-11 22:44:19
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 ST3160812AS rev.3.ADH
Running: m5gyuq9t.exe; Driver: C:\DOCUME~1\222F6~1.KRI\LOCALS~1\Temp\pxtdypog.sys

---- System - GMER 1.0.15 ----
SSDT 86E8D098 ZwAlertResumeThread
SSDT 86E8D0D0 ZwAlertThread
SSDT 86D24190 ZwAllocateVirtualMemory
SSDT 86EB3728 ZwConnectPort
SSDT 86FC8098 ZwCreateMutant
SSDT 86D58188 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF452F350]
SSDT 86CEB7A0 ZwFreeVirtualMemory
SSDT 86FC8158 ZwImpersonateAnonymousToken
SSDT 86D7C8D8  ZwImpersonateThread
SSDT 86CD3158 ZwMapViewOfSection
SSDT 86E42198 ZwOpenEvent
SSDT 86DCB0C8 ZwOpenProcessToken
SSDT 86E3E110 ZwOpenThreadToken
SSDT 86E420C8 ZwQueryValueKey
SSDT 86D264E0 ZwResumeThread
SSDT 86E85008 ZwSetContextThread
SSDT 86D50088 ZwSetInformationProcess
SSDT 86E85090 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF452F580]
SSDT 86D5A198 ZwSuspendProcess
SSDT 86D100A0 ZwSuspendThread
SSDT 86E36AC0 ZwTerminateProcess
SSDT 86D10160 ZwTerminateThread
SSDT 86D50008 ZwUnmapViewOfSection
SSDT 86CEB820 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2C00 8050449C 8 Bytes CALL 69211527 
.rsrc C:\WINDOWS\system32\DRIVERS\kbdclass.sys entry point in ".rsrc" section [0xF78D6E14]
init C:\WINDOWS\system32\drivers\sigfilt.sys entry point in "init" section [0xF4680F80]
? C:\DOCUME~1\222F6~1.KRI\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\ctfmon.exe[200] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] WS2_32.dll!recv  71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[200] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[224] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E35203E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[224] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FBF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[224] USER32.dll!DialogBoxParamA  7E43B144 5 Bytes JMP 3E352003 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[224] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F4B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[224] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F85 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[224] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352079 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[224] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E20176A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[224] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35223B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[224] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[224] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\Explorer.EXE[320] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D1000A 
.text C:\WINDOWS\Explorer.EXE[320] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D2000A 
.text C:\WINDOWS\Explorer.EXE[320] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C0000C 
.text C:\WINDOWS\Explorer.EXE[320] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\Explorer.EXE[320] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[400] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] WS2_32.dll!WSASend  71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[1112] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A5000A 
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A6000A 
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A4000C 
.text C:\WINDOWS\System32\svchost.exe[1204] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00F6000A 
.text C:\WINDOWS\System32\svchost.exe[1204] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00FD000A 
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] WS2_32.dll!getaddrinfo  71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2128] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] WS2_32.dll!WSARecvFrom  71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[2172] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\ctfmon.exe[2504] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] WS2_32.dll!closesocket  71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[2624] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] WS2_32.dll!WSARecvFrom  71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[2768] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2904] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2980] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 018C000A 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2980] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0192000A 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2980] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 017A000C 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2980] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2980] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2980] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2980] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E35203E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2980] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FBF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2980] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E352003 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2980] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F4B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2980] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F85 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2980] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352079 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2980] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E20176A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2980] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2980] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2980] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35223B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\taskmgr.exe[3072] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\taskmgr.exe[3072] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3256] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3284] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3296] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\Explorer.EXE[3336] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FF000A 
.text C:\WINDOWS\Explorer.EXE[3336] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0118000A 
.text C:\WINDOWS\Explorer.EXE[3336] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 001A000C 
.text C:\WINDOWS\Explorer.EXE[3336] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\Explorer.EXE[3336] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ws2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ws2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ws2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ws2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ws2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ws2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ws2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ws2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ws2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe[3532] ws2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3568] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\wscntfy.exe[4060] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 30F8D300 C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll (Microsoft Office 2003 component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[6436] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe[6772] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[6896] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe[8140] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] WS2_32.dll!closesocket  71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8368] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 3A25E354 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 3A25E5C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 3A27D524 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 3A25E8F4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] Secur32.dll!EncryptMessage 77FEA68D 5 Bytes JMP 3A2817C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] Secur32.dll!DecryptMessage 77FEA6DC 5 Bytes JMP 3A27D6E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 3A254184 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3A254084 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 3A2820C4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 3A27DBA4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 3A281A14 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 3A283E44 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] WS2_32.dll!send 71AB4C27 5 Bytes JMP 3A281E04 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 3A282964 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 3A281BC4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] WS2_32.dll!recv 71AB676F 5 Bytes JMP 3A282374 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 3A2826D4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 3A27DD84 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 3A281AD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 3A27E0E4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 3A27DFD4 C:\WINDOWS\system32\urigamon.dll
.text C:\WINDOWS\system32\notepad.exe[8644] WS2_32.dll!WSAGetOverlappedResult  71AC0D1B 5 Bytes JMP 3A27DF24 C:\WINDOWS\system32\urigamon.dll
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86C3EAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 86C3EAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86C3EAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 86C3EAEA
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskST3160812AS_____________________________3.ADH___#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Processes - GMER 1.0.15 ----
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [200] 0x3A220000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [224] 0x3A220000 
Library C:\WINDOWS\system32\cpyidimg.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [320] 0x10000000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [320] 0x3A220000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\PROGRA~1\SYMANT~1\VPTray.exe [400] 0x3A220000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [1112] 0x3A220000 
Library C:\WINDOWS\system32\zipahfat\usbabdev\polottbl.dll (*** hidden *** ) @ C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [1112] 0x05290000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2128] 0x3A220000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\PROGRA~1\SYMANT~1\VPTray.exe [2172] 0x3A220000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [2504] 0x3A220000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\WINDOWS\system32\taskmgr.exe [2624] 0x3A220000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\WINDOWS\system32\wscntfy.exe [2768] 0x3A220000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2904] 0x3A220000  
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\IEXPLORE.EXE [2980] 0x3A220000 
Library C:\WINDOWS\system32\zipahfat\usbabdev\polottbl.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\IEXPLORE.EXE [2980] 0x052A0000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\WINDOWS\system32\taskmgr.exe [3072] 0x3A220000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe [3256] 0x3A220000 
Library C:\WINDOWS\system32\zipahfat\usbabdev\polottbl.dll (*** hidden *** ) @ C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe [3256] 0x12770000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe [3284] 0x3A220000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\WINDOWS\system32\NOTEPAD.EXE [3296] 0x3A220000 
Library C:\WINDOWS\system32\cpyidimg.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3336] 0x10000000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3336] 0x3A220000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe [3532] 0x3A220000 
Library C:\WINDOWS\system32\zipahfat\usbabdev\polottbl.dll (*** hidden *** ) @ C:\Documents and Settings\William\Local Settings\Application Data\pwg.exe [3532] 0x10000000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe [3568] 0x3A220000  
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\WINDOWS\system32\wscntfy.exe [4060] 0x3A220000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE [6436] 0x3A220000 
Library C:\WINDOWS\system32\zipahfat\usbabdev\polottbl.dll (*** hidden *** ) @ C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE [6436] 0x06CF0000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\Documents and Settings\2.Kristin\Desktop\HijackThis.exe [6772] 0x3A220000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\WINDOWS\system32\NOTEPAD.EXE [6896] 0x3A220000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\Documents and Settings\2.Kristin\Desktop\m5gyuq9t.exe [8140] 0x3A220000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\WINDOWS\system32\notepad.exe [8368] 0x3A220000 
Library C:\WINDOWS\system32\urigamon.dll (*** hidden *** ) @ C:\WINDOWS\system32\notepad.exe [8644] 0x3A220000 
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sectors 312499744 (+254): rootkit-like behavior; 
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\DRIVERS\kbdclass.sys suspicious modification; TDL3 <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----


----------



## PALV (Mar 10, 2011)

Bumping, as it's been a few days w/ no reply. I understand there are LOTS of folks here with various problems, and there are limited volunteers to assist. I'm trying to be patient - just hoping someone can give me some direction.

Please let me know if there is more info needed, or what my next steps should be. Thanks.

Bill


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Proceed as follows please :-

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

*Combofix*

Don't forget *Combofix* must be saved to your desktop; do not save to or run from anywhere else. *<--Very important*

Before saving Combofix to the Desktop, rename it to Gotcha.exe as below:

Ensure you have *disabled your Firewall and all anti-virus and anti-malware programs* so they do not interfere with the running of ComboFix. *<---Very important*

Please include the *C:\ComboFix.txt* in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

*Disable realtime protection*

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*

- If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
- If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
- If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in your next reply,

Kevin...


----------



## PALV (Mar 10, 2011)

Thanks, Kevin. Will do and respond shortly.

Bill


----------



## kevinf80 (Mar 21, 2006)

OK, post the log when you're ready...


----------



## PALV (Mar 10, 2011)

Kevin -
Combofix log is posted below.
When reconnecting to the internet via IE to post this, the browser was again hijacked to a "Congrats, you've won a $1000 WalMart GiftCard" site. (In case it matters, before connecting, I DID turn back on virus and firewall protection.)

One last thing, there's a Windows Security Alert in the taskbar indicating that my Automatic Windows Update status is off. A Windows Security Center window refers me to Control Panel to make the adjustment - but Automatic Updates appears already selected there. ????

Bill

----
ComboFix 11-03-13.02 - 2.Kristin 03/14/2011 17:00:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.388 [GMT -4:00]
Running from: c:\documents and settings\2.Kristin\Desktop\Gotcha.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\2.Kristin\Recent\Thumbs.db
c:\documents and settings\William\Local Settings\Application Data\pwg.exe
c:\windows\system32\Data
c:\windows\TEMP\pdk-SYSTEM-532\0a6b9f23e356336cc61530f586d0c66a.dll
c:\windows\TEMP\pdk-SYSTEM-532\1ff4eae997b1753d848dbbc61d1b4345.dll
c:\windows\TEMP\pdk-SYSTEM-532\31aa023220b46a62dd91739a3bf1cad4.dll
c:\windows\TEMP\pdk-SYSTEM-532\36971e8ed4d19cc0a7051079b039c204.dll
c:\windows\TEMP\pdk-SYSTEM-532\42db37dadb779dbfc5da8bdd7ec61c52.dll
c:\windows\TEMP\pdk-SYSTEM-532\44abde5de65f3f034faac2c132713018.dll
c:\windows\TEMP\pdk-SYSTEM-532\7aace6f21e4c397996b145b7fd777643.dll
c:\windows\TEMP\pdk-SYSTEM-532\7acaa276f32e012922082aa697dfa218.dll
c:\windows\TEMP\pdk-SYSTEM-532\89f4ac43ba2b792785d9d472365e562b.dll
c:\windows\TEMP\pdk-SYSTEM-532\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
c:\windows\TEMP\pdk-SYSTEM-532\b2774d247dfbf0abe8539e577ee59b4c.dll
.
Infected copy of c:\windows\system32\DRIVERS\mouclass.sys was found and disinfected 
Restored copy from - Kitty had a snack  
.
((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))
.
.
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\dllcache\mouclass.sys
2011-03-12 01:56 . 2011-03-12 01:56 -------- d-----w- c:\documents and settings\2.Kristin\Application Data\Malwarebytes
2011-02-27 20:01 . 2011-02-27 20:02 122562410 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
2011-02-20 15:33 . 2011-02-20 15:33 -------- d-----w- C:\d8b200d1d071d8ad2e
2011-02-20 15:31 . 2011-02-20 15:31 -------- d-----w- C:\c032cdf8429271c9ca
2011-02-17 11:19 . 2011-02-17 11:19 -------- d-----w- c:\documents and settings\William\Local Settings\Application Data\Help
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-08-15 17:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-08-15 17:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-02-10 19:36 . 2008-02-10 19:36 4891136 ----a-w- c:\program files\WeatherbugSetupZ6157.msi
2006-09-23 02:33 . 2006-09-23 02:33 36636224 ----a-w- c:\program files\iTunesSetup.exe
2006-09-23 02:20 . 2006-09-23 02:20 359112 ----a-w- c:\program files\LimeWire.exe
2006-09-20 00:39 . 2006-09-20 00:39 1454005 ----a-w- c:\program files\aresfree.exe
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Aim6"="c:\program files\AIM6\aim6.exe" [N/A]
"Weather"="c:\program files\weatherbug\WeatherBug\Weather.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-25 2356088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
.
c:\documents and settings\2.Kristin\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-2-10 951640]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Task Manager.lnk - c:\windows\system32\taskmgr.exe [2005-8-16 135680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Codifnet"= {4ACC49F0-1D95-4BFB-B8B4-ACD14EB72C19} - c:\windows\system32\cpyidimg.dll [2009-11-12 917504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
.
R2 Reporting;Reporting Agents;c:\program files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe [9/27/2006 2:17 PM 1324808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/11/2011 10:15 AM 102448]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 10:54 AM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-14 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 19:23]
.
2011-03-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-02-28 19:31]
.
2011-03-14 c:\windows\Tasks\WinUtilities-02BB2F56CB964deb8996194DE7EB5275.job
- c:\program files\WinUtilities\WinUtil.exe [2010-08-15 15:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Ocean Express Deluxe - c:\program files\Zylom Games\Ocean Express Deluxe\GameInstlr.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-14 18:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160812AS rev.3.ADH -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86E56EC5]<< 
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8569b872; SUB DWORD [EBP-0x4], 0x8569b12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x871CEAB8]
3 CLASSPNP[0xF7692FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x870344D8]
[0x870E5030] -> IRP_MJ_CREATE -> 0x86E56EC5
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskST3160812AS_____________________________3.ADH___#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86E56AEA
user & kernel MBR OK 
sectors 312499998 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(796)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(7712)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\cpyidimg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\urigamon.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\CBA\pds.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Symantec AntiVirus\DoScan.exe
.
**************************************************************************
.
Completion time: 2011-03-14 19:07:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-14 23:07
.
Pre-Run: 81,228,627,968 bytes free
Post-Run: 86,272,110,592 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 20C4E080EE511DCADD31C0800BB2EFE8


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

As follows please :-

*Please read carefully and follow these steps.*

Download *TDSSKiller* and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and double-click on *TDSSKiller.exe* to run the application, then on *Start Scan.*

If an infected file is detected, the default action will be *Cure*, click on *Continue.*

If a suspicious file is detected, the default action will be *Skip*, click on *Continue.*

It may ask you to reboot the computer to complete the process. Click on *Reboot Now*.

If no reboot is required, click on *Report*. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "*TDSSKiller.[Version]_[Date]_[Time]_log.txt*". Please copy and paste the contents of that file here.

Kevin


----------



## PALV (Mar 10, 2011)

Here you go, Kevin.

BTW - noticed on the last 2 reboots that a New Hardware Wizard pops up - and I haven't installed anything new on the computer. Opened it just to see what it "found" (but didn't execute anything) - and there is only a random character listed under what it wants to install. Closed it out without proceeding.

Something "else" to worry about, or just part of the current infection?

Bill

-------
2011/03/15 05:33:27.0362 8676 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/15 05:33:27.0487 8676 ================================================================================
2011/03/15 05:33:27.0487 8676 SystemInfo:
2011/03/15 05:33:27.0487 8676 
2011/03/15 05:33:27.0487 8676 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/15 05:33:27.0487 8676 Product type: Workstation
2011/03/15 05:33:27.0487 8676 ComputerName: FAMILY
2011/03/15 05:33:27.0487 8676 UserName: 2.Kristin
2011/03/15 05:33:27.0487 8676 Windows directory: C:\WINDOWS
2011/03/15 05:33:27.0487 8676 System windows directory: C:\WINDOWS
2011/03/15 05:33:27.0487 8676 Processor architecture: Intel x86
2011/03/15 05:33:27.0487 8676 Number of processors: 2
2011/03/15 05:33:27.0487 8676 Page size: 0x1000
2011/03/15 05:33:27.0487 8676 Boot type: Normal boot
2011/03/15 05:33:27.0487 8676 ================================================================================
2011/03/15 05:33:27.0815 8676 Initialize success
2011/03/15 05:33:38.0893 8708 ================================================================================
2011/03/15 05:33:38.0893 8708 Scan started
2011/03/15 05:33:38.0893 8708 Mode: Manual; 
2011/03/15 05:33:38.0893 8708 ================================================================================
2011/03/15 05:33:39.0377 8708 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/03/15 05:33:39.0471 8708 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/15 05:33:39.0534 8708 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/15 05:33:39.0596 8708 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/03/15 05:33:39.0659 8708 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/15 05:33:39.0705 8708 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/03/15 05:33:39.0768 8708 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/03/15 05:33:39.0815 8708 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/03/15 05:33:39.0909 8708 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/03/15 05:33:39.0971 8708 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/03/15 05:33:40.0018 8708 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/03/15 05:33:40.0112 8708 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/03/15 05:33:40.0174 8708 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/03/15 05:33:40.0268 8708 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/03/15 05:33:40.0330 8708 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/03/15 05:33:40.0362 8708 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/03/15 05:33:40.0409 8708 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/03/15 05:33:40.0440 8708 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/03/15 05:33:40.0487 8708 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2011/03/15 05:33:40.0565 8708 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/15 05:33:40.0627 8708 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/15 05:33:40.0737 8708 ati2mtag (03621f7f968ff63713943405deb777f9) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/03/15 05:33:40.0955 8708 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/15 05:33:41.0018 8708 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/15 05:33:41.0065 8708 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/15 05:33:41.0190 8708 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/03/15 05:33:41.0252 8708 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/15 05:33:41.0330 8708 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/03/15 05:33:41.0393 8708 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/03/15 05:33:41.0455 8708 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/15 05:33:41.0502 8708 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/15 05:33:41.0549 8708 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/15 05:33:41.0705 8708 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/03/15 05:33:41.0784 8708 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/03/15 05:33:41.0877 8708 ctsfm2k (8db84de3aab34a8b4c2f644eff41cd76) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
2011/03/15 05:33:41.0955 8708 CTUSFSYN (4ee8822adb764edd28ce44e808097995) C:\WINDOWS\system32\drivers\ctusfsyn.sys
2011/03/15 05:33:42.0018 8708 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/03/15 05:33:42.0049 8708 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/03/15 05:33:42.0127 8708 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/15 05:33:42.0221 8708 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2011/03/15 05:33:42.0299 8708 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2011/03/15 05:33:42.0346 8708 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS
2011/03/15 05:33:42.0409 8708 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2011/03/15 05:33:42.0455 8708 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2011/03/15 05:33:42.0518 8708 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2011/03/15 05:33:42.0627 8708 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
2011/03/15 05:33:42.0659 8708 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2011/03/15 05:33:42.0690 8708 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2011/03/15 05:33:42.0799 8708 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/15 05:33:42.0924 8708 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/15 05:33:42.0955 8708 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/15 05:33:43.0018 8708 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/15 05:33:43.0065 8708 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/03/15 05:33:43.0143 8708 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/15 05:33:43.0205 8708 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2011/03/15 05:33:43.0237 8708 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2011/03/15 05:33:43.0377 8708 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
2011/03/15 05:33:43.0471 8708 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
2011/03/15 05:33:43.0518 8708 E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/03/15 05:33:43.0612 8708 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/03/15 05:33:43.0705 8708 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/03/15 05:33:43.0893 8708 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/15 05:33:43.0955 8708 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/03/15 05:33:44.0018 8708 FilterService (bcef16e3aedd1b44bca45f748d975d73) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
2011/03/15 05:33:44.0080 8708 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/15 05:33:44.0143 8708 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/03/15 05:33:44.0221 8708 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/03/15 05:33:44.0252 8708 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/15 05:33:44.0299 8708 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/15 05:33:44.0377 8708 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/03/15 05:33:44.0424 8708 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/15 05:33:44.0487 8708 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/03/15 05:33:44.0549 8708 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/15 05:33:44.0643 8708 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/03/15 05:33:44.0721 8708 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/03/15 05:33:44.0784 8708 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/03/15 05:33:44.0846 8708 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/03/15 05:33:44.0924 8708 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2011/03/15 05:33:45.0034 8708 HSF_DP (668629c3b9ca8ef07cf2ccbd86bb6b2b) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2011/03/15 05:33:45.0174 8708 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/15 05:33:45.0221 8708 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/03/15 05:33:45.0268 8708 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/03/15 05:33:45.0299 8708 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/15 05:33:45.0424 8708 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/15 05:33:45.0502 8708 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/03/15 05:33:45.0612 8708 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/03/15 05:33:45.0659 8708 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/03/15 05:33:45.0705 8708 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/03/15 05:33:45.0768 8708 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/15 05:33:45.0830 8708 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/15 05:33:45.0924 8708 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/15 05:33:45.0955 8708 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/15 05:33:46.0002 8708 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/15 05:33:46.0065 8708 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/15 05:33:46.0096 8708 Kbdclass (0395e7c581225efd1dbf46e09086fb20) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/15 05:33:46.0096 8708 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: 0395e7c581225efd1dbf46e09086fb20, Fake md5: 463c1ec80cd17420a542b7f36a36f128
2011/03/15 05:33:46.0112 8708 Kbdclass - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/03/15 05:33:46.0143 8708 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/15 05:33:46.0174 8708 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/15 05:33:46.0252 8708 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/15 05:33:46.0440 8708 LVcKap (8113133ec42dd6c566908008ce913edd) C:\WINDOWS\system32\DRIVERS\LVcKap.sys
2011/03/15 05:33:46.0721 8708 LVMVDrv (0dd5b8af4917a2821047450195c511b3) C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys
2011/03/15 05:33:46.0955 8708 lvpopflt (e1158b0cb852db0573922c92e6e564de) C:\WINDOWS\system32\DRIVERS\lvpopflt.sys
2011/03/15 05:33:47.0143 8708 LVPr2Mon (406b1d186f75b4b4832d6237859e1b00) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
2011/03/15 05:33:47.0237 8708 LVUSBSta (be5e104be263921d6842c555db6a5c23) C:\WINDOWS\system32\drivers\LVUSBSta.sys
2011/03/15 05:33:47.0393 8708 LVUVC (eacd1eb2d82ed2adc753afeee1d4d660) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
2011/03/15 05:33:47.0596 8708 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/03/15 05:33:47.0690 8708 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2011/03/15 05:33:47.0768 8708 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/15 05:33:47.0862 8708 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/15 05:33:47.0924 8708 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/03/15 05:33:48.0034 8708 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
2011/03/15 05:33:48.0112 8708 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/15 05:33:48.0190 8708 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/15 05:33:48.0252 8708 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/15 05:33:48.0315 8708 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/03/15 05:33:48.0393 8708 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/15 05:33:48.0518 8708 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/15 05:33:48.0627 8708 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/15 05:33:48.0705 8708 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/15 05:33:48.0768 8708 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/15 05:33:48.0862 8708 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/15 05:33:48.0924 8708 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/15 05:33:48.0971 8708 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/03/15 05:33:49.0018 8708 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/15 05:33:49.0065 8708 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/03/15 05:33:49.0205 8708 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110310.003\naveng.sys
2011/03/15 05:33:49.0284 8708 NAVEX15 (94b3164055d821a62944d9fe84036470) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110310.003\navex15.sys
2011/03/15 05:33:49.0502 8708 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/15 05:33:49.0549 8708 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/03/15 05:33:49.0612 8708 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/15 05:33:49.0674 8708 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/15 05:33:49.0721 8708 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/15 05:33:49.0799 8708 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/15 05:33:49.0846 8708 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/15 05:33:49.0909 8708 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/15 05:33:50.0002 8708 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/15 05:33:50.0065 8708 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/15 05:33:50.0127 8708 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/15 05:33:50.0237 8708 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/03/15 05:33:50.0409 8708 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/15 05:33:50.0471 8708 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/15 05:33:50.0565 8708 ossrv (103a9b117a7d9903111955cdafe65ac6) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
2011/03/15 05:33:50.0627 8708 PalmUSBD (240c0d4049a833b16b63b636acf01672) C:\WINDOWS\system32\drivers\PalmUSBD.sys
2011/03/15 05:33:50.0674 8708 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/03/15 05:33:50.0721 8708 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/15 05:33:50.0768 8708 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/15 05:33:50.0784 8708 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/15 05:33:50.0815 8708 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/03/15 05:33:50.0877 8708 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/03/15 05:33:51.0112 8708 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/03/15 05:33:51.0174 8708 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/03/15 05:33:51.0284 8708 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/15 05:33:51.0315 8708 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/15 05:33:51.0471 8708 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/15 05:33:51.0549 8708 PxHelp20 (0c8da0a8b0d227319c285e0eae65defd) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/03/15 05:33:51.0596 8708 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/03/15 05:33:51.0643 8708 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/03/15 05:33:51.0690 8708 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/03/15 05:33:51.0721 8708 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/03/15 05:33:51.0752 8708 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/03/15 05:33:51.0799 8708 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/15 05:33:51.0862 8708 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/15 05:33:52.0034 8708 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/15 05:33:52.0096 8708 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/15 05:33:52.0174 8708 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/15 05:33:52.0252 8708 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/15 05:33:52.0362 8708 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/03/15 05:33:52.0455 8708 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/15 05:33:52.0534 8708 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/15 05:33:52.0659 8708 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
2011/03/15 05:33:52.0737 8708 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/03/15 05:33:52.0830 8708 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/03/15 05:33:52.0924 8708 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys
2011/03/15 05:33:52.0971 8708 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
2011/03/15 05:33:53.0112 8708 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/15 05:33:53.0205 8708 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/03/15 05:33:53.0284 8708 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/03/15 05:33:53.0393 8708 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/15 05:33:53.0518 8708 sigfilt (6bd3976b881888ac9a0ed3eb94e7fd38) C:\WINDOWS\system32\drivers\sigfilt.sys
2011/03/15 05:33:53.0752 8708 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/03/15 05:33:53.0846 8708 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/03/15 05:33:54.0002 8708 SMNDIS5 (4ef5ea44583c37383c289d4b8c354698) C:\PROGRA~1\VERIZO~2\VZACCE~1\SMNDIS5.SYS
2011/03/15 05:33:54.0174 8708 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/03/15 05:33:54.0268 8708 SPBBCDrv (677b10906838d3bfb1c07ac9087e4bf7) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2011/03/15 05:33:54.0424 8708 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/15 05:33:54.0487 8708 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/15 05:33:54.0580 8708 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/15 05:33:54.0659 8708 STHDA (b95480c92c4c9c311be47b8a1ad73770) C:\WINDOWS\system32\drivers\sthda.sys
2011/03/15 05:33:54.0705 8708 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/03/15 05:33:54.0752 8708 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/15 05:33:54.0799 8708 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/15 05:33:54.0846 8708 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/03/15 05:33:54.0877 8708 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/03/15 05:33:54.0955 8708 SymEvent (de6d1102d55926354171ae4e73936725) C:\Program Files\Symantec\SYMEVENT.SYS
2011/03/15 05:33:55.0065 8708 SYMREDRV (6c0a85982f4e0d672b85a2bfb50a24b5) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2011/03/15 05:33:55.0112 8708 SYMTDI (cdda3ba3f7d5b63ff9f85cb478c11473) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2011/03/15 05:33:55.0174 8708 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/03/15 05:33:55.0205 8708 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/03/15 05:33:55.0284 8708 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/15 05:33:55.0424 8708 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/15 05:33:55.0455 8708 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/15 05:33:55.0502 8708 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/15 05:33:55.0549 8708 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/15 05:33:55.0612 8708 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/03/15 05:33:55.0690 8708 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/15 05:33:55.0768 8708 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/03/15 05:33:55.0846 8708 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/15 05:33:55.0987 8708 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/03/15 05:33:56.0049 8708 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/03/15 05:33:56.0112 8708 usbbus (d9f3bb7c292f194f3b053ce295754eb8) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
2011/03/15 05:33:56.0174 8708 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/15 05:33:56.0237 8708 UsbDiag (c4f77da649f99fad116ea585376fc164) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
2011/03/15 05:33:56.0299 8708 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/15 05:33:56.0362 8708 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/15 05:33:56.0455 8708 USBModem (c0613ce45e617bc671de8ebb1b30d175) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
2011/03/15 05:33:56.0502 8708 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/03/15 05:33:56.0549 8708 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/03/15 05:33:56.0596 8708 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/15 05:33:56.0643 8708 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/15 05:33:56.0674 8708 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/15 05:33:56.0721 8708 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/03/15 05:33:56.0768 8708 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/03/15 05:33:56.0815 8708 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/15 05:33:56.0862 8708 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/15 05:33:56.0987 8708 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/03/15 05:33:57.0159 8708 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/15 05:33:57.0268 8708 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/03/15 05:33:57.0440 8708 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/03/15 05:33:57.0502 8708 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/03/15 05:33:57.0596 8708 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/03/15 05:33:57.0674 8708 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/03/15 05:33:57.0721 8708 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/03/15 05:33:57.0799 8708 ================================================================================
2011/03/15 05:33:57.0799 8708 Scan finished
2011/03/15 05:33:57.0799 8708 ================================================================================
2011/03/15 05:33:57.0815 8700 Detected object count: 1
2011/03/15 05:34:50.0127 8700 Kbdclass (0395e7c581225efd1dbf46e09086fb20) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/15 05:34:50.0127 8700 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: 0395e7c581225efd1dbf46e09086fb20, Fake md5: 463c1ec80cd17420a542b7f36a36f128
2011/03/15 05:34:51.0659 8700 Backup copy found, using it..
2011/03/15 05:34:51.0705 8700 C:\WINDOWS\system32\DRIVERS\kbdclass.sys - will be cured after reboot
2011/03/15 05:34:51.0705 8700 Rootkit.Win32.TDSS.tdl3(Kbdclass) - User select action: Cure 
2011/03/15 05:37:07.0862 8660 Deinitialize success
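Kevin's reading of the log above (one flagged keyboard driver out of a couple of hundred enumerated ones) is what a helper has to pick out by hand from a posted TDSSKiller log. As an added example, not part of this thread and not code from TDSSKiller or Kaspersky, here is a small Python parser for that log format. The sample lines are constructed from the log Bill posted: the Kbdclass entries, hashes and verdict lines are the ones shown above, and the rest of the enumeration is trimmed to a single line. The code reports the two hashes exactly as the tool labels them and makes no claim about which of the two is the clean copy, since the log does not say.

```python
"""Parse a TDSSKiller log and pull out what a helper actually needs: which of the
enumerated drivers was flagged, why (two hashes for one file), and what was done about it."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One log line: "<date> <time> <thread id> <message>"
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s*(.*)$")
# Plain enumeration entry: "<service> (<md5>) <path>"
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-fA-F]{32})\) (.+)$")
# Forged-file verdict: TDSSKiller obtained two different hashes for the same file
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (.+)\. Real md5: ([0-9a-fA-F]{32}), Fake md5: ([0-9a-fA-F]{32})$")
DETECT_RE = re.compile(r"^(\S+) - detected (\S+) \(\d+\)$")
REBOOT_RE = re.compile(r"^(.+) - will be cured after reboot$")
ACTION_RE = re.compile(r"^(\S+)\((\S+)\) - User select action: (\w+)\s*$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")

# Constructed sample: the Kbdclass entries, hashes and verdict lines are copied from the
# log posted above; the hundreds of other enumeration lines are trimmed to one.
SAMPLE_LOG = r"""
2011/03/15 05:33:38.0893 8708 Scan started
2011/03/15 05:33:46.0096 8708 Kbdclass (0395e7c581225efd1dbf46e09086fb20) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/15 05:33:46.0096 8708 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: 0395e7c581225efd1dbf46e09086fb20, Fake md5: 463c1ec80cd17420a542b7f36a36f128
2011/03/15 05:33:46.0112 8708 Kbdclass - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/03/15 05:33:46.0143 8708 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/15 05:33:57.0799 8708 Scan finished
2011/03/15 05:33:57.0815 8700 Detected object count: 1
2011/03/15 05:34:50.0127 8700 Kbdclass (0395e7c581225efd1dbf46e09086fb20) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/15 05:34:51.0705 8700 C:\WINDOWS\system32\DRIVERS\kbdclass.sys - will be cured after reboot
2011/03/15 05:34:51.0705 8700 Rootkit.Win32.TDSS.tdl3(Kbdclass) - User select action: Cure
"""


@dataclass
class Finding:
    service: str
    path: str
    verdict: Optional[str] = None       # e.g. Rootkit.Win32.TDSS.tdl3
    real_md5: Optional[str] = None      # the hash TDSSKiller labels "Real md5"
    fake_md5: Optional[str] = None      # the hash TDSSKiller labels "Fake md5"
    action: Optional[str] = None        # Cure / Skip / Delete, as chosen in the dialog
    reboot_required: bool = False


def parse_tdsskiller(text: str) -> Dict[str, object]:
    drivers: Dict[str, str] = {}          # service name -> path, as enumerated by the scan
    findings: Dict[str, Finding] = {}     # keyed by lower-cased path
    declared: Optional[int] = None

    def finding_for(service: Optional[str], path: Optional[str]) -> Finding:
        # Resolve whichever of service/path the line gives us to one Finding record
        if path is None:
            path = drivers.get(service, service)
        if service is None:
            service = next((s for s, p in drivers.items() if p.lower() == path.lower()), path)
        return findings.setdefault(path.lower(), Finding(service=service, path=path))

    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue                      # banners, blank lines, "SystemInfo:" block
        body = m.group(3)
        if (d := DRIVER_RE.match(body)):
            drivers[d.group(1)] = d.group(3)
        elif (f := FORGED_RE.match(body)):
            fnd = finding_for(None, f.group(1))
            fnd.real_md5, fnd.fake_md5 = f.group(2).lower(), f.group(3).lower()
        elif (v := DETECT_RE.match(body)):
            finding_for(v.group(1), None).verdict = v.group(2)
        elif (r := REBOOT_RE.match(body)):
            finding_for(None, r.group(1)).reboot_required = True
        elif (a := ACTION_RE.match(body)):
            fnd = finding_for(a.group(2), None)
            fnd.verdict, fnd.action = fnd.verdict or a.group(1), a.group(3)
        elif (c := COUNT_RE.match(body)):
            declared = int(c.group(1))

    return {
        "enumerated_drivers": len(drivers),
        "declared_count": declared,
        "findings": list(findings.values()),
        # The tool's own object count should equal what was reconstructed; a mismatch means
        # a truncated paste or a changed line format, not a clean machine.
        "count_matches": declared == len(findings),
    }


def triage(summary: Dict[str, object]) -> List[str]:
    """One line per finding, in the form a helper would quote back in a reply."""
    out = []
    for f in summary["findings"]:
        if f.real_md5 and f.fake_md5 and f.real_md5 != f.fake_md5:
            why = f"file hashes differently on two reads ({f.real_md5} vs {f.fake_md5})"
        else:
            why = "no hash mismatch recorded"
        pending = ", completes after reboot" if f.reboot_required else ""
        out.append(f"{f.service} {f.path}: {f.verdict or 'no verdict'}; {why}; "
                   f"action={f.action or 'none'}{pending}")
    return out


if __name__ == "__main__":
    for line in triage(parse_tdsskiller(SAMPLE_LOG)):
        print(line)
```

Run against the full log above it prints a single line for Kbdclass with the verdict, both hashes and the "Cure" action; `count_matches` going false on a pasted log is the quickest way to notice that a poster trimmed or mangled the file before pasting it.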


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

TDSSKiller just nailed an infected driver for your keyboard, which is probably why you got the Hardware install prompt. OK, delete Combofix from your Desktop and download a fresh copy from either of the following links:

*Link 1*
*Link 2*

Rename and run as before. Let me see the log in your next reply please, along with an update on any remaining issues.

Kevin


----------



## PALV (Mar 10, 2011)

Kevin -
Latest Combofix log, below.

As far as remaining issues :

- New Hardware Wizard no longer loads upon reboot/start up.

- Redirects/hijacks "seem" to be gone (hopefully!)

- Windows Security Center still reporting Auto Updates not turned on (red shield in taskbar). When I open it and attempt to turn on Updates, a secondary window opens indicating that Security Center cannot turn them on and refers me to Control Panel -> System to activate them. Doing so shows Auto Updates ARE active. Your thoughts on whether the taskbar icon is a false warning, an error in Windows Security Center, or another malware/virus infection?

Bill

----

ComboFix 11-03-14.06 - 2.Kristin 03/15/2011 7:17.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.325 [GMT -4:00]
Running from: c:\documents and settings\2.Kristin\Desktop\Gotcha.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\TEMP\pdk-SYSTEM-1104\0a6b9f23e356336cc61530f586d0c66a.dll
c:\windows\TEMP\pdk-SYSTEM-1104\1ff4eae997b1753d848dbbc61d1b4345.dll
c:\windows\TEMP\pdk-SYSTEM-1104\31aa023220b46a62dd91739a3bf1cad4.dll
c:\windows\TEMP\pdk-SYSTEM-1104\36971e8ed4d19cc0a7051079b039c204.dll
c:\windows\TEMP\pdk-SYSTEM-1104\42db37dadb779dbfc5da8bdd7ec61c52.dll
c:\windows\TEMP\pdk-SYSTEM-1104\44abde5de65f3f034faac2c132713018.dll
c:\windows\TEMP\pdk-SYSTEM-1104\7aace6f21e4c397996b145b7fd777643.dll
c:\windows\TEMP\pdk-SYSTEM-1104\7acaa276f32e012922082aa697dfa218.dll
c:\windows\TEMP\pdk-SYSTEM-1104\89f4ac43ba2b792785d9d472365e562b.dll
c:\windows\TEMP\pdk-SYSTEM-1104\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
c:\windows\TEMP\pdk-SYSTEM-1104\b2774d247dfbf0abe8539e577ee59b4c.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-15 to 2011-03-15 )))))))))))))))))))))))))))))))
.
.
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\dllcache\mouclass.sys
2011-03-12 01:56 . 2011-03-12 01:56 -------- d-----w- c:\documents and settings\2.Kristin\Application Data\Malwarebytes
2011-02-27 20:01 . 2011-02-27 20:02 122562410 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
2011-02-20 15:33 . 2011-02-20 15:33 -------- d-----w- C:\d8b200d1d071d8ad2e
2011-02-20 15:31 . 2011-02-20 15:31 -------- d-----w- C:\c032cdf8429271c9ca
2011-02-17 11:19 . 2011-02-17 11:19 -------- d-----w- c:\documents and settings\William\Local Settings\Application Data\Help
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 09:38 . 2004-08-04 02:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-12-20 23:09 . 2010-08-15 17:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-08-15 17:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-02-10 19:36 . 2008-02-10 19:36 4891136 ----a-w- c:\program files\WeatherbugSetupZ6157.msi
2006-09-23 02:33 . 2006-09-23 02:33 36636224 ----a-w- c:\program files\iTunesSetup.exe
2006-09-23 02:20 . 2006-09-23 02:20 359112 ----a-w- c:\program files\LimeWire.exe
2006-09-20 00:39 . 2006-09-20 00:39 1454005 ----a-w- c:\program files\aresfree.exe
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 21:46 . 2007-11-13 21:46 135168 c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Aim6"="c:\program files\AIM6\aim6.exe" [N/A]
"Weather"="c:\program files\weatherbug\WeatherBug\Weather.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-25 2356088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
.
c:\documents and settings\2.Kristin\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-2-10 951640]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Task Manager.lnk - c:\windows\system32\taskmgr.exe [2005-8-16 135680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Codifnet"= {4ACC49F0-1D95-4BFB-B8B4-ACD14EB72C19} - c:\windows\system32\cpyidimg.dll [2009-11-12 917504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
.
R2 Reporting;Reporting Agents;c:\program files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe [9/27/2006 2:17 PM 1324808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/11/2011 10:15 AM 102448]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 10:54 AM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-15 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 19:23]
.
2011-03-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-02-28 19:31]
.
2011-03-15 c:\windows\Tasks\WinUtilities-02BB2F56CB964deb8996194DE7EB5275.job
- c:\program files\WinUtilities\WinUtil.exe [2010-08-15 15:28]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-klmdb.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-15 07:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(440)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\cpyidimg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\urigamon.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\zipahfat\usbabdev\polottbl.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\CBA\pds.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Symantec AntiVirus\DoScan.exe
.
**************************************************************************
.
Completion time: 2011-03-15 07:45:49 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-15 11:45
ComboFix2.txt 2011-03-14 23:07
.
Pre-Run: 86,310,957,056 bytes free
Post-Run: 86,295,662,592 bytes free
.
- - End Of File - - EF55CD4D0A1491B06E9E78AA09A6ED40


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

There is still a lot of bad stuff on your system. Proceed as follows please :-

*Step 1*

I need you to show hidden files and folders, follow the instructions *Here* unless you already know how.

*Step 2*

*Upload a File to Virustotal*
Please visit *Virustotal*

- Click the *Browse...* button
- Navigate to the file *C:\WINDOWS\system32\urigamon.dll*
- Click the *Open* button
- Click the *Send* button
- If you get a message saying File has already been analyzed: click Reanalyze file now
- Copy and paste the results back here please.
- Repeat the above steps for the following files
*C:\WINDOWS\system32\cpyidimg.dll
C:\WINDOWS\system32\zipahfat\usbabdev\polottbl.dll*

*Step 3*

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

Download FindAWF.exe from *here* or *here*, and save it to your desktop.

Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.

1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT

Press 1, then press Enter
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file in your next reply.

What I'd like in your reply :-


- Results from VirusTotal on the 3 suspect files
- Log from FindAWF

Kevin..


----------



## PALV (Mar 10, 2011)

Kevin - 
Hidden and System files now shown. After accessing VirusTotal, locating the files and hitting "send" - a short window (against a black screen) flashes, but too fast for me to read it entirely (something about not closing until upload ends.....) Screen then quickly returns to where I was - no mention about reanalyzing and no type of report results. Happens for all 3 files noted. Not sure if there's something else I need to do or if the files are causing the problem - but no progress with VirusTotal at this point. Suggestions?


----------



## kevinf80 (Mar 21, 2006)

OK Bill, let's try with Jotti....

We need to upload a file to *Jotti*

1. Click *HERE* to get to Jotti's site.

2. At the top of the Jotti window, use the *Browse* button to locate the following file on your system:

*C:\WINDOWS\system32\urigamon.dll*

3. Once you have located the file, click *SUBMIT* and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

5. Please repeat steps 2-4 for the following files:

*C:\WINDOWS\system32\cpyidimg.dll
C:\WINDOWS\system32\zipahfat\usbabdev\polottbl.dll*

Kevin


----------



## PALV (Mar 10, 2011)

OK - using Jotti, all three files result in a status of "File is empty (0 bytes)!" and no upload progress occurs.


----------



## kevinf80 (Mar 21, 2006)

OK Bill, proceed as follows please :-

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the Codebox below into it:


```
KillAll::

File::
C:\WINDOWS\system32\cpyidimg.dll
C:\WINDOWS\system32\urigamon.dll
Folder::
C:\d8b200d1d071d8ad2e
C:\c032cdf8429271c9ca
C:\WINDOWS\system32\zipahfat
c:\program files\Ask.com
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
```
Save this as *CFScript.txt*, and as Type: *All Files* (*.*) in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.

Next,

Please download *Malwarebytes* Anti-Malware and save it to your desktop.
*Alternative D/L mirror*
*Alternative D/L mirror*

Double Click mbam-setup.exe to install the application.

- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Post logs from Combofix and Malwarebytes in next reply,

Kevin


----------



## PALV (Mar 10, 2011)

Kevin - 
Latest ComboFix + Mbam logs:

ComboFix 11-03-14.06 - 2.Kristin 03/15/2011 17:59:25.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.474 [GMT -4:00]
Running from: c:\documents and settings\2.Kristin\Desktop\Gotcha.exe
Command switches used :: c:\documents and settings\2.Kristin\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
FILE ::
"c:\windows\system32\cpyidimg.dll"
"c:\windows\system32\urigamon.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\c032cdf8429271c9ca
c:\c032cdf8429271c9ca\$shtdwn$.req
c:\c032cdf8429271c9ca\install.exe
c:\c032cdf8429271c9ca\install.res.dll
c:\c032cdf8429271c9ca\silverlight.7z
c:\c032cdf8429271c9ca\silverlight.msi
C:\d8b200d1d071d8ad2e
c:\d8b200d1d071d8ad2e\$shtdwn$.req
c:\d8b200d1d071d8ad2e\install.exe
c:\d8b200d1d071d8ad2e\install.res.dll
c:\d8b200d1d071d8ad2e\silverlight.7z
c:\d8b200d1d071d8ad2e\silverlight.msi
c:\program files\Ask.com
c:\program files\Ask.com\cobrand.ico
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\favicon.ico
c:\program files\Ask.com\fv_55.ico
c:\program files\Ask.com\GenericAskToolbar.dll
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\SaUpdate.exe
c:\program files\Ask.com\UpdateTask.exe
c:\windows\system32\cpyidimg.dll
c:\windows\system32\urigamon.dll
c:\windows\system32\zipahfat
c:\windows\system32\zipahfat\1B26CB114CB624D028E20CDCB98229EBF6D0542A.suv
c:\windows\system32\zipahfat\83A9FA0F56E3804472DFD64FE36BEFBD919C6FCA.suv
c:\windows\system32\zipahfat\A04E5C46EB08A694C02D501EAF081B44E82354FE.suv
c:\windows\system32\zipahfat\A90E8C9866D1A31855801A1D2CF48E10817C38DB.suv
c:\windows\system32\zipahfat\BF2D4C074445D040FF46287841F09F6526B126E7.suv
c:\windows\system32\zipahfat\DD78291977670C0AC312835DABB25F4DB5F1B459.suv
c:\windows\system32\zipahfat\dlgaberr.ocx
c:\windows\system32\zipahfat\F1A5C7E71C16FE12AF9BE306043CE5E9D91D5EF7.suv
c:\windows\system32\zipahfat\usbabdev\polottbl.dll
c:\windows\TEMP\pdk-SYSTEM-392\0a6b9f23e356336cc61530f586d0c66a.dll
c:\windows\TEMP\pdk-SYSTEM-392\1ff4eae997b1753d848dbbc61d1b4345.dll
c:\windows\TEMP\pdk-SYSTEM-392\31aa023220b46a62dd91739a3bf1cad4.dll
c:\windows\TEMP\pdk-SYSTEM-392\36971e8ed4d19cc0a7051079b039c204.dll
c:\windows\TEMP\pdk-SYSTEM-392\42db37dadb779dbfc5da8bdd7ec61c52.dll
c:\windows\TEMP\pdk-SYSTEM-392\44abde5de65f3f034faac2c132713018.dll
c:\windows\TEMP\pdk-SYSTEM-392\7aace6f21e4c397996b145b7fd777643.dll
c:\windows\TEMP\pdk-SYSTEM-392\7acaa276f32e012922082aa697dfa218.dll
c:\windows\TEMP\pdk-SYSTEM-392\89f4ac43ba2b792785d9d472365e562b.dll
c:\windows\TEMP\pdk-SYSTEM-392\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
c:\windows\TEMP\pdk-SYSTEM-392\b2774d247dfbf0abe8539e577ee59b4c.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-15 to 2011-03-15 )))))))))))))))))))))))))))))))
.
.
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\dllcache\mouclass.sys
2011-03-12 01:56 . 2011-03-12 01:56 -------- d-----w- c:\documents and settings\2.Kristin\Application Data\Malwarebytes
2011-02-27 20:01 . 2011-02-27 20:02 122562410 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
2011-02-17 11:19 . 2011-02-17 11:19 -------- d-----w- c:\documents and settings\William\Local Settings\Application Data\Help
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 09:38 . 2004-08-04 02:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-12-20 23:09 . 2010-08-15 17:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-08-15 17:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-02-10 19:36 . 2008-02-10 19:36 4891136 ----a-w- c:\program files\WeatherbugSetupZ6157.msi
2006-09-23 02:33 . 2006-09-23 02:33 36636224 ----a-w- c:\program files\iTunesSetup.exe
2006-09-23 02:20 . 2006-09-23 02:20 359112 ----a-w- c:\program files\LimeWire.exe
2006-09-20 00:39 . 2006-09-20 00:39 1454005 ----a-w- c:\program files\aresfree.exe
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 21:46 . 2007-11-13 21:46 135168 c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe
.
2007-05-11 07:06 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2008-01-12 03:16 . 2008-01-12 03:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
2006-08-11 12:38 . 2005-08-06 01:05 344064 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
.
2005-06-10 14:44 . 2005-06-10 14:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
.
2005-06-10 14:44 . 2005-06-10 14:44 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
.
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\ccApp.exe
.
2006-08-11 12:40 . 2004-12-02 22:23 102400 c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe
.
2006-08-11 12:39 . 2005-09-15 13:47 57344 c:\program files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe
.
2006-08-11 12:40 . 2005-09-19 11:42 1159168 c:\program files\Creative\VoiceCenter\bak\AndreaVC.exe
.
2005-10-05 07:12 . 2005-10-05 07:12 94208 c:\program files\Dell\Media Experience\bak\DMXLauncher.exe
.
2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe
.
2007-11-02 23:36 . 2007-11-02 23:36 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2009-10-29 00:21 . 2009-10-29 00:21 141600 c:\program files\iTunes\iTunesHelper.exe
.
2007-09-02 11:14 . 2007-07-12 08:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe
.
2007-10-20 01:16 . 2007-10-20 01:16 286720 c:\program files\QuickTime\bak\qttask.exe
2009-09-05 05:54 . 2009-09-05 05:54 417792 c:\program files\QuickTime\QTTask.exe
.
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\bak\VPTray.exe
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\VPTray.exe
.
2006-08-22 03:30 . 2005-05-23 17:20 50744 c:\program files\Verizon Online\Help Support\bak\VERIZO~1.EXE
.
2006-08-11 12:39 . 2000-05-11 05:00 90112 c:\windows\bak\UpdReg.EXE
.
2005-08-16 08:37 . 2005-09-29 18:01 67584 c:\windows\ehome\bak\ehtray.exe
.
2005-08-16 08:18 . 2004-08-10 09:00 15360 c:\windows\system32\bak\ctfmon.exe
2005-08-16 08:18 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe
.
2006-08-11 12:52 . 2005-09-08 09:20 122940 c:\windows\system32\DLA\bak\DLACTRLW.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Weather"="c:\program files\weatherbug\WeatherBug\Weather.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Task Manager.lnk - c:\windows\system32\taskmgr.exe [2005-8-16 135680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-11-25 17:26 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
c:\program files\AIM6\aim6.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/15/2010 1:55 PM 363344]
R2 Reporting;Reporting Agents;c:\program files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe [9/27/2006 2:17 PM 1324808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/11/2011 10:15 AM 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/15/2010 1:55 PM 20952]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 10:54 AM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-02-28 19:31]
.
2011-03-15 c:\windows\Tasks\WinUtilities-02BB2F56CB964deb8996194DE7EB5275.job
- c:\program files\WinUtilities\WinUtil.exe [2010-08-15 15:28]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
SSODL-Codifnet-{4ACC49F0-1D95-4BFB-B8B4-ACD14EB72C19} - c:\windows\system32\cpyidimg.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-15 18:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4032)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\CBA\pds.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-03-15 18:33:34 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-15 22:33
ComboFix2.txt 2011-03-15 11:45
ComboFix3.txt 2011-03-14 23:07
.
Pre-Run: 87,148,744,704 bytes free
Post-Run: 87,202,426,880 bytes free
.
- - End Of File - - 48277B2BA1EF3D9542F1F349733F5899

------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6069
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
3/15/2011 6:43:46 PM
mbam-log-2011-03-15 (18-43-46).txt
Scan type: Quick scan
Objects scanned: 198920
Time elapsed: 8 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

As follows please :

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the Codebox below into it:


```
KillAll::

AWF::
2007-11-02 23:36 . 2007-11-02 23:36 267048 c:\program files\iTunes\bak\iTunesHelper.exe
```
Save this as *CFScript.txt*, and as Type: *All Files* (*.*) in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.

Post the log and give update on current issues...

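The AWF trojan described earlier in this thread swaps a legitimate autostart executable for an infected copy and parks the original in a `bak` folder, and the `AWF::` CFScript above restores exactly one such pair (the `iTunesHelper.exe` whose live copy has a different size from its backup). The script below is an added example, not part of the thread, FindAWF or ComboFix: it parses the `AWF` section of a ComboFix log (sample lines constructed from the log quoted above), pairs each `bak` file with its live counterpart, flags the pairs whose sizes differ as the ones needing restoration, and emits the corresponding `AWF::` block in CFScript format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the AWF section as ComboFix prints it, taken from the
# log lines quoted in this thread (three pairs chosen to show each case).
SAMPLE_AWF = r"""
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 21:46 . 2007-11-13 21:46 135168 c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe
.
2007-05-11 07:06 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2008-01-12 03:16 . 2008-01-12 03:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
2007-11-02 23:36 . 2007-11-02 23:36 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2009-10-29 00:21 . 2009-10-29 00:21 141600 c:\program files\iTunes\iTunesHelper.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
"""

# "<created> . <modified> <size> <path>" is the line layout of the AWF section.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (.+)$"
)
SECTION_MARK = "( AWF )"


@dataclass
class Entry:
    raw: str       # the line exactly as ComboFix printed it (reused in CFScript)
    size: int
    path: str
    is_bak: bool   # True when the file sits inside a \bak\ folder


def parse_awf_section(log: str) -> List[Entry]:
    """Return the file entries listed between the AWF header and the next section."""
    entries: List[Entry] = []
    in_awf = False
    for line in log.splitlines():
        if SECTION_MARK in line:
            in_awf = True
            continue
        if in_awf and line.startswith("((((("):   # next ComboFix section header
            break
        if not in_awf:
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            continue                               # "." spacer lines
        path = m.group(4)
        entries.append(Entry(raw=line.strip(), size=int(m.group(3)),
                             path=path, is_bak="\\bak\\" in path.lower()))
    return entries


def pair_entries(entries: List[Entry]) -> Dict[Tuple[str, str], Dict[str, Entry]]:
    """Group entries by (parent folder, file name), case-insensitively, into bak/live roles."""
    pairs: Dict[Tuple[str, str], Dict[str, Entry]] = {}
    for e in entries:
        low = e.path.lower()
        if e.is_bak:
            i = low.rfind("\\bak\\")
            key, role = (low[:i], low[i + 5:]), "bak"
        else:
            parent, _, name = low.rpartition("\\")
            key, role = (parent, name), "live"
        pairs.setdefault(key, {})[role] = e
    return pairs


def classify(log: str) -> Dict[str, str]:
    """Map each live path (lowercase) to a verdict on whether it needs restoring.

    restore   - bak and live both listed and sizes differ: live copy was replaced
    same-size - both listed, same size: likely already restored; verify by hash
    bak-only  - backup exists but ComboFix listed no live counterpart
    """
    verdicts: Dict[str, str] = {}
    for (parent, name), roles in pair_entries(parse_awf_section(log)).items():
        bak, live = roles.get("bak"), roles.get("live")
        if bak and live:
            verdict = "restore" if bak.size != live.size else "same-size"
        elif bak:
            verdict = "bak-only"
        else:
            verdict = "live-only"
        verdicts[parent + "\\" + name] = verdict
    return verdicts


def build_cfscript(log: str) -> str:
    """Emit a CFScript AWF:: block listing the bak lines whose live copy differs in size."""
    lines = ["KillAll::", "", "AWF::"]
    for roles in pair_entries(parse_awf_section(log)).values():
        bak, live = roles.get("bak"), roles.get("live")
        if bak and live and bak.size != live.size:
            lines.append(bak.raw)
    return "\n".join(lines)


if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_AWF).items():
        print(f"{verdict:10s} {path}")
    print(build_cfscript(SAMPLE_AWF))
```

Same-size pairs still deserve a hash comparison before being trusted, since a replaced file padded to the original length would pass a size check.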

----------



## PALV (Mar 10, 2011)

ComboFix 11-03-15.01 - 2.Kristin 03/15/2011 19:27:48.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.332 [GMT -4:00]
Running from: c:\documents and settings\2.Kristin\Desktop\Gotcha.exe
Command switches used :: c:\documents and settings\2.Kristin\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\pdk-SYSTEM-272\0a6b9f23e356336cc61530f586d0c66a.dll
c:\windows\TEMP\pdk-SYSTEM-272\1ff4eae997b1753d848dbbc61d1b4345.dll
c:\windows\TEMP\pdk-SYSTEM-272\31aa023220b46a62dd91739a3bf1cad4.dll
c:\windows\TEMP\pdk-SYSTEM-272\36971e8ed4d19cc0a7051079b039c204.dll
c:\windows\TEMP\pdk-SYSTEM-272\42db37dadb779dbfc5da8bdd7ec61c52.dll
c:\windows\TEMP\pdk-SYSTEM-272\44abde5de65f3f034faac2c132713018.dll
c:\windows\TEMP\pdk-SYSTEM-272\7aace6f21e4c397996b145b7fd777643.dll
c:\windows\TEMP\pdk-SYSTEM-272\7acaa276f32e012922082aa697dfa218.dll
c:\windows\TEMP\pdk-SYSTEM-272\89f4ac43ba2b792785d9d472365e562b.dll
c:\windows\TEMP\pdk-SYSTEM-272\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
c:\windows\TEMP\pdk-SYSTEM-272\b2774d247dfbf0abe8539e577ee59b4c.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-16 to 2011-03-16 )))))))))))))))))))))))))))))))
.
.
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\dllcache\mouclass.sys
2011-03-12 01:56 . 2011-03-12 01:56 -------- d-----w- c:\documents and settings\2.Kristin\Application Data\Malwarebytes
2011-02-27 20:01 . 2011-02-27 20:02 122562410 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
2011-02-17 11:19 . 2011-02-17 11:19 -------- d-----w- c:\documents and settings\William\Local Settings\Application Data\Help
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 09:38 . 2004-08-04 02:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-12-20 23:09 . 2010-08-15 17:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-08-15 17:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-02-10 19:36 . 2008-02-10 19:36 4891136 ----a-w- c:\program files\WeatherbugSetupZ6157.msi
2006-09-23 02:33 . 2006-09-23 02:33 36636224 ----a-w- c:\program files\iTunesSetup.exe
2006-09-23 02:20 . 2006-09-23 02:20 359112 ----a-w- c:\program files\LimeWire.exe
2006-09-20 00:39 . 2006-09-20 00:39 1454005 ----a-w- c:\program files\aresfree.exe
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 21:46 . 2007-11-13 21:46 135168 c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe
.
2007-05-11 07:06 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2008-01-12 03:16 . 2008-01-12 03:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
2006-08-11 12:38 . 2005-08-06 01:05 344064 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
.
2005-06-10 14:44 . 2005-06-10 14:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
.
2005-06-10 14:44 . 2005-06-10 14:44 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
.
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\ccApp.exe
.
2006-08-11 12:40 . 2004-12-02 22:23 102400 c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe
.
2006-08-11 12:39 . 2005-09-15 13:47 57344 c:\program files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe
.
2006-08-11 12:40 . 2005-09-19 11:42 1159168 c:\program files\Creative\VoiceCenter\bak\AndreaVC.exe
.
2005-10-05 07:12 . 2005-10-05 07:12 94208 c:\program files\Dell\Media Experience\bak\DMXLauncher.exe
.
2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe
.
2007-11-02 23:36 . 2007-11-02 23:36 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2009-10-29 00:21 . 2009-10-29 00:21 141600 c:\program files\iTunes\iTunesHelper.exe
.
2007-09-02 11:14 . 2007-07-12 08:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe
.
2007-10-20 01:16 . 2007-10-20 01:16 286720 c:\program files\QuickTime\bak\qttask.exe
2009-09-05 05:54 . 2009-09-05 05:54 417792 c:\program files\QuickTime\QTTask.exe
.
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\bak\VPTray.exe
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\VPTray.exe
.
2006-08-22 03:30 . 2005-05-23 17:20 50744 c:\program files\Verizon Online\Help Support\bak\VERIZO~1.EXE
.
2006-08-11 12:39 . 2000-05-11 05:00 90112 c:\windows\bak\UpdReg.EXE
.
2005-08-16 08:37 . 2005-09-29 18:01 67584 c:\windows\ehome\bak\ehtray.exe
.
2005-08-16 08:18 . 2004-08-10 09:00 15360 c:\windows\system32\bak\ctfmon.exe
2005-08-16 08:18 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe
.
2006-08-11 12:52 . 2005-09-08 09:20 122940 c:\windows\system32\DLA\bak\DLACTRLW.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Weather"="c:\program files\weatherbug\WeatherBug\Weather.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Task Manager.lnk - c:\windows\system32\taskmgr.exe [2005-8-16 135680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-11-25 17:26 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
c:\program files\AIM6\aim6.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/15/2010 1:55 PM 363344]
R2 Reporting;Reporting Agents;c:\program files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe [9/27/2006 2:17 PM 1324808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/11/2011 10:15 AM 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/15/2010 1:55 PM 20952]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 10:54 AM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
2011-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-02-28 19:31]
.
2011-03-16 c:\windows\Tasks\WinUtilities-02BB2F56CB964deb8996194DE7EB5275.job
- c:\program files\WinUtilities\WinUtil.exe [2010-08-15 15:28]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-16 06:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(7456)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\CBA\pds.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-03-16 06:47:57 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-16 10:47
ComboFix2.txt 2011-03-15 22:39
ComboFix3.txt 2011-03-15 11:45
ComboFix4.txt 2011-03-14 23:07
.
Pre-Run: 87,208,112,128 bytes free
Post-Run: 87,193,382,912 bytes free
.
- - End Of File - - 3579D432A88C59A371E1BC0615AD1121


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Still malware returning after each scan, OK lets run FindAWF

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

Download FindAWF.exe from *here* or *here*, and save it to your desktop.

Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.

1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT

Press 1, then press Enter
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file in your next reply.

Next,

This tool tends to be quite aggressive, so please be sure to configure it _exactly_ as listed below. I only want to see a Report of what it finds.

Download *DrWeb*

Double-click the *drweb-cureit.exe* file and click 'Start' to run the express scan. This will scan the files currently running in memory and when something is found, click the *yes* button when it asks you if you want to cure it. This is only a short scan.

 Once the short scan has finished, we need to change the default settings.
In the Menu Bar at the top, click 'Setting'>Change Settings.
Click on the *Actions* tab
Using the drop-down menus, change each item under *Objects* and *Malware* to *Report*
Next, 'tick' *Complete Scan*.
Click the green arrow at the right, and the scan will start.
Click *'No to All'* if it asks if you want to cure/move the file.
After the scan has completed, in the Dr.Web CureIt menu on top, click *File* and choose *Save Report List*
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
*Post the contents of the log* from Dr.Web you saved previously in your next reply.

Let me see the two logs in your reply, also an update on remaining issues please...

Kevin


----------



## PALV (Mar 10, 2011)

FWIW - I was just about to ask you about FindAWF, having realized it wasn't done yesterday after the problems with VirusTotal and Jotti. At least we're thinking alike at this point .....;-). Will get back with results ASAP.


----------



## PALV (Mar 10, 2011)

Kevin -
Quick question: when using FindAWF I assumed all 5 steps listed would run, then produce a final report. An AWF.txt log was created after step 1 (and the tool closed). Correct to rerun the tool, each time choosing the next option, and save log files for each subsequent step?


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Just do step one of AWF and post that log together with the log from DrWeb. 

Kevin


----------



## PALV (Mar 10, 2011)

Thanks, Kevin. I reread your instructions again and realized that it was only Step 1. AWF done and waiting for DrWeb complete scan to finish now. (Dr Web short scan showed no viruses found).


----------



## kevinf80 (Mar 21, 2006)

Ok Bill, just post the logs when you`re ready.


----------



## PALV (Mar 10, 2011)

Wow - THAT was definitely the longest scan I'VE ever seen! Below are AWF and DrWeb logs.

Bill

----

Find AWF report by noahdfear ©2006
Version 1.40
The current date is: Wed 03/16/2011 
The current time is: 7:19:40.48

bak folders found
~~~~~~~~~~~

Directory of C:\WINDOWS\BAK
05/11/2000 01:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes
Directory of C:\PROGRA~1\DELLSU~1\BAK
03/15/2007 11:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes
Directory of C:\PROGRA~1\ITUNES\BAK
11/02/2007 07:36 PM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes
Directory of C:\PROGRA~1\MESSEN~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
10/19/2007 09:16 PM 286,720 qttask.exe
1 File(s) 286,720 bytes
Directory of C:\PROGRA~1\SYMANT~1\BAK
09/27/2006 08:33 PM 125,168 VPTray.exe
1 File(s) 125,168 bytes
Directory of C:\WINDOWS\EHOME\BAK
09/29/2005 02:01 PM 67,584 ehtray.exe
1 File(s) 67,584 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
08/10/2004 05:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes
Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK
08/05/2005 09:05 PM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
07/19/2006 07:26 PM 52,896 ccApp.exe
1 File(s) 52,896 bytes
Directory of C:\PROGRA~1\CREATIVE\VOICEC~1\BAK
09/19/2005 07:42 AM 1,159,168 AndreaVC.exe
1 File(s) 1,159,168 bytes
Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK
10/05/2005 03:12 AM 94,208 DMXLauncher.exe
1 File(s) 94,208 bytes
Directory of C:\PROGRA~1\VERIZON\SERVIC~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\VERIZO~1\HELPSU~1\BAK
05/23/2005 01:20 PM 50,744 VERIZO~1.EXE
1 File(s) 50,744 bytes
Directory of C:\WINDOWS\SYSTEM32\DLA\BAK
09/08/2005 05:20 AM 122,940 DLACTRLW.EXE
1 File(s) 122,940 bytes
Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK
10/10/2007 08:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes
Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK
06/10/2005 10:44 AM 81,920 issch.exe
06/10/2005 10:44 AM 249,856 isuspm.exe
2 File(s) 331,776 bytes
Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK
12/02/2004 06:23 PM 102,400 CTDetect.exe
1 File(s) 102,400 bytes
Directory of C:\PROGRA~1\CREATIVE\SBAUDIGY\SURROU~1\BAK
09/15/2005 09:47 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes
Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK
07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes
Directory of C:\DOCUME~1\ALLUSE~1\APPLIC~1\DELL\TRANSF~1\BAK
11/13/2007 05:46 PM 135,168 TransferAgent.exe
1 File(s) 135,168 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
141600 Oct 28 2009 "C:\Program Files\iTunes\iTunesHelper.exe"
267048 Nov 2 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Oct 30 2009 "C:\WINDOWS\Installer\{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}\iTunesIco.exe"
417792 Sep 5 2009 "C:\Program Files\QuickTime\QTTask.exe"
286720 Oct 19 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
125168 Sep 27 2006 "C:\Program Files\SAV\VPTray.exe"
125168 Sep 27 2006 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
125168 Sep 27 2006 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
59392 Aug 10 2004 "C:\WINDOWS\$NtUninstallKB900325$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
15360 Apr 13 2008 "C:\WINDOWS\system32\ctfmon.exe"
15360 Apr 13 2008 "C:\WINDOWS\ERDNT\cache\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
344064 Aug 5 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
52896 Jul 19 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
52896 Jul 19 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
1159168 Sep 19 2005 "C:\Program Files\Creative\VoiceCenter\bak\AndreaVC.exe"
94208 Oct 5 2005 "C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe"
1880064 Feb 1 2006 "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"
50744 May 23 2005 "C:\Program Files\Verizon Online\Help Support\bak\VERIZO~1.EXE"
122660 Apr 13 2005 "C:\Program Files\Verizon Online\Help Support\SmartBridge\VerizonSetPanFolder.exe"
122940 Sep 8 2005 "C:\Program Files\Roxio\DLA\install\dlactrlw.exe"
122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
39792 Jan 11 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
81920 Jun 10 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
249856 Jun 10 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
57344 Sep 15 2005 "C:\Program Files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
135168 Nov 13 2007 "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe"
327437 Jan 27 2008 "C:\Documents and Settings\2.Kristin\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\CIP\TransferAgentSetup.exe"

end of report
--

DrWeb.csv:

inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.2.78.1;Probably BACKDOOR.Trojan;;
0E540000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Fakealert.18654;;
0E540001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Fakealert.18638;;
0E540002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Fakealert.18654;;
0E540003.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Fakealert.18638;;
0EDC0000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Fakealert.18654;;
0EDC0001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Fakealert.18638;;
4FE84CA4.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BC00000;Trojan.Fakealert.18654;;
4FE85AFF.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BC00001;Trojan.Fakealert.18638;;
4FE87AC8.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BC00002;Trojan.Fakealert.18654;;
4FE8AA06.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BC00003;Trojan.MulDrop1.41997;;
NetZero - First Month Free!.exe;C:\Documents and Settings\All Users\Start Menu;Trojan.Click.1487;;
A0118471.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1436;Trojan.Inject.27655;;
A0118476.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1436;Trojan.Inject.27655;;


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

The entries from DrWeb are all contained either within the system restore cache or Symantec's quarantine folder; the one remaining entry in the AOL downloads folder is a false positive.

The AWF entries look ominous at first, but I can only see one set that looks infected; the rest appear to be previous entries that were from old fixed infections.
This infection moves legitimate files to BAK folders and replaces them with infected files. The infected files are always significantly smaller in size. As can be seen from the one set I have identified:

141600 Oct 28 2009 "C:\Program Files\iTunes\iTunesHelper.exe"
267048 Nov 2 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"

Let's try again with ComboFix as follows:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the Codebox below into it:


```
KillAll::

AWF::
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\iTunes\iTunesHelper.exe
```
Save this as *CFScript.txt*, and as Type: *All Files* (*.*) in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.

Give update on remaining issues...

Kevin
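The two triage rules applied in the post above (a dropped replacement is smaller than the original it displaced into a `bak` folder; a Dr.Web hit sitting inside another scanner's quarantine or a System Restore point is an inert copy) can be run mechanically over the pasted logs instead of by eye. The script below is an added example and is not part of FindAWF, Dr.Web CureIt or this thread. It assumes the FindAWF "Duplicate files" line layout and the DrWeb.csv record layout (`name;directory;verdict;;` per hit) exactly as they appear in the paste above; the sample inputs embedded in it are trimmed copies of those two reports.

```python
"""Triage of the two logs pasted above: FindAWF's 'Duplicate files' list and the
Dr.Web CureIt report.  Added example; not part of FindAWF, Dr.Web or the thread."""
import re
from pathlib import PureWindowsPath

# One FindAWF duplicate line:  <size> <Mon D YYYY> "<path>"
AWF_LINE = re.compile(r'^\s*(\d+)\s+\w{3}\s+\d{1,2}\s+\d{4}\s+"([^"]+)"\s*$')

# Sample input: a trimmed copy of the AWF report above.
AWF_SAMPLE = r'''
460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
141600 Oct 28 2009 "C:\Program Files\iTunes\iTunesHelper.exe"
267048 Nov 2 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
417792 Sep 5 2009 "C:\Program Files\QuickTime\QTTask.exe"
286720 Oct 19 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
125168 Sep 27 2006 "C:\Program Files\SAV\VPTray.exe"
125168 Sep 27 2006 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
125168 Sep 27 2006 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
'''

def parse_awf(text):
    """Map every quoted path in the duplicates section to its size in bytes."""
    sizes = {}
    for line in text.splitlines():
        m = AWF_LINE.match(line)
        if m:
            sizes[m.group(2)] = int(m.group(1))
    return sizes

def triage_awf(text):
    """For each file in a 'bak' directory, look up the same-named file one level
    up and apply the rule stated in the thread (the dropped replacement is smaller
    than the original it displaced).  Returns {bak_path: verdict} with verdict
    'suspect' (live smaller), 'stale' (same size, leftover of an old cleanup),
    'newer' (live larger, usually a later version) or 'orphan' (no live copy)."""
    sizes = parse_awf(text)
    by_lower = {p.lower(): s for p, s in sizes.items()}  # NTFS names are case-insensitive
    verdicts = {}
    for path, bak_size in sizes.items():
        wp = PureWindowsPath(path)
        if wp.parent.name.lower() != "bak":
            continue
        live_size = by_lower.get(str(wp.parent.parent / wp.name).lower())
        if live_size is None:
            verdicts[path] = "orphan"
        elif live_size < bak_size:
            verdicts[path] = "suspect"
        elif live_size == bak_size:
            verdicts[path] = "stale"
        else:
            verdicts[path] = "newer"
    return verdicts

# Dr.Web CureIt 'Save Report List' output as pasted above: one
# 'name;directory;verdict;;' record per hit.  Sample input: four records copied
# from the report above.
DRWEB_SAMPLE = (
    r"inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads"
    r"\triton_suite_install_2.2.78.1;Probably BACKDOOR.Trojan;;"
    r"0E540000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec"
    r"\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Fakealert.18654;;"
    r"NetZero - First Month Free!.exe;C:\Documents and Settings\All Users\Start Menu;"
    r"Trojan.Click.1487;;"
    r"A0118471.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}"
    r"\RP1436;Trojan.Inject.27655;;"
)

def parse_drweb(text):
    """Split the (possibly line-wrapped) report on the ';;' record terminator."""
    records = []
    for rec in "".join(text.splitlines()).split(";;"):
        if rec.strip():
            name, directory, verdict = rec.split(";", 2)
            records.append((name, directory, verdict))
    return records

def triage_drweb(text):
    """Location-based triage as applied in the thread: a hit inside another
    scanner's quarantine or a System Restore point is an inert copy; anything
    else is a live file that still needs a decision.  Returns {name: class}."""
    classes = {}
    for name, directory, _verdict in parse_drweb(text):
        d = directory.lower()
        if "\\quarantine" in d:
            classes[name] = "quarantine"
        elif "\\system volume information\\_restore" in d:
            classes[name] = "restore-point"
        else:
            classes[name] = "live"
    return classes

if __name__ == "__main__":
    for path, verdict in triage_awf(AWF_SAMPLE).items():
        print(f"{verdict:8} {path}")
    for name, cls in triage_drweb(DRWEB_SAMPLE).items():
        print(f"{cls:14} {name}")
```

Run against the full AWF.txt and DrWeb.csv in place of the embedded samples, the script flags the iTunesHelper.exe pair as the only "suspect" one and marks the quarantine and restore-point hits as inert, which is the same call made by hand above. Size is only a first filter, though: a live file that is smaller than its `bak` copy can equally be a later build installed over the old one, so hash both files against a clean installation (or check their Authenticode signatures) before scripting a restore.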


----------



## PALV (Mar 10, 2011)

Kevin - ComboFix log, below.

Re: status of other issues - haven't been using this computer too much, but redirecting/hijacking "seems" to have subsided. (Have been working on scans and posting to you from a relatively rarely-used user log-in, vs. the primary one this machine usually sees, so not sure if that matters.)

-Windows security icon in taskbar continues to report Auto Updates not turned on, when Control Panel states it is.

Bill

--

ComboFix 11-03-16.01 - 2.Kristin 03/16/2011 15:17:47.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.329 [GMT -4:00]
Running from: c:\documents and settings\2.Kristin\Desktop\Gotcha.exe
Command switches used :: c:\documents and settings\2.Kristin\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\1.Mom\Local Settings\Application Data\{93E4DA0A-9EB3-4563-98DA-5C17AC39571C}
c:\documents and settings\1.Mom\Local Settings\Application Data\{93E4DA0A-9EB3-4563-98DA-5C17AC39571C}\chrome.manifest
c:\documents and settings\1.Mom\Local Settings\Application Data\{93E4DA0A-9EB3-4563-98DA-5C17AC39571C}\chrome\content\_cfg.js
c:\documents and settings\1.Mom\Local Settings\Application Data\{93E4DA0A-9EB3-4563-98DA-5C17AC39571C}\chrome\content\overlay.xul
c:\documents and settings\1.Mom\Local Settings\Application Data\{93E4DA0A-9EB3-4563-98DA-5C17AC39571C}\install.rdf
c:\windows\TEMP\pdk-SYSTEM-188\0a6b9f23e356336cc61530f586d0c66a.dll
c:\windows\TEMP\pdk-SYSTEM-188\1ff4eae997b1753d848dbbc61d1b4345.dll
c:\windows\TEMP\pdk-SYSTEM-188\31aa023220b46a62dd91739a3bf1cad4.dll
c:\windows\TEMP\pdk-SYSTEM-188\36971e8ed4d19cc0a7051079b039c204.dll
c:\windows\TEMP\pdk-SYSTEM-188\42db37dadb779dbfc5da8bdd7ec61c52.dll
c:\windows\TEMP\pdk-SYSTEM-188\44abde5de65f3f034faac2c132713018.dll
c:\windows\TEMP\pdk-SYSTEM-188\7aace6f21e4c397996b145b7fd777643.dll
c:\windows\TEMP\pdk-SYSTEM-188\7acaa276f32e012922082aa697dfa218.dll
c:\windows\TEMP\pdk-SYSTEM-188\89f4ac43ba2b792785d9d472365e562b.dll
c:\windows\TEMP\pdk-SYSTEM-188\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
c:\windows\TEMP\pdk-SYSTEM-188\b2774d247dfbf0abe8539e577ee59b4c.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-16 to 2011-03-16 )))))))))))))))))))))))))))))))
.
.
2011-03-16 19:10 . 2011-03-16 19:12 -------- d-----w- C:\Gotcha
2011-03-16 18:29 . 2011-03-16 18:29 -------- d-----w- c:\documents and settings\2.Kristin\Tracing
2011-03-16 12:01 . 2011-03-16 12:01 -------- d-----w- c:\documents and settings\2.Kristin\DoctorWeb
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\dllcache\mouclass.sys
2011-03-12 01:56 . 2011-03-12 01:56 -------- d-----w- c:\documents and settings\2.Kristin\Application Data\Malwarebytes
2011-02-27 20:01 . 2011-02-27 20:02 122562410 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
2011-02-17 11:19 . 2011-02-17 11:19 -------- d-----w- c:\documents and settings\William Slavoski\Local Settings\Application Data\Help
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 09:38 . 2004-08-04 02:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-12-20 23:09 . 2010-08-15 17:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-08-15 17:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-02-10 19:36 . 2008-02-10 19:36 4891136 ----a-w- c:\program files\WeatherbugSetupZ6157.msi
2006-09-23 02:33 . 2006-09-23 02:33 36636224 ----a-w- c:\program files\iTunesSetup.exe
2006-09-23 02:20 . 2006-09-23 02:20 359112 ----a-w- c:\program files\LimeWire.exe
2006-09-20 00:39 . 2006-09-20 00:39 1454005 ----a-w- c:\program files\aresfree.exe
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 21:46 . 2007-11-13 21:46 135168 c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe
.
2007-05-11 07:06 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2008-01-12 03:16 . 2008-01-12 03:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
2006-08-11 12:38 . 2005-08-06 01:05 344064 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
.
2005-06-10 14:44 . 2005-06-10 14:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
.
2005-06-10 14:44 . 2005-06-10 14:44 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
.
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\ccApp.exe
.
2006-08-11 12:40 . 2004-12-02 22:23 102400 c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe
.
2006-08-11 12:39 . 2005-09-15 13:47 57344 c:\program files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe
.
2006-08-11 12:40 . 2005-09-19 11:42 1159168 c:\program files\Creative\VoiceCenter\bak\AndreaVC.exe
.
2005-10-05 07:12 . 2005-10-05 07:12 94208 c:\program files\Dell\Media Experience\bak\DMXLauncher.exe
.
2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe
.
2007-09-02 11:14 . 2007-07-12 08:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe
.
2007-10-20 01:16 . 2007-10-20 01:16 286720 c:\program files\QuickTime\bak\qttask.exe
2009-09-05 05:54 . 2009-09-05 05:54 417792 c:\program files\QuickTime\QTTask.exe
.
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\bak\VPTray.exe
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\VPTray.exe
.
2006-08-22 03:30 . 2005-05-23 17:20 50744 c:\program files\Verizon Online\Help Support\bak\VERIZO~1.EXE
.
2006-08-11 12:39 . 2000-05-11 05:00 90112 c:\windows\bak\UpdReg.EXE
.
2005-08-16 08:37 . 2005-09-29 18:01 67584 c:\windows\ehome\bak\ehtray.exe
.
2005-08-16 08:18 . 2004-08-10 09:00 15360 c:\windows\system32\bak\ctfmon.exe
2005-08-16 08:18 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe
.
2006-08-11 12:52 . 2005-09-08 09:20 122940 c:\windows\system32\DLA\bak\DLACTRLW.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Weather"="c:\program files\weatherbug\WeatherBug\Weather.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Task Manager.lnk - c:\windows\system32\taskmgr.exe [2005-8-16 135680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-11-25 17:26 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
c:\program files\AIM6\aim6.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/15/2010 1:55 PM 363344]
R2 Reporting;Reporting Agents;c:\program files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe [9/27/2006 2:17 PM 1324808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/11/2011 10:15 AM 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/15/2010 1:55 PM 20952]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 10:54 AM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
2011-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-02-28 19:31]
.
2011-03-16 c:\windows\Tasks\WinUtilities-02BB2F56CB964deb8996194DE7EB5275.job
- c:\program files\WinUtilities\WinUtil.exe [2010-08-15 15:28]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-16 15:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(7924)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\CBA\pds.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-03-16 15:46:07 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-16 19:45
ComboFix2.txt 2011-03-16 10:47
ComboFix3.txt 2011-03-15 22:39
ComboFix4.txt 2011-03-15 11:45
ComboFix5.txt 2011-03-16 19:12
.
Pre-Run: 87,041,130,496 bytes free
Post-Run: 87,094,870,016 bytes free
.
- - End Of File - - 3C4394C47D5642C2D463BC8E34BC57AD


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Can you "Turn Off" Automatic Updates via the Security Center, re-boot, then turn them back on, then re-boot again?

Next,

If you already have Malwarebytes installed, just update and do a quick scan, then follow the instructions below.








Please download *Malwarebytes* Anti-Malware and save it to your desktop.
*Alternative D/L mirror*
*Alternative D/L mirror*

Double Click mbam-setup.exe to install the application.

- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next,

Download Security Check by screen317 from *HERE* or *HERE*.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Post log from Malwarebytes and log from Security Check in reply, also update on remaining issues.

Kevin


----------



## PALV (Mar 10, 2011)

Kevin -

- Did the Automatic Updates "Off - Re-boot - On - Re-boot" sequence (via Control Panel Auto Updates icon - cannot alter Auto Updates from within Security Center). Initially thought it had worked as the "red" Security Center Shield did not appear immediately in the taskbar. However, a "Found New Hardware" icon did, followed by a New Hardware Wizard window, followed immediately by the "red" Security Center Shield in the taskbar, indicating (once again) that "Automatic Updates is turned off". I did NOT run the New Hardware Wizard - should I?

- MBAM found no malicious items. (log below)

- Checkup.txt log also below.

(BTW - have thought it often, but don't think I've said so here - I truly appreciate all of your time, advice and assistance with these issues. Many thanks!)

Bill

----
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6082
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
3/16/2011 10:40:11 PM
mbam-log-2011-03-16 (22-40-11).txt
Scan type: Quick scan
Objects scanned: 199138
Time elapsed: 9 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)

----
Results of screen317's Security Check version 0.99.9 
Windows XP Service Pack 3 
Internet Explorer 7 *Out of date!* 
*`````````````````````````````` 
Antivirus/Firewall Check:* 
Windows Firewall Enabled! 
Symantec AntiVirus 
Antivirus up to date! 
*``````````````````````````````` 
Anti-malware/Other Utilities Check:* 
*Out of date Spybot installed!* 
Ad-Aware 
Malwarebytes' Anti-Malware 
Java(TM) 6 Update 2 
Java 2 Runtime Environment, SE v1.4.2_03 
*Out of date Java installed!* 
Adobe Flash Player 10.0.12.36 
Adobe Reader 8.1.2 
Adobe Reader 8.1.2 Security Update 1 (KB403742) 
*Out of date Adobe Reader installed!* 
*```````````````````````````````` 
Process Check: 
objlist.exe by Laurent* 
*Ad-Aware AAWService.exe is disabled!* 
*Ad-Aware AAWTray.exe is disabled!* 
Malwarebytes' Anti-Malware mbamservice.exe 
Malwarebytes' Anti-Malware mbamgui.exe 
Symantec AntiVirus DefWatch.exe 
Symantec AntiVirus Rtvscan.exe 
*``````````End of Log````````````*


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Looks like we are dealing with a very well hidden Rootkit. Proceed as follows, please.

*Step 1*

Remove the following outdated and possibly exploited applications via Start > Control Panel > *Add/Remove Programs* (if present):

*Java(TM) 6 Update 2
Java 2 Runtime Environment, SE v1.4.2_03 
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742) *

*Step 2*

Please download *MBRCheck.exe* to your desktop.

- Be sure to disable your security programs.
- Double-click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
- A window will open on your desktop.
- If an unknown bootcode is found you will have further options available to you; at this time press *N*, then press *Enter* twice.
- If nothing unusual is found, just press *Enter*.
- A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
- In your next reply, please include the log from MBRCheck.

*Step 3*

Download GMER Rootkit Scanner from *Here* or *Here*.

- Extract the contents of the zipped file to your desktop.
- Close all open browsers etc.; make sure nothing else runs when GMER does.
- Turn off all security programs and disconnect internet. *<-- Very important*
- Double click GMER.exe. If asked to allow gmer.sys driver to load, please agree to do so.
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on *NO*
- *In the right panel, you will see several boxes that, by default, have already been checked. Please uncheck the following ...*
  - IAT/EAT
  - Drives/Partition other than Systemdrive (typically C:\)
  - Show All *<--don't miss this one*
- Then click the Scan button & wait for it to finish.
- Once the scan completes, click on the [Save..] button, and in the File name area, type in "ark.txt".
- Save it where you can easily find it, such as your desktop.

***Caution***

Rootkit scans often produce false positives.

Do NOT take any action on any of these "<--- ROOTKIT" entries without proper guidance.

Copy and paste the log in your next reply.

Let me see the two logs in your next reply, please.

Kevin


----------



## PALV (Mar 10, 2011)

Hi Kevin -
A bit frustrated here today.......specifically with GMER. But first - 

- Removed the 2 Java programs and the Adobe Reader 8.1.2; however, there was no listing for the 8.1.2 Security Update in "currently installed programs". (Realized after removing the above 3 that "show updates" was not ticked in Add/Remove Programs.) Is it possible that it was removed when 8.1.2 was removed?

- MBR - log is copied below.

- GMER - arrrrrgggghhhh!!! Followed instructions carefully, started scan, and it was running for 3+ hrs. (noticed 1 file in red on the scanning screen, a "hidden file" that I think was related to "explorer.exe", but not 100% sure because......->). Before the scan ended, a pop-up window came up warning about rootkit activity. No request for running a scan as instructions noted (it was already running), but the window only had an "OK" button. I waited, but it appeared to have stopped the scan, seeming to require the "OK" button to be pushed before continuing. Waited more (just to be sure) - no further scanning or reports resulted, so I hit "OK". Scanning did not resume. Main GMER window remained - no reporting, no scanning, just the main window as before. After more waiting - I hit "OK" on the bottom of the GMER window -> it closed out the program and no logs resulted.

Assume I need to run it again (3+ more hours!!!) - but if same thing results, should I hit the "OK" button again, just wait it out, or try something else?

Bill
---

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line: 
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000fc

Kernel Drivers (total 159):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF7B52000 \WINDOWS\system32\KDCOM.DLL
0xF7A62000 \WINDOWS\system32\BOOTVID.dll
0xF7523000 ACPI.sys
0xF7B54000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7512000 pci.sys
0xF7652000 isapnp.sys
0xF7C1A000 pciide.sys
0xF78D2000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7662000 MountMgr.sys
0xF74F3000 ftdisk.sys
0xF7B56000 dmload.sys
0xF74CD000 dmio.sys
0xF78DA000 PartMgr.sys
0xF7672000 VolSnap.sys
0xF74B5000 atapi.sys
0xF7682000 disk.sys
0xF7692000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7495000 fltmgr.sys
0xF7483000 sr.sys
0xF746D000 DRVMCDB.SYS
0xF76A2000 PxHelp20.sys
0xF7456000 KSecDD.sys
0xF7443000 WudfPf.sys
0xF73B6000 Ntfs.sys
0xF7389000 NDIS.sys
0xF736F000 Mup.sys
0xF77D2000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6ED8000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF6EC4000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6E9C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF7952000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6E78000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF795A000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6E21000 \SystemRoot\system32\DRIVERS\ks.sys
0xF6DFB000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF77E2000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7B64000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xF77F2000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7802000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7962000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF7C7E000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7B78000 \SystemRoot\System32\Drivers\RootMdm.sys
0xF796A000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7872000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7B16000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6DAF000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7882000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7892000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7972000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6D9E000 \SystemRoot\system32\DRIVERS\psched.sys
0xF78A2000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF797A000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7982000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF798A000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xF6D6E000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF76C2000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7992000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF799A000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7B7A000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6D10000 \SystemRoot\system32\DRIVERS\update.sys
0xF7B32000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF76D2000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF4CC3000 \SystemRoot\system32\drivers\sthda.sys
0xF4C9F000 \SystemRoot\system32\drivers\portcls.sys
0xF7712000 \SystemRoot\system32\drivers\drmk.sys
0xF4AB5000 \SystemRoot\system32\drivers\sigfilt.sys
0xF7722000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B84000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF702D000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF4A01000 \??\C:\Program Files\Symantec AntiVirus\savrt.sys
0xF49DF000 \??\C:\Program Files\Symantec\SYMEVENT.SYS
0xF49CB000 \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys
0xF7B88000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7CB7000 \SystemRoot\System32\Drivers\Null.SYS
0xF79AA000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF7B8C000 \SystemRoot\System32\Drivers\Beep.SYS
0xF79B2000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF79BA000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
0xF79C2000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF79CA000 \SystemRoot\System32\drivers\vga.sys
0xF7742000 \SystemRoot\system32\drivers\LVUSBSta.sys
0xF7B96000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7AEE000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF7B98000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF79D2000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF79DA000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF79E2000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xF79EA000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7AF2000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF462F000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF45D6000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF4573000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0xF454D000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7752000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF4525000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF7B0A000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF7762000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xF4503000 \SystemRoot\System32\drivers\afd.sys
0xF7772000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF42F9000 \SystemRoot\system32\DRIVERS\LVMVDrv.sys
0xF3F80000 \SystemRoot\system32\DRIVERS\lvuvc.sys
0xF3F1E000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
0xF3D4A000 \SystemRoot\system32\DRIVERS\lvpopflt.sys
0xF7792000 \SystemRoot\system32\drivers\usbaudio.sys
0xF3D1F000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF3B1D000 \SystemRoot\system32\DRIVERS\LVcKap.sys
0xBA768000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF4AB1000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0xF77A2000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA70A000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xBA6ED000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xF4A8D000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF77C2000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF731E000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF7316000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA650000 \SystemRoot\system32\drivers\ctusfsyn.sys
0xBA620000 \SystemRoot\system32\DRIVERS\ctoss2k.sys
0xBA5FA000 \SystemRoot\system32\DRIVERS\ctsfm2k.sys
0xF7832000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA542000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7BA4000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF45D2000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7A12000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7CAE000 \SystemRoot\System32\drivers\dxgthk.sys
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB852A000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xF4C0F000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xF7C1B000 \SystemRoot\System32\DLA\DLADResN.SYS
0xB83EC000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xB8522000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0xF7BB8000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0xF7A22000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0xB83D4000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0xB83BE000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0xB83B2000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB7EF9000 \SystemRoot\system32\drivers\wdmaud.sys
0xB809E000 \SystemRoot\system32\drivers\sysaudio.sys
0xF7C10000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xF7B5E000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
0xB7AD1000 \SystemRoot\System32\Drivers\HTTP.sys
0xB7A2A000 \SystemRoot\system32\DRIVERS\srv.sys
0xB7ABD000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xF791A000 \SystemRoot\system32\DRIVERS\LVPr2Mon.sys
0xB721A000 \SystemRoot\System32\DRIVERS\ipfltdrv.sys
0xB6E8C000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110310.003\navex15.sys
0xB6E78000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110310.003\naveng.sys
0xB7B12000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0xB7F0E000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF049000 \SystemRoot\System32\ati2cqag.dll
0xBF07D000 \SystemRoot\System32\atikvmag.dll
0xBF0B2000 \SystemRoot\System32\ati3duag.dll
0xBF2F4000 \SystemRoot\System32\ativvaxx.dll
0xB2AB1000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 49):
0 System Idle Process
4 System
636 C:\WINDOWS\system32\smss.exe
708 csrss.exe
736 C:\WINDOWS\system32\winlogon.exe
780 C:\WINDOWS\system32\services.exe
792 C:\WINDOWS\system32\lsass.exe
1016 C:\WINDOWS\system32\ati2evxx.exe
1036 C:\WINDOWS\system32\svchost.exe
1152 svchost.exe
1248 C:\WINDOWS\system32\svchost.exe
1284 C:\WINDOWS\system32\svchost.exe
1436 svchost.exe
1568 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1604 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1708 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
1756 C:\WINDOWS\system32\spoolsv.exe
1824 C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
1208 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1232 C:\WINDOWS\explorer.exe
1364 C:\Program Files\Bonjour\mDNSResponder.exe
1892 C:\WINDOWS\system32\CTSVCCDA.EXE
1908 C:\Program Files\Symantec AntiVirus\DefWatch.exe
1968 C:\WINDOWS\ehome\ehrecvr.exe
2024 C:\WINDOWS\ehome\ehSched.exe
268 C:\WINDOWS\system32\CBA\pds.exe
460 C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
316 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
1452 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
904 C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
1904 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2088 C:\PROGRA~1\SYMANT~1\VPTray.exe
2164 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
2172 C:\WINDOWS\system32\HPZipm12.exe
2272 C:\WINDOWS\system32\ctfmon.exe
2300 C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
2468 C:\WINDOWS\system32\taskmgr.exe
2544 svchost.exe
3428 C:\WINDOWS\system32\svchost.exe
4064 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
2644 C:\Program Files\Canon\CAL\CALMAIN.exe
264 mcrdsvc.exe
3944 C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
3152 C:\WINDOWS\system32\dllhost.exe
4092 C:\WINDOWS\system32\wscntfy.exe
2756 alg.exe
4484 C:\WINDOWS\system32\msiexec.exe
5988 C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
2588 C:\Documents and Settings\2.Kristin\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

PhysicalDrive0 Model Number: ST3160812AS, Rev: 3.ADH 

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Dell MBR code detected
SHA1: 57BDF501CE769EF2720C705B6C71C893DA31574E


Done!
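The MBRCheck output above reports which boot code it recognised ("Dell MBR code detected") together with a SHA1 of that code. As an added example, not code from this thread or from MBRCheck, the Python below performs the same kind of inspection on a 512-byte sector: it verifies the 0x55AA boot signature, hashes the 440-byte boot-code area, walks the four partition entries and reports anomalies. The MBR it operates on is constructed for the demonstration, and the "known-good" hash set is simply the hash of that constructed sample; on a real machine the reference would be the hash for your OEM's boot code, such as the Dell SHA1 printed in the log.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # classic MBR: code area ends where the disk signature begins
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Construct a synthetic MBR for the demo (NOT a real Dell/Microsoft MBR).

    Boot code is a JMP-to-self followed by NOPs, the disk signature is an
    arbitrary constant, and there is one bootable NTFS partition starting at
    LBA 63 (an XP-era layout). All values are assumptions for illustration.
    """
    boot_code = b"\xeb\xfe" + b"\x90" * (BOOT_CODE_LEN - 2)
    disk_sig = struct.pack("<I", 0x12345678)
    reserved = b"\x00\x00"
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 312_499_681)
    table = entry + b"\x00" * (PARTITION_ENTRY_LEN * 3)   # three empty slots
    mbr = boot_code + disk_sig + reserved + table + BOOT_SIGNATURE
    assert len(mbr) == SECTOR_SIZE
    return mbr


def parse_mbr(sector):
    """Decode the fixed layout of a legacy MBR into a plain dict."""
    sector = bytes(sector)
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + PARTITION_ENTRY_LEN])
        if ptype == 0 and lba == 0 and count == 0:
            continue                                       # unused slot
        partitions.append({"index": i, "status": status, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        # Hash only the code area, as MBRCheck does, so the per-disk signature
        # and partition table do not change the fingerprint.
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def check_mbr(info, known_good_hashes):
    """Return human-readable findings; an empty list means nothing looked odd."""
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha1"] not in known_good_hashes:
        findings.append("boot code hash %s not in known-good set" % info["boot_code_sha1"])
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("expected exactly one bootable partition, found %d" % len(bootable))
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02x" % (p["index"], p["status"]))
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append("partition %d has a zero start or length" % p["index"])
    return findings


if __name__ == "__main__":
    mbr = build_sample_mbr()
    info = parse_mbr(mbr)
    print("boot code SHA1:", info["boot_code_sha1"])
    print("partitions:", info["partitions"])
    print("findings:", check_mbr(info, {info["boot_code_sha1"]}) or "none")
```

To apply this to a live disk you would read the first 512 bytes of the physical drive (Administrator rights required) and pass them to `parse_mbr`; the point of hashing only the code area is that two machines with the same OEM boot code produce the same fingerprint even though their disk signatures and partition tables differ.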


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Your MBR is clean. I'd like a GMER log if possible, as it is the best one for the job; you can run it from Safe Mode, see if that works any better.
It is very easy to get frustrated when dealing with Rootkit problems, hang in there, we'll get there in the end.

Kevin


----------



## PALV (Mar 10, 2011)

Thanks, Kevin. I know patience is necessary..........;-)

The last two times I've run GMER the scanner eventually hangs up - once in standard mode, once in safe mode. (Not sure if it matters, but the files being scanned at those times were "portcls.sys" (standard mode) and "basesrv.dll" (safe mode).) Both times I had to disconnect power to reboot as well, since the computer froze up.

Another scan is running in Safe Mode now - if it hangs once again, other suggestions for next step(s)?

Bill


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

GMER is the best tool for the job if you can get it to run. After you download the tool disconnect from internet, turn off all security and give it a try.

If it still crashes, boot to safe mode, double check all security is off and try scan again. If you still have issues try the following:

Please download *Rootkit Unhooker* and save it on your desktop.
*Alternative Mirror*

- Disable your security programs
- Double click RKUnhookerLE.exe to run it
- Click the Report tab, then click Scan
- Check Drivers, Stealth Code, Files, and Code Hooks
- Uncheck the rest, then click OK
- When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
- Wait till the scanner has finished, then go File > Save Report
- Save the report somewhere you can find it. Click Close
- Copy the entire contents of the report and paste it in your next reply.

*Note* - You may get this warning; it is OK, *just ignore it*:
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Please include the following in your next post:
- Rootkit Unhooker log

One other point, do you connect to the internet through a router?

Kevin


----------



## PALV (Mar 10, 2011)

Hi Kevin - 
Latest Safe Mode GMER scan seemed to work - but finished rather quickly vs. what I've been seeing on previous attempts. This log file looks very different than the original GMER scan I pasted in post #2 of this thread. Perhaps due to the settings you required in the instructions?

Bill

----
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-18 05:33:07
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST3160812AS rev.3.ADH
Running: gmer.exe; Driver: C:\DOCUME~1\222F6~1.KRI\LOCALS~1\Temp\pxtdypod.sys

---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sectors 312499744 (+254): rootkit-like behavior; 
---- EOF - GMER 1.0.15 ----


----------



## PALV (Mar 10, 2011)

Looks like our most recent posts crossed - let me know if I should still try Rootkit Unhooker. 

Yes, I do connect through a router.


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

That log is not complete, did you set the scan up like so:

Also I had replied just before your GMER result, I gave an alternative scanner in case GMER was still giving issues..

Kevin


----------



## PALV (Mar 10, 2011)

Yes - I made sure the settings were as noted. Just downloaded the Rootkit Unhooker - will give it a try.


----------



## PALV (Mar 10, 2011)

Kevin -
Not sure I'm having much luck with rootkit scanners - here is what I was able to save from Rootkit Unhooker - although it doesn't appear to be a results "report", rather more of a listing of objects or files. (but I'm no expert)

Scanner seems to cycle back to asking me for the Disk to Scan (C:\ always checked), and this is what appears after it seems to "finish". Is this what you're looking for?

--

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xEF7FA000 C:\WINDOWS\system32\DRIVERS\lvuvc.sys 3641344 bytes (Logitech Inc., Logitech USB Video Class Driver)
0xBF0B2000 C:\WINDOWS\System32\ati3duag.dll 2367488 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xEFBE3000 C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys 2138112 bytes (Logitech Inc., Logitech Machine Vision Engine Loader)
0xEF3A9000 C:\WINDOWS\system32\DRIVERS\LVcKap.sys 2105344 bytes (Logitech Inc., Logitech Kernel Audio Processing Filter Driver)
0xEF626000 C:\WINDOWS\system32\DRIVERS\lvpopflt.sys 1916928 bytes (Logitech Inc., Logitech AudioProcessing Filter Driver)
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB7A0A000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110310.003\navex15.sys 1355776 bytes (Symantec Corporation, AV Engine)
0xF0170000 C:\WINDOWS\system32\drivers\sigfilt.sys 1351680 bytes (Creative Technology Ltd., Creative WDM Audio Driver)
0xF6F01000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1331200 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xBF2F4000 C:\WINDOWS\System32\ativvaxx.dll 643072 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xF73B6000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xEFB73000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB787C000 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys 401408 bytes (Symantec Corporation, SPBBC Driver)
0xEF5C8000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xF232B000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xEFEF7000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF0118000 C:\Program Files\Symantec AntiVirus\savrt.sys 360448 bytes (Symantec Corporation, AutoProtect)
0xB80E6000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB8368000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xEFEBC000 C:\WINDOWS\System32\Drivers\SYMTDI.SYS 241664 bytes (Symantec Corporation, Network Dispatch Driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 225280 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF07D000 C:\WINDOWS\System32\atikvmag.dll 217088 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xBF049000 C:\WINDOWS\System32\ati2cqag.dll 212992 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBA75B000 C:\WINDOWS\system32\DRIVERS\ctoss2k.sys 196608 bytes (Creative Technology Ltd., Creative OS Services Driver (WDM))
0xF23B1000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7523000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF7389000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF02DE000 C:\WINDOWS\system32\drivers\sthda.sys 184320 bytes (SigmaTel, Inc., DELLRC)
0xEFDED000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF6EC5000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xEFE6E000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xBA78B000 C:\WINDOWS\system32\drivers\ctusfsyn.sys 159744 bytes (Creative Technology Ltd., Creative SoundFont Synthesizer)
0xBA735000 C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys 155648 bytes (Creative Technology Ltd, SoundFont(R) Manager (WDM))
0xF74CD000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF6E24000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 155648 bytes (Intel Corporation, Intel(R) PRO/100 Adapter NDIS 5.1 driver)
0xEFE96000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB7344000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF02BA000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6EA1000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6E4A000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xEFE18000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF00F6000 C:\Program Files\Symantec\SYMEVENT.SYS 139264 bytes (Symantec Corporation, Symantec Event Library)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7495000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF74F3000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xEF5AB000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xF736F000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF74B5000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB86C7000 C:\WINDOWS\System32\DLA\DLAUDFAM.SYS 98304 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA71D000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7456000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF3A22000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB86DF000 C:\WINDOWS\System32\DLA\DLAIFS_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xB86B1000 C:\WINDOWS\System32\DLA\DLAUDF_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xF746D000 DRVMCDB.SYS 90112 bytes (Sonic Solutions, Device Driver)
0xB779F000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB79F6000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110310.003\naveng.sys 81920 bytes (Symantec Corporation, AV Engine)
0xF00E2000 C:\Program Files\Symantec AntiVirus\Savrtpel.sys 81920 bytes (Symantec Corporation, SAVRTPEL)
0xF6EED000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEFF50000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF7443000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7483000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7512000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF3A11000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF3BB3000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7862000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF6A05000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7872000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB7E65000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF5CB9000 C:\WINDOWS\system32\drivers\usbaudio.sys 61440 bytes (Microsoft Corporation, USB Audio Class Driver)
0xF4252000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7692000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF6A65000 C:\WINDOWS\system32\DRIVERS\HPZid412.sys 53248 bytes (HP, IEEE-1284.4-1999 Driver (Windows 2000))
0xF4111000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7672000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF76A2000 PxHelp20.sys 49152 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF40F1000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7782000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7852000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7662000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF4101000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7732000 C:\WINDOWS\System32\Drivers\DRVNDDM.SYS 40960 bytes (Sonic Solutions, Device Driver Manager)
0xF7652000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF78C2000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB7440000 C:\WINDOWS\System32\Drivers\SYMREDRV.SYS 40960 bytes (Symantec Corporation, Redirector Filter Driver)
0xF3C13000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7682000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF4242000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7842000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xB7430000 C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xF42B2000 C:\WINDOWS\system32\drivers\LVUSBSta.sys 36864 bytes (Logitech Inc., USB Statistic Driver)
0xF40E1000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF3AE4000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB7E55000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF652A000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF5226000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF3CB5000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7982000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF7A02000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF79F2000 C:\WINDOWS\System32\DLA\DLABOIOM.SYS 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xF3CDD000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF78D2000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF4805000 C:\WINDOWS\system32\DRIVERS\RimSerial.sys 28672 bytes (Research in Motion Ltd, RIM Virtual Serial Driver)
0xF7A3A000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xF23F9000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF2419000 C:\WINDOWS\System32\Drivers\DLARTL_N.SYS 24576 bytes (Sonic Solutions, Shared Driver Component)
0xF7A32000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF794A000 C:\WINDOWS\system32\DRIVERS\HPZius12.sys 24576 bytes (HP, 1284.4<->Usb Datalink Driver (Windows 2000))
0xF47FD000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF47F5000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF79FA000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF7952000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF79BA000 C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys 20480 bytes (-, -)
0xF5216000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF78DA000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF51FE000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF79D2000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF521E000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF2409000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF505F000 C:\WINDOWS\System32\DLA\DLAOPIOM.SYS 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xF3B58000 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys 16384 bytes (HP, IEEE-1284.4-1999 Print Class Driver)
0xF2399000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF564A000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xF42E2000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB86A1000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF42CE000 C:\WINDOWS\system32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)
0xF7A62000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF7046000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7B4E000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF7B46000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xB7FD9000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF732E000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF506B000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF4141000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF732A000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF7BEC000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows (R) 2000 DDK provider, TR Manager)
0xF7B94000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7B8E000 C:\WINDOWS\System32\Drivers\DLACDBHM.SYS 8192 bytes (Sonic Solutions, Shared Driver Component)
0xF7B96000 C:\WINDOWS\System32\DLA\DLAPoolM.SYS 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7B56000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7B5E000 C:\WINDOWS\system32\DRIVERS\dsunidrv.sys 8192 bytes (Gteko Ltd., GUniDriver)
0xF7BD4000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7B80000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7B52000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7BBA000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7BC4000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7BB4000 C:\WINDOWS\System32\Drivers\RootMdm.sys 8192 bytes (Microsoft Corporation, Legacy Non-Pnp Modem Device Driver)
0xF7BD2000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7B64000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7B54000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7CD6000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7D54000 C:\WINDOWS\System32\DLA\DLADResN.SYS 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7C3E000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7D92000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7C1A000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002D49C, Type: Inline - RelativeJump 0x8050449C-->8050443F [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D8C0, Type: Inline - RelativeJump 0x805048C0-->80504899 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]
[1824]ctfmon.exe-->kernel32.dll-->ntdll.dll-->NtClose, Type: IAT modification 0x7C80103C-->00000000 [LVPrcInj.dll]
[1824]ctfmon.exe-->kernel32.dll-->ntdll.dll-->NtCreateFile, Type: IAT modification 0x7C801008-->00000000 [LVPrcInj.dll]
[1824]ctfmon.exe-->kernel32.dll-->ntdll.dll-->NtDeviceIoControlFile, Type: IAT modification 0x7C801038-->00000000 [LVPrcInj.dll]
[1824]ctfmon.exe-->kernel32.dll-->ntdll.dll-->NtDuplicateObject, Type: IAT modification 0x7C8011CC-->00000000 [LVPrcInj.dll]
[2380]mbamgui.exe-->kernel32.dll-->ntdll.dll-->NtClose, Type: IAT modification 0x7C80103C-->00000000 [LVPrcInj.dll]
[2380]mbamgui.exe-->kernel32.dll-->ntdll.dll-->NtCreateFile, Type: IAT modification 0x7C801008-->00000000 [LVPrcInj.dll]
[2380]mbamgui.exe-->kernel32.dll-->ntdll.dll-->NtDeviceIoControlFile, Type: IAT modification 0x7C801038-->00000000 [LVPrcInj.dll]
[2380]mbamgui.exe-->kernel32.dll-->ntdll.dll-->NtDuplicateObject, Type: IAT modification 0x7C8011CC-->00000000 [LVPrcInj.dll]
[2444]jusched.exe-->kernel32.dll-->ntdll.dll-->NtClose, Type: IAT modification 0x7C80103C-->00000000 [LVPrcInj.dll]
[2444]jusched.exe-->kernel32.dll-->ntdll.dll-->NtCreateFile, Type: IAT modification 0x7C801008-->00000000 [LVPrcInj.dll]
[2444]jusched.exe-->kernel32.dll-->ntdll.dll-->NtDeviceIoControlFile, Type: IAT modification 0x7C801038-->00000000 [LVPrcInj.dll]
[2444]jusched.exe-->kernel32.dll-->ntdll.dll-->NtDuplicateObject, Type: IAT modification 0x7C8011CC-->00000000 [LVPrcInj.dll]
[2716]taskmgr.exe-->kernel32.dll-->ntdll.dll-->NtClose, Type: IAT modification 0x7C80103C-->00000000 [LVPrcInj.dll]
[2716]taskmgr.exe-->kernel32.dll-->ntdll.dll-->NtCreateFile, Type: IAT modification 0x7C801008-->00000000 [LVPrcInj.dll]
[2716]taskmgr.exe-->kernel32.dll-->ntdll.dll-->NtDeviceIoControlFile, Type: IAT modification 0x7C801038-->00000000 [LVPrcInj.dll]
[2716]taskmgr.exe-->kernel32.dll-->ntdll.dll-->NtDuplicateObject, Type: IAT modification 0x7C8011CC-->00000000 [LVPrcInj.dll]
[3676]wscntfy.exe-->kernel32.dll-->ntdll.dll-->NtClose, Type: IAT modification 0x7C80103C-->00000000 [LVPrcInj.dll]
[3676]wscntfy.exe-->kernel32.dll-->ntdll.dll-->NtCreateFile, Type: IAT modification 0x7C801008-->00000000 [LVPrcInj.dll]
[3676]wscntfy.exe-->kernel32.dll-->ntdll.dll-->NtDeviceIoControlFile, Type: IAT modification 0x7C801038-->00000000 [LVPrcInj.dll]
[3676]wscntfy.exe-->kernel32.dll-->ntdll.dll-->NtDuplicateObject, Type: IAT modification 0x7C8011CC-->00000000 [LVPrcInj.dll]
[3972]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[3972]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[3972]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[3972]explorer.exe-->kernel32.dll-->ntdll.dll-->NtClose, Type: IAT modification 0x7C80103C-->00000000 [LVPrcInj.dll]
[3972]explorer.exe-->kernel32.dll-->ntdll.dll-->NtCreateFile, Type: IAT modification 0x7C801008-->00000000 [LVPrcInj.dll]
[3972]explorer.exe-->kernel32.dll-->ntdll.dll-->NtDeviceIoControlFile, Type: IAT modification 0x7C801038-->00000000 [LVPrcInj.dll]
[3972]explorer.exe-->kernel32.dll-->ntdll.dll-->NtDuplicateObject, Type: IAT modification 0x7C8011CC-->00000000 [LVPrcInj.dll]
[3972]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[3972]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[3972]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D931480-->00000000 [shimeng.dll]
[3972]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Proceed as follows please :-

*Upload a File to Virustotal*
Please visit *Virustotal*

- Click the *Browse...* button
- Navigate to the file *C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys*
- Click the *Open* button
- Click the *Send* button
- If you get a message saying File has already been analyzed: click Reanalyze file now
- Copy and paste the results back here please.

Next,

*Please read carefully and follow these steps.*

Download *TDSSKiller* and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on *TDSSKiller.exe* to run the application, then on *Start Scan.*

If an infected file is detected, the default action will be *Cure*, click on *Continue.*

If a suspicious file is detected, the default action will be *Skip*, click on *Continue.*

It may ask you to reboot the computer to complete the process. Click on *Reboot Now*.

If no reboot is required, click on *Report*. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "*TDSSKiller.[Version]_[Date]_[Time]_log.txt*". Please copy and paste the contents of that file here.

Post the two logs please...

Kevin


----------



## PALV (Mar 10, 2011)

Kevin
Looks like neither found any infections.......

Bill

----

File name: LVPr2Mon.sys
Submission date: 2011-03-18 18:15:04 (UTC)
Current status: finished

Result: 0/ 43 (0.0%)

"Antivirus", "Version", "Last update", "Result" 
"AhnLab-V3", "2011.03.19.00", "2011.03.18", "-" 
"AntiVir", "7.11.5.1", "2011.03.18", "-" 
"Antiy-AVL", "2.0.3.7", "2011.03.18", "-" 
"Avast", "4.8.1351.0", "2011.03.18", "-" 
"Avast5", "5.0.677.0", "2011.03.18", "-" 
"AVG", "10.0.0.1190", "2011.03.18", "-" 
"BitDefender", "7.2", "2011.03.18", "-" 
"CAT-QuickHeal", "11.00", "2011.03.18", "-" 
"ClamAV", "0.96.4.0", "2011.03.18", "-" 
"Commtouch", "5.2.11.5", "2011.03.18", "-" 
"Comodo", "8027", "2011.03.18", "-" 
"DrWeb", "5.0.2.03300", "2011.03.18", "-" 
"Emsisoft", "5.1.0.2", "2011.03.18", "-" 
"eSafe", "7.0.17.0", "2011.03.17", "-" 
"eTrust-Vet", "36.1.8222", "2011.03.18", "-" 
"F-Prot", "4.6.2.117", "2011.03.18", "-" 
"F-Secure", "9.0.16440.0", "2011.03.18", "-" 
"Fortinet", "4.2.254.0", "2011.03.18", "-" 
"GData", "21", "2011.03.18", "-" 
"Ikarus", "T3.1.1.97.0", "2011.03.18", "-" 
"Jiangmin", "13.0.900", "2011.03.18", "-" 
"K7AntiVirus", "9.94.4145", "2011.03.18", "-" 
"Kaspersky", "7.0.0.125", "2011.03.18", "-" 
"McAfee", "5.400.0.1158", "2011.03.18", "-" 
"McAfee-GW-Edition", "2010.1C", "2011.03.18", "-" 
"Microsoft", "1.6603", "2011.03.18", "-" 
"NOD32", "5967", "2011.03.18", "-" 
"Norman", "6.07.03", "2011.03.18", "-" 
"nProtect", "2011-02-10.01", "2011.02.15", "-" 
"Panda", "10.0.3.5", "2011.03.18", "-" 
"PCTools", "7.0.3.5", "2011.03.17", "-" 
"Prevx", "3.0", "2011.03.18", "-" 
"Rising", "23.49.04.05", "2011.03.18", "-" 
"Sophos", "4.63.0", "2011.03.18", "-" 
"SUPERAntiSpyware", "4.40.0.1006", "2011.03.18", "-" 
"Symantec", "20101.3.0.103", "2011.03.18", "-" 
"TheHacker", "6.7.0.1.151", "2011.03.18", "-" 
"TrendMicro", "9.200.0.1012", "2011.03.18", "-" 
"TrendMicro-HouseCall", "9.200.0.1012", "2011.03.18", "-" 
"VBA32", "3.12.14.3", "2011.03.18", "-" 
"VIPRE", "8744", "2011.03.18", "-" 
"ViRobot", "2011.3.18.4364", "2011.03.18", "-" 
"VirusBuster", "13.6.255.0", "2011.03.18", "-" 
"MD5", "406b1d186f75b4b4832d6237859e1b00" 
"SHA1", "4090d51bf5a12f3bbc7c01529e14b6e269d83089" 
"SHA256", "7fb2657f98b425262f57574feff70ecccead2238f10195d347aa95eaa632109d" 
"File size", "25624 bytes" 
"Scan date", "2011-03-18 18:15:04 (UTC)"

MD5 : 406b1d186f75b4b4832d6237859e1b00 
SHA1 : 4090d51bf5a12f3bbc7c01529e14b6e269d83089 
SHA256: 7fb2657f98b425262f57574feff70ecccead2238f10195d347aa95eaa632109d 
ssdeep: 384EH6kgTfd3z9/DFdlWWWoqc6jidVYJLWjJbT26jgi:rkgTftz5DFLhqc6KwLqbT2mgi 
File size : 25624 bytes 
First seen: 2008-04-17 08:28:49 
Last seen : 2011-03-18 18:15:04 
TrID: 
Win32 Executable Generic (58.4%)
Clipper DOS Executable (13.8%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.7%)
VXD Driver (0.2%) 
sigcheck: 
publisher....: Logitech Inc.
copyright....: (c) 1996-2007 Logitech. All rights reserved.
product......: Logitech QuickCam
description..: Logitech ProcMon Driver
original name: LVPr2Mon.sys
internal name: LVPr2Mon.sys
file version.: 11.5.0.1145
comments.....: n/a
signers......: Logitech Inc
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 2:59 AM 10/12/2007
verified.....: -

PEInfo: PE structure information
[[ basic data ]]
entrypointaddress: 0x3593
timedatestamp....: 0x470ECEA7 (Fri Oct 12 01:32:23 2007)
machinetype......: 0x14c (I386)
[[ 7 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x480, 0x7F6, 0x800, 5.99, c23829c670ebaa26043270b4728cc4e5
.rdata, 0xC80, 0x68D, 0x700, 3.69, 7b8d24e1acc0212c971766981eedd0d5
.data, 0x1380, 0x9A8, 0xA00, 0.51, 8835fda83be804b2759d211b4aa66dfe
PAGE, 0x1D80, 0x16BA, 0x1700, 6.22, 50a28c8981e193c574b0e9f0f41eac2d
INIT, 0x3480, 0x844, 0x880, 5.61, 85c0cd999a76d353229b6dc1321328d8
.rsrc, 0x3D00, 0x930, 0x980, 3.36, 11079323579ca43304cc6a554a2338b0
.reloc, 0x4680, 0x330, 0x380, 4.60, 4b488a1dc2764dc5fbab7b853e892105
[[ 2 import(s) ]]
ntoskrnl.exe: IoDeleteSymbolicLink, RtlInitUnicodeString, KeDelayExecutionThread, PsSetCreateProcessNotifyRoutine, KeSetEvent, IoCreateSymbolicLink, ExInterlockedPopEntrySList, ExInterlockedPushEntrySList, ExDeleteNPagedLookasideList, ExDeletePagedLookasideList, ExInitializeNPagedLookasideList, ExInitializePagedLookasideList, KeInitializeMutex, ExFreeToPagedLookasideList, ExFreePoolWithTag, KeReleaseMutex, IoDeleteDevice, ExAllocateFromPagedLookasideList, memset, ZwCreateKey, ZwClose, ZwOpenKey, ZwQueryValueKey, memcpy, ZwSetValueKey, KeTickCount, KeBugCheckEx, PsGetCurrentThreadId, KeWaitForSingleObject, KeInitializeEvent, ExAllocatePoolWithTag, IofCompleteRequest, IoReleaseCancelSpinLock, MmGetSystemRoutineAddress, ZwSetSecurityObject, ObOpenObjectByPointer, IoDeviceObjectType, IoCreateDevice, RtlGetDaclSecurityDescriptor, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, _snwprintf, RtlLengthSecurityDescriptor, SeCaptureSecurityDescriptor, SeExports, IoIsWdmVersionAvailable, _wcsnicmp, RtlAddAccessAllowedAce, RtlLengthSid, wcschr, RtlAbsoluteToSelfRelativeSD, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, RtlFreeUnicodeString
HAL.dll: ExReleaseFastMutex, KfReleaseSpinLock, KfAcquireSpinLock, ExAcquireFastMutex

------

2011/03/18 14:26:01.0031 2024 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/18 14:26:01.0312 2024 ================================================================================
2011/03/18 14:26:01.0312 2024 SystemInfo:
2011/03/18 14:26:01.0312 2024 
2011/03/18 14:26:01.0312 2024 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/18 14:26:01.0312 2024 Product type: Workstation
2011/03/18 14:26:01.0312 2024 ComputerName: FAMILY
2011/03/18 14:26:01.0312 2024 UserName: 2.Kristin
2011/03/18 14:26:01.0312 2024 Windows directory: C:\WINDOWS
2011/03/18 14:26:01.0312 2024 System windows directory: C:\WINDOWS
2011/03/18 14:26:01.0312 2024 Processor architecture: Intel x86
2011/03/18 14:26:01.0312 2024 Number of processors: 2
2011/03/18 14:26:01.0312 2024 Page size: 0x1000
2011/03/18 14:26:01.0312 2024 Boot type: Normal boot
2011/03/18 14:26:01.0312 2024 ================================================================================
2011/03/18 14:26:01.0828 2024 Initialize success
2011/03/18 14:26:18.0984 0316 ================================================================================
2011/03/18 14:26:18.0984 0316 Scan started
2011/03/18 14:26:18.0984 0316 Mode: Manual; 
2011/03/18 14:26:18.0984 0316 ================================================================================
2011/03/18 14:26:21.0593 0316 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/03/18 14:26:22.0234 0316 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/18 14:26:22.0656 0316 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/18 14:26:23.0250 0316 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/03/18 14:26:23.0765 0316 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/18 14:26:24.0406 0316 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/03/18 14:26:24.0796 0316 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/03/18 14:26:25.0343 0316 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/03/18 14:26:25.0750 0316 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/03/18 14:26:26.0281 0316 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/03/18 14:26:26.0750 0316 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/03/18 14:26:27.0312 0316 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/03/18 14:26:27.0734 0316 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/03/18 14:26:28.0312 0316 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/03/18 14:26:28.0718 0316 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/03/18 14:26:29.0312 0316 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/03/18 14:26:29.0734 0316 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/03/18 14:26:30.0265 0316 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/03/18 14:26:30.0718 0316 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2011/03/18 14:26:31.0281 0316 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/18 14:26:31.0734 0316 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/18 14:26:33.0078 0316 ati2mtag (03621f7f968ff63713943405deb777f9) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/03/18 14:26:34.0015 0316 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/18 14:26:34.0625 0316 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/18 14:26:35.0015 0316 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/18 14:26:36.0000 0316 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/03/18 14:26:36.0500 0316 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/18 14:26:36.0890 0316 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/03/18 14:26:37.0421 0316 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/03/18 14:26:37.0843 0316 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/18 14:26:38.0437 0316 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/18 14:26:38.0875 0316 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/18 14:26:39.0843 0316 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/03/18 14:26:40.0375 0316 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/03/18 14:26:40.0859 0316 ctsfm2k (8db84de3aab34a8b4c2f644eff41cd76) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
2011/03/18 14:26:41.0453 0316 CTUSFSYN (4ee8822adb764edd28ce44e808097995) C:\WINDOWS\system32\drivers\ctusfsyn.sys
2011/03/18 14:26:41.0921 0316 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/03/18 14:26:42.0468 0316 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/03/18 14:26:42.0953 0316 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/18 14:26:43.0500 0316 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2011/03/18 14:26:43.0953 0316 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2011/03/18 14:26:44.0515 0316 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS
2011/03/18 14:26:44.0890 0316 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2011/03/18 14:26:45.0281 0316 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2011/03/18 14:26:45.0796 0316 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2011/03/18 14:26:46.0203 0316 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
2011/03/18 14:26:46.0765 0316 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2011/03/18 14:26:47.0187 0316 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2011/03/18 14:26:48.0000 0316 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/18 14:26:48.0906 0316 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/18 14:26:49.0500 0316 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/18 14:26:49.0937 0316 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/18 14:26:50.0500 0316 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/03/18 14:26:50.0968 0316 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/18 14:26:51.0515 0316 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2011/03/18 14:26:51.0921 0316 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2011/03/18 14:26:52.0062 0316 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
2011/03/18 14:26:52.0578 0316 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
2011/03/18 14:26:53.0031 0316 E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/03/18 14:26:53.0343 0316 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/03/18 14:26:53.0765 0316 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/03/18 14:26:54.0281 0316 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/18 14:26:54.0906 0316 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/03/18 14:26:55.0296 0316 FilterService (bcef16e3aedd1b44bca45f748d975d73) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
2011/03/18 14:26:55.0859 0316 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/18 14:26:56.0281 0316 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/03/18 14:26:56.0875 0316 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/03/18 14:26:57.0312 0316 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/18 14:26:57.0859 0316 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/18 14:26:58.0281 0316 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/03/18 14:26:58.0875 0316 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/18 14:26:59.0312 0316 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/03/18 14:26:59.0859 0316 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/18 14:27:00.0265 0316 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/03/18 14:27:00.0812 0316 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/03/18 14:27:01.0265 0316 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/03/18 14:27:01.0796 0316 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/03/18 14:27:02.0281 0316 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2011/03/18 14:27:03.0281 0316 HSF_DP (668629c3b9ca8ef07cf2ccbd86bb6b2b) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2011/03/18 14:27:04.0359 0316 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/18 14:27:04.0968 0316 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/03/18 14:27:05.0359 0316 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/03/18 14:27:05.0890 0316 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/18 14:27:06.0343 0316 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/18 14:27:06.0890 0316 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/03/18 14:27:07.0328 0316 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/03/18 14:27:07.0859 0316 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/03/18 14:27:08.0281 0316 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/03/18 14:27:08.0671 0316 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/18 14:27:09.0140 0316 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/18 14:27:09.0609 0316 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/18 14:27:10.0078 0316 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/18 14:27:10.0453 0316 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/18 14:27:10.0921 0316 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/18 14:27:11.0328 0316 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/18 14:27:11.0734 0316 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/18 14:27:12.0250 0316 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/18 14:27:12.0750 0316 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/18 14:27:14.0359 0316 LVcKap (8113133ec42dd6c566908008ce913edd) C:\WINDOWS\system32\DRIVERS\LVcKap.sys
2011/03/18 14:27:16.0343 0316 LVMVDrv (0dd5b8af4917a2821047450195c511b3) C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys
2011/03/18 14:27:18.0140 0316 lvpopflt (e1158b0cb852db0573922c92e6e564de) C:\WINDOWS\system32\DRIVERS\lvpopflt.sys
2011/03/18 14:27:19.0203 0316 LVPr2Mon (406b1d186f75b4b4832d6237859e1b00) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
2011/03/18 14:27:19.0609 0316 LVUSBSta (be5e104be263921d6842c555db6a5c23) C:\WINDOWS\system32\drivers\LVUSBSta.sys
2011/03/18 14:27:21.0359 0316 LVUVC (eacd1eb2d82ed2adc753afeee1d4d660) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
2011/03/18 14:27:23.0156 0316 MBAMProtector (836e0e09ca9869be7eb39ef2cf3602c7) C:\WINDOWS\system32\drivers\mbam.sys
2011/03/18 14:27:23.0578 0316 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/03/18 14:27:23.0953 0316 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2011/03/18 14:27:24.0359 0316 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/18 14:27:24.0781 0316 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/18 14:27:25.0187 0316 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/03/18 14:27:25.0578 0316 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
2011/03/18 14:27:25.0984 0316 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/18 14:27:26.0375 0316 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/18 14:27:26.0796 0316 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/18 14:27:27.0218 0316 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/03/18 14:27:27.0671 0316 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/18 14:27:28.0296 0316 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/18 14:27:28.0828 0316 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/18 14:27:29.0234 0316 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/18 14:27:29.0640 0316 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/18 14:27:30.0109 0316 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/18 14:27:30.0515 0316 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/18 14:27:30.0953 0316 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/03/18 14:27:31.0390 0316 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/18 14:27:31.0875 0316 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/03/18 14:27:32.0093 0316 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110310.003\naveng.sys
2011/03/18 14:27:32.0718 0316 NAVEX15 (94b3164055d821a62944d9fe84036470) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110310.003\navex15.sys
2011/03/18 14:27:33.0656 0316 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/18 14:27:34.0171 0316 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/03/18 14:27:34.0562 0316 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/18 14:27:34.0968 0316 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/18 14:27:35.0406 0316 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/18 14:27:35.0875 0316 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/18 14:27:36.0312 0316 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/18 14:27:36.0750 0316 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/18 14:27:37.0250 0316 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/18 14:27:37.0890 0316 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/18 14:27:38.0593 0316 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/18 14:27:39.0687 0316 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/03/18 14:27:40.0906 0316 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/18 14:27:41.0281 0316 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/18 14:27:41.0765 0316 ossrv (103a9b117a7d9903111955cdafe65ac6) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
2011/03/18 14:27:42.0156 0316 PalmUSBD (240c0d4049a833b16b63b636acf01672) C:\WINDOWS\system32\drivers\PalmUSBD.sys
2011/03/18 14:27:42.0562 0316 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/03/18 14:27:43.0031 0316 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/18 14:27:43.0390 0316 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/18 14:27:43.0812 0316 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/18 14:27:44.0531 0316 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/03/18 14:27:45.0015 0316 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/03/18 14:27:46.0953 0316 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/03/18 14:27:47.0359 0316 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/03/18 14:27:47.0812 0316 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/18 14:27:48.0265 0316 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/18 14:27:48.0703 0316 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/18 14:27:49.0156 0316 PxHelp20 (0c8da0a8b0d227319c285e0eae65defd) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/03/18 14:27:49.0546 0316 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/03/18 14:27:49.0937 0316 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/03/18 14:27:50.0343 0316 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/03/18 14:27:50.0781 0316 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/03/18 14:27:51.0187 0316 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/03/18 14:27:51.0609 0316 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/18 14:27:52.0031 0316 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/18 14:27:52.0500 0316 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/18 14:27:52.0875 0316 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/18 14:27:53.0375 0316 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/18 14:27:53.0843 0316 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/18 14:27:54.0343 0316 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/03/18 14:27:54.0906 0316 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/18 14:27:55.0375 0316 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/18 14:27:55.0843 0316 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
2011/03/18 14:27:56.0265 0316 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/03/18 14:27:56.0656 0316 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/03/18 14:27:56.0937 0316 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys
2011/03/18 14:27:57.0203 0316 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
2011/03/18 14:27:57.0609 0316 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/18 14:27:58.0031 0316 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/03/18 14:27:58.0484 0316 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/03/18 14:27:58.0937 0316 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/18 14:27:59.0875 0316 sigfilt (6bd3976b881888ac9a0ed3eb94e7fd38) C:\WINDOWS\system32\drivers\sigfilt.sys
2011/03/18 14:28:01.0218 0316 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/03/18 14:28:01.0625 0316 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/03/18 14:28:01.0812 0316 SMNDIS5 (4ef5ea44583c37383c289d4b8c354698) C:\PROGRA~1\VERIZO~2\VZACCE~1\SMNDIS5.SYS
2011/03/18 14:28:02.0203 0316 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/03/18 14:28:02.0484 0316 SPBBCDrv (677b10906838d3bfb1c07ac9087e4bf7) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2011/03/18 14:28:03.0031 0316 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/18 14:28:03.0453 0316 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/18 14:28:04.0015 0316 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/18 14:28:04.0500 0316 STHDA (b95480c92c4c9c311be47b8a1ad73770) C:\WINDOWS\system32\drivers\sthda.sys
2011/03/18 14:28:04.0937 0316 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/03/18 14:28:05.0343 0316 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/18 14:28:05.0765 0316 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/18 14:28:06.0187 0316 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/03/18 14:28:06.0609 0316 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/03/18 14:28:06.0781 0316 SymEvent (de6d1102d55926354171ae4e73936725) C:\Program Files\Symantec\SYMEVENT.SYS
2011/03/18 14:28:07.0218 0316 SYMREDRV (6c0a85982f4e0d672b85a2bfb50a24b5) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2011/03/18 14:28:07.0703 0316 SYMTDI (cdda3ba3f7d5b63ff9f85cb478c11473) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2011/03/18 14:28:08.0171 0316 sym_hi  (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/03/18 14:28:08.0562 0316 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/03/18 14:28:09.0031 0316 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/18 14:28:09.0609 0316 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/18 14:28:10.0140 0316 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/18 14:28:10.0531 0316 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/18 14:28:10.0906 0316 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/18 14:28:11.0328 0316 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/03/18 14:28:11.0734 0316 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/18 14:28:12.0187 0316 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/03/18 14:28:12.0796 0316 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/18 14:28:13.0296 0316 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/03/18 14:28:13.0781 0316 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/03/18 14:28:14.0218 0316 usbbus (d9f3bb7c292f194f3b053ce295754eb8) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
2011/03/18 14:28:14.0625 0316 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/18 14:28:15.0062 0316 UsbDiag (c4f77da649f99fad116ea585376fc164) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
2011/03/18 14:28:15.0500 0316 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/18 14:28:15.0953 0316 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/18 14:28:16.0359 0316 USBModem (c0613ce45e617bc671de8ebb1b30d175) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
2011/03/18 14:28:16.0796 0316 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/03/18 14:28:17.0218 0316 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/03/18 14:28:17.0609 0316 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/18 14:28:18.0062 0316 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/18 14:28:18.0468 0316 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/18 14:28:18.0859 0316 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/03/18 14:28:19.0250 0316 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/03/18 14:28:19.0656 0316 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/18 14:28:20.0078 0316 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/18 14:28:21.0062 0316 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/03/18 14:28:21.0968 0316 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/18 14:28:22.0671 0316 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/03/18 14:28:23.0437 0316 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/03/18 14:28:23.0843 0316 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/03/18 14:28:24.0296 0316 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/03/18 14:28:24.0734 0316 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/03/18 14:28:25.0171 0316 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/03/18 14:28:25.0296 0316 ================================================================================
2011/03/18 14:28:25.0296 0316 Scan finished
2011/03/18 14:28:25.0296 0316 ================================================================================


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

This is proving to be very elusive for sure. In post #2 you managed to produce a GMER log, can you run GMER again with those settings and post the new log.
I know these scans can be time consuming but feel GMER is our best chance of locating the problem...

Kevin


----------



## PALV (Mar 10, 2011)

Kevin - 
I agree -seems like something knows we're looking for it! Will give GMER a shot again. 

(FYI - that scan in post #2 was prior to anything we've done - I did it based on the moderator's suggestions in a sticky before posting the first time, so I'm not exactly sure which settings I used to obtain it - but assume you're referring to the settings you've instructed, so I'll go that route again.)

Bill


----------



## kevinf80 (Mar 21, 2006)

Thanks Bill, I know it's frustrating running scan after scan, but it's the only way to locate rootkits...

Kevin


----------



## PALV (Mar 10, 2011)

I understand. Fortunately, I have another machine available for use, so it's not that big of an imposition, nor do I mind doing them and returning to post. It's when the scans stall (like now - mid scan, stuck on "i2omgmt.sys") and goes NOWHERE that I get annoyed.

Will give it a few more minutes, re-boot then try again in Safe Mode (again).

Appreciate your time (and patience!)

Bill


----------



## PALV (Mar 10, 2011)

BTW - have noticed that GMER looks different when scanning in standard vs Safe Mode (approx 25 type/name/values listed in the top half of the window while the scanning proceeds below it, in standard mode, vs. nothing up top and barely any noticeable activity down below while in Safe Mode). Does this matter, or just a function of having booted in Safe Mode?


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

I know it's a pain when these tools keep crashing, try the settings for GMER as per the Forum sticky if that will get it to run...

Item 3 from here... http://forums.techguy.org/virus-other-malware-removal/943214-everyone-must-read-before-posting.html

Kevin


----------



## PALV (Mar 10, 2011)

5 hrs later - it "appeared" that GMER had been working correctly, and no longer saw any scanning (or hanging on a specific file) so I thought we had it, finally! Hit Save, and this is what resulted>>>> :-(

(This was standard mode, I deleted prior instances of GMER and downloaded it fresh, again, from the link in the sticky. It took off right away and was chugging along every time I checked back, so I thought THAT might have made the difference. Guess not.)

Suggestions? Try Safe Mode, again? Reattempt in standard mode? Willing to do whatever - just wondering if you have any recommendations.......

Bill

----

GMER 1.0.15.15565 - http://www.gmer.net
Rootkit scan 2011-03-18 21:31:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST3160812AS rev.3.ADH
Running: 08rhyz9f.exe; Driver: C:\DOCUME~1\222F6~1.KRI\LOCALS~1\Temp\pxtdypod.sys

---- System - GMER 1.0.15 ----
SSDT 86F78138 ZwAlertResumeThread
SSDT 87112AC8 ZwAlertThread
SSDT 8702C160 ZwAllocateVirtualMemory
SSDT 86F7A220 ZwConnectPort
SSDT 871140D8 ZwCreateMutant
SSDT 8702A160 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF07EA350]
SSDT 870965B0 ZwFreeVirtualMemory
SSDT 8711B5C0 ZwImpersonateAnonymousToken
SSDT 86F76498 ZwImpersonateThread
SSDT 86EE5BC0 ZwMapViewOfSection
SSDT 871D1860 ZwOpenEvent
SSDT 86F86500 ZwOpenProcessToken
SSDT 870B3160 ZwOpenThreadToken
SSDT 86F84648 ZwQueryValueKey
SSDT 871E77E8 ZwResumeThread
SSDT 86F223E8 ZwSetContextThread
SSDT 86EE7820 ZwSetInformationProcess
SSDT 86F70CC8 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF07EA580]
SSDT 871CB2E0 ZwSuspendProcess
SSDT 86F7AF88 ZwSuspendThread
SSDT 871C8CA0 ZwTerminateProcess
SSDT 87099B68 ZwTerminateThread
SSDT 87161CC8 ZwUnmapViewOfSection
SSDT 87030160 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2F08 805047A4 4 Bytes CALL 24D76620 
.text ntkrnlpa.exe!ZwCallbackReturn + 2F24 805047C0 4 Bytes CALL 16D739E8 
init C:\WINDOWS\system32\drivers\sigfilt.sys entry point in "init" section [0xF0907F80]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device B6CE2D20
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
---- EOF - GMER 1.0.15 ----


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

I want you to reset your router, basic instructions available *Here* if required.

Next,

Delete any versions of Combofix you have on your Desktop, download and re-save to the Desktop again from either of the following links:

*Link 1*
*Link 2*

Make sure all security is off, then run by double-clicking the icon.

Vista and Windows 7 users right click and select "Run as Administrator"

Instructions for running Combofix available *Here* if required.

Instructions for turning off security available *Here* if required.

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*

- If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
- If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
- If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the new log in your next reply please.

Kevin


----------



## PALV (Mar 10, 2011)

Hi Kevin -

- Router reset
- Deleted, downloaded, updated and reinstalled ComboFix

Newest log file below. Thanks.

Bill

-----

ComboFix 11-03-19.03 - 2.Kristin 03/20/2011 6:45.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.534 [GMT -4:00]
Running from: c:\documents and settings\2.Kristin\Desktop\Gotcha.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\pdk-SYSTEM-2080\0a6b9f23e356336cc61530f586d0c66a.dll
c:\windows\TEMP\pdk-SYSTEM-2080\1ff4eae997b1753d848dbbc61d1b4345.dll
c:\windows\TEMP\pdk-SYSTEM-2080\31aa023220b46a62dd91739a3bf1cad4.dll
c:\windows\TEMP\pdk-SYSTEM-2080\36971e8ed4d19cc0a7051079b039c204.dll
c:\windows\TEMP\pdk-SYSTEM-2080\42db37dadb779dbfc5da8bdd7ec61c52.dll
c:\windows\TEMP\pdk-SYSTEM-2080\44abde5de65f3f034faac2c132713018.dll
c:\windows\TEMP\pdk-SYSTEM-2080\7aace6f21e4c397996b145b7fd777643.dll
c:\windows\TEMP\pdk-SYSTEM-2080\7acaa276f32e012922082aa697dfa218.dll
c:\windows\TEMP\pdk-SYSTEM-2080\89f4ac43ba2b792785d9d472365e562b.dll
c:\windows\TEMP\pdk-SYSTEM-2080\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
c:\windows\TEMP\pdk-SYSTEM-2080\b2774d247dfbf0abe8539e577ee59b4c.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-20 to 2011-03-20 )))))))))))))))))))))))))))))))
.
.
2011-03-20 10:12 . 2011-03-20 10:12 -------- d-----w- c:\program files\VERIZONDM
2011-03-20 10:12 . 2011-03-20 10:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2011-03-20 10:11 . 2011-02-01 23:45 9811968 ----a-w- c:\windows\VerizonDM.msi
2011-03-20 10:11 . 2011-03-20 10:12 -------- d-----w- c:\program files\Common Files\SupportSoft
2011-03-19 20:37 . 2011-03-19 20:37 -------- d-----w- c:\documents and settings\2.Kristin\Local Settings\Application Data\Temp
2011-03-19 20:20 . 2011-03-19 20:20 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-03-17 11:17 . 2006-07-26 07:03 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2011-03-16 19:10 . 2011-03-16 19:12 -------- d-----w- C:\Gotcha
2011-03-16 18:29 . 2011-03-20 10:27 -------- d-----w- c:\documents and settings\2.Kristin\Tracing
2011-03-16 12:01 . 2011-03-16 12:01 -------- d-----w- c:\documents and settings\2.Kristin\DoctorWeb
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\dllcache\mouclass.sys
2011-03-12 01:56 . 2011-03-12 01:56 -------- d-----w- c:\documents and settings\2.Kristin\Application Data\Malwarebytes
2011-02-27 20:01 . 2011-02-27 20:02 122562410 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 09:38 . 2004-08-04 02:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-12-20 23:09 . 2010-08-15 17:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-08-15 17:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-02-10 19:36 . 2008-02-10 19:36 4891136 ----a-w- c:\program files\WeatherbugSetupZ6157.msi
2006-09-23 02:33 . 2006-09-23 02:33 36636224 ----a-w- c:\program files\iTunesSetup.exe
2006-09-23 02:20 . 2006-09-23 02:20 359112 ----a-w- c:\program files\LimeWire.exe
2006-09-20 00:39 . 2006-09-20 00:39 1454005 ----a-w- c:\program files\aresfree.exe
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 21:46 . 2007-11-13 21:46 135168 c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe
.
2007-05-11 07:06 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
.
2006-08-11 12:38 . 2005-08-06 01:05 344064 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
.
2005-06-10 14:44 . 2005-06-10 14:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
.
2005-06-10 14:44 . 2005-06-10 14:44 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
.
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\ccApp.exe
.
2006-08-11 12:40 . 2004-12-02 22:23 102400 c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe
.
2006-08-11 12:39 . 2005-09-15 13:47 57344 c:\program files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe
.
2006-08-11 12:40 . 2005-09-19 11:42 1159168 c:\program files\Creative\VoiceCenter\bak\AndreaVC.exe
.
2005-10-05 07:12 . 2005-10-05 07:12 94208 c:\program files\Dell\Media Experience\bak\DMXLauncher.exe
.
2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe
.
2007-09-02 11:14 . 2007-07-12 08:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe
.
2007-10-20 01:16 . 2007-10-20 01:16 286720 c:\program files\QuickTime\bak\qttask.exe
2009-09-05 05:54 . 2009-09-05 05:54 417792 c:\program files\QuickTime\QTTask.exe
.
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\bak\VPTray.exe
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\VPTray.exe
.
2006-08-22 03:30 . 2005-05-23 17:20 50744 c:\program files\Verizon Online\Help Support\bak\VERIZO~1.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Weather"="c:\program files\weatherbug\WeatherBug\Weather.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 49263]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-02-01 206120]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Task Manager.lnk - c:\windows\system32\taskmgr.exe [2005-8-16 135680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
c:\program files\AIM6\aim6.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/15/2010 1:55 PM 363344]
R2 Reporting;Reporting Agents;c:\program files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe [9/27/2006 2:17 PM 1324808]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 5:54 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 5:54 AM 185640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/11/2011 10:15 AM 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/15/2010 1:55 PM 20952]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 10:54 AM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
2011-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-20 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-02-28 19:31]
.
2011-03-20 c:\windows\Tasks\WinUtilities-02BB2F56CB964deb8996194DE7EB5275.job
- c:\program files\WinUtilities\WinUtil.exe [2010-08-15 15:28]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-20 07:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4104)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\CBA\pds.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
.
**************************************************************************
.
Completion time: 2011-03-20 07:28:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-20 11:28
ComboFix2.txt 2011-03-16 19:46
ComboFix3.txt 2011-03-16 10:47
ComboFix4.txt 2011-03-15 22:39
ComboFix5.txt 2011-03-20 10:39
.
Pre-Run: 86,435,721,216 bytes free
Post-Run: 86,567,800,832 bytes free
.
- - End Of File - - 893D65F8936F1E050219348EABB7D015


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Apologies for the late reply, been away to friends and just got back a couple of hours ago, loads of logs to catch up.

Please visit *Virustotal*

- Click the *Browse...* button
- Navigate to the file *c:\program files\Common Files\Symantec Shared\ccApp.exe*
- Click the *Open* button
- Click the *Send* button
- If you get a message saying the file has already been analyzed, click "Reanalyze file now"
- Copy and paste the results back here please.
- Repeat the above steps for the following files:

*c:\program files\QuickTime\QTTask.exe*
*c:\program files\Symantec AntiVirus\VPTray.exe*

Post the results in your next reply please.

Kevin


----------



## PALV (Mar 10, 2011)

Kevin - 
No problem on response time, I'm sure you have a ton to review and reply to, and we DO need to have a life beyond computers sometimes!

Of the 3 it looks like QTTask.exe is infected. Log files from VirusTotal don't seem to paste as cleanly as others so I'm only copying what I "think" you'll need here. Saved the total results so if you need more I can repost - let me know.

Thanks,

Bill

---

VirusTotal logs:

File name: ccApp.exe
Submission date: 2011-03-21 13:46:16 (UTC)
Current status: finished
Result: 0/43 (0.0%)

---

File name: VPTray.exe
Submission date: 2011-03-21 13:46:48 (UTC)
Current status: finished
Result: 0/43 (0.0%)

---

File name: QTTask.exe
Submission date: 2011-03-21 13:48:32 (UTC)
Current status: finished
Result: 1/42 (2.4%)

eSafe 7.0.17.0 2011.03.17 Win32.TrojanHorse

Additional information

MD5: 8cbd57d84729debee1e83cb5fa3e3d7a
SHA1: b26ccae897aabdb6a4747828b5aa29ecf10ab184
SHA256: 01e0667f743a08210873b7ceb30ea6592596cce70e9ce9f6ccf40f22261201ee
ssdeep: 3072:IeHnUgOsoBv5YCSY5rdWFbIa648bm+CSLipXkhTNax6JWotnfM+9B0eCkBQ3anSS:IeHnUgOJv5Y25HC5om+xBzBaS
File size: 417792 bytes
First seen: 2009-09-09 22:32:53
Last seen: 2011-03-21 13:48:32

TrID:
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)

sigcheck:
publisher....: Apple Inc.
copyright....: Copyright Apple Inc. 1989-2009
product......: QuickTime
description..: QuickTime Task
original name: QTTask.exe
internal name: QuickTime Task
file version.: 7.6.4 (1327.73)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x28202
timedatestamp....: 0x4AA21D64 (Sat Sep 05 08:12:20 2009)
machinetype......: 0x14c (I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x49D65, 0x4A000, 6.17, df42404359a137922980b8e82ab25deb
.rdata, 0x4B000, 0x4EC4, 0x5000, 5.49, 1431c5c722aabbd4248a5f7c5cbe4105
.data, 0x50000, 0x32A4, 0x2000, 2.48, 60b8c1a51d107af6c10c26a7975ef6fd
.rsrc, 0x54000, 0xC5F8, 0xD000, 5.00, 48585b1c0037f1f4bd57931b7ca49f71
.reloc, 0x61000, 0x655A, 0x7000, 6.08, 15ab5c368bb8c9b042c74dd19ac22993

[[ 6 import(s) ]]
VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
KERNEL32.dll: GetVersionExA, WaitForSingleObject, CreateProcessA, ResetEvent, SetEvent, WaitForMultipleObjects, Sleep, CreateThread, GetLastError, CreateMutexA, GetModuleHandleA, GetSystemDirectoryA, TerminateProcess, GlobalFree, GlobalAlloc, ReleaseMutex, GetCurrentProcessId, GetConsoleOutputCP, WriteConsoleA, GetTimeZoneInformation, CompareStringW, CompareStringA, SetFilePointer, FindFirstFileA, HeapSize, FlushFileBuffers, GetConsoleMode, GetConsoleCP, VirtualAlloc, HeapReAlloc, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, GetDateFormatA, GetTimeFormatA, GetStringTypeW, GetStringTypeA, GetSystemTimeAsFileTime, GetTickCount, QueryPerformanceCounter, VirtualFree, HeapCreate, HeapDestroy, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, OpenProcess, FindClose, CloseHandle, LoadLibraryA, GetProcAddress, FreeLibrary, CreateEventA, GetModuleFileNameA, WriteConsoleW, SetStdHandle, ReadFile, GetLocaleInfoW, EnterCriticalSection, SetEnvironmentVariableW, SetEnvironmentVariableA, RaiseException, CreateFileA, LeaveCriticalSection, ExitProcess, MultiByteToWideChar, GetFileAttributesA, RtlUnwind, GetCommandLineA, HeapFree, HeapAlloc, GetProcessHeap, GetStartupInfoA, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, GetCurrentThread, LCMapStringA, WideCharToMultiByte, LCMapStringW, SetHandleCount, GetStdHandle, GetFileType, DeleteCriticalSection, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, FatalAppExitA, WriteFile, SetConsoleCtrlHandler, InterlockedExchange, InitializeCriticalSection
USER32.dll: LoadIconA, LoadCursorA, RegisterClassExA, CreateWindowExA, SetWindowLongA, GetWindowLongA, DefWindowProcA, PostQuitMessage, LoadMenuA, GetSubMenu, DestroyMenu, SetMenuDefaultItem, GetCursorPos, SetForegroundWindow, TrackPopupMenu, CreatePopupMenu, GetMenuStringA, ModifyMenuA, EnableMenuItem, FindWindowA, GetWindowThreadProcessId, SendMessageA, AppendMenuA, MessageBoxA, LoadStringA, GetMessageA, TranslateMessage, DispatchMessageA, PostMessageA, wsprintfA
GDI32.dll: GetStockObject
ADVAPI32.dll: RegDeleteKeyA, RegCreateKeyExA, RegOpenKeyExA, RegQueryInfoKeyA, RegEnumValueA, RegDeleteValueA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegEnumKeyA
SHELL32.dll: ShellExecuteA, Shell_NotifyIconA
ExifTool:
file metadata
CharacterSet: Windows, Latin1
CodeSize: 303104
CompanyName: Apple Inc.
EntryPoint: 0x28202
FileDescription: QuickTime Task
FileFlagsMask: 0x003f
FileOS: Win32
FileSize: 408 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 7.6.4 (1327.73)
FileVersionNumber: 7.6.4.0
ImageVersion: 0.0
InitializedDataSize: 110592
InternalName: QuickTime Task
LanguageCode: English (U.S.)
LegalCopyright: Copyright Apple Inc. 1989-2009
LinkerVersion: 8.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Dynamic link library
OriginalFilename: QTTask.exe
PEType: PE32
ProductName: QuickTime
ProductVersion: QuickTime 7.6.4 (1327.73)
ProductVersionNumber: 7.64.17.73
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2009:09:05 10:12:20+02:00
UninitializedDataSize: 0


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Can you upload the same three files to Jotti :-

We need to upload a file to *Jotti*

1. Click *HERE* to get to Jotti's site.

2. At the top of the Jotti window, use the *Browse* button to locate the following file on your system:

*c:\program files\Common Files\Symantec Shared\ccApp.exe*

3. Once you have located the file, click *SUBMIT* and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

5. Please repeat steps 2-4 for the following files:

*c:\program files\QuickTime\QTTask.exe
c:\program files\Symantec AntiVirus\VPTray.exe*

Post the results please...

Kevin


----------



## PALV (Mar 10, 2011)

Kevin - Here you go.

Bill

*Jotti's malware scan*

Filename: ccApp.exe
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Mon 21 Mar 2011 21:46:49 (CET)
File size: 52896 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 1918a1d8e67a6452720797919fa520c9
SHA1: f610dcda5e19efb616faa9a4b9dbac6bfb0fb76d

----

Filename: QTTask.exe
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Mon 21 Mar 2011 21:49:17 (CET)
File size: 417792 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 8cbd57d84729debee1e83cb5fa3e3d7a
SHA1: b26ccae897aabdb6a4747828b5aa29ecf10ab184

----

Filename: VPTray.exe
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Mon 21 Mar 2011 21:50:46 (CET)
File size: 125168 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: a1307c939e5216317e363d06a5473c7d
SHA1: b9cce6a3f38412166fec0d3ce62786af048c6dee
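Two checks a practitioner would run at this point, as an added example rather than code from the thread or from either scanning service: recompute the hashes locally to confirm that the file on disk is the one VirusTotal and Jotti reported on (their MD5 and SHA1 for QTTask.exe agree, which only proves the same bytes were submitted to both, not that the file is clean), and compare each executable ComboFix listed under AWF with the copy in its bak\ folder. The hash table is copied from the two reports in this thread; the reading of the AWF listing (the bak\ copy is the original, the live path is where a replacement would sit) and the paths in the main block are assumptions, not something the thread states.

```python
"""Added example, not code from the thread: recompute a file's hashes to check
that the copy on disk is the one VirusTotal and Jotti reported on, and compare
a live executable with the copy ComboFix lists under AWF in a bak\\ folder."""
import hashlib
from pathlib import Path

# Hashes exactly as the two scanning services reported them in the thread.
REPORTED = {
    "ccApp.exe":  {"md5": "1918a1d8e67a6452720797919fa520c9",
                   "sha1": "f610dcda5e19efb616faa9a4b9dbac6bfb0fb76d"},
    "VPTray.exe": {"md5": "a1307c939e5216317e363d06a5473c7d",
                   "sha1": "b9cce6a3f38412166fec0d3ce62786af048c6dee"},
    "QTTask.exe": {"md5": "8cbd57d84729debee1e83cb5fa3e3d7a",
                   "sha1": "b26ccae897aabdb6a4747828b5aa29ecf10ab184",
                   "sha256": "01e0667f743a08210873b7ceb30ea6592596cce70e9ce9f6ccf40f22261201ee"},
}


def digests(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the given bytes as lowercase hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matches_report(data: bytes, reported: dict) -> bool:
    """True only when every hash the service reported agrees with the local bytes.
    A mismatch means the verdict was for a different file than the one on disk."""
    local = digests(data)
    return bool(reported) and all(local[alg] == val.lower() for alg, val in reported.items())


def classify_awf_pair(live: bytes, bak: bytes) -> str:
    """Relation between the executable at its normal path and the bak\\ copy.
    Assumption (not stated in the thread): the bak\\ copy is the original and
    the live path is where a wrapper or patched binary would have been dropped."""
    if digests(live)["sha256"] == digests(bak)["sha256"]:
        return "identical"            # nothing replaced the live file
    if len(live) == len(bak):
        return "same-size-modified"   # patched in place; examine the live copy
    return "replaced"                 # a different binary now sits at the live path


def scan_bak_pairs(root: Path) -> list:
    """Find every <dir>\\bak\\<name> under root and classify it against <dir>\\<name>.
    Windows paths are case-insensitive, so bak\\qttask.exe pairs with QTTask.exe."""
    findings = []
    for bak_file in root.rglob("bak/*"):
        if not bak_file.is_file():
            continue
        live = bak_file.parent.parent / bak_file.name
        if live.is_file():
            findings.append((str(live), classify_awf_pair(live.read_bytes(), bak_file.read_bytes())))
        else:
            findings.append((str(live), "live-missing"))
    return findings


if __name__ == "__main__":
    # Paths as they appear in the ComboFix log above; assumed, adjust for the machine.
    base = Path(r"C:\Program Files")
    for name, rel in (("ccApp.exe", r"Common Files\Symantec Shared\ccApp.exe"),
                      ("VPTray.exe", r"Symantec AntiVirus\VPTray.exe"),
                      ("QTTask.exe", r"QuickTime\QTTask.exe")):
        p = base / rel
        if p.is_file():
            print(name, "matches reported hashes:", matches_report(p.read_bytes(), REPORTED[name]))
    for path, verdict in scan_bak_pairs(base):
        print(verdict, path)
```

The identical sizes for ccApp.exe and VPTray.exe and their bak\ copies in the AWF listing would come back as "identical" if the bytes match, which is the benign case; QTTask.exe differs in size from bak\qttask.exe, so the comparison alone cannot settle it and the live file's Authenticode signature (VirusTotal's sigcheck reported it as unsigned) is the next thing to verify.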


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

As follows please:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the Codebox below into it:


```
KillAll::

Folder::

File::
c:\program files\LimeWire.exe
c:\program files\aresfree.exe
c:\program files\iTunesSetup.exe

AWF::
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\bak\VPTray.exe
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\VPTray.exe
2007-10-20 01:16 . 2007-10-20 01:16 286720 c:\program files\QuickTime\bak\qttask.exe
2009-09-05 05:54 . 2009-09-05 05:54 417792 c:\program files\QuickTime\QTTask.exe
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\ccApp.exe
```
Save this as *CFScript.txt*, with "Save as type" set to *All Files (*.*)*, in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.

Kevin


----------



## PALV (Mar 10, 2011)

Kevin - 
Log file, below.

FYI - There still appear to be quarantined files that require uploading. The server has been busy so the upload has still not completed. I will continue to try, and if another report log follows, I will post it.

Bill

---

ComboFix 11-03-21.01 - 2.Kristin 03/21/2011 18:04:08.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.429 [GMT -4:00]
Running from: c:\documents and settings\2.Kristin\Desktop\Gotcha.exe
Command switches used :: c:\documents and settings\2.Kristin\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
FILE ::
"c:\program files\aresfree.exe"
"c:\program files\iTunesSetup.exe"
"c:\program files\LimeWire.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\aresfree.exe
c:\program files\iTunesSetup.exe
c:\program files\LimeWire.exe
c:\windows\TEMP\pdk-SYSTEM-1460\0a6b9f23e356336cc61530f586d0c66a.dll
c:\windows\TEMP\pdk-SYSTEM-1460\1ff4eae997b1753d848dbbc61d1b4345.dll
c:\windows\TEMP\pdk-SYSTEM-1460\31aa023220b46a62dd91739a3bf1cad4.dll
c:\windows\TEMP\pdk-SYSTEM-1460\36971e8ed4d19cc0a7051079b039c204.dll
c:\windows\TEMP\pdk-SYSTEM-1460\42db37dadb779dbfc5da8bdd7ec61c52.dll
c:\windows\TEMP\pdk-SYSTEM-1460\44abde5de65f3f034faac2c132713018.dll
c:\windows\TEMP\pdk-SYSTEM-1460\7aace6f21e4c397996b145b7fd777643.dll
c:\windows\TEMP\pdk-SYSTEM-1460\7acaa276f32e012922082aa697dfa218.dll
c:\windows\TEMP\pdk-SYSTEM-1460\89f4ac43ba2b792785d9d472365e562b.dll
c:\windows\TEMP\pdk-SYSTEM-1460\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
c:\windows\TEMP\pdk-SYSTEM-1460\b2774d247dfbf0abe8539e577ee59b4c.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-21 to 2011-03-21 )))))))))))))))))))))))))))))))
.
.
2011-03-21 18:22 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2011-03-21 18:22 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-03-21 18:22 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2011-03-21 18:17 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-03-21 18:17 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-03-21 17:57 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-03-21 14:32 . 2011-03-21 14:32 -------- d-----w- c:\documents and settings\2.Kristin\Application Data\pdf995
2011-03-21 14:23 . 2011-03-21 14:45 59 ----a-w- c:\windows\wpd99.drv
2011-03-21 14:23 . 2011-03-21 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2011-03-21 14:23 . 2011-03-21 14:23 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2011-03-21 14:23 . 2011-03-21 14:23 249856 ----a-w- c:\windows\system32\pdfmona.dll
2011-03-21 14:23 . 2011-03-21 14:25 -------- d-----w- c:\program files\pdf995
2011-03-20 10:12 . 2011-03-20 10:12 -------- d-----w- c:\program files\VERIZONDM
2011-03-20 10:12 . 2011-03-20 10:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2011-03-20 10:11 . 2011-02-01 23:45 9811968 ----a-w- c:\windows\VerizonDM.msi
2011-03-20 10:11 . 2011-03-20 10:12 -------- d-----w- c:\program files\Common Files\SupportSoft
2011-03-19 20:37 . 2011-03-19 20:37 -------- d-----w- c:\documents and settings\2.Kristin\Local Settings\Application Data\Temp
2011-03-19 20:20 . 2011-03-19 20:20 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-03-17 11:17 . 2006-07-26 07:03 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2011-03-16 19:10 . 2011-03-16 19:12 -------- d-----w- C:\Gotcha
2011-03-16 18:29 . 2011-03-20 10:27 -------- d-----w- c:\documents and settings\2.Kristin\Tracing
2011-03-16 12:01 . 2011-03-16 12:01 -------- d-----w- c:\documents and settings\2.Kristin\DoctorWeb
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\dllcache\mouclass.sys
2011-03-12 01:56 . 2011-03-12 01:56 -------- d-----w- c:\documents and settings\2.Kristin\Application Data\Malwarebytes
2011-02-27 20:01 . 2011-02-27 20:02 122562410 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 09:38 . 2004-08-04 02:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2011-02-04 21:48 . 2005-08-16 08:18 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 21:48 . 2005-08-16 08:18 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2005-08-16 08:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2005-08-16 08:37 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2005-08-16 08:18 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2005-08-16 08:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2005-08-16 08:18 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2005-08-16 08:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2008-02-10 19:36 . 2008-02-10 19:36 4891136 ----a-w- c:\program files\WeatherbugSetupZ6157.msi
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 21:46 . 2007-11-13 21:46 135168 c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Weather"="c:\program files\weatherbug\WeatherBug\Weather.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 49263]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-02-01 206120]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Task Manager.lnk - c:\windows\system32\taskmgr.exe [2005-8-16 135680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
c:\program files\AIM6\aim6.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/15/2010 1:55 PM 363344]
R2 Reporting;Reporting Agents;c:\program files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe [9/27/2006 2:17 PM 1324808]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 5:54 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 5:54 AM 185640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/11/2011 10:15 AM 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/15/2010 1:55 PM 20952]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 10:54 AM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
2011-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-21 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-02-28 19:31]
.
2011-03-21 c:\windows\Tasks\WinUtilities-02BB2F56CB964deb8996194DE7EB5275.job
- c:\program files\WinUtilities\WinUtil.exe [2010-08-15 15:28]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-21 18:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(6508)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\CBA\pds.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
.
**************************************************************************
.
Completion time: 2011-03-21 18:47:35 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-21 22:47
ComboFix2.txt 2011-03-20 11:28
ComboFix3.txt 2011-03-16 19:46
ComboFix4.txt 2011-03-16 10:47
ComboFix5.txt 2011-03-21 21:56
.
Pre-Run: 84,938,641,408 bytes free
Post-Run: 84,889,829,376 bytes free
.
- - End Of File - - AE6DF204565A237EE94F3E57EF38EC09
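The ComboFix section above is the kind of output a helper reads by eye for posture changes: the Windows Firewall standard profile shows `EnableFirewall = 0` and `DisableNotifications = 1`, and Security Center monitoring is switched off for the Symantec product. The script below is an added example (not ComboFix's own code and not from this thread) that parses that registry-style section into Python dicts and reports the weakened settings plus the firewall exception list. The sample input is constructed from lines on this page, trimmed to three exceptions. The Security Center `DisableMonitoring` flag can be set legitimately by an antivirus suite that reports its own status, so the output is a list of things to confirm, not a verdict.

```python
import re

# Constructed sample: an excerpt of the ComboFix registry section above,
# with the AuthorizedApplications list shortened to three entries.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)"=\s*(.*)$')


def parse_value(raw):
    """Normalise the two numeric spellings ComboFix prints ("dword:00000001"
    and "0 (0x0)"); an empty value means the entry exists but carries no data,
    which is how the firewall exception list is shown."""
    raw = raw.strip()
    if raw == "":
        return None
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return int(raw.split()[0])


def parse_registry(text):
    """Return {key path: {value name: value}} for a ComboFix registry dump."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":          # "." is ComboFix's section spacer
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1).replace("\\\\", "\\")   # undo doubled backslashes
            keys[current][name] = parse_value(m.group(2))
    return keys


def assess(keys):
    """Flag settings that weaken host protection and list firewall exceptions."""
    findings = []
    exceptions = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall") == 0:
                findings.append("Windows Firewall disabled (standardprofile)")
            if values.get("DisableNotifications") == 1:
                findings.append("Firewall notifications suppressed (standardprofile)")
        elif k.endswith("\\authorizedapplications\\list"):
            exceptions.extend(sorted(values))
        elif "\\security center\\monitoring\\" in k:
            if values.get("DisableMonitoring") == 1:
                product = key.rsplit("\\", 1)[-1]
                findings.append("Security Center monitoring disabled for " + product)
    return {"findings": findings, "firewall_exceptions": exceptions}


if __name__ == "__main__":
    report = assess(parse_registry(SAMPLE))
    for f in report["findings"]:
        print("FINDING:", f)
    print("firewall exceptions:", len(report["firewall_exceptions"]))
```

Run it on a full ComboFix log by reading the file instead of `SAMPLE`; unrelated sections are ignored because only key and value lines are matched.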


----------



## PALV (Mar 10, 2011)

Kevin -
Upload of subsequent files results in the following error message from BleepingComputer.com:

*There was an error uploading your file.*
_Your file is either 0 bytes or has exceeded the maximum file size of 5MB that we allow to be uploaded._

Following the path to locate the file (*C:\Qoobox\Quarantine\[4]-Submit_2011-03-21_18.02.19.zip*), it shows the targeted zip file to be 37,425 KB. Suggestions?

Bill


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

It would appear that Combofix attempted to upload the contents of Qoobox for analysis; usually we have to initiate a command for that to happen. To be honest I'm not sure why that happened.

I take it that we are not seeing any improvement. I'd like to try GMER again, but in a slightly different way. Create a folder on the C:\ drive and call it ARK. Navigate Start > My Computer > C:\ > right click inside C:\ > select "New" then "Folder" and name it ARK.

*YOU MUST DISABLE ALL REAL TIME PROTECTION BEFORE RUNNING THE NEXT TOOL.*

Next, download this *Random name exe* to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Next, please perform a rootkit scan:
- Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to launch it.
- When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
- When the "quick" scan is finished (a few seconds), click the Rootkit/Malware tab and then select the Scan button.
- Leave your system completely idle while this longer scan is in progress.
- When the scan is done, save the scan log to the Windows clipboard.
- Open Notepad or a similar text editor.
- Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V.
- Exit the program.
- Save the scan log as ARK.txt and post it in your next reply.
- Now, re-enable the active protection component of any antivirus/antimalware programs you disabled before performing the scan.

If the ARK tool crashes your machine or causes a Blue Screen error, please post the log results from the first initial quick scan; this can be saved in the same way as the full scan in the above instructions.

Kevin


----------



## PALV (Mar 10, 2011)

Kevin -
GMER ran as "usual" - then "seemed" to be finished, but without a resulting scan log. The program window is still present on desktop, with a file listing on the top half but no more file locations being flashed across the bottom as is usual while scanning. Waited to see if any more activity would follow -> none. Hit "save" and below is the resulting log (doesn't appear to be what we're looking for).

Am also trying to attach a screen view of what I've described above so you can hopefully "see" what I do when scanning activity ceases but no scan log results.

Bill

PS - since we ran it a slightly different way this time, I followed directions specifically and did NOT uncheck IAT/EAT as before.

---

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-22 10:53:11
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST3160812AS rev.3.ADH
Running: vpr7gxr6.exe; Driver: C:\DOCUME~1\222F6~1.KRI\LOCALS~1\Temp\pxtdypod.sys

---- System - GMER 1.0.15 ----
SSDT 8709B270 ZwAlertResumeThread
SSDT 869740C8 ZwAlertThread
SSDT 86918910 ZwAllocateVirtualMemory
SSDT 86FC6940 ZwConnectPort
SSDT 86482AC0 ZwCreateMutant
SSDT 8702D6F0 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEFA6F350]
SSDT 8691E0E8 ZwFreeVirtualMemory
SSDT 87006F08 ZwImpersonateAnonymousToken
SSDT 8709B1F0 ZwImpersonateThread
SSDT 870316A0 ZwMapViewOfSection
SSDT 8691BC30 ZwOpenEvent
SSDT 864BA3B0 ZwOpenProcessToken
SSDT 87030DA0  ZwOpenThreadToken
SSDT 8691BB60 ZwQueryValueKey
SSDT 8702E900 ZwResumeThread
SSDT 8701C5A0 ZwSetContextThread
SSDT 8702EC38 ZwSetInformationProcess
SSDT 864BB660 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEFA6F580]
SSDT 86EF6FD0 ZwSuspendProcess
SSDT 87054640 ZwSuspendThread
SSDT 8700F228 ZwTerminateProcess
SSDT 864C0940 ZwTerminateThread
SSDT 864611F0 ZwUnmapViewOfSection
SSDT 8691B488 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2D30 805045CC 4 Bytes CALL 22D6D7B1 
.text ntkrnlpa.exe!ZwCallbackReturn + 2F1C 805047B8 4 Bytes JMP DC1CCEBF 
init C:\WINDOWS\system32\drivers\sigfilt.sys entry point in "init" section [0xEFB8CF80]
? C:\Gotcha12562G\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\VERIZONDM\bin\sprtcmd.exe[2756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003D2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\VERIZONDM\bin\sprtcmd.exe[2756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003D2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\VERIZONDM\bin\sprtcmd.exe[2756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003D2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\VERIZONDM\bin\sprtcmd.exe[2756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003D2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe[3856] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00BB2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe[3856] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00BB2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe[3856] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00BB2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe[3856] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00BB2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003C2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003C2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003C2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003C2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[4660] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[4660] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[4660] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[4660] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[5960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[5960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[5960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[5960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[6508] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C32F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[6508] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C32CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[6508] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C32D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[6508] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C32CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\ARK\vpr7gxr6.exe[7704] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003B2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\ARK\vpr7gxr6.exe[7704] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003B2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\ARK\vpr7gxr6.exe[7704] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003B2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\ARK\vpr7gxr6.exe[7704] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003B2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
AttachedDevice  SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
---- EOF - GMER 1.0.15 ----
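A GMER log like the one above is read in three passes: SSDT entries that GMER could attribute to a named driver (here SYMEVENT.SYS, with its vendor string) are the known quantities; SSDT entries printed as a bare address are hooks GMER could not map to a loaded module and are the first thing to examine; and the user-mode IAT section is easiest to judge once it is grouped by the DLL doing the hooking, which shows one Logitech helper DLL present in every listed process rather than dozens of separate findings. The script below is an added triage helper (not GMER's code and not from this thread) that parses those record types and produces that grouping; its sample input is constructed from lines excerpted from the log above. The kernel code-section lines are recorded as-is; the script does not interpret them.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the GMER log above, one or two of
# each record type the parser understands (bare SSDT hook, SSDT hook attributed
# to a driver, kernel code-section modification, user-mode IAT hook).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT 8709B270 ZwAlertResumeThread
SSDT 87030DA0  ZwOpenThreadToken
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEFA6F350]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEFA6F580]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2D30 805045CC 4 Bytes CALL 22D6D7B1
.text ntkrnlpa.exe!ZwCallbackReturn + 2F1C 805047B8 4 Bytes JMP DC1CCEBF
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\explorer.exe[6508] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C32F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[6508] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C32D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[4660] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
---- EOF - GMER 1.0.15 ----
"""

# SSDT hook with only a target address (GMER found no owning module).
SSDT_BARE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(Zw\w+)$")
# SSDT hook attributed to a driver: path, (description/vendor), function, [addr].
SSDT_MOD = re.compile(r"^SSDT\s+(.+?)\s+\(([^)]*)\)\s+(Zw\w+)\s+\[(0x[0-9A-Fa-f]+)\]$")
# Kernel code-section modification: symbol + offset, address, size, instruction.
PATCH_RE = re.compile(r"^\.text\s+(\S+)\s+\+\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s+(\d+)\s+Bytes\s+(.+)$")
# User-mode IAT hook: process[pid] @ module [import] [addr] hooking-dll (description).
IAT_RE = re.compile(r"^IAT\s+(.+?)\[(\d+)\]\s+@\s+(.+?)\s+\[(.+?)\]\s+\[([0-9A-Fa-f]+)\]\s+(.+?)\s+\((.*)\)$")


def parse_gmer(text):
    """Split a GMER log into typed records; lines matching no pattern are ignored."""
    recs = {"ssdt": [], "patches": [], "iat": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_BARE.match(line)
        if m:
            recs["ssdt"].append({"func": m.group(2), "addr": m.group(1),
                                 "module": None, "vendor": None})
            continue
        m = SSDT_MOD.match(line)
        if m:
            recs["ssdt"].append({"func": m.group(3), "addr": m.group(4),
                                 "module": ntpath.basename(m.group(1)),
                                 "vendor": m.group(2)})
            continue
        m = PATCH_RE.match(line)
        if m:
            recs["patches"].append({"symbol": m.group(1), "offset": m.group(2),
                                    "addr": m.group(3), "size": int(m.group(4)),
                                    "instr": m.group(5)})
            continue
        m = IAT_RE.match(line)
        if m:
            recs["iat"].append({"process": ntpath.basename(m.group(1)),
                                "pid": int(m.group(2)),
                                "module": ntpath.basename(m.group(3)),
                                "import": m.group(4), "addr": m.group(5),
                                "hooker": ntpath.basename(m.group(6)),
                                "vendor": m.group(7)})
    return recs


def triage(text):
    """Summarise the records the way an analyst reads them: unattributed SSDT
    hooks first, attributed hooks per driver, kernel patches verbatim, and IAT
    hooks grouped by the DLL that installed them."""
    recs = parse_gmer(text)
    unattributed = sorted(r["func"] for r in recs["ssdt"] if r["module"] is None)
    by_module = defaultdict(list)
    for r in recs["ssdt"]:
        if r["module"]:
            by_module[r["module"]].append(r["func"])
    hookers = defaultdict(set)
    for r in recs["iat"]:
        hookers[r["hooker"]].add(r["process"])
    return {
        "ssdt_unattributed": unattributed,
        "ssdt_by_module": dict(by_module),
        "kernel_patches": [f"{p['symbol']}+{p['offset']}: {p['instr']}" for p in recs["patches"]],
        "iat_hookers": {dll: sorted(procs) for dll, procs in hookers.items()},
    }


if __name__ == "__main__":
    for section, value in triage(SAMPLE_LOG).items():
        print(f"{section}: {value}")
```

Point it at a saved ARK.txt by reading the file into `triage` in place of `SAMPLE_LOG`; the vendor string captured for each attributed entry is what lets you match a hook back to an installed product before deciding whether it needs further attention.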


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

We don't seem to be making much headway with your current issue. Let's hit this from outside Windows with an Avira rescue system, as follows please:

The process is very simple and easy to follow. There is one stipulation that must be followed: the CD must be created on a known clean PC, and the instructions printed off from that same PC; they really are very easy to follow. All you need is a blank writable CD, everything else is included in the tutorial. Obviously the PC must have a burner.
All instructions are available here: *Avira Rescue System*. Read through the instructions a couple of times to familiarize yourself with them, create the CD and print off the instructions. It will be to your advantage to have the instructions available during the process.
When complete, post back and let me know how you got on, and whether there is any improvement.

Kevin


----------



## PALV (Mar 10, 2011)

Kevin -
Avira Rescue System CD created and run - log below.

Question: should a full system scan (with my AV software, Symantec) be run as noted in the final step of the instructions? I stopped there, not knowing if that only applied when/if AntiVir was the resident AV software.

Bill

----
Avira / Linux Version 1.9.152.0
Copyright (c) 2010 by Avira GmbH
All rights reserved.
engine set: 8.2.4.188
VDF Version: 7.11.5.43
Scan start time: Wed Mar 23 11:47:47 2011
configuration file: /etc/avira/scancl.conf

WARNING: [Unsupported archive version] /media/Devices/sda2/Documents and Settings/1.Mom/Application Data/Juniper Networks/Host Checker/uninstall.exe

WARNING: [Unexpected end of file] /media/Devices/sda2/Documents and Settings/1.Mom/Application Data/Juniper Networks/setup/uninstall.exe

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/1.Mom/My Documents/LimeWire/Saved/10 -Nickelback-Dark Horse- If Today Was Your Last Day.mp3

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/1.Mom/My Documents/LimeWire/Saved/11 -Nickelback-Dark Horse- This Afternoon.mp3

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/MicrosoftWindowsSecurityCenterAntiVirusDisableNotify1.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/MicrosoftWindowsSecurityCenterFirewallDisableNotify1.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/MicrosoftWindowsSecurityInternetExplorer.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/MyWayMyWebSearch.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/MyWayMyWebSearch1.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/MyWayMyWebSearch2.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/MyWayMyWebSearch3.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/MyWayMyWebSearch4.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/MyWayMyWebSearch5.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/KuasioKa.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/KuasioKa1.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/KuasioKa2.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/KuasioKa3.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/KuasioKa4.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/KuasioKa5.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/KuasioKa6.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar30.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar31.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar32.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar33.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar4.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar5.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar6.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar7.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar8.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar9.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FraudSysguard.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FraudSysguard1.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FraudSysguard2.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar1.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar10.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar11.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar12.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar13.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar14.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar15.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar16.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar17.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar18.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar19.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar2.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar20.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar21.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar22.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar23.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar24.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar25.zip

ALERT: [GEN/PwdZIP] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar26.zip <<< Contains signature of the GEN/PwdZIP virus

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar26.zip

ALERT: [GEN/PwdZIP] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar27.zip <<< Contains signature of the GEN/PwdZIP virus

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar27.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar28.zip

[archive scan abort]
[renamed]
WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar29.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/FastBrowserSearchToolbar3.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/MicrosoftWindowsSecurityCenterAntiVirusDisableNotify.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVance.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVance1.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVance2.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVance3.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVance4.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVancePlaySushi.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVancePlaySushi1.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVancePlaySushi10.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVancePlaySushi11.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVancePlaySushi12.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVancePlaySushi13.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVancePlaySushi14.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVancePlaySushi15.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVancePlaySushi16.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVancePlaySushi2.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVancePlaySushi3.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVancePlaySushi4.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVancePlaySushi5.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVancePlaySushi6.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVancePlaySushi7.zip

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot - Search & Destroy/Recovery/GameVancePlaySushi8.zip

WARNING: [File is encrypted] 
/media/Devices/sda2/Documents and Settings/All Users/Application Data/Spybot 
- Search & Destroy/Recovery/GameVancePlaySushi9.zip

WARNING: [File is 
encrypted] /media/Devices/sda2/Documents and Settings/All Users/Application 
Data/Spybot - Search & Destroy/Recovery/FraudUltraAntivir.zip

WARNING: 
[Unsupported archive version] /media/Devices/sda2/Documents and Settings/All 
Users/Application Data/AOL 
Downloads/triton_suite_install_2.2.78.1/vwpt.exe

WARNING: [Unsupported 
archive version] /media/Devices/sda2/Documents and Settings/All 
Users/Application Data/AOL 
Downloads/triton_suite_install_6.0.28.3/vwpt.exe

WARNING: [Unexpected end 
of file] /media/Devices/sda2/Documents and Settings/All Users/Application 
Data/BigFishGamesCache/GameManager/GameDB/F588T1L1/setup_gF588T1L1_d42401238
6_l1_s1.exe

WARNING: [Unexpected end of file] 
/media/Devices/sda2/Documents and Settings/All Users/Application 
Data/WildTangent/Dell Game 
Console/Downloads/Installers/{651956B7-1969-42AA-9453-E0B813019D54}.exe --> 
[UnknownDir]/651956B7-1969-42AA-9453-E0B813019D54.exe

WARNING: [Bad 
compressed data] /media/Devices/sda2/Documents and Settings/All 
Users/Application Data/WildTangent/Dell Game 
Console/Downloads/Installers/blasterball2remix-setup.exe_cache

WARNING: 
[Unexpected end of file] /media/Devices/sda2/Documents and Settings/All 
Users/Application Data/WildTangent/Dell Game 
Console/Downloads/Installers/faceit-drm3.exe --> 
[UnknownDir]/35B081E6-2482-4495-90F8-C00D6C42D2A0.exe

WARNING: [Bad 
compressed data] /media/Devices/sda2/Documents and Settings/All 
Users/Application Data/WildTangent/Dell Game 
Console/Downloads/Installers/SetupGamesClient.exe_cache

WARNING: 
[Unexpected end of file] /media/Devices/sda2/Documents and Settings/All 
Users/Application Data/WildTangent/Dell Game 
Console/Downloads/Installers/{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.exe --> 
[UnknownDir]/6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA.exe

WARNING: [Unexpected 
end of file] /media/Devices/sda2/Documents and Settings/All 
Users/Application Data/WildTangent/Dell Game 
Console/Downloads/Installers/{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.exe --> 
[UnknownDir]/C0A0AA4D-C79B-48CA-8843-2B02B626C9E6.exe

WARNING: [Unexpected 
end of file] /media/Devices/sda2/Documents and Settings/All 
Users/Application Data/WildTangent/Dell Game 
Console/Downloads/Installers/{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.exe --> 
[UnknownDir]/C2D8F0E2-6978-4409-8351-BA8785DA11EE.exe

WARNING: [Unexpected 
end of file] /media/Devices/sda2/Documents and Settings/All 
Users/Application Data/WildTangent/Dell Game 
Console/Downloads/Installers/{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.exe --> 
[UnknownDir]/D1A6F3FD-7B40-443F-8767-BADB25A0D222.exe

WARNING: [Unexpected 
end of file] /media/Devices/sda2/Documents and Settings/All 
Users/Application Data/WildTangent/Dell Game 
Console/Downloads/Installers/{E0814F95-5380-4892-B8C8-7FA4B349EF46}.exe --> 
[UnknownDir]/E0814F95-5380-4892-B8C8-7FA4B349EF46.exe

WARNING: [Bad 
compressed data] /media/Devices/sda2/Documents and Settings/All 
Users/Application Data/WildTangent/Dell Game 
Console/Downloads/Installers/vorthex-setup.exe_cache

WARNING: [Unexpected 
end of file] /media/Devices/sda2/Documents and Settings/All 
Users/Application Data/WildTangent/Dell Game 
Console/Downloads/Installers/{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.exe --> 
[UnknownDir]/26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3.exe

WARNING: [Unexpected 
end of file] /media/Devices/sda2/Documents and Settings/All 
Users/Application Data/WildTangent/Dell Game 
Console/Downloads/Installers/{3C48F877-A164-45E9-B9DA-26A049FFC207}.exe --> 
[UnknownDir]/3C48F877-A164-45E9-B9DA-26A049FFC207.exe

WARNING: [Unexpected 
end of file] /media/Devices/sda2/Documents and Settings/All 
Users/Application Data/WildTangent/Dell Game 
Console/Downloads/Installers/{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.exe --> 
[UnknownDir]/6293BC00-4EB8-4C65-8548-53E2FC3BF937.exe

ALERT: 
[Java/Agent.BH] /media/Devices/sda2/Documents and 
Settings/NetworkService/Application 
Data/Sun/Java/Deployment/cache/6.0/14/3160e6ce-7bcfb402 --> 
dev/s/AdgredY.class <<< Contains signature of the Java virus JAVA/Agent.BH 
[archive scan abort]

ALERT: [JAVA/Exdoer.E] /media/Devices/sda2/Documents 
and Settings/[USER]/Application 
Data/Sun/Java/Deployment/cache/6.0/53/55956235-3295b642 --> 
lort/cooter.class <<< Contains signature of the Java virus JAVA/Exdoer.E 
[archive scan abort]

WARNING: [Unsupported archive version] 
/media/Devices/sda2/Program Files/NetZeroInstallers/nzcw.exe

WARNING: 
[Unsupported archive version] /media/Devices/sda2/Program 
Files/NetZeroInstallers/nzfull.exe

WARNING: [Bad compressed data] 
/media/Devices/sda2/Program Files/NetZeroInstallers/nzhs.exe

WARNING: 
[Unsupported archive version] /media/Devices/sda2/Program 
Files/NetZeroInstallers/nzqs.exe

WARNING: [Unsupported archive version] 
/media/Devices/sda2/Program Files/AIM/Sysfiles/viewpoint.exe

WARNING: 
[Unsupported archive version] /media/Devices/sda2/Program Files/America 
Online 9.0/Jiti/viewpoint.exe

WARNING: [File is encrypted] 
/media/Devices/sda2/Program Files/Verizon Wireless/VZAccess 
Manager/System/Operators.zip

ALERT: [SPR/Dldr.DigStream] 
/media/Devices/sda2/Program Files/DIGStream/digstream.exe <<< Contains 
signature of the SPR/Dldr.DigStream program [renamed]

WARNING: 
[Unsupported archive version] /media/Devices/sda2/Program 
Files/EnglishOtto/uninstallotto.exe

WARNING: [Unsupported archive version] 
/media/Devices/sda2/Program Files/GemMaster/uninstallgemmaster.exe

WARNING: [Unsupported archive version] /media/Devices/sda2/Program 
Files/WildTangent/Apps/GameChannel/Games/26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B
3/DMXGameLaunch.exe

WARNING: [Unexpected end of file] 
/media/Devices/sda2/Program 
Files/WildTangent/Apps/GameChannel/Games/26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B
3/Uninstall.exe

WARNING: [Unsupported archive version] 
/media/Devices/sda2/Program 
Files/WildTangent/Apps/GameChannel/Games/35B081E6-2482-4495-90F8-C00D6C42D2A
0/DMXGameLaunch.exe

WARNING: [Unexpected end of file] 
/media/Devices/sda2/Program 
Files/WildTangent/Apps/GameChannel/Games/35B081E6-2482-4495-90F8-C00D6C42D2A
0/Uninstall.exe

WARNING: [File is encrypted] /media/Devices/sda2/Program 
Files/Lavasoft/Ad-Aware SE Personal/Skins/Ad-Aware SE default.ask

ALERT: 
[TR/Kazy.15448.4] /media/Devices/sda2/Qoobox/Quarantine/C/Documents and 
Settings/[USER]/Local Settings/Application Data/pwg.exe.vir <<< Is the 
Trojan horse TR/Kazy.15448.4 [renamed]

ALERT: [Worm/Rbot.655092] 
/media/Devices/sda2/Qoobox/Quarantine/C/Program Files/aresfree.exe.vir <<< 
Contains signature of the worm WORM/Rbot.655092 [renamed]

ALERT: 
[Worm/Rbot.655092] /media/Devices/sda2/Qoobox/Quarantine/C/Program 
Files/iTunesSetup.exe.vir <<< Contains signature of the worm 
WORM/Rbot.655092 [renamed]

ALERT: [Worm/Rbot.655092] 
/media/Devices/sda2/Qoobox/Quarantine/C/Program Files/LimeWire.exe.vir <<< 
Contains signature of the worm WORM/Rbot.655092 [renamed]

ALERT: 
[TR/Crypt.XPACK.Gen2] 
/media/Devices/sda2/Qoobox/Quarantine/C/WINDOWS/system32/cpyidimg.dll.vir 
<<< Is the Trojan horse TR/Crypt.XPACK.Gen2 [renamed]

ALERT: 
[TR/Crypt.XPACK.Gen2] 
/media/Devices/sda2/Qoobox/Quarantine/C/WINDOWS/system32/urigamon.dll.vir 
<<< Is the Trojan horse TR/Crypt.XPACK.Gen2 [renamed]

ALERT: 
[TR/Crypt.XPACK.Gen2] 
/media/Devices/sda2/Qoobox/Quarantine/C/WINDOWS/system32/zipahfat/usbabdev/p
olottbl.dll.vir <<< Is the Trojan horse TR/Crypt.XPACK.Gen2 [renamed]

ALERT: [TR/Diple.D] /media/Devices/sda2/System Volume 
Information/_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}/RP1436/A0118471.e
xe <<< Is the Trojan horse TR/Diple.D [renamed]

ALERT: [TR/Diple.D] 
/media/Devices/sda2/System Volume 
Information/_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}/RP1436/A0118476.e
xe <<< Is the Trojan horse TR/Diple.D [renamed]

ALERT: [DR/Spy.Delf.iur.5] 
/media/Devices/sda2/System Volume 
Information/_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}/RP1440/A0121572.e
xe <<< Contains signature of the dropper DR/Spy.Delf.iur.5 [renamed]

ALERT: [TR/Kazy.15448.4] /media/Devices/sda2/System Volume 
Information/_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}/RP1440/A0121594.e
xe <<< Is the Trojan horse TR/Kazy.15448.4 [renamed]

ALERT: 
[TR/Crypt.XPACK.Gen2] /media/Devices/sda2/System Volume 
Information/_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}/RP1441/A0121793.d
ll <<< Is the Trojan horse TR/Crypt.XPACK.Gen2 [renamed]

ALERT: 
[TR/Crypt.XPACK.Gen2] /media/Devices/sda2/System Volume 
Information/_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}/RP1441/A0121794.d
ll <<< Is the Trojan horse TR/Crypt.XPACK.Gen2 [renamed]

ALERT: 
[TR/Crypt.XPACK.Gen2] /media/Devices/sda2/System Volume 
Information/_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}/RP1441/A0121795.d
ll <<< Is the Trojan horse TR/Crypt.XPACK.Gen2 [renamed]

ALERT: 
[Worm/Rbot.655092] /media/Devices/sda2/System Volume 
Information/_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}/RP1452/A0129223.e
xe <<< Contains signature of the worm WORM/Rbot.655092 [renamed]

WARNING: 
[Bad compressed data] /media/Devices/sda2/System Volume 
Information/_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}/RP1452/A0129224.e
xe

ALERT: [TR/Crypt.XPACK.Gen2] 
/media/Devices/sda2/WINDOWS/system32/rtfecfax.exe <<< Is the Trojan horse 
TR/Crypt.XPACK.Gen2 [renamed]

WARNING: [Unexpected end of file] 
/media/Devices/sda2/WINDOWS/system32/Macromed/Flash/uninstall_plugin.exe

ALERT: [TR/ATRAPS.Gen2] /media/Devices/sda2/WINDOWS/system32/imededis.dll 
<<< Is the Trojan horse TR/ATRAPS.Gen2 [renamed]

WARNING: [Unexpected end 
of file] /media/Devices/sda2/WINDOWS/Downloaded Program 
Files/unagiuninst.exe

Statistics :
Directories............... : 22965
Archives.................. : 3929
Files..................... : 332701
Infected.............. : 20
Renamed........... : 20
Warnings.............. : 115
Suspicious............ : 2
Ignored........... : 2
Infections................ : 22


----------
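A way to read a log like the one above, added here as an example and not taken from the original post or from Avira: most of the 22 hits sit in ComboFix's Qoobox quarantine or in old System Restore points, which stay inert unless someone restores them, while the files under WINDOWS\system32 and the jars in the Java Deployment cache are the ones that still matter on the running system. The Python below parses the ALERT and WARNING line formats seen in the log and buckets each hit by where it lives. SAMPLE_LOG is a constructed excerpt in that format with paths copied from the log; the bucket names and the choice of which buckets need action are this example's own assumptions.

```python
"""Bucket the ALERT/WARNING lines of an Avira rescue-scan log by where each hit lives.

Added example for this thread, not code from the original post or from Avira.
The line format is taken from the log above; SAMPLE_LOG is a constructed excerpt
modelled on it, not the full log.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

ALERT_RE = re.compile(
    r"^ALERT:\s+\[(?P<tag>[^\]]+)\]\s+(?P<path>.+?)"
    r"(?:\s+-->\s+(?P<member>.+?))?\s+<<<\s+(?P<desc>.+?)\s+\[(?P<action>[^\]]+)\]\s*$"
)
WARNING_RE = re.compile(
    r"^WARNING:\s+\[(?P<tag>[^\]]+)\]\s+(?P<path>.+?)(?:\s+-->\s+(?P<member>.+?))?\s*$"
)


@dataclass
class Hit:
    kind: str                 # "ALERT" (signature match) or "WARNING" (could not be scanned)
    tag: str                  # signature name, or the reason the file was skipped
    path: str                 # file on the mounted volume
    member: Optional[str]     # archive member, when the hit was inside an archive
    action: Optional[str]     # what the scanner did, e.g. "renamed"
    location: str             # triage bucket from classify()


def classify(path: str) -> str:
    """Where a hit lives decides whether it is still a threat to the running system."""
    p = path.replace("\\", "/").lower()
    if "/qoobox/quarantine/" in p:
        return "quarantined"        # ComboFix already moved it; inert unless restored
    if "/system volume information/_restore" in p:
        return "restore_point"      # old System Restore snapshot; inert until a restore
    if "/sun/java/deployment/cache/" in p:
        return "java_cache"         # per-profile applet cache: an exploit payload
    if "/windows/" in p:
        return "live_system"        # in the OS tree: treat as an active infection
    return "live_other"             # anywhere else on the live file system


def parse_line(line: str) -> Optional[Hit]:
    m = ALERT_RE.match(line)
    if m:
        return Hit("ALERT", m["tag"], m["path"], m["member"], m["action"], classify(m["path"]))
    m = WARNING_RE.match(line)
    if m:
        return Hit("WARNING", m["tag"], m["path"], m["member"], None, classify(m["path"]))
    return None                     # statistics lines, blanks, etc.


def triage(lines: List[str]) -> Dict:
    hits = [h for h in map(parse_line, lines) if h is not None]
    alerts = [h for h in hits if h.kind == "ALERT"]
    needs_action = [h for h in alerts if h.location in ("live_system", "live_other", "java_cache")]
    return {
        "alerts": alerts,
        "warnings": [h for h in hits if h.kind == "WARNING"],
        "by_location": Counter(h.location for h in alerts),
        "needs_action": needs_action,
    }


def report(result: Dict) -> str:
    lines = [f"{len(result['alerts'])} alerts, {len(result['warnings'])} unscannable files"]
    for loc, n in sorted(result["by_location"].items()):
        lines.append(f"  {loc:<14} {n}")
    lines.append("still live on the volume:")
    for h in result["needs_action"]:
        where = f"{h.path} --> {h.member}" if h.member else h.path
        lines.append(f"  [{h.tag}] {where}")
    return "\n".join(lines)


# Constructed excerpt in the log's format (paths and names copied from the thread).
SAMPLE_LOG = """\
ALERT: [TR/Crypt.XPACK.Gen2] /media/Devices/sda2/WINDOWS/system32/rtfecfax.exe <<< Is the Trojan horse TR/Crypt.XPACK.Gen2 [renamed]
ALERT: [TR/ATRAPS.Gen2] /media/Devices/sda2/WINDOWS/system32/imededis.dll <<< Is the Trojan horse TR/ATRAPS.Gen2 [renamed]
ALERT: [Java/Agent.BH] /media/Devices/sda2/Documents and Settings/NetworkService/Application Data/Sun/Java/Deployment/cache/6.0/14/3160e6ce-7bcfb402 --> dev/s/AdgredY.class <<< Contains signature of the Java virus JAVA/Agent.BH [archive scan abort]
ALERT: [TR/Kazy.15448.4] /media/Devices/sda2/Qoobox/Quarantine/C/Documents and Settings/[USER]/Local Settings/Application Data/pwg.exe.vir <<< Is the Trojan horse TR/Kazy.15448.4 [renamed]
ALERT: [Worm/Rbot.655092] /media/Devices/sda2/Qoobox/Quarantine/C/Program Files/LimeWire.exe.vir <<< Contains signature of the worm WORM/Rbot.655092 [renamed]
ALERT: [TR/Diple.D] /media/Devices/sda2/System Volume Information/_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}/RP1436/A0118471.exe <<< Is the Trojan horse TR/Diple.D [renamed]
ALERT: [SPR/Dldr.DigStream] /media/Devices/sda2/Program Files/DIGStream/digstream.exe <<< Contains signature of the SPR/Dldr.DigStream program [renamed]
WARNING: [File is encrypted] /media/Devices/sda2/Program Files/Verizon Wireless/VZAccess Manager/System/Operators.zip
WARNING: [Unexpected end of file] /media/Devices/sda2/Documents and Settings/All Users/Application Data/WildTangent/Dell Game Console/Downloads/Installers/{E0814F95-5380-4892-B8C8-7FA4B349EF46}.exe --> [UnknownDir]/E0814F95-5380-4892-B8C8-7FA4B349EF46.exe
"""

if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG.splitlines())))
```

Run it against the full log by reading the file into `triage()`; the `needs_action` list is the short list to hand-check, while the quarantine and restore-point buckets explain why the count of 22 overstates what is still active.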



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Avira has a stand-alone scanner available as a follow-up *Here*, and a manual in PDF format on how to use it *Here*. I've not used this particular tool before; it is apparently recommended as a follow-up if you do not have Avira AV installed.
Run the scan and post any log that is produced. Reboot your system when finished and do a full scan with your onboard security AV. Let me know if you see any improvement.

Kevin...

Edit... Avira will produce a log at the end of the scan and will be on your Desktop


----------



## PALV (Mar 10, 2011)

Kevin - 
AntiVir Removal Tool did not find any malicious items in memory or after a full scan. Symantec AV's auto-protect identified and cleaned by deletion 2 instances of "Trojan.FakeAV!gen39". Am doing a full scan with my AV now.

Re: improvement - since the original post started with browser hijacking, I've used a little-used Sys Admin user account for testing, repairing and communicating with you, and not much other browsing by design until we feel it's safe to do so. Point is - I'm not sure that the hijacking is still rampant - but in my troubleshooting, use of IE has not resulted in any visible hijacking of late.

The evidence and existence of rootkit infection obviously had me concerned. In your opinion, absent further hijacking, do you think we've cleaned and corrected what was wrong with this system? I know you referenced much malware in previous posts, and it seems we've deleted, corrected and cleaned a lot. I'm not trying to rush this as I know it takes time, but seeking your opinion as far as how clean/safe you believe it is to put this computer back into regular use again.

As always, I welcome any/all suggestions as far as steps, precautions, and advice to use going forward.

Bill

---


AntiVir Removal Tool 3.0 (c) 2009 Avira GmbH
Removal Tool for:
Sober.J/P/Y
TR/Agent.imh/its
TR/Drop.Agent.qna.2/Agent.qna.1
TR/PSW.Delf.AH/Kates.C.25
TR/Spy.Delf.tge/Banker.AATZ/Banker.AATZ.1/Banker.AATZ.2/Banker.AATZ.3
W32/Stanit.A
Worm/NetSky.P
Version: 3.0.1.17, Jun 3 2009 11:33:20
Use /? to list all available command line options
- Saving results to logfile "removaltool-win32-en.log".
- Host: "Family", IP: 192.168.1.44
Scanning memory... done
No malware found in memory

Scanning drive C: ...
No malware found on hard drives
scan results:
scanned directories: 22876
scanned files: 124098
scanned streams: 223
scanned processes: 52
scanned modules: 571
infected files: 0
infected processes: 0
repaired/removed files: 0
renamed files: 0
terminated processes: 0
elapsed time for memory scan: 103.25 seconds
average memory scanner throughput: 2557.98 KB/s
elapsed time for file scan: 7716.66 seconds
average file scanner throughput: 233.16 KB/s
Thank you for using AntiVir Removal Tool.


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Lets wait and see what the AV scan shows before we decide on the next course of action. If the re-directs have ceased we are heading in the right direction. 

Kevin


----------



## PALV (Mar 10, 2011)

Kevin -
Latest AV scan looked like it identified 8 infections of "Trojan.Maljava". There did not seem to be a scan log available as with the other tools used here - but the scan history was exported as a .csv file, which I've copied below. (Looked nice & neat in the window it opened in - not so much here...;-) Hope you can decipher.

Bill

---

Symantec AV Full Scan Results 03/23/11 5:53:06 PM

Columns that are the same in every row: Count 1; Computer FAMILY; User FAMILY\2.Kristin; Logged By Manual scan; Date 3/23/2011 18:37; Current Location identical to Original Location.

| Risk | Action | Filename | Risk Type | Original Location | Status | Primary Action | Secondary Action | Action Description |
|---|---|---|---|---|---|---|---|---|
| ?????? | Left alone | 55956235-3295b642.vir | Compressed file | C:\Documents and Settings\[USER]\Application Data\Sun\Java\Deployment\cache\6.0\53\ | No infected items | Leave alone (log only) | Leave alone (log only) | The file was left unchanged. |
| Trojan.Maljava | Cleaned by deletion | menu/property.class | File; Compressed file | C:\Documents and Settings\[USER]\Application Data\Sun\Java\Deployment\cache\6.0\53\55956235-3295b642.vir | Infected | Clean security risk | Quarantine | |
| Trojan.Maljava | Cleaned by deletion | menu/help.class | File; Compressed file | C:\Documents and Settings\[USER]\Application Data\Sun\Java\Deployment\cache\6.0\53\55956235-3295b642.vir | Infected | Clean security risk | Quarantine | |
| Trojan.Maljava | Cleaned by deletion | menu/file.class | File; Compressed file | C:\Documents and Settings\[USER]\Application Data\Sun\Java\Deployment\cache\6.0\53\55956235-3295b642.vir | Infected | Clean security risk | Quarantine | |
| Trojan.Maljava | Cleaned by deletion | menu/edit.class | File; Compressed file | C:\Documents and Settings\[USER]\Application Data\Sun\Java\Deployment\cache\6.0\53\55956235-3295b642.vir | Infected | Clean security risk | Quarantine | |
| Trojan.Maljava | Cleaned by deletion | lort/object4.class | File; Compressed file | C:\Documents and Settings\[USER]\Application Data\Sun\Java\Deployment\cache\6.0\53\55956235-3295b642.vir | Infected | Clean security risk | Quarantine | |
| Trojan.Maljava | Cleaned by deletion | lort/object2.class | File; Compressed file | C:\Documents and Settings\[USER]\Application Data\Sun\Java\Deployment\cache\6.0\53\55956235-3295b642.vir | Infected | Clean security risk | Quarantine | |
| Trojan.Maljava | Cleaned by deletion | lort/cooter.class | File; Compressed file | C:\Documents and Settings\[USER]\Application Data\Sun\Java\Deployment\cache\6.0\53\55956235-3295b642.vir | Infected | Clean security risk | Quarantine | |
| Trojan.Maljava | Cleaned by deletion | lort/border.class | File; Compressed file | C:\Documents and Settings\[USER]\Application Data\Sun\Java\Deployment\cache\6.0\53\55956235-3295b642.vir | Infected | Clean security risk | Quarantine | |


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Proceed as follows please :-

*Step 1*

Please download *OTM by OldTimer*.
*Alternative Mirror* 
Save it to your desktop. 
Double click *OTM.exe* to start the tool. Vista or Windows 7 users right click and select Run as Administrator

*Copy* the text between the dotted lines below to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):

-------------------------------------------------------------------
:Files
ipconfig /flushdns /c
:Commands
[EmptyTemp]
---------------------------------------------------------------------

 Return to OTMoveIt3, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.
Click the red button.
*Copy* everything in the Results window (under the green bar) to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

If the machine reboots, the Results log can be found here:

*c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log*

Where mmddyyyy_hhmmss is the date of the tool run.

*Step 2*

You were using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. 
For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. 
The most current version of Sun Java is: Java Runtime Environment Version 6 Update 24.


 Go to *Sun Java*
 Select *Windows 7/XP/Vista/2000/2003/2008* If using 64 bit OS Select *Information about the 64-bit Java plug-in* and follow prompts
 Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
 Reboot your computer

*Step 3*

Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack and exploitation.

Please go to the link below to update.

*Adobe Reader* Untick the Free McAfee® Security Scan Plus

*Step 4*

Please download *Malwarebytes* Anti-Malware and save it to your desktop.
*Alternative D/L mirror*
*Alternative D/L mirror*

Double Click mbam-setup.exe to install the application.

If you already have Malwarebytes installed open the program and check for updates, then as below...

 Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
 If an update is found, it will download and install the latest version.
 Once the program has loaded, select "Perform Quick Scan", then click Scan.
 The scan may take some time to finish, so please be patient.
 When the scan is complete, click OK, then Show Results to view the results.
 Make sure that everything is checked, and click Remove Selected.
 When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
 Please save the log to a location you will remember.
 The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
 Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Post the log from Malwarebytes in your reply, also give an update on any issues that remain.

Kevin


----------



## PALV (Mar 10, 2011)

Kevin -
Java and Adobe Reader updated (and prior versions deleted).

OTM and MBAM logs, below.

Bill

----
All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\2.Kristin\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\2.Kristin\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: 1

User: 1.Mom
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1003823 bytes
->Java cache emptied: 57604347 bytes
->Flash cache emptied: 1823165 bytes

User: 1~Mom

User: 2.Kristin
->Temp folder emptied: 7761677 bytes
->Temporary Internet Files folder emptied: 66706782 bytes
->Java cache emptied: 7860491 bytes
->Flash cache emptied: 62250 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 59964 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 56543 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 735582 bytes
->Flash cache emptied: 741 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 8912 bytes
->Flash cache emptied: 8556 bytes

User: [USER]
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Java cache emptied: 4658221 bytes
->Flash cache emptied: 56735 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 7344145 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1605531 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 64873 bytes

Total Files Cleaned = 150.00 mb

OTM by OldTimer - Version 3.1.17.2 log created on 03242011_092845
Files moved on Reboot...
File C:\WINDOWS\temp\pdk-SYSTEM-548\0a6b9f23e356336cc61530f586d0c66a.dll not found!
File C:\WINDOWS\temp\pdk-SYSTEM-548\1ff4eae997b1753d848dbbc61d1b4345.dll not found!
File C:\WINDOWS\temp\pdk-SYSTEM-548\31aa023220b46a62dd91739a3bf1cad4.dll not found!
File C:\WINDOWS\temp\pdk-SYSTEM-548\36971e8ed4d19cc0a7051079b039c204.dll not found!
File C:\WINDOWS\temp\pdk-SYSTEM-548\42db37dadb779dbfc5da8bdd7ec61c52.dll not found!
File C:\WINDOWS\temp\pdk-SYSTEM-548\44abde5de65f3f034faac2c132713018.dll not found!
File C:\WINDOWS\temp\pdk-SYSTEM-548\7aace6f21e4c397996b145b7fd777643.dll not found!
File C:\WINDOWS\temp\pdk-SYSTEM-548\7acaa276f32e012922082aa697dfa218.dll not found!
File C:\WINDOWS\temp\pdk-SYSTEM-548\89f4ac43ba2b792785d9d472365e562b.dll not found!
File C:\WINDOWS\temp\pdk-SYSTEM-548\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll not found!
File C:\WINDOWS\temp\pdk-SYSTEM-548\b2774d247dfbf0abe8539e577ee59b4c.dll not found!
Registry entries deleted on Reboot...

----

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6151
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
3/24/2011 11:54:16 AM
mbam-log-2011-03-24 (11-54-16).txt
Scan type: Quick scan
Objects scanned: 201058
Time elapsed: 25 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

What is the state of play with your system now, any improvement? Recent logs look promising. 

Kevin


----------



## PALV (Mar 10, 2011)

Kevin -
Overall it seems pretty good. Redirects and hijacks appear to have stopped, and no other "strange" behavior has been evident recently. My only question left on this front has to do with the different user accounts noted previously: the primary user account has not been used while troubleshooting (but that is where the symptoms were first noticed). Is it safe to assume that the cleaning, updating and corrections we've done will have crossed all user account areas?

Between removal of "bad stuff" and updated versions of risk areas, *I'm* thinking we're in much better shape than when we started (but I defer to the expert.....;-) )

Thoughts?

Bill


----------
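Bill's question above about the other user accounts has a concrete check behind it. The Java Deployment cache that both Avira and Symantec flagged is kept per profile (the Avira log shows one hit under NetworkService and one under [USER]; the OTM log later reports a separate "Java cache emptied" line for each profile), so a finding in one account says nothing about the others. The script below is an added example, not code from the thread or from any tool in it. It assumes the infected volume is mounted read-only the way the Avira log scanned it (/media/Devices/sda2), uses the XP layout shown in the log (`<profile>\Application Data\Sun\Java\Deployment\cache`), takes the flagged class names from the ALERT lines and the Symantec export as a small IOC list, and builds a constructed stand-in for the volume so it runs offline; the profile names and jar names in the fixture are copied from the logs except the clean 1.Mom jar, which is made up.

```python
"""Inventory the Java Deployment cache of every user profile and flag known-bad class names.

Added example for this thread, not code from the original post or from any tool it
mentions. Assumes a read-only mount of the volume and the XP profile layout
<profile>/Application Data/Sun/Java/Deployment/cache seen in the Avira log.
build_demo_tree() is a constructed stand-in for that volume.
"""
import hashlib
import os
import tempfile
import zipfile
from typing import Dict, List

CACHE_SUBDIR = os.path.join("Application Data", "Sun", "Java", "Deployment", "cache")

# Class names reported inside cached jars by Avira and Symantec earlier in the thread.
IOC_CLASSES = {
    "dev/s/AdgredY.class",
    "lort/cooter.class",
    "lort/border.class",
    "menu/property.class",
}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_profiles(docs_and_settings: str) -> List[Dict]:
    """One record per cached jar, for every profile under Documents and Settings.

    Cached jars have no extension; the .idx side files next to them are skipped
    because they are not zip archives.
    """
    records = []
    for profile in sorted(os.listdir(docs_and_settings)):
        cache = os.path.join(docs_and_settings, profile, CACHE_SUBDIR)
        if not os.path.isdir(cache):
            continue                          # profile that never ran an applet
        for dirpath, _, files in os.walk(cache):
            for name in files:
                full = os.path.join(dirpath, name)
                if not zipfile.is_zipfile(full):
                    continue
                with zipfile.ZipFile(full) as z:
                    classes = [n for n in z.namelist() if n.endswith(".class")]
                records.append({
                    "profile": profile,
                    "jar": os.path.relpath(full, cache),
                    "sha256": sha256_file(full),   # for lookup against other scanners
                    "classes": classes,
                    "ioc_hits": sorted(set(classes) & IOC_CLASSES),
                })
    return records


def build_demo_tree(root: str) -> str:
    """Constructed fixture: three profiles with a cache, one without.

    Profile and jar names follow the logs in this thread; the 1.Mom jar is a
    made-up clean one. Class bodies are only the 4-byte class-file magic.
    """
    docs = os.path.join(root, "Documents and Settings")

    def make_jar(profile: str, rel: str, entries: List[str]) -> None:
        jar = os.path.join(docs, profile, CACHE_SUBDIR, "6.0", rel)
        os.makedirs(os.path.dirname(jar), exist_ok=True)
        with zipfile.ZipFile(jar, "w") as z:
            for entry in entries:
                z.writestr(entry, b"\xca\xfe\xba\xbe")
        open(jar + ".idx", "wb").close()       # side file that must be skipped

    make_jar("2.Kristin", os.path.join("53", "55956235-3295b642"),
             ["lort/cooter.class", "lort/border.class", "menu/property.class"])
    make_jar("NetworkService", os.path.join("14", "3160e6ce-7bcfb402"),
             ["dev/s/AdgredY.class"])
    make_jar("1.Mom", os.path.join("7", "00000000-00000000"),
             ["com/example/HelloApplet.class"])
    os.makedirs(os.path.join(docs, "Administrator"), exist_ok=True)
    return docs


def demo() -> List[Dict]:
    """Build the constructed tree in a temp dir and inventory it."""
    return inventory_profiles(build_demo_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for rec in demo():
        flag = "FLAGGED" if rec["ioc_hits"] else "ok"
        print(f"{flag:8}{rec['profile']:16}{rec['jar']}  {rec['sha256'][:12]}  {rec['classes']}")
```

On a real mount, call `inventory_profiles("/media/Devices/sda2/Documents and Settings")` instead of `demo()`. The IOC match only catches what has already been named; the class list and hash per jar are what make a cached applet nobody recognises worth a closer look, and the same walk confirms after a cache clean that every profile, not just the one being worked in, is empty.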



## kevinf80 (Mar 21, 2006)

Hiya Bill,

All accounts will be similar, run this final scan please; it will not take long. I`ll read back through your thread and see what we need to do to clean up...

Download OTL from any of the following links and save to your Desktop:

*Link 1*
*Link 2*
*Link 3*


 Double click on the icon to run it. Vista and Windows 7 users right click and select Run as Administrator. Make sure all other windows are closed and to let it run uninterrupted.
 In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
 Under the Custom Scan box paste this in

```
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
```

 Click the *Run Scan* button. Do not change any settings unless otherwise told to do so. The scan won't take long.
 When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
 Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your reply
Copy and paste OTL Txt and ExtrasTxt in your reply.

Kevin


----------



## PALV (Mar 10, 2011)

Kevin-

Requested logs, below.

Bill
----

OTL Txt :

OTL logfile created on: 3/24/2011 5:04:53 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\2.Kristin\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 314.00 Mb Available Physical Memory | 31.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.31 Gb Total Space | 78.99 Gb Free Space | 54.74% Space Free | Partition Type: NTFS

Computer Name: FAMILY | User Name: 2.Kristin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/24 17:01:05 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\2.Kristin\Desktop\OTL.exe
PRC - [2011/02/01 05:54:46 | 000,185,640 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\VERIZONDM\bin\tgsrvc.exe
PRC - [2011/02/01 05:54:42 | 000,206,120 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\VERIZONDM\bin\sprtsvc.exe
PRC - [2011/02/01 05:54:30 | 000,206,120 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\VERIZONDM\bin\sprtcmd.exe
PRC - [2010/12/20 19:08:58 | 000,363,344 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/12/20 19:08:56 | 000,443,728 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/10/19 13:19:22 | 000,141,848 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2007/10/19 13:17:28 | 000,186,904 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
PRC - [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/09/27 20:35:02 | 000,038,696 | ---- | M] (LANDesk Software Ltd.) -- C:\WINDOWS\system32\CBA\pds.exe
PRC - [2006/09/27 20:33:44 | 000,125,168 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/09/27 20:33:32 | 001,813,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/09/27 20:33:22 | 000,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
PRC - [2006/07/19 19:26:12 | 000,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/07/19 19:26:06 | 000,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/07/19 19:26:04 | 000,052,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/04/11 17:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2006/02/10 07:56:12 | 000,479,232 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

========== Modules (SafeList) ==========

MOD - [2011/03/24 17:01:05 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\2.Kristin\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2007/10/19 13:19:10 | 000,109,080 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcInj.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AresChatServer)
SRV - [2011/03/01 09:56:36 | 000,052,288 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus(R)
SRV - [2011/02/01 05:54:46 | 000,185,640 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\VERIZONDM\bin\tgsrvc.exe -- (tgsrvc_verizondm) SupportSoft Repair Service (verizondm)
SRV - [2011/02/01 05:54:42 | 000,206,120 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\VERIZONDM\bin\sprtsvc.exe -- (sprtsvc_verizondm) SupportSoft Sprocket Service (verizondm)
SRV - [2010/12/20 19:08:58 | 000,363,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2007/10/19 13:21:16 | 000,141,848 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
SRV - [2007/10/19 13:19:22 | 000,141,848 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2007/10/19 13:17:28 | 000,186,904 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe -- (LVCOMSer)
SRV - [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2006/09/27 20:35:02 | 000,038,696 | ---- | M] (LANDesk Software Ltd.) [Auto | Running] -- C:\WINDOWS\system32\CBA\pds.exe -- (Intel PDS)
SRV - [2006/09/27 20:33:38 | 000,116,464 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/09/27 20:33:32 | 001,813,232 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/09/27 20:33:22 | 000,031,472 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe -- (Reporting)
SRV - [2006/09/02 16:36:33 | 002,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
SRV - [2006/08/11 08:38:50 | 000,069,632 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe -- (Creative Labs Licensing Service)
SRV - [2006/08/07 16:03:02 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2006/07/19 19:26:12 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/07/19 19:26:06 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/04/11 17:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)

========== Driver Services (SafeList) ==========

DRV - [2010/12/20 19:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/12/17 05:00:00 | 001,360,760 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110320.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/12/17 05:00:00 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110320.003\NAVENG.SYS -- (NAVENG)
DRV - [2010/07/15 13:50:36 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/07/15 13:50:36 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2007/10/19 13:16:30 | 002,109,976 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Lvckap.sys -- (LVcKap)
DRV - [2007/10/11 22:01:06 | 000,023,832 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2007/10/11 22:00:54 | 003,647,384 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 9000(UVC)
DRV - [2007/10/11 22:00:43 | 000,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/10/11 21:59:12 | 001,920,920 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvpopflt.sys -- (lvpopflt)
DRV - [2007/10/11 18:59:24 | 000,025,624 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2007/10/11 18:59:02 | 002,142,488 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVMVdrv.sys -- (LVMVDrv)
DRV - [2007/07/20 12:09:15 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2007/04/09 10:56:22 | 000,021,248 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2007/04/09 10:55:08 | 000,022,912 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2007/04/09 10:53:24 | 000,012,672 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/09/18 17:55:28 | 000,109,744 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/09/06 14:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 14:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2006/08/11 08:45:53 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2006/08/07 16:02:26 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/08/07 16:02:22 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2006/04/11 17:13:34 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/09/08 05:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 05:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 05:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 05:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 05:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 05:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 05:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 12:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 12:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/04 04:10:18 | 001,273,344 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/06/06 21:40:48 | 000,180,736 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) High Definition Audio Driver (WDM)
DRV - [2005/05/25 22:34:00 | 000,158,464 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTUSFSYN.SYS -- (CTUSFSYN)
DRV - [2005/03/25 16:11:00 | 001,350,272 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sigfilt.sys -- (sigfilt)
DRV - [2005/01/11 00:15:00 | 000,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTSFM2K.SYS -- (ctsfm2k)
DRV - [2005/01/11 00:15:00 | 000,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTOSS2K.SYS -- (ossrv)
DRV - [2003/11/17 21:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 21:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 21:56:26 | 001,042,432 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2002/11/26 14:54:58 | 000,016,936 | ---- | M] (Smith Micro Software, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMNDIS5.sys -- (SMNDIS5)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{3F15FA0E-1BC7-4C4E-B3CF-91A6B67E9BC2}: C:\Documents and Settings\[USER]\Local Settings\Application Data\{3F15FA0E-1BC7-4C4E-B3CF-91A6B67E9BC2} [2010/07/27 06:30:36 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2011/03/21 18:23:49 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] File not found
O4 - HKLM..\Run: [VERIZONDM] C:\Program Files\VERIZONDM\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [SetDefaultMIDI] C:\WINDOWS\MIDIDEF.EXE (Creative Technology Ltd)
O4 - HKCU..\Run: [Weather] File not found
O4 - HKLM..\RunOnce: [Uninstall Adobe Download Manager] C:\Program Files\NOS\bin\getPlusUninst_Adobe.exe (NOS Microsystems Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_24.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} http://web1.shutterfly.com/downloads/Uploader.cab (Shutterfly Picture Upload Plugin)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://webportal.hunterdonhealthcare.org/dana-cached/setup/JuniperSetupSP1.cab (JuniperSetupSP1 Control)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\2.Kristin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\2.Kristin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 04:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - C:\WINDOWS\System32\lvcodec2.dll (Logitech Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.LEAD - LCODCCMP.DLL File not found
Drivers32: wave - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (56027131116781568)

========== Files/Folders - Created Within 30 Days ==========

[2011/03/24 17:00:57 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\2.Kristin\Desktop\OTL.exe
[2011/03/24 11:09:44 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2011/03/24 11:09:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2011/03/24 10:24:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/03/24 10:22:27 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/03/24 10:22:26 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/03/24 10:22:26 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/03/24 10:22:26 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/03/24 10:22:26 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/03/24 10:19:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2011/03/24 09:28:45 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/03/24 09:26:53 | 000,519,680 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\2.Kristin\Desktop\OTM.exe
[2011/03/23 14:20:16 | 000,367,616 | ---- | C] (Avira GmbH) -- C:\Documents and Settings\2.Kristin\Desktop\removaltool-win32-en.exe
[2011/03/23 08:41:16 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/03/22 13:40:48 | 000,000,000 | ---D | C] -- C:\bin
[2011/03/22 13:34:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\HP
[2011/03/22 13:30:02 | 000,000,000 | ---D | C] -- C:\Program Files\Hewlett-Packard
[2011/03/22 07:06:45 | 000,000,000 | ---D | C] -- C:\ARK
[2011/03/21 18:15:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/03/21 14:22:52 | 000,954,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40.dll
[2011/03/21 14:22:51 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[2011/03/21 14:22:50 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll
[2011/03/21 14:17:45 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2011/03/21 14:17:41 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2011/03/21 13:57:18 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2011/03/21 10:32:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\2.Kristin\Application Data\pdf995
[2011/03/21 10:23:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2011/03/21 10:23:06 | 000,249,856 | ---- | C] (TODO: <Company name>) -- C:\WINDOWS\System32\pdfmona.dll
[2011/03/21 10:23:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Software995
[2011/03/21 10:23:00 | 000,000,000 | ---D | C] -- C:\Program Files\pdf995
[2011/03/20 06:12:06 | 000,000,000 | ---D | C] -- C:\Program Files\VERIZONDM
[2011/03/20 06:12:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2011/03/20 06:11:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SupportSoft
[2011/03/19 16:37:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\2.Kristin\Local Settings\Application Data\Temp
[2011/03/19 16:20:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2011/03/16 15:10:28 | 000,000,000 | ---D | C] -- C:\Gotcha
[2011/03/16 14:29:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\2.Kristin\Tracing
[2011/03/16 08:01:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\2.Kristin\DoctorWeb
[2011/03/14 14:32:38 | 000,023,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mouclass.sys
[2011/03/14 14:28:11 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/03/14 13:42:46 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/14 13:42:46 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/14 13:42:46 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/14 13:42:46 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/14 13:42:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/03/14 13:41:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/12 11:11:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\2.Kristin\Desktop\Virus removal
[2011/03/11 21:56:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\2.Kristin\Application Data\Malwarebytes
[2011/03/11 21:01:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2011/03/10 12:27:50 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\2.Kristin\Desktop\TDSSKiller.exe

========== Files - Modified Within 30 Days ==========

[2011/03/24 17:19:15 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/24 17:01:05 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\2.Kristin\Desktop\OTL.exe
[2011/03/24 10:50:56 | 000,000,588 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2011/03/24 10:50:56 | 000,000,588 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2011/03/24 10:50:53 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/24 10:50:52 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\WinUtilities-02BB2F56CB964deb8996194DE7EB5275.job
[2011/03/24 10:49:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/24 10:49:26 | 1071,796,224 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/24 10:47:54 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2011/03/24 10:47:48 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad
[2011/03/24 10:21:27 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/03/24 10:21:27 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/03/24 10:21:27 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/03/24 10:21:27 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/03/24 10:21:26 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/03/24 10:04:41 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/24 09:26:58 | 000,519,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\2.Kristin\Desktop\OTM.exe
[2011/03/23 14:20:18 | 000,367,616 | ---- | M] (Avira GmbH) -- C:\Documents and Settings\2.Kristin\Desktop\removaltool-win32-en.exe
[2011/03/23 14:02:36 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\WebReg Photosmart C6100 series.job
[2011/03/23 10:40:31 | 000,216,064 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/23 03:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2011/03/22 17:49:35 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/03/22 17:49:31 | 000,503,536 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/22 17:49:31 | 000,088,394 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/22 13:52:21 | 000,117,091 | ---- | M] () -- C:\WINDOWS\hpoins11.dat
[2011/03/22 13:41:11 | 000,001,894 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Document Viewer.lnk
[2011/03/22 13:37:16 | 000,000,898 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Premier.lnk
[2011/03/22 13:37:16 | 000,000,798 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
[2011/03/22 13:33:15 | 000,001,808 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2011/03/22 13:32:17 | 000,001,875 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Express.lnk
[2011/03/22 13:31:27 | 000,000,984 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk
[2011/03/22 13:02:36 | 000,000,124 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/03/22 12:03:22 | 000,000,012 | ---- | M] () -- C:\Documents and Settings\2.Kristin\DOT4_001
[2011/03/22 11:00:18 | 000,228,901 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\GMER window.JPG
[2011/03/21 18:23:49 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/21 18:04:04 | 000,001,224 | ---- | M] () -- C:\CF-Submit.htm
[2011/03/21 17:55:01 | 004,298,593 | R--- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\Gotcha.exe
[2011/03/21 17:53:09 | 000,000,217 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\Windows Firewall.lnk
[2011/03/21 16:13:10 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/21 12:45:31 | 000,000,235 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\Error number 0×80070424 in Windows Update - Solution - Techie Corner.url
[2011/03/21 11:57:56 | 000,000,232 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\automatic update service not working - Tech Support Guy Forums.url
[2011/03/21 10:45:14 | 000,000,059 | ---- | M] () -- C:\WINDOWS\wpd99.drv
[2011/03/21 10:32:19 | 000,000,028 | ---- | M] () -- C:\WINDOWS\pdf995.ini
[2011/03/21 10:23:06 | 000,249,856 | ---- | M] (TODO: <Company name>) -- C:\WINDOWS\System32\pdfmona.dll
[2011/03/21 10:23:06 | 000,051,716 | ---- | M] () -- C:\WINDOWS\System32\pdf995mon.dll
[2011/03/19 16:33:17 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/03/18 17:37:20 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\08rhyz9f.exe
[2011/03/18 14:33:30 | 000,012,326 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\TDSSKiller results.JPG
[2011/03/18 14:24:43 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\2.Kristin\Desktop\TDSSKiller.exe
[2011/03/18 14:24:05 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\tdsskiller.zip
[2011/03/18 06:37:41 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\RKUnhookerLE.EXE
[2011/03/17 07:13:20 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\MBRCheck.exe
[2011/03/16 22:28:51 | 000,879,069 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\SecurityCheck.exe
[2011/03/16 16:13:10 | 000,000,253 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\General Security Information, How to tighten Security Settings and Warnings - Tech Support Guy Forums.url
[2011/03/16 11:20:15 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/03/15 17:56:33 | 000,021,314 | ---- | M] () -- C:\WINDOWS\System32\avididoc.dll
[2011/03/15 08:35:50 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2011/03/12 11:10:00 | 000,000,589 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\Shortcut to Moms Favorites.lnk
[2011/03/12 00:33:50 | 000,012,682 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3452207138
[2011/03/11 23:56:38 | 000,001,493 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
[2011/03/10 11:40:46 | 000,000,047 | ---- | M] () -- C:\WINDOWS\System32\_WKERNEL.FRE
[2011/03/09 19:32:32 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp
[2011/02/27 16:02:06 | 122,562,410 | ---- | M] () -- C:\SYM_REGISTRY_BACKUP.reg

========== Files Created - No Company Name ==========

[2011/03/23 14:02:35 | 000,000,316 | ---- | C] () -- C:\WINDOWS\tasks\WebReg Photosmart C6100 series.job
[2011/03/22 13:41:43 | 000,000,731 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\I.R.I.S. OCR Registration.lnk
[2011/03/22 13:41:10 | 000,001,894 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Document Viewer.lnk
[2011/03/22 13:37:16 | 000,000,898 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Premier.lnk
[2011/03/22 13:37:16 | 000,000,798 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
[2011/03/22 13:33:15 | 000,001,808 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2011/03/22 13:32:17 | 000,001,875 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Express.lnk
[2011/03/22 13:31:27 | 000,000,984 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk
[2011/03/22 13:00:38 | 000,117,091 | ---- | C] () -- C:\WINDOWS\hpoins11.dat
[2011/03/22 12:02:44 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\2.Kristin\DOT4_001
[2011/03/22 11:00:18 | 000,228,901 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\GMER window.JPG
[2011/03/21 18:04:04 | 000,001,224 | ---- | C] () -- C:\CF-Submit.htm
[2011/03/21 17:53:09 | 000,000,217 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\Windows Firewall.lnk
[2011/03/21 12:45:31 | 000,000,235 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\Error number 0×80070424 in Windows Update - Solution - Techie Corner.url
[2011/03/21 11:57:56 | 000,000,232 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\automatic update service not working - Tech Support Guy Forums.url
[2011/03/21 10:32:19 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2011/03/21 10:23:09 | 000,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2011/03/21 10:23:06 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2011/03/20 06:28:04 | 004,298,593 | R--- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\Gotcha.exe
[2011/03/20 06:11:49 | 009,811,968 | ---- | C] () -- C:\WINDOWS\VerizonDM.msi
[2011/03/19 16:33:17 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/03/19 16:33:16 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/03/18 17:37:19 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\08rhyz9f.exe
[2011/03/18 14:33:30 | 000,012,326 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\TDSSKiller results.JPG
[2011/03/18 14:23:59 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\tdsskiller.zip
[2011/03/18 06:37:41 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\RKUnhookerLE.EXE
[2011/03/18 06:00:56 | 1071,796,224 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/17 07:13:20 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\MBRCheck.exe
[2011/03/16 22:28:45 | 000,879,069 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\SecurityCheck.exe
[2011/03/16 16:13:10 | 000,000,253 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\General Security Information, How to tighten Security Settings and Warnings - Tech Support Guy Forums.url
[2011/03/14 14:28:21 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2011/03/14 14:28:15 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/03/14 13:42:46 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/14 13:42:46 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/14 13:42:46 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/14 13:42:46 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/14 13:42:46 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/12 11:10:00 | 000,000,589 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\Shortcut to Moms Favorites.lnk
[2011/03/11 21:33:44 | 000,012,682 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3452207138
[2011/03/09 18:58:37 | 001,228,854 | ---- | C] () -- C:\fsqwr.bmp
[2011/02/27 16:01:32 | 122,562,410 | ---- | C] () -- C:\SYM_REGISTRY_BACKUP.reg
[2010/10/27 00:23:48 | 000,127,392 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/10/27 00:23:40 | 000,191,654 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2010/07/25 16:49:14 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Adujabivebaxitiv.dat
[2010/07/25 16:49:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Olitihikilugoqor.bin
[2010/04/06 13:12:29 | 000,000,059 | ---- | C] () -- C:\WINDOWS\dcmvwr.INI
[2010/02/07 14:17:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\UNIVMGR.INI
[2009/11/12 15:30:46 | 000,021,314 | ---- | C] () -- C:\WINDOWS\System32\avididoc.dll
[2009/11/12 14:47:00 | 006,582,272 | ---- | C] () -- C:\WINDOWS\System32\rtfecfax.exe.vir
[2009/10/31 11:21:10 | 000,042,080 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/09/25 15:09:13 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
[2009/09/25 12:32:50 | 000,000,020 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2009/08/10 11:12:59 | 000,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
[2008/11/28 15:02:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2008/06/25 15:29:45 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2008/06/25 13:39:53 | 000,059,500 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/03/20 13:02:55 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2008/03/09 21:36:54 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2008/02/10 19:00:53 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\VZWDLManager.dll
[2008/02/10 15:36:47 | 004,891,136 | ---- | C] () -- C:\Program Files\WeatherbugSetupZ6157.msi
[2007/10/11 18:59:24 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2007/09/03 10:15:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/08/06 09:22:21 | 000,002,946 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/06/06 11:59:55 | 000,000,384 | ---- | C] () -- C:\WINDOWS\Wyncs.INI
[2007/05/08 07:00:08 | 000,032,397 | ---- | C] () -- C:\WINDOWS\SGTBox.INI
[2007/02/13 08:38:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2006/12/01 08:03:59 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2006/12/01 08:03:22 | 000,000,021 | ---- | C] () -- C:\WINDOWS\phbase.ini
[2006/12/01 08:02:37 | 000,000,572 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2006/12/01 08:01:21 | 000,000,022 | ---- | C] () -- C:\WINDOWS\OP70.INI
[2006/12/01 07:59:48 | 000,001,413 | ---- | C] () -- C:\WINDOWS\pstudio.ini
[2006/12/01 07:59:48 | 000,000,028 | ---- | C] () -- C:\WINDOWS\album.ini
[2006/12/01 07:59:48 | 000,000,021 | ---- | C] () -- C:\WINDOWS\Ps_setup.ini
[2006/11/24 12:15:14 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/10/19 14:33:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QUICKI~1.INI
[2006/10/19 12:52:28 | 000,000,191 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2006/10/02 22:26:22 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\instlsp.exe
[2006/08/19 19:48:17 | 000,003,350 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/08/19 19:48:17 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\CF7422D466.sys
[2006/08/19 13:50:36 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/08/19 11:48:59 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2006/08/18 13:01:07 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Local Settings\Application Data\fusioncache.dat
[2006/08/18 11:05:42 | 000,000,031 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2006/08/11 09:01:12 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/11 08:52:04 | 000,000,124 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/08/11 08:48:23 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2006/08/11 08:45:01 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/08/11 08:43:27 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/08/11 08:39:19 | 000,005,811 | ---- | C] () -- C:\WINDOWS\System32\CTSBMB.INI
[2006/08/11 08:15:30 | 000,004,969 | ---- | C] () -- C:\WINDOWS\System32\Sigfilt.ini
[2006/08/11 08:15:30 | 000,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2006/08/11 08:15:14 | 001,345,520 | ---- | C] () -- C:\WINDOWS\System32\CTMBHA.DLL
[2006/08/11 08:15:14 | 000,102,400 | ---- | C] () -- C:\WINDOWS\SETLANG.EXE
[2006/08/11 08:15:06 | 001,042,432 | ---- | C] () -- C:\WINDOWS\System32\drivers\HSF_DP.sys
[2006/08/11 08:14:54 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2006/08/11 08:14:50 | 000,095,617 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2006/08/11 08:14:20 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/05/05 17:18:56 | 000,011,634 | ---- | C] () -- C:\WINDOWS\hpomdl11.dat
[2005/11/10 08:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/16 04:48:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/16 04:38:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/16 04:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 04:33:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/16 04:27:59 | 000,216,064 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/08/16 04:18:35 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/08/16 04:18:33 | 000,503,536 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/08/16 04:18:33 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/08/16 04:18:33 | 000,088,394 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/08/16 04:18:33 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/08/16 04:18:32 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/08/16 04:18:30 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/08/16 04:18:28 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/08/16 04:18:23 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/08/16 04:18:23 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/08/16 04:18:21 | 000,158,730 | ---- | C] () -- C:\WINDOWS\System32\docipurl32.dll
[2005/08/16 04:18:15 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/08/16 04:18:08 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/08/05 14:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2000/09/08 18:53:50 | 000,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll

========== LOP Check ==========

[2006/08/19 13:55:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\acccore
[2006/08/19 14:20:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\Aim
[2008/04/27 13:11:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\Canon
[2007/08/07 22:54:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\HotSync
[2007/04/16 12:13:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\ICAClient
[2011/03/21 10:32:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\pdf995
[2008/02/09 18:47:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\PlayFirst
[2008/05/07 10:36:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\Uniblue
[2007/01/20 01:07:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\Viewpoint
[2008/02/10 15:37:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\WeatherBug
[2006/08/18 22:44:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\WildTangent
[2007/11/23 23:38:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\Zylom
[2006/12/24 12:17:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund
[2006/12/24 11:57:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund Software
[2005/08/16 20:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DIGStream
[2007/07/20 12:11:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HotSync
[2006/09/16 11:58:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2011/03/21 10:44:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2008/02/09 18:47:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2007/12/29 20:47:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2009/09/25 12:32:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2011/02/04 08:36:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2011/03/20 06:12:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2010/01/23 18:56:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/03/26 13:43:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/08/18 11:29:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Weather Studio
[2007/07/20 23:51:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2007/11/23 23:38:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zylom
[2009/10/30 15:09:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2011/03/24 10:50:52 | 000,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\WinUtilities-02BB2F56CB964deb8996194DE7EB5275.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2005/08/16 04:43:04 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/11/21 11:03:32 | 000,000,209 | ---- | M] () -- C:\Boot.bak
[2011/03/15 08:35:50 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2011/03/21 18:04:04 | 000,001,224 | ---- | M] () -- C:\CF-Submit.htm
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2011/03/21 18:47:38 | 000,014,531 | ---- | M] () -- C:\ComboFix.txt
[2005/08/16 04:43:04 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2006/08/18 15:03:50 | 000,000,081 | ---- | M] () -- C:\CTX.DAT
[2006/08/11 08:19:42 | 000,007,039 | RH-- | M] () -- C:\dell.sdr
[2011/03/09 19:32:32 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp
[2008/12/15 06:54:37 | 000,000,179 | ---- | M] () -- C:\handle.dat
[2011/03/24 10:49:26 | 1071,796,224 | -HS- | M] () -- C:\hiberfil.sys
[2007/07/20 12:11:14 | 004,751,376 | ---- | M] () -- C:\HuskyInstallerLog.txt
[2006/08/19 15:41:05 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
[2005/08/16 04:43:04 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
[2009/02/02 17:58:32 | 000,000,125 | ---- | M] () -- C:\ioSpecial.ini
[2008/04/27 17:46:07 | 000,003,126 | -H-- | M] () -- C:\IPH.PH
[2011/03/24 10:57:00 | 000,227,764 | ---- | M] () -- C:\mombi.log
[2005/08/16 04:43:04 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
[2004/08/10 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/09/13 11:57:38 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2011/03/24 10:49:06 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
[2008/02/09 19:04:50 | 000,102,486 | ---- | M] () -- C:\playground.log
[2006/10/19 13:44:02 | 000,000,136 | ---- | M] () -- C:\SerialSync.txt
[2006/12/24 12:17:09 | 000,000,200 | ---- | M] () -- C:\setup.log
[2009/08/09 01:03:18 | 000,000,232 | -H-- | M] () -- C:\sqmdata00.sqm
[2009/08/09 22:47:30 | 000,000,232 | -H-- | M] () -- C:\sqmdata01.sqm
[2009/08/10 08:29:34 | 000,000,232 | -H-- | M] () -- C:\sqmdata02.sqm
[2009/08/10 08:31:53 | 000,000,232 | -H-- | M] () -- C:\sqmdata03.sqm
[2009/08/10 10:42:56 | 000,000,232 | -H-- | M] () -- C:\sqmdata04.sqm
[2009/08/10 11:28:23 | 000,000,232 | -H-- | M] () -- C:\sqmdata05.sqm
[2009/08/10 12:04:01 | 000,000,232 | -H-- | M] () -- C:\sqmdata06.sqm
[2009/08/10 12:34:26 | 000,000,232 | -H-- | M] () -- C:\sqmdata07.sqm
[2009/08/10 12:34:50 | 000,000,232 | -H-- | M] () -- C:\sqmdata08.sqm
[2009/08/10 12:35:25 | 000,000,232 | -H-- | M] () -- C:\sqmdata09.sqm
[2009/08/10 12:39:24 | 000,000,232 | -H-- | M] () -- C:\sqmdata10.sqm
[2009/08/10 12:40:05 | 000,000,232 | -H-- | M] () -- C:\sqmdata11.sqm
[2009/08/10 12:41:19 | 000,000,232 | -H-- | M] () -- C:\sqmdata12.sqm
[2009/08/10 12:42:53 | 000,000,232 | -H-- | M] () -- C:\sqmdata13.sqm
[2009/08/10 12:43:30 | 000,000,232 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/08/10 12:43:10 | 000,000,232 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/08/10 13:19:11 | 000,000,232 | -H-- | M] () -- C:\sqmdata16.sqm
[2009/08/11 03:29:36 | 000,000,232 | -H-- | M] () -- C:\sqmdata17.sqm
[2009/08/08 13:35:21 | 000,000,232 | -H-- | M] () -- C:\sqmdata18.sqm
[2009/08/09 00:58:19 | 000,000,232 | -H-- | M] () -- C:\sqmdata19.sqm
[2009/08/09 01:03:18 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009/08/09 22:47:30 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009/08/10 08:29:34 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2009/08/10 08:31:53 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2009/08/10 10:42:56 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2009/08/10 11:28:23 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009/08/10 12:04:01 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2009/08/10 12:34:26 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2009/08/10 12:34:50 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2009/08/10 12:35:25 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2009/08/10 12:39:24 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2009/08/10 12:40:05 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2009/08/10 12:41:19 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2009/08/10 12:42:53 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2009/08/10 12:43:30 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009/08/10 12:43:10 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/08/10 13:19:11 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009/08/11 03:29:36 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2009/08/08 13:35:21 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2009/08/09 00:58:19 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2005/10/31 11:56:00 | 000,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe
[2011/02/27 16:02:06 | 122,562,410 | ---- | M] () -- C:\SYM_REGISTRY_BACKUP.reg
[2006/08/11 08:46:15 | 000,000,087 | ---- | M] () -- C:\SystemInfo.ini
[2011/03/15 05:37:07 | 000,061,508 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_15.03.2011_05.33.27_log.txt
[2011/03/18 14:39:01 | 000,059,976 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_18.03.2011_14.26.00_log.txt
[2006/12/24 12:17:01 | 000,000,851 | ---- | M] () -- C:\tempbmm.iss
[2007/08/23 08:30:03 | 000,004,581 | ---- | M] () -- C:\VETlog.txt

<  %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2005/08/16 04:27:08 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2005/08/16 04:27:08 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/08/16 04:27:08 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-03-24 04:07:22

========== Alternate Data Streams ==========

@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:813B8EB6
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B9F8237A
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:815D61C4
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:331B76C7
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:483AC68A
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:288A91F8
< End of report >

----

ExtrasTxt :

OTL Extras logfile created on: 3/24/2011 5:04:53 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\2.Kristin\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 314.00 Mb Available Physical Memory | 31.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.31 Gb Total Space | 78.99 Gb Free Space | 54.74% Space Free | Partition Type: NTFS

Computer Name: FAMILY | User Name: 2.Kristin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Disabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\Palm\HOTSYNC.EXE" = C:\Palm\HOTSYNC.EXE:*:Enabled:HotSync® Manager Application -- (PalmSource, Inc)
"C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe" = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater -- ()
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Disabled:America Online 9.0 -- (America Online, Inc.)
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- ()
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:LocalSubNet:Enabled:mbam.exe -- (Malwarebytes Corporation)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Development Company, L.P.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}" = Notifier
"{02807340-8FA2-44B6-ABA1-E443E4FF0A20}" = VZAccess Manager for RIM
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{073F22CE-9A5B-4A40-A604-C7270AC6BF34}" = ESSSONIC
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{154508C0-07C5-4659-A7A0-E49968750D21}" = HLPPDOCK
"{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig
"{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{25EF03E6-F17B-11D6-88EA-000476CD2443}" = Verizon Online Help & Support
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java(TM) 6 Update 24
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource
"{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1
"{33CFCF98-F8D6-4549-B469-6F4295676D83}" = Symantec AntiVirus
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}" = OTtBPSDK
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{3FADAA19-E595-44CA-A072-58B6B0851768}" = Norton Security Scan
"{40A594D0-1490-4979-9382-D2B764F949C6}" = BlackBerry® Media Sync
"{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{4667B940-BB01-428B-986E-A0CC46497BF7}" = ELIcon
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{46C73DE4-E96D-4F7C-8371-F28052183B12}" = Sonic Advanced Decoder
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E7E8E6A-15F1-4E26-9352-26AD235131E9}" = Documents To Go
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{53C6D09E-EAB6-49E5-BA4C-BA7FF13830FB}" = Sound Blaster Audigy ADVANCED MB
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}" = EarthLink setup files
"{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}" = Ad-Aware SE Personal
"{7A3F0566-5E05-4919-9C98-456F6B5CF831}" = Get High Speed Internet!
"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{81D62C32-0984-11D3-86CD-00105AD33021}" = Caere Scan Manager 5.1
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110206700}" = Bejeweled
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel(R) PROSet for Wired Connections
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{87843A41-7808-4F2E-B13F-25C1E67CF2FD}" = ESShelp
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A9B8148-DDD7-448F-BD6C-358386D32354}" = Corel Photo Album 6
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{8D2AE3F6-79DF-423C-91CB-389F6FB5837B}" = Andrea VoiceCenter
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}" = Logitech QuickCam
"{95120000-0038-0409-0000-0000000FF1CE}" = Time Zone Data Update Tool for Microsoft Office Outlook
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}" = ESScore
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A683A2C0-821C-486F-858C-FA634DB5E864}" = EducateU
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig
"{B3B4CD34-6C20-4b28-A231-FEC55B42C579}" = c6100_Help
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{B6286A44-7505-471A-A72B-04EC2DB2F442}" = CueTour
"{B6884A07-0305-47AE-9969-8F26FADC17DE}" = Games, Music, & Photos Launcher
"{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config
"{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}" = KSU
"{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}" = HP Photosmart, Officejet and Deskjet 7.0.A
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1C6767D-B395-43CB-BF99-051B58B86DA6}" = PhotoGallery
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{C8574AE5-370F-4246-A301-B85A2CC89A5E}" = C6100
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE5E3F15-320A-4865-97D3-F07227C5BB2F}" = BlackBerry Desktop Software 4.5
"{D1973749-F5E7-40EB-B528-F2B78685B9FF}" = essvcpt
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D547A594-AA85-4B92-80EB-47B371B98C68}" = Verizon Download Manager
"{D76D1828-BBA0-4BD9-8181-5ACC617DC5F2}" = Virtual Earth 3D (Beta)
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC}" = Search Assist
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine
"{E0B27188-A15E-4C64-AE49-85E8EF46184B}" = Reporting Agents (Symantec Corporation)
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E42BD75A-FC23-4E3F-9F91-2658334C644F}" = Internet Service Offers Launcher
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}" = kgcbase
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}" = OTtBP
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"{FB26EA24-AE01-4C86-BEBC-424D5B81E66E}" = The Print Shop
"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA
"{FC274982-5AAD-4C20-848D-4424A5043010}_is1" = WinUtilities 9.82 Free Edition
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FDF9943A-3D5C-46B3-9679-586BD237DDEE}" = SKIN0001
"{FE7E1DD7-EBCE-4696-ADE2-22BDBF2372DA}" = DocumentViewer
"{FF24F097-D090-41D2-8E9C-BAFEBBFD938C}" = palmOne
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3" = Polar Bowler
"35B081E6-2482-4495-90F8-C00D6C42D2A0" = FaceIt
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"American Airlines TravelDesk_is1" = American Airlines TravelDesk
"AOL Instant Messenger" = AOL Instant Messenger
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"ArcSoft PhotoBase" = ArcSoft PhotoBase
"ArcSoft PhotoStudio 2000" = ArcSoft PhotoStudio 2000
"ATI Display Driver" = ATI Display Driver
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Bejeweled 2 Deluxe 1.1.3.2523" = Bejeweled 2 Deluxe 1.1.3.2523
"BFGC" = Big Fish Games Client
"BlackBerry_{CE5E3F15-320A-4865-97D3-F07227C5BB2F}" = BlackBerry Desktop Software 4.5
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Canon ScanGear Toolbox CS" = Canon ScanGear Toolbox CS 2.2
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"Crossword Weaver 8.0" = Crossword Weaver 8.0
"CSCLIB" = Canon Camera Support Core Library
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Dell Game Console" = Dell Game Console
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"EOS Utility" = Canon Utilities EOS Utility
"ESPNMotion" = ESPNMotion
"HP Document Viewer" = HP Document Viewer 7.0
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"HPOCR" = OCR Software by I.R.I.S 7.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)
"lvdrivers_11.50" = Logitech QuickCam Driver Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Monopoly Here & Now Edition" = Monopoly Here & Now Edition (remove only)
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MSNINST" = MSN
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NSSSetup.{3FADAA19-E595-44CA-A072-58B6B0851768}" = Norton Security Scan (Symantec Corporation)
"OmniPagePro9.0DeinstKey" = OmniPage Pro 9.0
"Pdf995" = Pdf995
"PdfEdit995" = PdfEdit995
"PhotoStitch" = Canon Utilities PhotoStitch
"PROSet" = Intel(R) PRO Network Connections Drivers
"RadialpointClientGateway_is1" = Verizon Servicepoint 1.3.21
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RealPlayer 6.0" = RealPlayer Basic
"RemoteCaptureDC" = Canon Utilities RemoteCapture DC
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Shockwave" = Shockwave
"Snood 4_is1" = Snood 4
"Sound Blaster Audigy ADVANCED MB Product Registration" = Sound Blaster Audigy ADVANCED MB Product Registration
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"StreetPlugin" = Learn2 Player (Uninstall Only)
"VCast Music Essentials Manager" = V CAST Music Manager 
"Verizon Online DSL_is1" = Verizon Online DSL
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WebPost" = Microsoft Web Publishing Wizard 1.52
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"WT009382" = Mah-Jomino
"WT014569" = Blasterball 2 Holidays
"WT014651" = Ocean Express
"WT014654" = PegSweeper
"WT014676" = Serpengo
"WT014681" = Slingo Deluxe
"WT023996" = Puzzle Express
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar for Internet Explorer
"Yahoo! Toolbar" = Yahoo! Toolbar
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT  Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

[ System Events ]
Error - 3/24/2011 9:28:50 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The LVCOMSer service terminated unexpectedly. It has done this 1 
time(s).

Error - 3/24/2011 9:28:50 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The MBAMService service terminated unexpectedly. It has done this
1 time(s).

Error - 3/24/2011 9:28:50 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The Machine Debug Manager service terminated unexpectedly. It has
done this 1 time(s).

Error - 3/24/2011 9:28:50 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The Pml Driver HPZ12 service terminated unexpectedly. It has done
this 1 time(s).

Error - 3/24/2011 9:28:51 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The MSSQLSERVER service terminated unexpectedly. It has done this
1 time(s).

Error - 3/24/2011 9:28:51 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The SupportSoft Sprocket Service (verizondm) service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/24/2011 9:28:52 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The Canon Camera Access Library 8 service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/24/2011 9:28:52 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The SupportSoft Repair Service (verizondm) service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/24/2011 10:00:12 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7024
Description = The Symantec SPBBCSvc service terminated with service-specific error
4294967295 (0xFFFFFFFF).

Error - 3/24/2011 10:53:58 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7024
Description = The Symantec SPBBCSvc service terminated with service-specific error
4294967295 (0xFFFFFFFF).

< End of report >


----------
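The Windows Firewall exception list in the report above is printed by OTL as `"path" = path:scope:Enabled|Disabled:name -- (publisher)`, where a scope of `*` means any remote address and `LocalSubNet` means the local subnet only. When hunting for something a hijacker added, the entries worth a second look are the ones that are Enabled for scope `*`, point outside Program Files or the Windows directory, or carry no publisher. The script below is an added illustration, not code from the original post: it parses lines in that layout and flags them. The first four sample lines are copied from the log; the fifth is a constructed placeholder (path, name and all) showing the kind of entry the checks are meant to surface.

```python
import re
from dataclasses import dataclass

# Entries in the layout OTL prints for the Windows Firewall AuthorizedApplications
# list:  "<path>" = <path>:<scope>:<Enabled|Disabled>:<display name> -- (<publisher>)
# The first four lines are copied from the report; the fifth is a CONSTRUCTED
# placeholder, not an entry from the log.
SAMPLE = r'''
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Disabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\Palm\HOTSYNC.EXE" = C:\Palm\HOTSYNC.EXE:*:Enabled:HotSync® Manager Application -- (PalmSource, Inc)
"C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe" = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater -- ()
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:LocalSubNet:Enabled:mbam.exe -- (Malwarebytes Corporation)
"C:\Documents and Settings\user\Local Settings\Temp\sample.exe" = C:\Documents and Settings\user\Local Settings\Temp\sample.exe:*:Enabled:sample.exe -- ()
'''

LINE_RE = re.compile(r'^"(?P<key>[^"]+)" = (?P<value>.*?) -- \((?P<publisher>.*)\)$')
STANDARD_ROOT_RE = re.compile(r'^[a-z]:\\(program files|windows)\\')


@dataclass
class FirewallException:
    path: str
    scope: str      # '*' = any remote address, 'LocalSubNet' = local subnet only
    state: str      # 'Enabled' or 'Disabled'
    name: str
    publisher: str


def parse_line(line):
    """Parse one OTL firewall-exception line; returns None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key, value, publisher = m['key'], m['value'], m['publisher'].strip()
    # The value starts with the same path as the key, so strip that prefix instead
    # of splitting on ':' (the drive letter already contains one).
    if not value.startswith(key + ':'):
        return None
    scope, state, name = value[len(key) + 1:].split(':', 2)
    return FirewallException(key, scope, state, name, publisher)


def review(exc):
    """Return the reasons an enabled exception deserves a closer look."""
    if exc.state.lower() != 'enabled':
        return []                      # a disabled exception opens nothing
    p = exc.path.lower()
    flags = []
    if exc.scope == '*':
        flags.append('any-network-scope')
    if not exc.publisher:
        flags.append('no-publisher')
    if not STANDARD_ROOT_RE.match(p):
        flags.append('outside-standard-dirs')
    if '\\documents and settings\\' in p or '\\temp\\' in p:
        flags.append('user-profile-or-temp')
    return flags


def triage(text):
    """Map each parsed exception path to its flags, worst first."""
    results = {}
    for line in text.splitlines():
        exc = parse_line(line)
        if exc:
            results[exc.path] = review(exc)
    return dict(sorted(results.items(), key=lambda kv: -len(kv[1])))


if __name__ == '__main__':
    for path, flags in triage(SAMPLE).items():
        print(f"{len(flags)}  {path}  {', '.join(flags) or 'ok'}")
```

The flags are prompts for a manual check, not verdicts: the Kodak updater and HotSync entries trip a rule each and are legitimate, which is exactly why the publisher column and the file on disk still have to be looked at. Entries that are Disabled are skipped because they grant nothing whether or not they look odd.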
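The ten Symantec tamper-protection alerts in the event log above all name the same actor, C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464), every attempt was blocked, and the eight Service Control Manager 7034 errors sit in the three seconds just before them. A single actor on the user's own desktop at the moment a cleanup tool was being run is consistent with that tool terminating processes ahead of its work, not with malware disabling the antivirus; the two later SPBBCSvc 7024 errors are a separate question. The script below is an added illustration, not part of the original post: it parses OTL's event-log layout, groups blocked attempts by actor process and PID, and lists the services that terminated in the seconds before them, which is the check that makes such a cluster obvious at a glance. The sample is an excerpt of the section above, cut to two alerts and three SCM records.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Excerpt of the "Last 10 Event Log Errors" section of the OTL report, cut down to
# two tamper alerts and three Service Control Manager records (the report has ten
# of each); the line wrapping is exactly as OTL prints it.
SAMPLE = r"""
[ Application Events ]
Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

[ System Events ]
Error - 3/24/2011 9:28:50 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The MBAMService service terminated unexpectedly. It has done this
1 time(s).

Error - 3/24/2011 9:28:51 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The MSSQLSERVER service terminated unexpectedly. It has done this
1 time(s).

Error - 3/24/2011 10:00:12 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7024
Description = The Symantec SPBBCSvc service terminated with service-specific error
4294967295 (0xFFFFFFFF).
"""

HEADER_RE = re.compile(
    r'^Error - (?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \| '
    r'Computer Name = (?P<host>\S+) \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$')
TAMPER_RE = re.compile(
    r'TAMPER PROTECTION ALERT\s+Target: (?P<target>.+?) Event Info: (?P<action>.+?) '
    r'Action Taken: (?P<taken>\w+) Actor Process: (?P<actor>.+?) \(PID (?P<pid>\d+)\)')
SCM_7034_RE = re.compile(r'^The (?P<service>.+?) service terminated unexpectedly')


def parse_events(text):
    """Turn the OTL event-log dump into records with a datetime and a one-line description."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {'time': datetime.strptime(m['ts'], '%m/%d/%Y %I:%M:%S %p'),
                       'host': m['host'], 'source': m['source'], 'id': int(m['id']), 'desc': ''}
            events.append(current)
        elif not line:
            current = None                       # a blank line ends the record
        elif current is not None and not line.startswith('['):
            if line.startswith('Description = '):
                line = line[len('Description = '):]
            current['desc'] = (current['desc'] + ' ' + line).strip()   # rejoin wrapped lines
    return events


def summarize(events, window=timedelta(seconds=10)):
    """Group blocked tamper attempts by actor and list services that died just before them."""
    actors = defaultdict(lambda: {'count': 0, 'targets': set(), 'actions': set(), 'times': []})
    stopped = []
    for ev in events:
        m = TAMPER_RE.search(ev['desc'])
        if ev['source'] == 'Symantec AntiVirus' and m:
            a = actors[(m['actor'], int(m['pid']))]
            a['count'] += 1
            a['targets'].add(m['target'])
            a['actions'].add(m['action'])
            a['times'].append(ev['time'])
        elif ev['source'] == 'Service Control Manager' and ev['id'] == 7034:
            s = SCM_7034_RE.match(ev['desc'])
            if s:
                stopped.append((ev['time'], s['service']))
    findings = []
    for (actor, pid), a in actors.items():
        first, last = min(a['times']), max(a['times'])
        nearby = [svc for t, svc in stopped if first - window <= t <= last]
        findings.append({'actor': actor, 'pid': pid, 'blocked': a['count'],
                         'targets': sorted(a['targets']), 'actions': sorted(a['actions']),
                         'first': first, 'last': last, 'services_stopped_nearby': nearby})
    return findings


if __name__ == '__main__':
    for f in summarize(parse_events(SAMPLE)):
        print(f"{f['actor']} (PID {f['pid']}): {f['blocked']} blocked attempt(s) on "
              f"{', '.join(f['targets'])} [{', '.join(f['actions'])}] "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S}; services stopped just before: "
              f"{', '.join(f['services_stopped_nearby']) or 'none'}")
```

Grouping by actor is the point: one known tool with one PID, a handful of seconds, every attempt blocked. Had the actor been an unfamiliar binary in a system directory, or had the SCM errors shown Symantec's own services stopping without a blocked attempt preceding them, the same output would read very differently. The ten-second window is an assumption chosen for this log; widen it for slower machines.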



## PALV (Mar 10, 2011)

Kevin-

Requested logs, below.

Bill
----

OTL Txt :

OTL logfile created on: 3/24/2011 5:04:53 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\2.Kristin\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 314.00 Mb Available Physical Memory | 31.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.31 Gb Total Space | 78.99 Gb Free Space | 54.74% Space Free | Partition Type: NTFS

Computer Name: FAMILY | User Name: 2.Kristin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/24 17:01:05 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\2.Kristin\Desktop\OTL.exe
PRC - [2011/02/01 05:54:46 | 000,185,640 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\VERIZONDM\bin\tgsrvc.exe
PRC - [2011/02/01 05:54:42 | 000,206,120 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\VERIZONDM\bin\sprtsvc.exe
PRC - [2011/02/01 05:54:30 | 000,206,120 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\VERIZONDM\bin\sprtcmd.exe
PRC - [2010/12/20 19:08:58 | 000,363,344 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/12/20 19:08:56 | 000,443,728 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/10/19 13:19:22 | 000,141,848 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2007/10/19 13:17:28 | 000,186,904 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
PRC - [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/09/27 20:35:02 | 000,038,696 | ---- | M] (LANDesk Software Ltd.) -- C:\WINDOWS\system32\CBA\pds.exe
PRC - [2006/09/27 20:33:44 | 000,125,168 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/09/27 20:33:32 | 001,813,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/09/27 20:33:22 | 000,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
PRC - [2006/07/19 19:26:12 | 000,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/07/19 19:26:06 | 000,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/07/19 19:26:04 | 000,052,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/04/11 17:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2006/02/10 07:56:12 | 000,479,232 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

========== Modules (SafeList) ==========

MOD - [2011/03/24 17:01:05 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\2.Kristin\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2007/10/19 13:19:10 | 000,109,080 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcInj.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AresChatServer)
SRV - [2011/03/01 09:56:36 | 000,052,288 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus(R)
SRV - [2011/02/01 05:54:46 | 000,185,640 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\VERIZONDM\bin\tgsrvc.exe -- (tgsrvc_verizondm) SupportSoft Repair Service (verizondm)
SRV - [2011/02/01 05:54:42 | 000,206,120 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\VERIZONDM\bin\sprtsvc.exe -- (sprtsvc_verizondm) SupportSoft Sprocket Service (verizondm)
SRV - [2010/12/20 19:08:58 | 000,363,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2007/10/19 13:21:16 | 000,141,848 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
SRV - [2007/10/19 13:19:22 | 000,141,848 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2007/10/19 13:17:28 | 000,186,904 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe -- (LVCOMSer)
SRV - [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2006/09/27 20:35:02 | 000,038,696 | ---- | M] (LANDesk Software Ltd.) [Auto | Running] -- C:\WINDOWS\system32\CBA\pds.exe -- (Intel PDS)
SRV - [2006/09/27 20:33:38 | 000,116,464 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/09/27 20:33:32 | 001,813,232 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/09/27 20:33:22 | 000,031,472 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe -- (Reporting)
SRV - [2006/09/02 16:36:33 | 002,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
SRV - [2006/08/11 08:38:50 | 000,069,632 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe -- (Creative Labs Licensing Service)
SRV - [2006/08/07 16:03:02 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2006/07/19 19:26:12 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/07/19 19:26:06 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/04/11 17:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)

========== Driver Services (SafeList) ==========

DRV - [2010/12/20 19:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/12/17 05:00:00 | 001,360,760 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110320.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/12/17 05:00:00 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110320.003\NAVENG.SYS -- (NAVENG)
DRV - [2010/07/15 13:50:36 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/07/15 13:50:36 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2007/10/19 13:16:30 | 002,109,976 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Lvckap.sys -- (LVcKap)
DRV - [2007/10/11 22:01:06 | 000,023,832 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2007/10/11 22:00:54 | 003,647,384 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 9000(UVC)
DRV - [2007/10/11 22:00:43 | 000,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/10/11 21:59:12 | 001,920,920 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvpopflt.sys -- (lvpopflt)
DRV - [2007/10/11 18:59:24 | 000,025,624 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2007/10/11 18:59:02 | 002,142,488 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVMVdrv.sys -- (LVMVDrv)
DRV - [2007/07/20 12:09:15 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2007/04/09 10:56:22 | 000,021,248 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2007/04/09 10:55:08 | 000,022,912 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2007/04/09 10:53:24 | 000,012,672 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/09/18 17:55:28 | 000,109,744 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/09/06 14:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 14:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2006/08/11 08:45:53 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2006/08/07 16:02:26 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/08/07 16:02:22 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2006/04/11 17:13:34 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/09/08 05:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 05:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 05:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 05:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 05:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 05:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 05:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 12:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 12:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/04 04:10:18 | 001,273,344 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/06/06 21:40:48 | 000,180,736 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) High Definition Audio Driver (WDM)
DRV - [2005/05/25 22:34:00 | 000,158,464 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTUSFSYN.SYS -- (CTUSFSYN)
DRV - [2005/03/25 16:11:00 | 001,350,272 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sigfilt.sys -- (sigfilt)
DRV - [2005/01/11 00:15:00 | 000,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTSFM2K.SYS -- (ctsfm2k)
DRV - [2005/01/11 00:15:00 | 000,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTOSS2K.SYS -- (ossrv)
DRV - [2003/11/17 21:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 21:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 21:56:26 | 001,042,432 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2002/11/26 14:54:58 | 000,016,936 | ---- | M] (Smith Micro Software, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMNDIS5.sys -- (SMNDIS5)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{3F15FA0E-1BC7-4C4E-B3CF-91A6B67E9BC2}: C:\Documents and Settings\[USER]\Local Settings\Application Data\{3F15FA0E-1BC7-4C4E-B3CF-91A6B67E9BC2} [2010/07/27 06:30:36 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2011/03/21 18:23:49 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] File not found
O4 - HKLM..\Run: [VERIZONDM] C:\Program Files\VERIZONDM\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [SetDefaultMIDI] C:\WINDOWS\MIDIDEF.EXE (Creative Technology Ltd)
O4 - HKCU..\Run: [Weather] File not found
O4 - HKLM..\RunOnce: [Uninstall Adobe Download Manager] C:\Program Files\NOS\bin\getPlusUninst_Adobe.exe (NOS Microsystems Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_24.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} http://web1.shutterfly.com/downloads/Uploader.cab (Shutterfly Picture Upload Plugin)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://webportal.hunterdonhealthcare.org/dana-cached/setup/JuniperSetupSP1.cab (JuniperSetupSP1 Control)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\2.Kristin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\2.Kristin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 04:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - C:\WINDOWS\System32\lvcodec2.dll (Logitech Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.LEAD - LCODCCMP.DLL File not found
Drivers32: wave - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (56027131116781568)

========== Files/Folders - Created Within 30 Days ==========

[2011/03/24 17:00:57 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\2.Kristin\Desktop\OTL.exe
[2011/03/24 11:09:44 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2011/03/24 11:09:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2011/03/24 10:24:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/03/24 10:22:27 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/03/24 10:22:26 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/03/24 10:22:26 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/03/24 10:22:26 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/03/24 10:22:26 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/03/24 10:19:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2011/03/24 09:28:45 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/03/24 09:26:53 | 000,519,680 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\2.Kristin\Desktop\OTM.exe
[2011/03/23 14:20:16 | 000,367,616 | ---- | C] (Avira GmbH) -- C:\Documents and Settings\2.Kristin\Desktop\removaltool-win32-en.exe
[2011/03/23 08:41:16 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/03/22 13:40:48 | 000,000,000 | ---D | C] -- C:\bin
[2011/03/22 13:34:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\HP
[2011/03/22 13:30:02 | 000,000,000 | ---D | C] -- C:\Program Files\Hewlett-Packard
[2011/03/22 07:06:45 | 000,000,000 | ---D | C] -- C:\ARK
[2011/03/21 18:15:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/03/21 14:22:52 | 000,954,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40.dll
[2011/03/21 14:22:51 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[2011/03/21 14:22:50 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll
[2011/03/21 14:17:45 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2011/03/21 14:17:41 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2011/03/21 13:57:18 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2011/03/21 10:32:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\2.Kristin\Application Data\pdf995
[2011/03/21 10:23:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2011/03/21 10:23:06 | 000,249,856 | ---- | C] (TODO: <Company name>) -- C:\WINDOWS\System32\pdfmona.dll
[2011/03/21 10:23:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Software995
[2011/03/21 10:23:00 | 000,000,000 | ---D | C] -- C:\Program Files\pdf995
[2011/03/20 06:12:06 | 000,000,000 | ---D | C] -- C:\Program Files\VERIZONDM
[2011/03/20 06:12:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2011/03/20 06:11:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SupportSoft
[2011/03/19 16:37:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\2.Kristin\Local Settings\Application Data\Temp
[2011/03/19 16:20:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2011/03/16 15:10:28 | 000,000,000 | ---D | C] -- C:\Gotcha
[2011/03/16 14:29:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\2.Kristin\Tracing
[2011/03/16 08:01:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\2.Kristin\DoctorWeb
[2011/03/14 14:32:38 | 000,023,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mouclass.sys
[2011/03/14 14:28:11 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/03/14 13:42:46 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/14 13:42:46 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/14 13:42:46 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/14 13:42:46 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/14 13:42:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/03/14 13:41:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/12 11:11:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\2.Kristin\Desktop\Virus removal
[2011/03/11 21:56:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\2.Kristin\Application Data\Malwarebytes
[2011/03/11 21:01:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2011/03/10 12:27:50 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\2.Kristin\Desktop\TDSSKiller.exe

========== Files - Modified Within 30 Days ==========

[2011/03/24 17:19:15 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/24 17:01:05 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\2.Kristin\Desktop\OTL.exe
[2011/03/24 10:50:56 | 000,000,588 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2011/03/24 10:50:56 | 000,000,588 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2011/03/24 10:50:53 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/24 10:50:52 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\WinUtilities-02BB2F56CB964deb8996194DE7EB5275.job
[2011/03/24 10:49:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/24 10:49:26 | 1071,796,224 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/24 10:47:54 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2011/03/24 10:47:48 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad
[2011/03/24 10:21:27 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/03/24 10:21:27 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/03/24 10:21:27 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/03/24 10:21:27 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/03/24 10:21:26 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/03/24 10:04:41 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/24 09:26:58 | 000,519,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\2.Kristin\Desktop\OTM.exe
[2011/03/23 14:20:18 | 000,367,616 | ---- | M] (Avira GmbH) -- C:\Documents and Settings\2.Kristin\Desktop\removaltool-win32-en.exe
[2011/03/23 14:02:36 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\WebReg Photosmart C6100 series.job
[2011/03/23 10:40:31 | 000,216,064 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/23 03:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2011/03/22 17:49:35 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/03/22 17:49:31 | 000,503,536 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/22 17:49:31 | 000,088,394 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/22 13:52:21 | 000,117,091 | ---- | M] () -- C:\WINDOWS\hpoins11.dat
[2011/03/22 13:41:11 | 000,001,894 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Document Viewer.lnk
[2011/03/22 13:37:16 | 000,000,898 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Premier.lnk
[2011/03/22 13:37:16 | 000,000,798 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
[2011/03/22 13:33:15 | 000,001,808 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2011/03/22 13:32:17 | 000,001,875 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Express.lnk
[2011/03/22 13:31:27 | 000,000,984 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk
[2011/03/22 13:02:36 | 000,000,124 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/03/22 12:03:22 | 000,000,012 | ---- | M] () -- C:\Documents and Settings\2.Kristin\DOT4_001
[2011/03/22 11:00:18 | 000,228,901 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\GMER window.JPG
[2011/03/21 18:23:49 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/21 18:04:04 | 000,001,224 | ---- | M] () -- C:\CF-Submit.htm
[2011/03/21 17:55:01 | 004,298,593 | R--- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\Gotcha.exe
[2011/03/21 17:53:09 | 000,000,217 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\Windows Firewall.lnk
[2011/03/21 16:13:10 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/21 12:45:31 | 000,000,235 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\Error number 0×80070424 in Windows Update  Solution - Techie Corner.url
[2011/03/21 11:57:56 | 000,000,232 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\automatic update service not working - Tech Support Guy Forums.url
[2011/03/21 10:45:14 | 000,000,059 | ---- | M] () -- C:\WINDOWS\wpd99.drv
[2011/03/21 10:32:19 | 000,000,028 | ---- | M] () -- C:\WINDOWS\pdf995.ini
[2011/03/21 10:23:06 | 000,249,856 | ---- | M] (TODO: <Company name>) -- C:\WINDOWS\System32\pdfmona.dll
[2011/03/21 10:23:06 | 000,051,716 | ---- | M] () -- C:\WINDOWS\System32\pdf995mon.dll
[2011/03/19 16:33:17 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/03/18 17:37:20 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\08rhyz9f.exe
[2011/03/18 14:33:30 | 000,012,326 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\TDSSKiller results.JPG
[2011/03/18 14:24:43 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\2.Kristin\Desktop\TDSSKiller.exe
[2011/03/18 14:24:05 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\tdsskiller.zip
[2011/03/18 06:37:41 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\RKUnhookerLE.EXE
[2011/03/17 07:13:20 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\MBRCheck.exe
[2011/03/16 22:28:51 | 000,879,069 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\SecurityCheck.exe
[2011/03/16 16:13:10 | 000,000,253 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\General Security Information, How to tighten Security Settings and Warnings - Tech Support Guy Forums.url
[2011/03/16 11:20:15 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/03/15 17:56:33 | 000,021,314 | ---- | M] () -- C:\WINDOWS\System32\avididoc.dll
[2011/03/15 08:35:50 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2011/03/12 11:10:00 | 000,000,589 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Desktop\Shortcut to Moms Favorites.lnk
[2011/03/12 00:33:50 | 000,012,682 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3452207138
[2011/03/11 23:56:38 | 000,001,493 | ---- | M] () -- C:\Documents and Settings\2.Kristin\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
[2011/03/10 11:40:46 | 000,000,047 | ---- | M] () -- C:\WINDOWS\System32\_WKERNEL.FRE
[2011/03/09 19:32:32 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp
[2011/02/27 16:02:06 | 122,562,410 | ---- | M] () -- C:\SYM_REGISTRY_BACKUP.reg

========== Files Created - No Company Name ==========

[2011/03/23 14:02:35 | 000,000,316 | ---- | C] () -- C:\WINDOWS\tasks\WebReg Photosmart C6100 series.job
[2011/03/22 13:41:43 | 000,000,731 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\I.R.I.S. OCR Registration.lnk
[2011/03/22 13:41:10 | 000,001,894 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Document Viewer.lnk
[2011/03/22 13:37:16 | 000,000,898 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Premier.lnk
[2011/03/22 13:37:16 | 000,000,798 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
[2011/03/22 13:33:15 | 000,001,808 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2011/03/22 13:32:17 | 000,001,875 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Express.lnk
[2011/03/22 13:31:27 | 000,000,984 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk
[2011/03/22 13:00:38 | 000,117,091 | ---- | C] () -- C:\WINDOWS\hpoins11.dat
[2011/03/22 12:02:44 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\2.Kristin\DOT4_001
[2011/03/22 11:00:18 | 000,228,901 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\GMER window.JPG
[2011/03/21 18:04:04 | 000,001,224 | ---- | C] () -- C:\CF-Submit.htm
[2011/03/21 17:53:09 | 000,000,217 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\Windows Firewall.lnk
[2011/03/21 12:45:31 | 000,000,235 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\Error number 0×80070424 in Windows Update  Solution - Techie Corner.url
[2011/03/21 11:57:56 | 000,000,232 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\automatic update service not working - Tech Support Guy Forums.url
[2011/03/21 10:32:19 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2011/03/21 10:23:09 | 000,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2011/03/21 10:23:06 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2011/03/20 06:28:04 | 004,298,593 | R--- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\Gotcha.exe
[2011/03/20 06:11:49 | 009,811,968 | ---- | C] () -- C:\WINDOWS\VerizonDM.msi
[2011/03/19 16:33:17 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/03/19 16:33:16 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/03/18 17:37:19 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\08rhyz9f.exe
[2011/03/18 14:33:30 | 000,012,326 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\TDSSKiller results.JPG
[2011/03/18 14:23:59 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\tdsskiller.zip
[2011/03/18 06:37:41 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\RKUnhookerLE.EXE
[2011/03/18 06:00:56 | 1071,796,224 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/17 07:13:20 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\MBRCheck.exe
[2011/03/16 22:28:45 | 000,879,069 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\SecurityCheck.exe
[2011/03/16 16:13:10 | 000,000,253 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\General Security Information, How to tighten Security Settings and Warnings - Tech Support Guy Forums.url
[2011/03/14 14:28:21 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2011/03/14 14:28:15 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/03/14 13:42:46 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/14 13:42:46 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/14 13:42:46 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/14 13:42:46 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/14 13:42:46 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/12 11:10:00 | 000,000,589 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Desktop\Shortcut to Moms Favorites.lnk
[2011/03/11 21:33:44 | 000,012,682 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3452207138
[2011/03/09 18:58:37 | 001,228,854 | ---- | C] () -- C:\fsqwr.bmp
[2011/02/27 16:01:32 | 122,562,410 | ---- | C] () -- C:\SYM_REGISTRY_BACKUP.reg
[2010/10/27 00:23:48 | 000,127,392 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/10/27 00:23:40 | 000,191,654 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2010/07/25 16:49:14 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Adujabivebaxitiv.dat
[2010/07/25 16:49:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Olitihikilugoqor.bin
[2010/04/06 13:12:29 | 000,000,059 | ---- | C] () -- C:\WINDOWS\dcmvwr.INI
[2010/02/07 14:17:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\UNIVMGR.INI
[2009/11/12 15:30:46 | 000,021,314 | ---- | C] () -- C:\WINDOWS\System32\avididoc.dll
[2009/11/12 14:47:00 | 006,582,272 | ---- | C] () -- C:\WINDOWS\System32\rtfecfax.exe.vir
[2009/10/31 11:21:10 | 000,042,080 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/09/25 15:09:13 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
[2009/09/25 12:32:50 | 000,000,020 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2009/08/10 11:12:59 | 000,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
[2008/11/28 15:02:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2008/06/25 15:29:45 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2008/06/25 13:39:53 | 000,059,500 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/03/20 13:02:55 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2008/03/09 21:36:54 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2008/02/10 19:00:53 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\VZWDLManager.dll
[2008/02/10 15:36:47 | 004,891,136 | ---- | C] () -- C:\Program Files\WeatherbugSetupZ6157.msi
[2007/10/11 18:59:24 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2007/09/03 10:15:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/08/06 09:22:21 | 000,002,946 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/06/06 11:59:55 | 000,000,384 | ---- | C] () -- C:\WINDOWS\Wyncs.INI
[2007/05/08 07:00:08 | 000,032,397 | ---- | C] () -- C:\WINDOWS\SGTBox.INI
[2007/02/13 08:38:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2006/12/01 08:03:59 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2006/12/01 08:03:22 | 000,000,021 | ---- | C] () -- C:\WINDOWS\phbase.ini
[2006/12/01 08:02:37 | 000,000,572 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2006/12/01 08:01:21 | 000,000,022 | ---- | C] () -- C:\WINDOWS\OP70.INI
[2006/12/01 07:59:48 | 000,001,413 | ---- | C] () -- C:\WINDOWS\pstudio.ini
[2006/12/01 07:59:48 | 000,000,028 | ---- | C] () -- C:\WINDOWS\album.ini
[2006/12/01 07:59:48 | 000,000,021 | ---- | C] () -- C:\WINDOWS\Ps_setup.ini
[2006/11/24 12:15:14 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/10/19 14:33:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QUICKI~1.INI
[2006/10/19 12:52:28 | 000,000,191 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2006/10/02 22:26:22 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\instlsp.exe
[2006/08/19 19:48:17 | 000,003,350 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/08/19 19:48:17 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\CF7422D466.sys
[2006/08/19 13:50:36 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/08/19 11:48:59 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2006/08/18 13:01:07 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\2.Kristin\Local Settings\Application Data\fusioncache.dat
[2006/08/18 11:05:42 | 000,000,031 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2006/08/11 09:01:12 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/11 08:52:04 | 000,000,124 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/08/11 08:48:23 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2006/08/11 08:45:01 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/08/11 08:43:27 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/08/11 08:39:19 | 000,005,811 | ---- | C] () -- C:\WINDOWS\System32\CTSBMB.INI
[2006/08/11 08:15:30 | 000,004,969 | ---- | C] () -- C:\WINDOWS\System32\Sigfilt.ini
[2006/08/11 08:15:30 | 000,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2006/08/11 08:15:14 | 001,345,520 | ---- | C] () -- C:\WINDOWS\System32\CTMBHA.DLL
[2006/08/11 08:15:14 | 000,102,400 | ---- | C] () -- C:\WINDOWS\SETLANG.EXE
[2006/08/11 08:15:06 | 001,042,432 | ---- | C] () -- C:\WINDOWS\System32\drivers\HSF_DP.sys
[2006/08/11 08:14:54 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2006/08/11 08:14:50 | 000,095,617 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2006/08/11 08:14:20 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/05/05 17:18:56 | 000,011,634 | ---- | C] () -- C:\WINDOWS\hpomdl11.dat
[2005/11/10 08:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/16 04:48:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/16 04:38:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/16 04:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 04:33:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/16 04:27:59 | 000,216,064 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/08/16 04:18:35 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/08/16 04:18:33 | 000,503,536 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/08/16 04:18:33 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/08/16 04:18:33 | 000,088,394 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/08/16 04:18:33 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/08/16 04:18:32 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/08/16 04:18:30 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/08/16 04:18:28 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/08/16 04:18:23 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/08/16 04:18:23 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/08/16 04:18:21 | 000,158,730 | ---- | C] () -- C:\WINDOWS\System32\docipurl32.dll
[2005/08/16 04:18:15 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/08/16 04:18:08 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/08/05 14:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2000/09/08 18:53:50 | 000,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll

========== LOP Check ==========

[2006/08/19 13:55:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\acccore
[2006/08/19 14:20:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\Aim
[2008/04/27 13:11:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\Canon
[2007/08/07 22:54:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\HotSync
[2007/04/16 12:13:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\ICAClient
[2011/03/21 10:32:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\pdf995
[2008/02/09 18:47:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\PlayFirst
[2008/05/07 10:36:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\Uniblue
[2007/01/20 01:07:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\Viewpoint
[2008/02/10 15:37:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\WeatherBug
[2006/08/18 22:44:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\WildTangent
[2007/11/23 23:38:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\2.Kristin\Application Data\Zylom
[2006/12/24 12:17:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund
[2006/12/24 11:57:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund Software
[2005/08/16 20:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DIGStream
[2007/07/20 12:11:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HotSync
[2006/09/16 11:58:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2011/03/21 10:44:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2008/02/09 18:47:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2007/12/29 20:47:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2009/09/25 12:32:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2011/02/04 08:36:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2011/03/20 06:12:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2010/01/23 18:56:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/03/26 13:43:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/08/18 11:29:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Weather Studio
[2007/07/20 23:51:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2007/11/23 23:38:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zylom
[2009/10/30 15:09:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2011/03/24 10:50:52 | 000,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\WinUtilities-02BB2F56CB964deb8996194DE7EB5275.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2005/08/16 04:43:04 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/11/21 11:03:32 | 000,000,209 | ---- | M] () -- C:\Boot.bak
[2011/03/15 08:35:50 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2011/03/21 18:04:04 | 000,001,224 | ---- | M] () -- C:\CF-Submit.htm
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2011/03/21 18:47:38 | 000,014,531 | ---- | M] () -- C:\ComboFix.txt
[2005/08/16 04:43:04 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2006/08/18 15:03:50 | 000,000,081 | ---- | M] () -- C:\CTX.DAT
[2006/08/11 08:19:42 | 000,007,039 | RH-- | M] () -- C:\dell.sdr
[2011/03/09 19:32:32 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp
[2008/12/15 06:54:37 | 000,000,179 | ---- | M] () -- C:\handle.dat
[2011/03/24 10:49:26 | 1071,796,224 | -HS- | M] () -- C:\hiberfil.sys
[2007/07/20 12:11:14 | 004,751,376 | ---- | M] () -- C:\HuskyInstallerLog.txt
[2006/08/19 15:41:05 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
[2005/08/16 04:43:04 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
[2009/02/02 17:58:32 | 000,000,125 | ---- | M] () -- C:\ioSpecial.ini
[2008/04/27 17:46:07 | 000,003,126 | -H-- | M] () -- C:\IPH.PH
[2011/03/24 10:57:00 | 000,227,764 | ---- | M] () -- C:\mombi.log
[2005/08/16 04:43:04 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
[2004/08/10 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/09/13 11:57:38 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2011/03/24 10:49:06 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
[2008/02/09 19:04:50 | 000,102,486 | ---- | M] () -- C:\playground.log
[2006/10/19 13:44:02 | 000,000,136 | ---- | M] () -- C:\SerialSync.txt
[2006/12/24 12:17:09 | 000,000,200 | ---- | M] () -- C:\setup.log
[2009/08/09 01:03:18 | 000,000,232 | -H-- | M] () -- C:\sqmdata00.sqm
[2009/08/09 22:47:30 | 000,000,232 | -H-- | M] () -- C:\sqmdata01.sqm
[2009/08/10 08:29:34 | 000,000,232 | -H-- | M] () -- C:\sqmdata02.sqm
[2009/08/10 08:31:53 | 000,000,232 | -H-- | M] () -- C:\sqmdata03.sqm
[2009/08/10 10:42:56 | 000,000,232 | -H-- | M] () -- C:\sqmdata04.sqm
[2009/08/10 11:28:23 | 000,000,232 | -H-- | M] () -- C:\sqmdata05.sqm
[2009/08/10 12:04:01 | 000,000,232 | -H-- | M] () -- C:\sqmdata06.sqm
[2009/08/10 12:34:26 | 000,000,232 | -H-- | M] () -- C:\sqmdata07.sqm
[2009/08/10 12:34:50 | 000,000,232 | -H-- | M] () -- C:\sqmdata08.sqm
[2009/08/10 12:35:25 | 000,000,232 | -H-- | M] () -- C:\sqmdata09.sqm
[2009/08/10 12:39:24 | 000,000,232 | -H-- | M] () -- C:\sqmdata10.sqm
[2009/08/10 12:40:05 | 000,000,232 | -H-- | M] () -- C:\sqmdata11.sqm
[2009/08/10 12:41:19 | 000,000,232 | -H-- | M] () -- C:\sqmdata12.sqm
[2009/08/10 12:42:53 | 000,000,232 | -H-- | M] () -- C:\sqmdata13.sqm
[2009/08/10 12:43:30 | 000,000,232 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/08/10 12:43:10 | 000,000,232 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/08/10 13:19:11 | 000,000,232 | -H-- | M] () -- C:\sqmdata16.sqm
[2009/08/11 03:29:36 | 000,000,232 | -H-- | M] () -- C:\sqmdata17.sqm
[2009/08/08 13:35:21 | 000,000,232 | -H-- | M] () -- C:\sqmdata18.sqm
[2009/08/09 00:58:19 | 000,000,232 | -H-- | M] () -- C:\sqmdata19.sqm
[2009/08/09 01:03:18 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009/08/09 22:47:30 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009/08/10 08:29:34 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2009/08/10 08:31:53 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2009/08/10 10:42:56 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2009/08/10 11:28:23 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009/08/10 12:04:01 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2009/08/10 12:34:26 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2009/08/10 12:34:50 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2009/08/10 12:35:25 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2009/08/10 12:39:24 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2009/08/10 12:40:05 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2009/08/10 12:41:19 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2009/08/10 12:42:53 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2009/08/10 12:43:30 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009/08/10 12:43:10 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/08/10 13:19:11 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009/08/11 03:29:36 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2009/08/08 13:35:21 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2009/08/09 00:58:19 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2005/10/31 11:56:00 | 000,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe
[2011/02/27 16:02:06 | 122,562,410 | ---- | M] () -- C:\SYM_REGISTRY_BACKUP.reg
[2006/08/11 08:46:15 | 000,000,087 | ---- | M] () -- C:\SystemInfo.ini
[2011/03/15 05:37:07 | 000,061,508 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_15.03.2011_05.33.27_log.txt
[2011/03/18 14:39:01 | 000,059,976 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_18.03.2011_14.26.00_log.txt
[2006/12/24 12:17:01 | 000,000,851 | ---- | M] () -- C:\tempbmm.iss
[2007/08/23 08:30:03 | 000,004,581 | ---- | M] () -- C:\VETlog.txt

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2005/08/16 04:27:08 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2005/08/16 04:27:08 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/08/16 04:27:08 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-03-24 04:07:22

========== Alternate Data Streams ==========

@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:813B8EB6
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B9F8237A
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:815D61C4
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:331B76C7
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:483AC68A
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:288A91F8
< End of report >

----

ExtrasTxt :

OTL Extras logfile created on: 3/24/2011 5:04:53 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\2.Kristin\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 314.00 Mb Available Physical Memory | 31.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.31 Gb Total Space | 78.99 Gb Free Space | 54.74% Space Free | Partition Type: NTFS

Computer Name: FAMILY | User Name: 2.Kristin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Disabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\Palm\HOTSYNC.EXE" = C:\Palm\HOTSYNC.EXE:*:Enabled:HotSync® Manager Application -- (PalmSource, Inc)
"C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe" = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater -- ()
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Disabled:America Online 9.0 -- (America Online, Inc.)
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- ()
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:LocalSubNet:Enabled:mbam.exe -- (Malwarebytes Corporation)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Development Company, L.P.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}" = Notifier
"{02807340-8FA2-44B6-ABA1-E443E4FF0A20}" = VZAccess Manager for RIM
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{073F22CE-9A5B-4A40-A604-C7270AC6BF34}" = ESSSONIC
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{154508C0-07C5-4659-A7A0-E49968750D21}" = HLPPDOCK
"{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig
"{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{25EF03E6-F17B-11D6-88EA-000476CD2443}" = Verizon Online Help & Support
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java(TM) 6 Update 24
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource
"{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1
"{33CFCF98-F8D6-4549-B469-6F4295676D83}" = Symantec AntiVirus
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}" = OTtBPSDK
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{3FADAA19-E595-44CA-A072-58B6B0851768}" = Norton Security Scan
"{40A594D0-1490-4979-9382-D2B764F949C6}" = BlackBerry® Media Sync
"{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{4667B940-BB01-428B-986E-A0CC46497BF7}" = ELIcon
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{46C73DE4-E96D-4F7C-8371-F28052183B12}" = Sonic Advanced Decoder
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E7E8E6A-15F1-4E26-9352-26AD235131E9}" = Documents To Go
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{53C6D09E-EAB6-49E5-BA4C-BA7FF13830FB}" = Sound Blaster Audigy ADVANCED MB
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype 3.8
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}" = EarthLink setup files
"{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}" = Ad-Aware SE Personal
"{7A3F0566-5E05-4919-9C98-456F6B5CF831}" = Get High Speed Internet!
"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{81D62C32-0984-11D3-86CD-00105AD33021}" = Caere Scan Manager 5.1
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110206700}" = Bejeweled
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel(R) PROSet for Wired Connections
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{87843A41-7808-4F2E-B13F-25C1E67CF2FD}" = ESShelp
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A9B8148-DDD7-448F-BD6C-358386D32354}" = Corel Photo Album 6
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{8D2AE3F6-79DF-423C-91CB-389F6FB5837B}" = Andrea VoiceCenter
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}" = Logitech QuickCam
"{95120000-0038-0409-0000-0000000FF1CE}" = Time Zone Data Update Tool for Microsoft Office Outlook
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}" = ESScore
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A683A2C0-821C-486F-858C-FA634DB5E864}" = EducateU
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig
"{B3B4CD34-6C20-4b28-A231-FEC55B42C579}" = c6100_Help
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{B6286A44-7505-471A-A72B-04EC2DB2F442}" = CueTour
"{B6884A07-0305-47AE-9969-8F26FADC17DE}" = Games, Music, & Photos Launcher
"{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config
"{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}" = KSU
"{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}" = HP Photosmart, Officejet and Deskjet 7.0.A
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1C6767D-B395-43CB-BF99-051B58B86DA6}" = PhotoGallery
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{C8574AE5-370F-4246-A301-B85A2CC89A5E}" = C6100
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE5E3F15-320A-4865-97D3-F07227C5BB2F}" = BlackBerry Desktop Software 4.5
"{D1973749-F5E7-40EB-B528-F2B78685B9FF}" = essvcpt
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D547A594-AA85-4B92-80EB-47B371B98C68}" = Verizon Download Manager
"{D76D1828-BBA0-4BD9-8181-5ACC617DC5F2}" = Virtual Earth 3D (Beta)
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC}" = Search Assist
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine
"{E0B27188-A15E-4C64-AE49-85E8EF46184B}" = Reporting Agents (Symantec Corporation)
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E42BD75A-FC23-4E3F-9F91-2658334C644F}" = Internet Service Offers Launcher
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}" = kgcbase
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}" = OTtBP
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"{FB26EA24-AE01-4C86-BEBC-424D5B81E66E}" = The Print Shop
"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA
"{FC274982-5AAD-4C20-848D-4424A5043010}_is1" = WinUtilities 9.82 Free Edition
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FDF9943A-3D5C-46B3-9679-586BD237DDEE}" = SKIN0001
"{FE7E1DD7-EBCE-4696-ADE2-22BDBF2372DA}" = DocumentViewer
"{FF24F097-D090-41D2-8E9C-BAFEBBFD938C}" = palmOne
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3" = Polar Bowler
"35B081E6-2482-4495-90F8-C00D6C42D2A0" = FaceIt
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"American Airlines TravelDesk_is1" = American Airlines TravelDesk
"AOL Instant Messenger" = AOL Instant Messenger
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"ArcSoft PhotoBase" = ArcSoft PhotoBase
"ArcSoft PhotoStudio 2000" = ArcSoft PhotoStudio 2000
"ATI Display Driver" = ATI Display Driver
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Bejeweled 2 Deluxe 1.1.3.2523" = Bejeweled 2 Deluxe 1.1.3.2523
"BFGC" = Big Fish Games Client
"BlackBerry_{CE5E3F15-320A-4865-97D3-F07227C5BB2F}" = BlackBerry Desktop Software 4.5
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Canon ScanGear Toolbox CS" = Canon ScanGear Toolbox CS 2.2
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"Crossword Weaver 8.0" = Crossword Weaver 8.0
"CSCLIB" = Canon Camera Support Core Library
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Dell Game Console" = Dell Game Console
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"EOS Utility" = Canon Utilities EOS Utility
"ESPNMotion" = ESPNMotion
"HP Document Viewer" = HP Document Viewer 7.0
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"HPOCR" = OCR Software by I.R.I.S 7.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)
"lvdrivers_11.50" = Logitech QuickCam Driver Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Monopoly Here & Now Edition" = Monopoly Here & Now Edition (remove only)
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MSNINST" = MSN
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NSSSetup.{3FADAA19-E595-44CA-A072-58B6B0851768}" = Norton Security Scan (Symantec Corporation)
"OmniPagePro9.0DeinstKey" = OmniPage Pro 9.0
"Pdf995" = Pdf995
"PdfEdit995" = PdfEdit995
"PhotoStitch" = Canon Utilities PhotoStitch
"PROSet" = Intel(R) PRO Network Connections Drivers
"RadialpointClientGateway_is1" = Verizon Servicepoint 1.3.21
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RealPlayer 6.0" = RealPlayer Basic
"RemoteCaptureDC" = Canon Utilities RemoteCapture DC
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Shockwave" = Shockwave
"Snood 4_is1" = Snood 4
"Sound Blaster Audigy ADVANCED MB Product Registration" = Sound Blaster Audigy ADVANCED MB Product Registration
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"StreetPlugin" = Learn2 Player (Uninstall Only)
"VCast Music Essentials Manager" = V CAST Music Manager 
"Verizon Online DSL_is1" = Verizon Online DSL
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WebPost" = Microsoft Web Publishing Wizard 1.52
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"WT009382" = Mah-Jomino
"WT014569" = Blasterball 2 Holidays
"WT014651" = Ocean Express
"WT014654" = PegSweeper
"WT014676" = Serpengo
"WT014681" = Slingo Deluxe
"WT023996" = Puzzle Express
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar for Internet Explorer
"Yahoo! Toolbar" = Yahoo! Toolbar
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

Error - 3/24/2011 9:28:53 AM | Computer Name = FAMILY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\2.Kristin\Desktop\OTM.exe (PID 2464) Time: Thursday,
March 24, 2011 9:28:53 AM

[ System Events ]
Error - 3/24/2011 9:28:50 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The LVCOMSer service terminated unexpectedly. It has done this 1 
time(s).

Error - 3/24/2011 9:28:50 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The MBAMService service terminated unexpectedly. It has done this
1 time(s).

Error - 3/24/2011 9:28:50 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The Machine Debug Manager service terminated unexpectedly. It has
done this 1 time(s).

Error - 3/24/2011 9:28:50 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The Pml Driver HPZ12 service terminated unexpectedly. It has done
this 1 time(s).

Error - 3/24/2011 9:28:51 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The MSSQLSERVER service terminated unexpectedly. It has done this
1 time(s).

Error - 3/24/2011 9:28:51 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The SupportSoft Sprocket Service (verizondm) service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/24/2011 9:28:52 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The Canon Camera Access Library 8 service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/24/2011 9:28:52 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7034
Description = The SupportSoft Repair Service (verizondm) service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/24/2011 10:00:12 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7024
Description = The Symantec SPBBCSvc service terminated with service-specific error
4294967295 (0xFFFFFFFF).

Error - 3/24/2011 10:53:58 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7024
Description = The Symantec SPBBCSvc service terminated with service-specific error
4294967295 (0xFFFFFFFF).

< End of report >


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

I guess we are not quite finished yet, as follows please :-

Re-Run OTL by double left click; Vista and Windows 7 users right click and select Run as Administrator.

Under the Custom Scans/Fixes box at the bottom, paste in the following


```
:OTL
SRV - File not found [On_Demand | Stopped] -- -- (AresChatServer)
[2005/10/31 11:56:00 | 000,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe
O3 - HKLM\..\Toolbar: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKCU..\Run: [Weather] File not found
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab  (Reg Error: Key error.)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/dim2/def...ploader_v6.cab  (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/...nAxControl.CAB  (Reg Error: Key error.)
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:813B8EB6
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B9F8237A
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:815D61C4
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:331B76C7
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:483AC68A
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:288A91F8

:Services

:Reg

:Files
C:\WINDOWS\System32\settings.sfm
C:\WINDOWS\System32\settingsbkup.sfm
C:\fsqwr.bmp
C:\WINDOWS\Adujabivebaxitiv.dat
C:\WINDOWS\Olitihikilugoqor.bin
:Commands
[emptytemp]
```

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Post the log it produces in your next reply.

Kevin
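
The fix script above is a plain-text plan that OTL works through section by section. As an added example (not OTL's or the poster's code), the following Python parses such a script into a reviewable list of what the fix will touch, using an excerpt of this post's script as constructed sample input; the section markers and line formats it assumes are only those visible in the post.

```python
"""Parse an OTL fix script into a reviewable plan (added example; not OTL's own code).

Assumptions: the script is plain text; a line that is only ':Name' opens a section,
and lines inside ':OTL' are scan-log entries in the formats seen in the post above
(SRV, O3, O4, O16, timestamped file lines and @Alternate Data Stream).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the fix script from the post above.
SAMPLE_FIX = r"""
:OTL
SRV - File not found [On_Demand | Stopped] -- -- (AresChatServer)
[2005/10/31 11:56:00 | 000,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe
O3 - HKLM\..\Toolbar: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKCU..\Run: [Weather] File not found
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/dim2/def...ploader_v6.cab  (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/...nAxControl.CAB  (Reg Error: Key error.)
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:813B8EB6
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B9F8237A

:Services

:Reg

:Files
C:\WINDOWS\System32\settings.sfm
C:\fsqwr.bmp
C:\WINDOWS\Adujabivebaxitiv.dat
:Commands
[emptytemp]
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FILE_LINE_RE = re.compile(r"^\[.*\] \((?P<publisher>[^)]*)\) -- (?P<path>.+)$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<target>.+)$")


@dataclass
class FixPlan:
    """What the fix will touch, grouped by kind, so it can be reviewed before it runs."""
    services: list = field(default_factory=list)      # services to stop and delete (SRV)
    toolbars: list = field(default_factory=list)      # IE toolbar CLSIDs (O3)
    run_entries: list = field(default_factory=list)   # autorun value names (O4)
    activex: list = field(default_factory=list)       # Downloaded Program Files entries (O16)
    ads: list = field(default_factory=list)           # (target, size) alternate data streams
    files: list = field(default_factory=list)         # files to be moved/quarantined
    commands: list = field(default_factory=list)      # e.g. emptytemp
    unparsed: list = field(default_factory=list)      # lines a reviewer must read by hand


def parse_otl_fix(text: str) -> FixPlan:
    plan = FixPlan()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":") and " " not in line:
            section = line[1:].lower()      # ':OTL' -> 'otl'
            continue
        if section == "files":
            plan.files.append(line)
        elif section == "commands":
            plan.commands.append(line.strip("[]").lower())
        elif section == "otl":
            _parse_otl_entry(line, plan)
        else:
            plan.unparsed.append(line)
    return plan


def _parse_otl_entry(line: str, plan: FixPlan) -> None:
    if line.startswith("SRV - "):
        m = re.search(r"\(([^()]+)\)\s*$", line)   # service name is the last (...) group
        plan.services.append(m.group(1) if m else line)
    elif line.startswith("O3 - "):
        m = CLSID_RE.search(line)
        plan.toolbars.append(m.group(0) if m else line)
    elif line.startswith("O4 - "):
        m = re.search(r"\[([^\]]+)\]", line)
        plan.run_entries.append(m.group(1) if m else line)
    elif line.startswith("O16 - DPF: "):
        m = CLSID_RE.search(line)
        # Fall back to the plug-in name (text before the URL) when no CLSID is given.
        plan.activex.append(m.group(0) if m else line[len("O16 - DPF: "):].split(" http")[0])
    elif (m := ADS_RE.match(line)):
        plan.ads.append((m.group("target"), int(m.group("size"))))
    elif (m := FILE_LINE_RE.match(line)):
        plan.files.append(m.group("path"))
    else:
        plan.unparsed.append(line)


def summarize(plan: FixPlan) -> dict:
    """Counts per category; compare against the 'deleted/moved successfully' lines OTL logs afterwards."""
    return {kind: len(items) for kind, items in vars(plan).items()}


if __name__ == "__main__":
    plan = parse_otl_fix(SAMPLE_FIX)
    for kind, count in summarize(plan).items():
        print(f"{kind:12} {count}")
```

Anything that lands in `unparsed` is a line the parser did not recognise and should be checked by hand before the fix is run.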


----------



## PALV (Mar 10, 2011)

Kevin -
FYI - scan hung, then froze computer last night. Re-running again this AM, will post logs as soon as completed.

Bill


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

If you have issues running the OTL fix, disconnect from the internet and turn off Security then run the fix. Hopefully we'll be able to clean up all of our tools after this one. It's 12:30 pm local time for me, got to go out and will not be back until about 8:00 pm local time...

Kevin


----------



## PALV (Mar 10, 2011)

Kevin -
Wow - that was much faster than yesterday! FYI - Set up and ran yesterday per instructions. A note at bottom of scanner said something like "Scanning - DO NOT INTERRUPT........" - so I didn't. As noted earlier, I returned to see the same screen, no further progress, and could not reboot or shut down computer. Pulled plug, rebooted, and restarted OTL this AM - fast scan, results are below.

One other note - upon reboot after this OTL scan/fix - received another mysterious "Found New Hardware" wizard. A few days ago I had to reinstall my printer after one of our steps (don't recall which), so I thought maybe that was what it found. (then remembered, I had already completed that install and successfully used the printer since then.) So I clicked through the first step of the Wizard to see just what it had found - and again it only listed an abstract, single character (similar to a previous mystery wizard earlier in this troubleshooting process). I stopped and cancelled at that point - not knowing if it was problematic.

Bill

---

All processes killed
========== OTL ==========
Service AresChatServer stopped successfully!
Service AresChatServer deleted successfully!
C:\StubInstaller.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{1BB22D38-A411-4B13-A746-C2A4F4EC7344} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB22D38-A411-4B13-A746-C2A4F4EC7344}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{1BB22D38-A411-4B13-A746-C2A4F4EC7344} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB22D38-A411-4B13-A746-C2A4F4EC7344}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Weather deleted successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
C:\WINDOWS\Downloaded Program Files\popcaploader.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\ not found.
Starting removal of ActiveX control Garmin Communicator Plug-In
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Garmin Communicator Plug-In\ not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:813B8EB6 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:B9F8237A deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:815D61C4 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:331B76C7 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:483AC68A deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:288A91F8 deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\WINDOWS\System32\settings.sfm moved successfully.
C:\WINDOWS\System32\settingsbkup.sfm moved successfully.
C:\fsqwr.bmp moved successfully.
C:\WINDOWS\Adujabivebaxitiv.dat moved successfully.
C:\WINDOWS\Olitihikilugoqor.bin moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: 1

User: 1.Mom
->Temp folder emptied: 99297 bytes
->Temporary Internet Files folder emptied: 24804201 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 405 bytes

User: 1~Mom

User: 2.Kristin
->Temp folder emptied: 15257689 bytes
->Temporary Internet Files folder emptied: 17630248 bytes
->Java cache emptied: 3923 bytes
->Flash cache emptied: 42330 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: [USER]
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 732958 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 56.00 mb

OTL by OldTimer - Version 3.2.22.3 log created on 03252011_075545
Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\pdk-SYSTEM-516\0a6b9f23e356336cc61530f586d0c66a.dll not found!
File\Folder C:\WINDOWS\temp\pdk-SYSTEM-516\1ff4eae997b1753d848dbbc61d1b4345.dll not found!
File\Folder C:\WINDOWS\temp\pdk-SYSTEM-516\31aa023220b46a62dd91739a3bf1cad4.dll not found!
File\Folder C:\WINDOWS\temp\pdk-SYSTEM-516\36971e8ed4d19cc0a7051079b039c204.dll not found!
File\Folder C:\WINDOWS\temp\pdk-SYSTEM-516\42db37dadb779dbfc5da8bdd7ec61c52.dll not found!
File\Folder C:\WINDOWS\temp\pdk-SYSTEM-516\44abde5de65f3f034faac2c132713018.dll not found!
File\Folder C:\WINDOWS\temp\pdk-SYSTEM-516\7aace6f21e4c397996b145b7fd777643.dll not found!
File\Folder C:\WINDOWS\temp\pdk-SYSTEM-516\7acaa276f32e012922082aa697dfa218.dll not found!
File\Folder C:\WINDOWS\temp\pdk-SYSTEM-516\89f4ac43ba2b792785d9d472365e562b.dll not found!
File\Folder C:\WINDOWS\temp\pdk-SYSTEM-516\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll not found!
File\Folder C:\WINDOWS\temp\pdk-SYSTEM-516\b2774d247dfbf0abe8539e577ee59b4c.dll not found!
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_1c4.dat not found!
Registry entries deleted on Reboot...


----------



## PALV (Mar 10, 2011)

Kevin -
Looks like our last messages crossed. I had already disconnected from internet and disabled security - that must have been the issue since it ran successfully. Thanks for the update re: your schedule, will look for your reply whenever you return. 

Bill


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Just had a quick look before I leave, mmmm I'm concerned about that found new hardware alert.. Let's run Combofix again and see what turns up. Delete the version you have on your Desktop and d/l a fresh copy from either of the following links:

*Link 1*
*Link 2*

Turn off security and run as you have done previously, post the log and I'll have a look when I return,

Thanks,

Kevin.


----------



## PALV (Mar 10, 2011)

Kevin -

FWIW - that was the easiest ComboFix scan/report so far - hopefully a sign of good things to come!

Since the New HW Wizard caused you concern, I might as well share the following, too: for the past few days, sounds from this computer have been rather full of static - uncharacteristically so. System sounds, Windows start-up jingle, music, anything coming from the system sounds a bit "off". Checked speaker connections, reviewed sound controls from within Control Panel, etc. Not sure if it's a separate HW-related problem requiring a post in another forum, but thought I'd mention it just in case it happens to be a symptom of something you're familiar with.

Bill

----
ComboFix 11-03-24.05 - 2.Kristin 03/25/2011 9:36.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.411 [GMT -4:00]
Running from: c:\documents and settings\2.Kristin\Desktop\Gotcha.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\pdk-SYSTEM-572\0a6b9f23e356336cc61530f586d0c66a.dll
c:\windows\TEMP\pdk-SYSTEM-572\1ff4eae997b1753d848dbbc61d1b4345.dll
c:\windows\TEMP\pdk-SYSTEM-572\31aa023220b46a62dd91739a3bf1cad4.dll
c:\windows\TEMP\pdk-SYSTEM-572\36971e8ed4d19cc0a7051079b039c204.dll
c:\windows\TEMP\pdk-SYSTEM-572\42db37dadb779dbfc5da8bdd7ec61c52.dll
c:\windows\TEMP\pdk-SYSTEM-572\44abde5de65f3f034faac2c132713018.dll
c:\windows\TEMP\pdk-SYSTEM-572\7aace6f21e4c397996b145b7fd777643.dll
c:\windows\TEMP\pdk-SYSTEM-572\7acaa276f32e012922082aa697dfa218.dll
c:\windows\TEMP\pdk-SYSTEM-572\89f4ac43ba2b792785d9d472365e562b.dll
c:\windows\TEMP\pdk-SYSTEM-572\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
c:\windows\TEMP\pdk-SYSTEM-572\b2774d247dfbf0abe8539e577ee59b4c.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-25 to 2011-03-25 )))))))))))))))))))))))))))))))
.
.
2011-03-24 23:03 . 2011-03-24 23:03 -------- d-----w- C:\_OTL
2011-03-24 14:22 . 2011-03-24 14:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-24 14:22 . 2011-03-24 14:21 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-24 14:19 . 2011-03-24 14:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-03-24 13:28 . 2011-03-24 13:28 -------- d-----w- C:\_OTM
2011-03-22 17:40 . 2011-03-22 17:40 -------- d-----w- C:\bin
2011-03-22 17:34 . 2011-03-22 17:37 -------- d-----w- c:\program files\Common Files\HP
2011-03-22 17:30 . 2011-03-22 17:30 -------- d-----w- c:\program files\Hewlett-Packard
2011-03-22 11:06 . 2011-03-23 11:55 -------- d-----w- C:\ARK
2011-03-21 18:22 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2011-03-21 18:22 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-03-21 18:22 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2011-03-21 18:17 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-03-21 18:17 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-03-21 17:57 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-03-21 14:32 . 2011-03-21 14:32 -------- d-----w- c:\documents and settings\2.Kristin\Application Data\pdf995
2011-03-21 14:23 . 2011-03-21 14:45 59 ----a-w- c:\windows\wpd99.drv
2011-03-21 14:23 . 2011-03-21 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2011-03-21 14:23 . 2011-03-21 14:23 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2011-03-21 14:23 . 2011-03-21 14:23 249856 ----a-w- c:\windows\system32\pdfmona.dll
2011-03-21 14:23 . 2011-03-21 14:25 -------- d-----w- c:\program files\pdf995
2011-03-20 10:12 . 2011-03-20 10:12 -------- d-----w- c:\program files\VERIZONDM
2011-03-20 10:12 . 2011-03-20 10:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2011-03-20 10:11 . 2011-02-01 23:45 9811968 ----a-w- c:\windows\VerizonDM.msi
2011-03-20 10:11 . 2011-03-20 10:12 -------- d-----w- c:\program files\Common Files\SupportSoft
2011-03-19 20:37 . 2011-03-19 20:37 -------- d-----w- c:\documents and settings\2.Kristin\Local Settings\Application Data\Temp
2011-03-19 20:20 . 2011-03-19 20:20 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-03-16 19:10 . 2011-03-16 19:12 -------- d-----w- C:\Gotcha
2011-03-16 18:29 . 2011-03-20 10:27 -------- d-----w- c:\documents and settings\2.Kristin\Tracing
2011-03-16 12:01 . 2011-03-16 12:01 -------- d-----w- c:\documents and settings\2.Kristin\DoctorWeb
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\dllcache\mouclass.sys
2011-03-12 01:56 . 2011-03-12 01:56 -------- d-----w- c:\documents and settings\2.Kristin\Application Data\Malwarebytes
2011-02-27 20:01 . 2011-02-27 20:02 122562410 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 09:38 . 2004-08-04 02:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2011-02-04 21:48 . 2005-08-16 08:18 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 21:48 . 2005-08-16 08:18 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2005-08-16 08:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2005-08-16 08:37 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2005-08-16 08:18 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2005-08-16 08:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2005-08-16 08:18 1854976 ----a-w- c:\windows\system32\win32k.sys
2008-02-10 19:36 . 2008-02-10 19:36 4891136 ----a-w- c:\program files\WeatherbugSetupZ6157.msi
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 21:46 . 2007-11-13 21:46 135168 c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe
.
2007-05-11 07:06 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
.
2006-08-11 12:38 . 2005-08-06 01:05 344064 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
.
2005-06-10 14:44 . 2005-06-10 14:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
.
2005-06-10 14:44 . 2005-06-10 14:44 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
.
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\ccApp.exe
.
2006-08-11 12:40 . 2004-12-02 22:23 102400 c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe
.
2006-08-11 12:39 . 2005-09-15 13:47 57344 c:\program files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe
.
2006-08-11 12:40 . 2005-09-19 11:42 1159168 c:\program files\Creative\VoiceCenter\bak\AndreaVC.exe
.
2005-10-05 07:12 . 2005-10-05 07:12 94208 c:\program files\Dell\Media Experience\bak\DMXLauncher.exe
.
2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe
.
2007-09-02 11:14 . 2007-07-12 08:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe
.
2007-10-20 01:16 . 2007-10-20 01:16 286720 c:\program files\QuickTime\bak\qttask.exe
2009-09-05 05:54 . 2009-09-05 05:54 417792 c:\program files\QuickTime\QTTask.exe
.
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\bak\VPTray.exe
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\VPTray.exe
.
2006-08-22 03:30 . 2005-05-23 17:20 50744 c:\program files\Verizon Online\Help Support\bak\VERIZO~1.EXE
.
2006-08-11 12:39 . 2000-05-11 05:00 90112 c:\windows\bak\UpdReg.EXE
.
2005-08-16 08:37 . 2005-09-29 18:01 67584 c:\windows\ehome\bak\ehtray.exe
.
2005-08-16 08:18 . 2004-08-10 09:00 15360 c:\windows\system32\bak\ctfmon.exe
2005-08-16 08:18 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe
.
2006-08-11 12:52 . 2005-09-08 09:20 122940 c:\windows\system32\DLA\bak\DLACTRLW.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-02-01 206120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Task Manager.lnk - c:\windows\system32\taskmgr.exe [2005-8-16 135680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
c:\program files\AIM6\aim6.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/15/2010 1:55 PM 363344]
R2 Reporting;Reporting Agents;c:\program files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe [9/27/2006 2:17 PM 1324808]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 5:54 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 5:54 AM 185640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/11/2011 10:15 AM 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/15/2010 1:55 PM 20952]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 10:54 AM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
2011-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-25 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-02-28 19:31]
.
2011-03-23 c:\windows\Tasks\WebReg Photosmart C6100 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 21:45]
.
2011-03-25 c:\windows\Tasks\WinUtilities-02BB2F56CB964deb8996194DE7EB5275.job
- c:\program files\WinUtilities\WinUtil.exe [2010-08-15 15:28]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-25 10:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(8052)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\CBA\pds.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2011-03-25 10:26:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-25 14:25
ComboFix2.txt 2011-03-21 22:47
ComboFix3.txt 2011-03-20 11:28
ComboFix4.txt 2011-03-16 19:46
ComboFix5.txt 2011-03-25 13:30
.
Pre-Run: 84,808,900,608 bytes free
Post-Run: 84,790,538,240 bytes free
.
- - End Of File - - 9EB804F1EB3348CCB290D0CBA01F5652


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

I honestly believe we will chase our tails with this one in a continuous loop. We now seem to be back where we started; I've no doubt that if we run GMER we'll find the infection back and firmly rooted again.
I feel the best way forward is to re-format and re-install your system. Would that be a problem for you?

Kevin


----------



## PALV (Mar 10, 2011)

Kevin -
Help me understand why you think we're back to the beginning - something in the latest ComboFix logs or just a gut feel? 

To answer your question - I'd prefer not to reformat and reinstall for a couple of reasons: 1) never done it before, so not sure how difficult/risky it is to do; 2) nothing backed up, so that would be a mini project to begin with (I know, I know - shame on me); 3) having never needed them before, not even sure I have system disks to reinstall from. I'd have to go searching for them (it's a legitimate copy of Windows, bought directly from Dell in '06).

Not saying "no" - just responding to your questions with reasons for my initial hesitance. Back to my original question - how "bad" would it be not to reformat/reinstall? If it were your system, what would you do???

Bill


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

You mentioned the alert that "new hardware" was detected again. I was concerned about that, we ran CF and this has returned:

```
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 21:46 . 2007-11-13 21:46 135168 c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe
.
2007-05-11 07:06 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
.
2006-08-11 12:38 . 2005-08-06 01:05 344064 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
.
2005-06-10 14:44 . 2005-06-10 14:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
.
2005-06-10 14:44 . 2005-06-10 14:44 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
.
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\ccApp.exe
.
2006-08-11 12:40 . 2004-12-02 22:23 102400 c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe
.
2006-08-11 12:39 . 2005-09-15 13:47 57344 c:\program files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe
.
2006-08-11 12:40 . 2005-09-19 11:42 1159168 c:\program files\Creative\VoiceCenter\bak\AndreaVC.exe
.
2005-10-05 07:12 . 2005-10-05 07:12 94208 c:\program files\Dell\Media Experience\bak\DMXLauncher.exe
.
2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe
.
2007-09-02 11:14 . 2007-07-12 08:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe
.
2007-10-20 01:16 . 2007-10-20 01:16 286720 c:\program files\QuickTime\bak\qttask.exe
2009-09-05 05:54 . 2009-09-05 05:54 417792 c:\program files\QuickTime\QTTask.exe
.
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\bak\VPTray.exe
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\VPTray.exe
.
2006-08-22 03:30 . 2005-05-23 17:20 50744 c:\program files\Verizon Online\Help Support\bak\VERIZO~1.EXE
.
2006-08-11 12:39 . 2000-05-11 05:00 90112 c:\windows\bak\UpdReg.EXE
.
2005-08-16 08:37 . 2005-09-29 18:01 67584 c:\windows\ehome\bak\ehtray.exe
.
2005-08-16 08:18 . 2004-08-10 09:00 15360 c:\windows\system32\bak\ctfmon.exe
2005-08-16 08:18 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe
.
2006-08-11 12:52 . 2005-09-08 09:20 122940 c:\windows\system32\DLA\bak\DLACTRLW.EXE
```

It just seemed too much of a coincidence; we've removed a considerable amount of malware from your system, some dating back to July 2010.

What is happening with your system at present, tell me exactly what issues remain. If you want to continue I`ll oblige.

Kevin...
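The AWF block Kevin quotes pairs each `bak\` copy with the same-named file in its parent folder, and a lone `bak\` line marks a file with no live counterpart left. As an added illustration, not part of the thread and not ComboFix's own code, this Python parses lines in that format and triages each pair by whether the live file is missing or differs in size from the displaced copy; the sample lines are constructed from the log format above.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in the shape of ComboFix's AWF section: each "bak\" copy
# is followed by the same-named file in the parent folder when one exists;
# a lone "bak\" line means no live counterpart was present at scan time.
SAMPLE_AWF = r"""
2007-10-20 01:16 . 2007-10-20 01:16 286720 c:\program files\QuickTime\bak\qttask.exe
2009-09-05 05:54 . 2009-09-05 05:54 417792 c:\program files\QuickTime\QTTask.exe
.
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\bak\VPTray.exe
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\VPTray.exe
.
2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe
.
2005-08-16 08:18 . 2004-08-10 09:00 15360 c:\windows\system32\bak\ctfmon.exe
2005-08-16 08:18 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe
"""

# "<created> . <modified> <size> <path>" is the column layout ComboFix prints.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (.+)$"
)


@dataclass(frozen=True)
class Entry:
    created: str
    modified: str
    size: int
    path: PureWindowsPath


def parse_awf(text: str) -> list[Entry]:
    """Parse the AWF section; separator dots and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), int(m.group(3)),
                                 PureWindowsPath(m.group(4))))
    return entries


def triage_awf(text: str) -> dict[str, str]:
    """Map each expected live path (lower-cased) to a triage verdict.

    live-missing   only the bak copy remains; nothing sits in the original spot
    size-mismatch  the live file differs in size from the displaced original
    same-size      sizes agree; still worth a hash check, but lowest priority
    """
    entries = parse_awf(text)
    # Live files keyed by their full path; Windows paths compare case-insensitively.
    live = {str(e.path).lower(): e for e in entries
            if e.path.parent.name.lower() != "bak"}
    report = {}
    for e in entries:
        if e.path.parent.name.lower() != "bak":
            continue
        expected = e.path.parent.parent / e.path.name  # where the file used to live
        key = str(expected).lower()
        current = live.get(key)
        if current is None:
            report[key] = "live-missing"
        elif current.size != e.size:
            report[key] = "size-mismatch"
        else:
            report[key] = "same-size"
    return report


if __name__ == "__main__":
    for path, verdict in sorted(triage_awf(SAMPLE_AWF).items()):
        print(f"{verdict:14} {path}")
```

A size mismatch alone does not prove the live file is malicious (the QuickTime pair above is a newer legitimate build), so the verdict is a review queue, not a removal list.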


----------



## PALV (Mar 10, 2011)

Kevin -
System is not displaying any symptoms at present (other than occasionally taking a bit longer to boot up than in the past) - which is why I was kind of surprised that the rootkit showed up again on the last scan results. If you're willing, and think we can somehow attack it and make some progress (again), I'd like to continue.

Thanks for your patience and persistence.

Bill


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

As follows please :-

*Step 1*

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the Codebox below into it:


```
KillAll::

File::
c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak
c:\program files\Adobe\Reader 8.0\Reader\bak\
c:\program files\ATI Technologies\ATI Control Panel\bak
c:\program files\Common Files\InstallShield\UpdateService\bak
c:\program files\Creative\MediaSource\Detector\bak
c:\program files\Creative\SBAudigy\Surround Mixer\bak\
c:\program files\Creative\VoiceCenter\bak
c:\program files\Dell\Media Experience\bak
c:\program files\DellSupport\bak
c:\windows\bak\UpdReg.EXE
c:\windows\ehome\bak
c:\windows\system32\DLA\bak
c:\program files\Java\jre1.6.0_02\bin\bak
AWF::
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\bak\VPTray.exe
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\VPTray.exe
2007-10-20 01:16 . 2007-10-20 01:16 286720 c:\program files\QuickTime\bak\qttask.exe
2009-09-05 05:54 . 2009-09-05 05:54 417792 c:\program files\QuickTime\QTTask.exe
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\ccApp.exe
```
Save this as *CFScript.txt*, and as Type: *All Files* (*.*) in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.

*Step 2*

*Run ESET Online Scan*

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
*ESET OnlineScan*

1. Click the button.
2. For alternate browsers only (Microsoft Internet Explorer users can skip these steps): click on the link to download the ESET Smart Installer. *Save* it to your desktop. Double click on the icon on your desktop.
3. Check the box.
4. Click the button.
5. Accept any security warnings from your browser.
6. Check the box.
7. Leave the tick out of *remove found threats*.
8. Push the *Start* button.
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
10. When the scan completes, push the button.
11. Push the button, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Push the button.
13. Push the button.

You can refer to *this animation* by *neomage* if needed.
Frequently asked questions are available *Here*. *Please read them before running the scan.*

Also be aware this scan can take between one and several hours to complete depending on the size of your system.

Let me see the logs from Combofix and ESET in your reply.

Kevin


----------



## PALV (Mar 10, 2011)

Kevin -

Here you go.

Bill

---

ComboFix 11-03-24.05 - 2.Kristin 03/28/2011 20:59:25.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.398 [GMT -4:00]
Running from: c:\documents and settings\2.Kristin\Desktop\Gotcha.exe
Command switches used :: c:\documents and settings\2.Kristin\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
FILE ::
"c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak"
"c:\program files\Adobe\Reader 8.0\Reader\bak\"
"c:\program files\ATI Technologies\ATI Control Panel\bak"
"c:\program files\Common Files\InstallShield\UpdateService\bak"
"c:\program files\Creative\MediaSource\Detector\bak"
"c:\program files\Creative\SBAudigy\Surround Mixer\bak\"
"c:\program files\Creative\VoiceCenter\bak"
"c:\program files\Dell\Media Experience\bak"
"c:\program files\DellSupport\bak"
"c:\program files\Java\jre1.6.0_02\bin\bak"
"c:\windows\bak\UpdReg.EXE"
"c:\windows\ehome\bak"
"c:\windows\system32\DLA\bak"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\pdk-SYSTEM-436\0a6b9f23e356336cc61530f586d0c66a.dll
c:\windows\TEMP\pdk-SYSTEM-436\1ff4eae997b1753d848dbbc61d1b4345.dll
c:\windows\TEMP\pdk-SYSTEM-436\31aa023220b46a62dd91739a3bf1cad4.dll
c:\windows\TEMP\pdk-SYSTEM-436\36971e8ed4d19cc0a7051079b039c204.dll
c:\windows\TEMP\pdk-SYSTEM-436\42db37dadb779dbfc5da8bdd7ec61c52.dll
c:\windows\TEMP\pdk-SYSTEM-436\44abde5de65f3f034faac2c132713018.dll
c:\windows\TEMP\pdk-SYSTEM-436\7aace6f21e4c397996b145b7fd777643.dll
c:\windows\TEMP\pdk-SYSTEM-436\7acaa276f32e012922082aa697dfa218.dll
c:\windows\TEMP\pdk-SYSTEM-436\89f4ac43ba2b792785d9d472365e562b.dll
c:\windows\TEMP\pdk-SYSTEM-436\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
c:\windows\TEMP\pdk-SYSTEM-436\b2774d247dfbf0abe8539e577ee59b4c.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-29 )))))))))))))))))))))))))))))))
.
.
2011-03-28 17:19 . 2011-03-28 17:19 -------- d-----w- c:\documents and settings\2.Kristin\Application Data\Juniper Networks
2011-03-24 23:03 . 2011-03-24 23:03 -------- d-----w- C:\_OTL
2011-03-24 14:22 . 2011-03-24 14:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-24 14:22 . 2011-03-24 14:21 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-24 14:19 . 2011-03-24 14:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-03-24 13:28 . 2011-03-24 13:28 -------- d-----w- C:\_OTM
2011-03-22 17:40 . 2011-03-22 17:40 -------- d-----w- C:\bin
2011-03-22 17:34 . 2011-03-22 17:37 -------- d-----w- c:\program files\Common Files\HP
2011-03-22 17:30 . 2011-03-22 17:30 -------- d-----w- c:\program files\Hewlett-Packard
2011-03-22 11:06 . 2011-03-23 11:55 -------- d-----w- C:\ARK
2011-03-21 18:22 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2011-03-21 18:22 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-03-21 18:22 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2011-03-21 18:17 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-03-21 18:17 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-03-21 17:57 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-03-21 14:32 . 2011-03-21 14:32 -------- d-----w- c:\documents and settings\2.Kristin\Application Data\pdf995
2011-03-21 14:23 . 2011-03-21 14:45 59 ----a-w- c:\windows\wpd99.drv
2011-03-21 14:23 . 2011-03-21 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2011-03-21 14:23 . 2011-03-21 14:23 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2011-03-21 14:23 . 2011-03-21 14:23 249856 ----a-w- c:\windows\system32\pdfmona.dll
2011-03-21 14:23 . 2011-03-21 14:25 -------- d-----w- c:\program files\pdf995
2011-03-20 10:12 . 2011-03-20 10:12 -------- d-----w- c:\program files\VERIZONDM
2011-03-20 10:12 . 2011-03-20 10:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2011-03-20 10:11 . 2011-02-01 23:45 9811968 ----a-w- c:\windows\VerizonDM.msi
2011-03-20 10:11 . 2011-03-20 10:12 -------- d-----w- c:\program files\Common Files\SupportSoft
2011-03-19 20:37 . 2011-03-19 20:37 -------- d-----w- c:\documents and settings\2.Kristin\Local Settings\Application Data\Temp
2011-03-19 20:20 . 2011-03-19 20:20 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-03-16 19:10 . 2011-03-16 19:12 -------- d-----w- C:\Gotcha
2011-03-16 18:29 . 2011-03-20 10:27 -------- d-----w- c:\documents and settings\2.Kristin\Tracing
2011-03-16 12:01 . 2011-03-16 12:01 -------- d-----w- c:\documents and settings\2.Kristin\DoctorWeb
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2011-03-14 18:32 . 2008-04-13 19:39 23040 ----a-w- c:\windows\system32\dllcache\mouclass.sys
2011-03-12 01:56 . 2011-03-12 01:56 -------- d-----w- c:\documents and settings\2.Kristin\Application Data\Malwarebytes
2011-02-27 20:01 . 2011-02-27 20:02 122562410 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 09:38 . 2004-08-04 02:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2011-02-04 21:48 . 2005-08-16 08:18 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 21:48 . 2005-08-16 08:18 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2005-08-16 08:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2005-08-16 08:37 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2005-08-16 08:18 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2005-08-16 08:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2005-08-16 08:18 1854976 ----a-w- c:\windows\system32\win32k.sys
2008-02-10 19:36 . 2008-02-10 19:36 4891136 ----a-w- c:\program files\WeatherbugSetupZ6157.msi
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 21:46 . 2007-11-13 21:46 135168 c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe
.
2007-05-11 07:06 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
.
2006-08-11 12:38 . 2005-08-06 01:05 344064 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
.
2005-06-10 14:44 . 2005-06-10 14:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
.
2005-06-10 14:44 . 2005-06-10 14:44 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
.
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
2006-07-19 23:26 . 2006-07-19 23:26 52896 c:\program files\Common Files\Symantec Shared\ccApp.exe
.
2006-08-11 12:40 . 2004-12-02 22:23 102400 c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe
.
2006-08-11 12:39 . 2005-09-15 13:47 57344 c:\program files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe
.
2006-08-11 12:40 . 2005-09-19 11:42 1159168 c:\program files\Creative\VoiceCenter\bak\AndreaVC.exe
.
2005-10-05 07:12 . 2005-10-05 07:12 94208 c:\program files\Dell\Media Experience\bak\DMXLauncher.exe
.
2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe
.
2007-09-02 11:14 . 2007-07-12 08:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe
.
2007-10-20 01:16 . 2007-10-20 01:16 286720 c:\program files\QuickTime\bak\qttask.exe
2009-09-05 05:54 . 2009-09-05 05:54 417792 c:\program files\QuickTime\QTTask.exe
.
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\bak\VPTray.exe
2006-09-28 00:33 . 2006-09-28 00:33 125168 c:\program files\Symantec AntiVirus\VPTray.exe
.
2006-08-22 03:30 . 2005-05-23 17:20 50744 c:\program files\Verizon Online\Help Support\bak\VERIZO~1.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Task Manager.lnk - c:\windows\system32\taskmgr.exe [2005-8-16 135680]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
c:\program files\AIM6\aim6.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VERIZONDM]
2011-02-01 09:54 206120 ----a-w- c:\program files\VERIZONDM\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/15/2010 1:55 PM 363344]
R2 Reporting;Reporting Agents;c:\program files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe [9/27/2006 2:17 PM 1324808]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 5:54 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 5:54 AM 185640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/11/2011 10:15 AM 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/15/2010 1:55 PM 20952]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 10:54 AM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
2011-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 14:54]
.
2011-03-28 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-02-28 19:31]
.
2011-03-23 c:\windows\Tasks\WebReg Photosmart C6100 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 21:45]
.
2011-03-29 c:\windows\Tasks\WinUtilities-02BB2F56CB964deb8996194DE7EB5275.job
- c:\program files\WinUtilities\WinUtil.exe [2010-08-15 15:28]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-28 21:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(7396)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\CBA\pds.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
.
**************************************************************************
.
Completion time: 2011-03-28 21:42:03 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-29 01:41
ComboFix2.txt 2011-03-25 14:26
ComboFix3.txt 2011-03-21 22:47
ComboFix4.txt 2011-03-20 11:28
ComboFix5.txt 2011-03-29 00:56
.
Pre-Run: 84,706,279,424 bytes free
Post-Run: 84,732,129,280 bytes free
.
- - End Of File - - 1A0F48F9857CC63BB551221793E1D16D
---

ESETScan log :

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FastBrowserSearchToolbar14.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FastBrowserSearchToolbar26.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FastBrowserSearchToolbar27.zip Win32/Bagle.gen.zip worm
C:\Qoobox\Quarantine\[4]-Submit_2011-03-21_18.02.19.zip Win32/Adware.Relevant application
C:\Qoobox\Quarantine\C\Documents and Settings\[USER]\Local Settings\Application Data\pwg.exe.vir a variant of Win32/Kryptik.LOD trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\cpyidimg.dll.vir a variant of Win32/Urlbot.NAI trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\urigamon.dll.vir a variant of Win32/Urlbot.NAN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\zipahfat\usbabdev\polottbl.dll.vir a variant of Win32/Urlbot.NAG trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1440\A0121594.exe.vir a variant of Win32/Kryptik.LOD trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1441\A0121793.dll.vir a variant of Win32/Urlbot.NAI trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1441\A0121794.dll.vir a variant of Win32/Urlbot.NAN trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1441\A0121795.dll.vir a variant of Win32/Urlbot.NAG trojan


----------
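
Every hit in the ESET log above sits in a stored copy rather than a live file: ComboFix's own quarantine under C:\Qoobox, System Restore snapshots under System Volume Information, and Spybot's Recovery backups. That distinction decides whether a detection needs action or just a purge of old backups, so a small triage script makes it explicit. This is an added example, not part of the thread and not ESET or ComboFix tooling; the location rules, the function names and the single "live" sample line are assumptions constructed for illustration.

```python
"""Sort ESET scan hits by where the file sits (added example, not ESET/ComboFix code)."""
import re
from typing import Dict, List, Optional

# A line is "<path> <detection>": the path ends at the last dotted extension
# (".zip", ".vir", ".exe") that is followed by whitespace; the rest is the verdict.
_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]+)\s+(?P<detection>\S.*)$")

# Places where a hit is a stored copy rather than a running or loadable file.
# Assumed rules: the patterns and the cleanup notes are this example's own.
_INERT = [
    (re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.I),
     "combofix quarantine",
     "already moved here by ComboFix; Combofix /Uninstall removes the folder"),
    (re.compile(r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\", re.I),
     "system restore point",
     "only comes back if that restore point is applied; resetting System Restore purges it"),
    (re.compile(r"\\spybot - search & destroy\\recovery\\", re.I),
     "spybot recovery backup",
     "Spybot's own backup of an item it removed; purge it from Spybot's Recovery list"),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one ESET log line into path and detection name, or None if it is not one."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return {"path": m.group("path"), "detection": m.group("detection")}


def classify(path: str) -> Dict[str, object]:
    """Say whether a detected file is a dormant copy or sits in a live location."""
    for pattern, label, note in _INERT:
        if pattern.search(path):
            return {"location": label, "active": False, "note": note}
    return {"location": "live file system", "active": True,
            "note": "not a backup copy: treat as a current infection and remove it"}


def triage(log_text: str) -> Dict[str, List]:
    """Bucket every line of an ESET log into active, inert, or unparsed."""
    result: Dict[str, List] = {"active": [], "inert": [], "unparsed": []}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            result["unparsed"].append(raw)
            continue
        entry.update(classify(entry["path"]))
        result["active" if entry["active"] else "inert"].append(entry)
    return result


# Constructed sample: four lines copied from the log posted above plus one
# hypothetical live-location hit (the last line) so the "active" branch is exercised.
SAMPLE_ESET_LOG = r"""
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FastBrowserSearchToolbar14.zip Win32/Bagle.gen.zip worm
C:\Qoobox\Quarantine\[4]-Submit_2011-03-21_18.02.19.zip Win32/Adware.Relevant application
C:\Qoobox\Quarantine\C\Documents and Settings\[USER]\Local Settings\Application Data\pwg.exe.vir a variant of Win32/Kryptik.LOD trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1440\A0121594.exe.vir a variant of Win32/Kryptik.LOD trojan
C:\Documents and Settings\[USER]\Local Settings\Temp\constructed-sample.exe a variant of Win32/Kryptik.LOD trojan
"""

if __name__ == "__main__":
    report = triage(SAMPLE_ESET_LOG)
    for bucket in ("active", "inert"):
        print(f"{bucket}: {len(report[bucket])}")
        for e in report[bucket]:
            print(f"  [{e['location']}] {e['detection']}\n      {e['path']}\n      {e['note']}")
```

Run against the real log, the script reports zero active hits and four kinds of dormant copies; the restore-point copies are the ones worth remembering, because they survive every on-demand scan until System Restore is reset, which is exactly what the Combofix /Uninstall step in the next reply does.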



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Proceed as follows please :-

*Step 1*


Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")

 Please follow the prompts to uninstall Combofix.
 You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
The above procedure will delete the following:

 ComboFix and its associated files and folders.
 VundoFix backups, if present
 The C:\_OtMoveIt folder, if present
 Reset the clock settings.
 Hide file extensions, if required.
 Hide System/Hidden files, if required.
 Reset System Restore.

Let me know if the uninstall was successful.

*Step 2*


Download *OTC* by OldTimer and save it to your *desktop.* *Alternative mirror*
Double click the OTC icon to start the program.
If you are using Vista or Windows 7, please right-click and choose run as administrator.
Then click the big *CleanUp!* button.
You will get a prompt saying "_Beginning Cleanup Process_". Please select *Yes*.
Restart your computer when prompted.

*Step 3*

I want you to Uninstall Norton from Add/Remove programs and run the Norton removal tool:

Download and install the Norton removal tool from *Here*

*Alternative link*

Install and run the tool, follow any prompts that are given.

*Step 4*

Uninstall QuickTime from Add/Remove Programs. Re-Boot your PC.

*Step 5*

Download and install Microsoft Security Essentials from *Here*, hit the "Download Now" tab. Once installed it will want to update and carry out a quick scan; allow that to happen. Let me know if it finds anything. It does not produce a log: open the main interface > select the "History" tab, make sure "All detected items" is selected. You will have a list of anything found.

*Step 6*

*Download and scan with* *CCleaner*

1. Use either one of the two free links below the Premium version.
2. Before first use, *select Options > Advanced and UNCHECK* "*Only delete files in Windows Temp folder older than 24 hours*"
3. Then select the items you wish to clean up.

*In the Windows Tab*:


 * Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.* 
 *Clean all the entries in the "Windows Explorer" section.*
 *Clean all entries in the "System" section.* 
 *Clean all entries in the "Advanced" section.* 
 *Clean any others that you choose.*

*In the Applications Tab*: 

 *Clean all except cookies in the Firefox/Mozilla section if you use it.*
 *Clean all in the Opera section if you use it.* 
 *Clean Sun Java in the Internet Section.* 
 *Clean any others that you choose.*
 *Make sure "Wipe free space" is unticked, this will dramatically increase scan time if selected.* 

4. Click the "*Run Cleaner*" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "*OK*" and it will scan and clean your system.
7. Click "*exit*" when done.

Let me know if all steps completed OK. Did MSE find anything? Was the Combofix /Uninstall command successful? How is your system responding, any new or remaining issues?

Kevin


----------



## PALV (Mar 10, 2011)

Kevin -
In Step #3 you instructed : _I want you to Uninstall Norton from Add/Remove programs and run the Norton removal tool_

1) Do you just want Norton Security Scan removed, or the Symantec [Norton] AntiVirus, too?

2) Will the Norton Removal Tool remove both?

Bill


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

I`d like you to remove Norton altogether, you can re-install later. Uninstall both Add/Remove then run the removal tool. 

Kevin


----------



## PALV (Mar 10, 2011)

Ok - will do.

Thanks.


----------



## kevinf80 (Mar 21, 2006)

Okey dokey,


----------



## PALV (Mar 10, 2011)

Kevin -
All steps ran successfully.

1 - ComboFix uninstalled without issue.
2 - OTC cleaned up. Upon reboot, however, "Found New Hardware Wizard" reappeared. (Cancelled without proceeding.)
3 - Uninstalled Norton and Symantec AV. Norton Removal Tool ran successfully. Rebooted without incident.
4 - Uninstalled QuickTime. Upon reboot - "Found New Hardware Wizard" reappeared. (Cancelled)
5 - MSE installed and run. Nothing detected.
6 - CCleaner installed and run as directed.

Post CCleaner scan - I noticed both an "AIM 6" and a generic icon for QuickTime in the Quick Launch toolbar. Neither program appears in the Add/Remove Programs listing (didn't think so). Rebooted, thinking they may have been an artifact of the CCleaner process. (BTW - no HW Wizard appeared after this reboot).

Icons still remain after reboot. Right-clicking the icons and selecting Properties, the QuickTime icon info is blank, but the AIM6 one shows a legit AIM target folder - with old logs (3-4 yrs old) which I recognize from when my daughter used this machine. So - maybe not significant, but didn't want to simply delete the icons without reporting this first.

Otherwise - nothing out of the ordinary. 

3 questions:

- OK to reinstall Symantec AV? (just feeling kind of nervous with no AV present...)

- MSE seems to be running and monitoring the system - default settings indicate scheduled scans and realtime protection status. Leave alone? Is this redundant with MBAM, which I usually have running?

- OK to delete the AIM folders?

Bill


----------



## PALV (Mar 10, 2011)

Correction - AOL _*is*_ listed among installed programs - missed it when looking the first time. No need for it - OK to uninstall?

Bill


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Microsoft Security Essentials is Antivirus/Antimalware/AntiSpyware/Rootkit protection; it's free, has a very small footprint, uses minimal resources and has the easiest user interface you'll ever use, IMHO.

Regarding your questions, leave Norton off for now, let's just run with MSE and Windows Firewall.

Regarding programs to delete, any that are not used should be uninstalled.

Once they have been removed open CCleaner > Select > Registry > Scan for issues > Fix selected issues > say yes to back up, save somewhere handy. Follow the prompts.

Next, Select > Cleaner > Run Cleaner > then Reboot. Give it 24 hours normal use and post back how the system is responding; obviously if you have any issues or concerns, post back as required.

Also keep the free version of Malwarebytes, a very good security program. The free version has no realtime protection or auto updates, but it is an excellent stand alone scanner; always update first. Normally a quick scan is all that is required.

It's 25 after midnight local time for me, sleepy time methinks....

Kevin,


----------



## PALV (Mar 10, 2011)

Thanks, Kevin. Will follow up and let run for 24hrs. Have a good nite.

Bill


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Ok, let me know how you make out...

Kevin


----------



## PALV (Mar 10, 2011)

Kevin -
Well - system seems to be doing pretty well. No hijacks or redirects while browsing, but New HW Wizard still shows up upon reboot. Other than the annoying sound clipping that occurs regularly now - no other symptoms (my fingers are crossed....).

BTW - realized the MBAM version I have IS a paid subscription - and I do have realtime protection and update alerts. Forgot that I subscribed when first having issues several months ago and wanted the realtime protection. MSE and MBAM have been coexisting without issue.

Bill


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Good to hear some form of normality has returned. Also excellent news on MB, and yes, it will run side by side with MSE. I use them both myself and never have any issues.
The Windows Firewall for XP is basic and is only one-way protection; it will be much more secure if you install a software firewall. My recommendation is Online Armour, there is a free version for home users. Please visit the tutorial before installation if you elect to use it. My canned text for it follows:

You also need a software Firewall, *Online Armour Free Firewall* is one of the best available, also go *Here* for an excellent tutorial that will show you how to use it.

Regarding the "Found New Hardware" issue. Follow the instructions *Here* if you are comfortable editing the Registry.

As always we back up the registry before making a change, as follows please :-

*Backing Up Your Registry*

Download *ERUNT* 
_(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)_
Install *ERUNT* by following the prompts
_(use the default install settings but say no to the portion that asks you to add *ERUNT* to the start-up folder, if you like you can enable this option later)_
Start *ERUNT*
_(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)_
Choose a location for the backup
_(the default location is C:\WINDOWS\ERDNT which is acceptable)._
Make sure that at least the first two check boxes are ticked
Press *OK*
Press *YES* to create the folder.

You'll have to expand on the noise you refer to, I'm not sure what you mean. Could it be a noisy fan possibly?

Post back and let me know if hardware issue is gone..

Kevin


----------



## PALV (Mar 10, 2011)

Kevin -
Thanks for the recommendation of using MB + MSE together - will continue so here and add both to my other system as well.

- Installed and have Online Armour up and running.

- Installed ERUNT and backed up registry.

- Followed instructions in MS kb link to resolve repetitive HW Wizard notices, however, once in the registry, it would not allow me to delete the key specified, instead returning the error message "Unable to delete all specified values". Interestingly, under the Data heading, the key is listed as "(value not set)". Suggestion??

Bill

PS - re: sound issue, it's not an external sound like a fan. From post #80 - *"for the past few days, sounds from this computer have been rather full of static - uncharacteristically so. System sounds, Windows start-up jingle, music, anything coming from the system sounds a bit "off". Checked speaker connections, reviewed sound controls from within Control Panel, etc. Not sure if it's a separate HW-related problem requiring a post in another forum, but thought I'd mention it just in case it happens to be a symptom of something you're familiar with.* As this machine is often used to play background music, it's just a very noticeable difference, and as indicated above, I mentioned it so you were aware, in case it might have been a symptom of an infection or other problem we were trying to fix.


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

If you cannot delete the registry entry then try visiting the manufacturer's web site for your printer and see if there is a driver update available for the printer.

Were you logged in with Administrator rights?

When you tried to delete the entry, did you right click as per the attached image?

Regarding the Sound issue, navigate > Start > right click on "My Computer" > select "Manage" > "Device Manager" > expand > Sound, video and controllers. See if there are any exclamation marks against any entries. Right click on audio devices and select "Update Driver Software" > select "Search Automatically" and follow the prompts.

Kevin


----------



## PALV (Mar 10, 2011)

Kevin -

See below -

Bill



kevinf80 said:


> If you cannot delete the registry entry then try visiting the Manf. web site for your printer and see if there is a driver update available for the printer.
> 
> *- When deleting unused programs last week, I had removed some ancillary features of the HP printer, which messed up the printer altogether, so I uninstalled/reinstalled the entire thing, with newest available drivers. (FYI - New HW Wizard pop-ups were occuring long before this reinstall.)*
> 
> ...


----------



## kevinf80 (Mar 21, 2006)

Hiya Bill,

Can you disconnect the printer from the PC altogether, also any other external devices except for keyboard, mouse and monitor. Obviously your modem/router will stay connected.
Re-boot your PC and see if you still get the "Found New Hardware" alert.

Does your monitor have inbuilt speakers? Can you disconnect the external speakers and use the monitor ones (if present) and see if that makes a difference...

Kev..


----------

