# Browser Hijacker / Program Files "LP" folder keeps reappearing...



## dave07060033 (Nov 10, 2011)

I got a message from Symantec AntiVirus a couple of days ago when I was on a veteran job board about to post a resume. It said it was blocking some suspicious activity. Shortly after that, I noticed when I did a Google search for about anything, the links were not going to what I was selecting. I also noticed a lot of strange processes running in Task Manager. I went to msconfig and deleted the startup processes, and there was a folder named "LP" in Program Files that was not previously there. I deleted it but it keeps regenerating when I reboot. The cryptic processes seem to have stopped for the time being, but I am still getting the browser hijacks at random times. Other issues have been strange Internet Explorer messages when I am not even using Internet Explorer; it changed my Firefox and IE settings to use a proxy server, and a couple of random pop-up windows. Symantec has something in quarantine called Trojan.FakeAV with an exe file named 02692471103690665.exe. Here is a copy of my HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:40:33 AM, on 11/10/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\xxx\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:52505
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303912342156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1303928978968
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/RELEASECAB/install.cab
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 6926 bytes

Thanks in advance for any assistance you can provide.


----------
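The line in the HijackThis log above that explains the symptoms is `R1 - HKCU\...\Internet Settings,ProxyServer = http=127.0.0.1:52505`: the browser has been pointed at a proxy on the machine itself, so a local process sees every page request and can swap the destination of a search-result click. As an added example that is not part of the original thread and not code from HijackThis or from either poster, the Python script below scans a HijackThis-format log for that indicator and a few related ones (a non-default `UserInit`, Run entries launched from temp or profile directories, all-digit executable names like the quarantined sample, IE policy restrictions). The sample log lines are constructed for the example, modelled on the format shown above; the user name, the file name `k3xq9pzw.exe` and the digit-named entry are made up.

```python
"""Scan a HijackThis-format log for browser-hijack indicators.

Added example for this thread; not from the original posters or from HijackThis.
Every sample line below is constructed to look like the log format shown above.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, HijackThis entry type, reason)

# Constructed sample log. The proxy value mirrors the pattern seen in the thread;
# the user name, k3xq9pzw.exe and the all-digit entry are made up for the example.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:52505
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [k3xq9pzw] C:\Documents and Settings\user\Local Settings\Temp\k3xq9pzw.exe
O4 - HKLM\..\Run: [04471938206551273] C:\WINDOWS\04471938206551273.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUN_ENTRY = re.compile(r".*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_PATH = re.compile(r'"?(?P<path>.+?\.exe)"?', re.IGNORECASE)
# Directories a legitimate Windows XP startup program has no business living in.
USER_WRITABLE_DIRS = re.compile(r"\\(local settings\\temp|application data|temp)\\", re.IGNORECASE)
# Narrow heuristic: an all-digit basename, as with the quarantined sample in the thread.
RANDOM_NAME = re.compile(r"^[0-9]{8,}\.exe$")
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Return (type, rest) for a 'R1 - ...' style line, or None for anything else."""
    m = ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def is_loopback_proxy(value: str) -> bool:
    """ProxyServer is 'host:port' or 'http=host:port;https=host:port;...'."""
    for part in value.split(";"):
        host = part.split("=", 1)[-1].strip().rsplit(":", 1)[0]
        if host.lower() == "localhost":
            return True
        try:
            if ipaddress.ip_address(host).is_loopback:
                return True
        except ValueError:  # a hostname rather than an address
            continue
    return False


def exe_path(cmd: str) -> str:
    """Strip quotes and arguments from a Run command, keeping the executable path."""
    m = EXE_PATH.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def analyse(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        kind, rest = entry
        if kind == "R1" and "ProxyServer" in rest:
            value = rest.split("=", 1)[1].strip()
            if is_loopback_proxy(value):
                # A proxy on 127.0.0.1 means a local process sees, and can rewrite,
                # every page the browser loads. Debugging proxies and some AV web
                # filters do this legitimately, so confirm none is installed first.
                findings.append(("high", kind, f"browser proxied through loopback: {value}"))
            else:
                findings.append(("medium", kind, f"proxy configured: {value}"))
        elif kind == "F2" and "UserInit=" in rest:
            # Anything appended to UserInit runs at every logon, before the shell.
            value = rest.split("UserInit=", 1)[1]
            entries = [p.strip().lower() for p in value.split(",") if p.strip()]
            if entries != [EXPECTED_USERINIT]:
                findings.append(("high", kind, f"UserInit altered: {value}"))
        elif kind == "O4":
            m = RUN_ENTRY.match(rest)
            if not m:
                continue
            path = exe_path(m.group("cmd"))
            base = path.rsplit("\\", 1)[-1]
            if USER_WRITABLE_DIRS.search(path):
                findings.append(("high", kind, f"startup item in temp/profile dir: {path}"))
            elif RANDOM_NAME.match(base):
                findings.append(("medium", kind, f"startup item with random name: {base}"))
        elif kind == "O6":
            findings.append(("low", kind, "IE policy restrictions present (admin-set, or malware locking settings)"))
    return findings


if __name__ == "__main__":
    for severity, kind, reason in analyse(SAMPLE_LOG):
        print(f"[{severity:6}] {kind:3} {reason}")
```

Run it against a saved log with `analyse(open("hijackthis.log").read())`. The loopback-proxy check is deliberately a flag, not a verdict: the same setting is written by debugging proxies and some antivirus web filters, so the finding is only conclusive when, as in the log above, no such product appears in the running processes or services.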



## DFW (Jun 12, 2004)

> *Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.
> If you think you have similar problems, please post the required log/s in the forum and wait for help.*


Hi dave07060033 and welcome..

I'm DFW and I am going to try and help you with your Malware problem. Please observe the following points and rules while we work:

The fixes are specific to your problem and should only be used for this issue on this machine!
The clean up process can take time. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, *stop and ask!* Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Some of the logs we ask for can take some time to analyse, so please be patient.
This may or may not solve other issues you have with your machine.
*Note: No Reply Within 3 Days Will Result In Your Topic Being Closed.*

*Before we start:*
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. 
However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. 
It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

*Because of this, I advise you to backup any personal files and folders before you start*.

*Going over your log, be back as soon as possible*


----------



## dave07060033 (Nov 10, 2011)

Thank you!


----------



## DFW (Jun 12, 2004)

*Hi dave07060033*

You're welcome.

Download to your desktop *DDS* from one of the links below:

Link

*Double click* the tool to run it.
A black Screen will open, just read the contents and do nothing.
When the tool finishes, it will open 2 reports.
Copy/paste both reports back here and remove *DDS* from your desktop.

*Gmer*
Download *GMER Rootkit Scanner* from *here*.

Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
If it gives you a warning about rootkit activity and asks if you want to run scan...click on *NO*



In the right panel, you will see several boxes that have been checked. Uncheck the following ...
Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish
Once done click on the *[Save..]* button, and in the File name area, type in *"Gmer.txt"* or it will save as a .log file
Save it where you can easily find it, such as your desktop, and post it in reply
_**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries._
*Note:* Do not run any programs while Gmer is running.

*Please post back with:*

Both DDS logs and the GMER log.


----------



## dave07060033 (Nov 10, 2011)

DDS ran and put a notepad file of garbage on the screen. GMER will not run, getting an error message that says LoadDriver(C:"Docum~.... Temp/fxddqpog.sys) error 0xC000010E: Cannot create a stable key under a volatile parent key. Also got a Symantec notification about Trojan.Gen.2 Access Denied.


----------



## DFW (Jun 12, 2004)

*Hi dave07060033*

*That's probably the infection stopping the tools from working; try these below.*

*1st Post*

Download *TDSSKiller.zip* and extract it to your Desktop.

Double click on *TDSSKiller.exe* to launch it.
If using Vista or Windows7, when prompted by *UAC* allow the prompt.

Click on *Start Scan*
The scan will run.
When the scan has finished, if it finds anything please click on the drop down arrow next to *Cure* and select *Skip*
Now click on *Report* to open the log file created by TDSSKiller in your root directory *C:\*
*Post the contents in your next reply please.*
*DO NOT TRY TO FIX ANYTHING AT THIS POINT*

Please download *OTL* by *Old Timer* and save it to your Desktop.

Double click on *OTL.exe* to run it.
Under *Output*, ensure that *Standard Output* is selected.
Under *Extra Registry* section, select *Use SafeList*.
Click the *Scan All Users* checkbox.
Click on *Run Scan* at the top left hand corner.
When done, two Notepad files will open.
*OTL.txt* <-- _Will be opened_
*Extra.txt* <-- _Will be minimized_

Please post the contents of these 2 Notepad files in your next reply.

*Post back:*

TDSSKiller log
Both OTL logs


----------



## dave07060033 (Nov 10, 2011)

TDSSKiller came up with one thing. I accidentally hit continue; it says it will cure after reboot. It found Rootkit.Boot.SST.b. I am not rebooting the computer.

Here are the 2 OTL logs:

OTL Extras logfile created on: 11/11/2011 3:12:05 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\dave\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.16 Gb Total Physical Memory | 2.30 Gb Available Physical Memory | 72.70% Memory free
5.00 Gb Paging File | 4.51 Gb Available in Paging File | 90.20% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 201.18 Gb Free Space | 86.39% Space Free | Partition Type: NTFS

Computer Name: 10R0MQ1 | User Name: | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = Opera.HTML] -- Reg Error: Key error. File not found
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-504249514-2004877394-1847928074-225766\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings]
"AllowOutboundDestinationUnreachable" = 1
"AllowOutboundSourceQuench" = 1
"AllowRedirect" = 1
"AllowInboundEchoRequest" = 1
"AllowInboundRouterRequest" = 1
"AllowOutboundTimeExceeded" = 1
"AllowOutboundParameterProblem" = 1
"AllowInboundTimestampRequest" = 1
"AllowInboundMaskRequest" = 1
"AllowOutboundPacketTooBig" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)
"C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE:*:Enabled:Microsoft OneNote -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\HP\HP Officejet 7500 E910\Bin\DeviceSetup.exe" = C:\Program Files\HP\HP Officejet 7500 E910\Bin\DeviceSetup.exe:LocalSubNet:Enabled:HP Device Setup -- (Hewlett-Packard Co.)
"C:\Program Files\HP\HP Officejet 7500 E910\Bin\HPNetworkCommunicator.exe" = C:\Program Files\HP\HP Officejet 7500 E910\Bin\HPNetworkCommunicator.exe:LocalSubNet:Enabled:HP Network Communicator -- (Hewlett-Packard Co.)
"C:\Documents and Settings\dave\Desktop\msgr11us.exe" = C:\Documents and Settings\dave\Desktop\msgr11us.exe:*:Enabled:msgr11us

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03E67C27-BE46-4A44-89E9-D7961542E8D9}" = HP Officejet 7500 E910 Basic Device Software
"{05F5D4C6-D6E5-4E2A-AE47-6514250870A8}" = AutoCAD Civil 3D 2012 32 Bit Object Enabler on Autodesk® Storm and Sanitary Analysis 2012 - Language Neutral
"{07FB17D8-7DB6-4F06-80C4-8BE1719CB6A1}" = hpWLPGInstaller
"{086F9A69-CD39-4893-A9FB-D3A0634CE3F7}" = Autodesk Content Service
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0CB3B7EE-52C7-4136-AF40-605567D90318}" = O2Micro Flash Memory Card Windows Driver
"{175F0111-2968-4935-8F70-33108C6A4DE3}" = MarketResearch
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{203E564A-51E6-44E5-9DF9-8D0AD66E401D}" = DJ_SF_05_D2600_Software_Min
"{21A2F5EE-1DC5-488A-BE7E-E526F8C61488}" = DeviceDiscovery
"{24DC9885-E759-4BD2-8A20-D4AC509A7FDE}" = HP Officejet 7500 E910 Help
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java(TM) 6 Update 26
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A9FC03D-C685-4831-94CF-4EDFD3749497}" = Microsoft SQL Server Compact 3.5 SP2 ENU
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{5783F2D7-9001-0409-0002-0060B0CE6BBA}" = AutoCAD 2011 - English
"{5783F2D7-9001-0409-1002-0060B0CE6BBA}" = AutoCAD 2011 Language Pack - English
"{5783F2D7-A000-0409-0002-0060B0CE6BBA}" = AutoCAD Civil 3D 2012
"{5783F2D7-A000-0409-1002-0060B0CE6BBA}" = AutoCAD Civil 3D 2012 Language Pack - English
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
"{65420DC9-306E-4371-905F-F4DC3B418E52}" = Autodesk Material Library Base Resolution Image Library 2012
"{68A10D12-0D0F-4212-BDE6-D87FAD32A8FA}" = SmartWebPrinting
"{6A3F9D74-BB80-4451-8CA1-4B3A857F1359}" = Apple Application Support
"{6B2FFB21-AC88-45C3-9A7D-4BB3E744EC91}" = HPSSupply
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{775290AD-C54E-418C-9564-A10836F42C1C}" = D2600
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{787D1A33-A97B-4245-87C0-7174609A540C}" = HP Update
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7B4D193B-D76D-308B-8B12-5D9BB1CBCE6C}" = Microsoft Visual Basic Power Packs 3.0
"{800D0D43-5097-470D-9A03-7D6108A43C3E}" = AutoCAD Civil 3D 2012 32 Bit Object Enabler on Autodesk Content Service - Language Neutral
"{80D3CFFD-4CB5-47A1-8779-11A720A9ADB2}" = HP Deskjet D2600 Printer Driver Software 13.0 Rel .5
"{84B70C16-7032-41EE-965C-3C8D9D566CBB}" = Symantec Endpoint Protection
"{87434D51-51DB-4109-B68F-A829ECDCF380}" = AccelerometerP11
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8F0837C2-EE09-4903-88F3-1976FE7FFF4E}" = Autodesk Material Library 2012
"{90140000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 14
"{90140000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2010
"{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{20601BE5-6E56-49E5-A6CD-B558A279288B}" =
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.STANDARD_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.STANDARD_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.STANDARD_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.STANDARD_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.STANDARD_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.STANDARD_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.STANDARD_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.STANDARD_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.STANDARD_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.STANDARD_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.STANDARD_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.STANDARD_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
"{951B0F30-9F1A-4BF6-B3DA-99EB0E917B1C}" = FARO LS 1.1.406.58
"{95761B4F-5940-4908-921E-B71B1B183699}" = Intel(R) PROSet/Wireless WiFi Software
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9DEABCB6-B759-4D52-92F8-51B34A2B4D40}" = Autodesk Material Library 2011
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{AE8705FB-E13C-40A9-8A2D-68D6733FBFC2}" = Status
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C75CDBA2-3C86-481e-BD10-BDDA758F9DFF}" = hpPrintProjects
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{CA6BCA2F-EDEB-408F-850B-31404BE16A61}" = I.R.I.S. OCR
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD1E078C-A6B9-47DA-B035-6365C85C7832}" = Autodesk Material Library 2011 Base Image library
"{CD41B576-4787-4D5C-95EE-24A4ABD89CD3}" = System Requirements Lab for Intel
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D7926497-E476-489B-B4E9-DBFCA45483A2}" = Autodesk® Storm and Sanitary Analysis 2012
"{DC0A5F99-FD66-433F-9D3A-05DCBA64BE42}" = TrayApp
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{E2867240-F889-4D76-9AAF-252D9A1A623E}" = O2Micro Flash Memory Card Reader Driver (x86)
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Processor Graphics
"{F5346614-B7C4-4E94-826A-E2363155233D}" = EasyCleaner
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"AutoCAD 2011 - English" = AutoCAD 2011 - English
"AutoCAD 2011 - English Version 2.1" = AutoCAD 2011 - English Version 2.1
"AutoCAD Civil 3D 2012" = AutoCAD Civil 3D 2012
"CCleaner" = CCleaner
"DriveScrubber 3_is1" = iolo technologies' DriveScrubber 3
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP Print Projects" = HP Print Projects 1.0
"HP Smart Web Printing" = HP Smart Web Printing 4.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 13.0
"ie8" = Windows Internet Explorer 8
"InstallShield_{0CB3B7EE-52C7-4136-AF40-605567D90318}" = O2Micro Flash Memory Card Windows Driver
"Just BASIC v1.01" = Just BASIC v1.01
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox 7.0.1 (x86 en-US)" = Mozilla Firefox 7.0.1 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSConfig CleanUp_is1" = MSConfig CleanUp 1.2
"Office14.STANDARD" = Microsoft Office Standard 2010
"PDF Report Writer_is1" = PDF Report Writer (novaPDF 6.4 printer)
"pdfFactory" = pdfFactory
"ProInst" = Intel PROSet Wireless
"RealPlayer 12.0" = RealPlayer
"Shop for HP Supplies" = Shop for HP Supplies
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"YTdetect" = Yahoo! Detect

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-504249514-2004877394-1847928074-225766\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/11/2011 8:16:15 AM | Computer Name = 10R0MQ1 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 11/11/2011 8:16:17 AM | Computer Name = 10R0MQ1 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/11/2011 9:28:16 AM | Computer Name = 10R0MQ1 | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 11/11/2011 11:24:55 AM | Computer Name = 10R0MQ1 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Tracking Cookies in File: Cookie:[email protected]/
by: Manual scan. Action: Quarantine failed : Leave Alone failed. Action Description:
The file was deleted successfully.

Error - 11/11/2011 11:53:29 AM | Computer Name = 10R0MQ1 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x000269a9.

Error - 11/11/2011 12:10:52 PM | Computer Name = 10R0MQ1 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: c:\System Volume Information\_restore{75798BF8-5303-4F8D-A03A-831C2FD2E049}\RP65\A0018596.exe
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully.

Error - 11/11/2011 12:10:56 PM | Computer Name = 10R0MQ1 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: c:\System Volume Information\_restore{75798BF8-5303-4F8D-A03A-831C2FD2E049}\RP65\A0018597.exe
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully.

Error - 11/11/2011 12:10:58 PM | Computer Name = 10R0MQ1 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: c:\System Volume Information\_restore{75798BF8-5303-4F8D-A03A-831C2FD2E049}\RP65\A0018598.exe
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully.

Error - 11/11/2011 4:10:12 PM | Computer Name = 10R0MQ1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 11/11/2011 4:10:12 PM | Computer Name = 10R0MQ1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 11/11/2011 11:57:47 AM | Computer Name = 10R0MQ1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 11/11/2011 11:58:33 AM | Computer Name = 10R0MQ1 | Source = Service Control Manager | ID = 7034
Description = The DNS Client service terminated unexpectedly. It has done this
1 time(s).

Error - 11/11/2011 12:22:21 PM | Computer Name = 10R0MQ1 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain CORP due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 11/11/2011 12:25:05 PM | Computer Name = 10R0MQ1 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain CORP due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 11/11/2011 12:30:52 PM | Computer Name = 10R0MQ1 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain CORP due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 11/11/2011 1:00:24 PM | Computer Name = 10R0MQ1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 11/11/2011 1:15:27 PM | Computer Name = 10R0MQ1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.

Error - 11/11/2011 2:04:16 PM | Computer Name = 10R0MQ1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 11/11/2011 4:06:09 PM | Computer Name = 10R0MQ1 | Source = Dhcp | ID = 1002
Description = The IP address lease 10.138.47.213 for the Network Card with network
address A088B487A478 has been denied by the DHCP server 192.168.1.254 (The DHCP
Server sent a DHCPNACK message).

Error - 11/11/2011 4:06:14 PM | Computer Name = 10R0MQ1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

< End of report >

2nd one:

OTL logfile created on: 11/11/2011 3:11:56 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\dave\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.16 Gb Total Physical Memory | 2.30 Gb Available Physical Memory | 72.70% Memory free
5.00 Gb Paging File | 4.51 Gb Available in Paging File | 90.20% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 201.18 Gb Free Space | 86.39% Space Free | Partition Type: NTFS

Computer Name: 10R0MQ1 | User Name: dave | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/11 15:10:47 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\dave\Desktop\OTL.exe
PRC - [2011/11/11 15:09:57 | 001,564,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\dave\Desktop\tdsskiller\TDSSKiller.exe
PRC - [2011/10/07 20:09:46 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/01/10 13:18:09 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2011/01/10 13:18:08 | 001,893,728 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2011/01/10 13:18:08 | 001,839,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2011/01/10 13:18:08 | 001,459,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2011/01/05 13:09:24 | 000,477,456 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2008/04/14 09:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (No Company Name) ==========

MOD - [2011/10/22 07:43:14 | 008,522,400 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/10/07 20:09:46 | 001,833,944 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/08/28 13:52:20 | 001,044,816 | ---- | M] (Flexera Software, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/06/14 00:43:32 | 000,722,616 | ---- | M] (iolo technologies, LLC) [Disabled | Stopped] -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe -- (ioloSystemService)
SRV - [2011/02/02 13:08:16 | 000,018,656 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe -- (Autodesk Content Service)
SRV - [2011/01/25 01:57:18 | 000,274,514 | ---- | M] (IDT, Inc.) [Disabled | Stopped] -- C:\Program Files\IDT\WDM\stacsv.exe -- (STacSV)
SRV - [2011/01/12 07:59:46 | 000,375,056 | ---- | M] (Intel(R) Corporation) [Disabled | Stopped] -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe -- (WLANKEEPER) Intel(R)
SRV - [2011/01/12 07:59:42 | 000,915,728 | ---- | M] (Intel(R) Corporation) [Disabled | Stopped] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel(R)
SRV - [2011/01/10 13:18:09 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2011/01/10 13:18:09 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2011/01/10 13:18:08 | 001,893,728 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2011/01/10 13:18:08 | 001,839,776 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2011/01/10 13:18:08 | 000,357,744 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2011/01/05 13:22:50 | 000,936,208 | ---- | M] (Intel(R) Corporation) [Disabled | Stopped] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel(R)
SRV - [2011/01/05 13:09:24 | 000,477,456 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel(R)
SRV - [2010/12/03 15:19:26 | 002,656,280 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) Intel(R)
SRV - [2010/12/03 15:19:20 | 000,325,656 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) Intel(R)
SRV - [2010/09/17 11:37:36 | 000,539,944 | ---- | M] (Altiris Inc.) [Disabled | Stopped] -- C:\WINDOWS\AltirisAgentInstSvc.exe -- (Altiris Agent Installation Service)
SRV - [2010/09/07 16:05:51 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2010/02/10 17:50:50 | 000,072,296 | ---- | M] (O2Micro International) [Disabled | Stopped] -- C:\WINDOWS\system32\drivers\o2flash.exe -- (o2flash)
SRV - [2003/04/18 18:06:26 | 000,008,192 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\srvany.exe -- (O2SDIOAssist)

========== Driver Services (SafeList) ==========

DRV - [2011/11/08 04:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/11/08 04:00:00 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/09/15 03:00:00 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20111110.035\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/09/15 03:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20111110.035\NAVENG.SYS -- (NAVENG)
DRV - [2011/08/19 04:26:50 | 004,334,624 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech Webcam Pro 9000(UVC)
DRV - [2011/08/19 04:26:46 | 000,315,808 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2011/04/26 13:22:12 | 000,125,488 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/03/23 13:51:56 | 000,063,976 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\o2sdjxp.sys -- (O2SDJRDR)
DRV - [2011/02/04 07:38:44 | 000,051,752 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2011/02/04 07:38:42 | 000,229,416 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2011/02/04 07:38:38 | 000,284,792 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2011/01/27 14:43:20 | 000,007,680 | ---- | M] (MSI) [Kernel | On_Demand | Stopped] -- C:\Program Files\MSI\MSIWDev\NTIOLib.sys -- (NTIOLib_1_0_8)
DRV - [2011/01/25 01:57:18 | 001,660,547 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2011/01/10 13:18:09 | 000,320,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2011/01/10 13:18:09 | 000,284,720 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2011/01/10 13:18:09 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2011/01/10 13:18:06 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2011/01/04 11:14:38 | 007,391,744 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETwNx32.sys -- (NETwNx32) ___ Intel(R)
DRV - [2011/01/04 02:58:42 | 000,061,728 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\o2mdrxp.sys -- (O2MDRRDR)
DRV - [2010/12/13 09:33:36 | 000,043,888 | ---- | M] (ST Microelectronics) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Accelern.sys -- (Acceler)
DRV - [2010/10/19 16:33:40 | 000,041,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (MEI) Intel(R)
DRV - [2010/10/15 08:29:16 | 000,260,864 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntcDAud.sys -- (IntcDAud) Intel(R)
DRV - [2010/08/20 11:04:38 | 000,017,648 | ---- | M] (ST Microelectronics) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\stdcfltn.sys -- (stdcfltn)
DRV - [2010/05/19 21:15:04 | 000,013,952 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2010/05/10 10:44:42 | 000,025,912 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\MSI\MSIWDev\msibios32_100507.sys -- (MSI_MSIBIOS_010507)
DRV - [2009/04/21 22:13:34 | 000,113,664 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-21-504249514-2004877394-1847928074-225766\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/login.asp
IE - HKU\S-1-5-21-504249514-2004877394-1847928074-225766\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-504249514-2004877394-1847928074-225766\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-504249514-2004877394-1847928074-225766\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:60283

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 60283
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.669: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.669: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.669: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/08/24 17:46:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/10/08 07:05:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/07 20:09:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/08/24 17:46:23 | 000,000,000 | ---D | M]

[2011/08/24 17:22:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\dave\Application Data\Mozilla\Extensions
[2011/08/24 17:21:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/10/08 07:05:18 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
[2011/04/26 12:13:48 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/04/27 13:00:06 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/10/07 20:09:46 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/07 20:09:45 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2008/04/14 09:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\New Windows present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\SQM present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: consentpromptbehavioradmin = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Privacy present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\SQM present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Privacy present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\SQM present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Privacy present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\SQM present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Privacy present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\SQM present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-504249514-2004877394-1847928074-225766\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation present
O7 - HKU\S-1-5-21-504249514-2004877394-1847928074-225766\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-504249514-2004877394-1847928074-225766\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\S-1-5-21-504249514-2004877394-1847928074-225766\Software\Policies\Microsoft\Internet Explorer\Privacy present
O7 - HKU\S-1-5-21-504249514-2004877394-1847928074-225766\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-504249514-2004877394-1847928074-225766\Software\Policies\Microsoft\Internet Explorer\SQM present
O7 - HKU\S-1-5-21-504249514-2004877394-1847928074-225766\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-504249514-2004877394-1847928074-225766\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O7 - HKU\S-1-5-21-504249514-2004877394-1847928074-225766\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSimpleStartMenu = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303912342156 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1303928978968 (MUWebControl Class)
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} http://liveupdate.msi.com.tw/autobios/LOnline/RELEASECAB/install.cab (WebSDev Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.atc.int
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0D5055C3-AF5F-4ACD-91B2-33C0322E466B}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-504249514-2004877394-1847928074-225766 Winlogon: Shell - (explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-504249514-2004877394-1847928074-225766 Winlogon: Shell - (C:\Documents and Settings\dave\Application Data\623A1\423E8.exe) -C:\Documents and Settings\dave\Application Data\623A1\423E8.exe ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/08/29 18:29:27 | 000,000,000 | ---D | M] - C:\autodesk -- [ NTFS ]
O32 - AutoRun File - [2011/04/26 12:01:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/11 15:10:47 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\dave\Desktop\OTL.exe
[2011/11/11 15:09:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dave\Desktop\tdsskiller
[2011/11/11 12:25:24 | 000,607,260 | ---- | C] (Swearware) -- C:\Documents and Settings\dave\Desktop\dds(1).scr
[2011/11/11 11:31:05 | 000,000,000 | ---D | C] -- C:\Program Files\LP
[2011/11/11 03:07:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\BhoScanner
[2011/11/10 03:39:50 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\dave\Desktop\HijackThis.exe
[2011/11/09 11:52:59 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\dave\Recent
[2011/11/09 07:24:13 | 000,000,000 | ---D | C] -- C:\Program Files\A1E73
[2011/11/07 18:43:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/11/07 18:43:38 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/11/07 18:38:54 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2011/11/07 17:55:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/11/06 12:19:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dave\Application Data\623A1
[2011/10/22 07:49:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dave\Local Settings\Application Data\ApplicationHistory
[2011/10/15 11:08:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dave\My Documents\Time & Expenses
[2011/10/13 18:14:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dave\Application Data\Apple Computer
[2011/10/13 18:14:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2011/10/13 18:13:50 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2011/10/13 18:13:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2011/10/13 18:13:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2011/10/13 18:13:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dave\Local Settings\Application Data\Apple
[2011/10/13 18:13:13 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2011/10/13 18:13:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2011/10/13 18:13:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dave\Local Settings\Application Data\Apple Computer
[2011/10/12 18:18:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dave\Application Data\SystemRequirementsLab
[2011/04/27 03:17:14 | 000,004,096 | ---- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll

========== Files - Modified Within 30 Days ==========

[2011/11/11 15:10:47 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\dave\Desktop\OTL.exe
[2011/11/11 15:09:44 | 001,545,878 | ---- | M] () -- C:\Documents and Settings\dave\Desktop\tdsskiller.zip
[2011/11/11 12:26:10 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\dave\Desktop\hnzodu44.exe
[2011/11/11 12:25:24 | 000,607,260 | ---- | M] (Swearware) -- C:\Documents and Settings\dave\Desktop\dds(1).scr
[2011/11/11 12:03:00 | 000,507,176 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/11 12:03:00 | 000,090,186 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/11/11 11:31:09 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/11/11 11:31:05 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-504249514-2004877394-1847928074-225766.job
[2011/11/11 11:30:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/11/11 11:26:55 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2011/11/10 04:43:18 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-504249514-2004877394-1847928074-225766.job
[2011/11/10 03:39:50 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\dave\Desktop\HijackThis.exe
[2011/11/08 04:15:36 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2011/11/07 18:20:36 | 000,000,127 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/10/22 08:00:27 | 000,352,176 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/10/22 07:43:14 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

========== Files Created - No Company Name ==========

[2011/11/11 15:09:43 | 001,545,878 | ---- | C] () -- C:\Documents and Settings\dave\Desktop\tdsskiller.zip
[2011/11/11 12:26:10 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\dave\Desktop\hnzodu44.exe
[2011/11/07 18:05:43 | 000,000,127 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/10/13 18:13:16 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2011/08/31 18:31:52 | 000,074,703 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dll
[2011/08/30 03:26:21 | 000,836,504 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/08/29 03:28:53 | 001,017,662 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-504249514-2004877394-1847928074-225766-0.dat
[2011/08/29 03:28:52 | 000,339,510 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/08/26 06:18:51 | 000,167,519 | ---- | C] () -- C:\WINDOWS\hphins32.dat.temp
[2011/08/26 06:18:51 | 000,000,632 | ---- | C] () -- C:\WINDOWS\hphmdl32.dat.temp
[2011/08/24 17:36:20 | 000,162,218 | ---- | C] () -- C:\WINDOWS\hphins32.dat
[2011/08/24 17:36:20 | 000,000,632 | ---- | C] () -- C:\WINDOWS\hphmdl32.dat
[2011/08/19 04:26:20 | 010,898,456 | ---- | C] () -- C:\WINDOWS\System32\LogiDPP.dll
[2011/08/19 04:26:20 | 000,336,408 | ---- | C] () -- C:\WINDOWS\System32\DevManagerCore.dll
[2011/08/19 04:26:20 | 000,104,472 | ---- | C] () -- C:\WINDOWS\System32\LogiDPPApp.exe
[2011/07/26 01:48:54 | 000,028,418 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2011/04/28 11:39:34 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2011/04/27 10:51:58 | 000,032,256 | ---- | C] () -- C:\WINDOWS\System32\instsrv.exe
[2011/04/27 10:51:58 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\srvany.exe
[2011/04/27 05:22:42 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\drivers\IntelMEFWVer.dll
[2011/04/27 03:17:14 | 000,201,496 | ---- | C] () -- C:\WINDOWS\System32\igfcg600m.bin
[2011/04/27 03:17:13 | 000,145,804 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng600.bin
[2011/04/27 03:17:12 | 000,783,644 | ---- | C] () -- C:\WINDOWS\System32\igkrng600.bin
[2011/04/27 03:17:12 | 000,000,151 | ---- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config
[2011/04/26 14:51:30 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2011/04/26 14:51:29 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2011/04/26 14:51:29 | 000,507,176 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/26 14:51:29 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2011/04/26 14:51:29 | 000,090,186 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/26 14:51:29 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2011/04/26 14:51:29 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2011/04/26 14:51:28 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2011/04/26 14:51:27 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2011/04/26 14:51:27 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2011/04/26 14:51:25 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2011/04/26 14:51:25 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2011/04/26 12:14:05 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/26 12:04:32 | 000,000,051 | ---- | C] () -- C:\WINDOWS\smsts.ini
[2011/04/26 12:03:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/04/26 12:00:30 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/04/26 12:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2011/04/26 06:56:17 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/04/26 06:55:30 | 000,352,176 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/09/17 11:54:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\AeXNSC.exe
[2010/06/30 22:37:20 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\lpng.dll

< End of report >


----------



## dave07060033 (Nov 10, 2011)

Hello?


----------



## DFW (Jun 12, 2004)

*Good Morning dave07060033*

*If you have not already done so, please reboot your system and let TDSSKiller remove the file. Please make sure you post the TDSSKiller log along with the others from this post; it will be on your C drive.*

*We need to run an OTL Fix*


Right-click *OTL.exe* and select *"Run as administrator"* to run it.
*Copy* and *Paste* the following code into the textbox. Do not include the word *Code*

```
:processes
killallprocesses

:OTL
IE - HKU\S-1-5-21-504249514-2004877394-1847928074-225766\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:60283
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll File not found
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found


:files
C:\Documents and Settings\dave\Application Data\623A1
C:\WINDOWS\System32\drivers\lvuvc.hs
ipconfig /flushdns /c

:commands
[emptyflash]
[emptytemp]
[resethosts]
[clearallrestorepoints]
[REBOOT]
```

Then click the *Run Fix* button at the top.
*OTL may ask to reboot the machine. Please do so if asked.*
The report should appear in Notepad after the reboot. *Copy* and *Paste* that report in your next reply.

*Next*

Please download *aswMBR* and save it to your Desktop.


Double click *aswMBR.exe* to run it.
Click the *Scan* button.
After a short while when the scan reports *"Scan finished successfully"*, click *Save log* & save the log to your *desktop*.
Click *OK* > *Exit.*
*Note:* Do not attempt to fix anything at this stage!
Two files will be created, *aswMBR.txt* & a file named *MBR.dat*.
*MBR.dat* is a backup of the MBR (master boot record), do not delete it.
*I strongly suggest you keep a copy of this backup stored on an external device.*
Copy & Paste the contents of *aswMBR.txt* into your next reply.

*Please post back*

OTL Log
TDSSKiller Log
aswMBR Log
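A defender-side check for the two proxy settings the OTL fix above removes, added here as an example that is not part of this thread or of OTL. It parses the WinINET `ProxyServer` string and Firefox's `prefs.js` and flags any proxy that points at the local machine; the sample values are constructed to mirror the fix lines, and the `winreg` read only works on Windows.

```python
"""Flag browser proxy settings that point at the local machine.

Added example for this thread, not part of the original post or of OTL.
The FakeAV here set IE's ProxyServer to http=127.0.0.1:60283 and
Firefox's network.proxy.http to 127.0.0.1, so every page request was
routed through a process on the infected machine. These helpers parse
both settings and report loopback proxies; sample inputs are constructed.
"""
import ipaddress
import re
import sys

# Names that mean "this machine". A proxy here is only legitimate when
# you deliberately run a local filtering/debugging proxy yourself.
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}
FIREFOX_PROTOCOLS = ("http", "ssl", "ftp", "socks")
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\("(network\.proxy\.[^"]+)",\s*(.+?)\);\s*$')


def is_loopback_host(host: str) -> bool:
    """True if host names the local machine by name or address."""
    host = host.strip().strip('"').strip("[]").lower()
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal (e.g. a hostname)
        return False


def parse_ie_proxyserver(value: str) -> dict:
    """Parse the WinINET ProxyServer string into {protocol: (host, port)}.

    WinINET accepts "host:port" (one proxy for everything, stored here
    under "*") and "http=host:port;https=host:port;..." per protocol.
    """
    proxies = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        proto, sep, target = entry.partition("=")
        if not sep:  # bare host:port applies to every protocol
            proto, target = "*", entry
        host, _, port = target.strip().rpartition(":")
        if not host:  # no port given at all
            host, port = target.strip(), ""
        proxies[proto.strip().lower()] = (host, port)
    return proxies


def parse_firefox_prefs(prefs_js: str) -> dict:
    """Collect network.proxy.* entries from prefs.js / user.js text."""
    prefs = {}
    for line in prefs_js.splitlines():
        m = PREF_RE.match(line)
        if m:
            key, raw = m.groups()
            prefs[key] = raw.strip().strip('"')
    return prefs


def find_loopback_proxies(ie_proxyserver: str, firefox_prefs_js: str) -> list:
    """Return (source, protocol, host, port) for every loopback proxy."""
    findings = []
    for proto, (host, port) in parse_ie_proxyserver(ie_proxyserver).items():
        if is_loopback_host(host):
            findings.append(("IE ProxyServer", proto, host, port))
    prefs = parse_firefox_prefs(firefox_prefs_js)
    for proto in FIREFOX_PROTOCOLS:
        host = prefs.get(f"network.proxy.{proto}")
        if host and is_loopback_host(host):
            port = prefs.get(f"network.proxy.{proto}_port", "")
            findings.append(("Firefox prefs.js", proto, host, port))
    return findings


def read_ie_proxyserver_from_registry() -> str:
    """Read the logged-on user's ProxyServer value (Windows only).

    Same Internet Settings key the OTL fix edits, read via HKCU instead
    of the per-SID HKU path shown in the fix.
    """
    import winreg  # standard library, present only on Windows
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        try:
            value, _ = winreg.QueryValueEx(key, "ProxyServer")
            return value
        except FileNotFoundError:  # value absent: no manual proxy set
            return ""


# Constructed sample values mirroring the two lines in the OTL fix above.
SAMPLE_IE_PROXYSERVER = "http=127.0.0.1:60283"
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences (constructed sample)
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 60283);
user_pref("browser.startup.homepage", "about:home");
"""

if __name__ == "__main__":
    # On Windows check the live IE value; elsewhere run on the sample.
    ie_value = (read_ie_proxyserver_from_registry()
                if sys.platform == "win32" else SAMPLE_IE_PROXYSERVER)
    for source, proto, host, port in find_loopback_proxies(ie_value, SAMPLE_PREFS_JS):
        print(f"{source}: {proto} proxy -> {host}:{port} (loopback, verify it is yours)")
```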


----------



## dave07060033 (Nov 10, 2011)

*OTL Log*

All processes killed
========== PROCESSES ==========
========== OTL ==========
HKU\S-1-5-21-504249514-2004877394-1847928074-225766\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Prefs.js: "127.0.0.1" removed from network.proxy.http
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@java.com/JavaPlugin\ deleted successfully.
C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=\ deleted successfully.
========== FILES ==========
File\Folder C:\Documents and Settings\dave\Application Data\623A1 not found.
C:\WINDOWS\System32\drivers\lvuvc.hs moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\dave\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\dave\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator

User: All Users

User: dave
->Flash cache emptied: 2130 bytes

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 42347992 bytes
->Temporary Internet Files folder emptied: 2417129 bytes
->Java cache emptied: 0 bytes

User: All Users

User: dave
->Temp folder emptied: 33298245 bytes
->Temporary Internet Files folder emptied: 26638623 bytes
->Java cache emptied: 378784 bytes
->FireFox cache emptied: 42478989 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 127493 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 2709984 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1313 bytes

Total Files Cleaned = 144.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.31.0 log created on 11122011_061400

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

*TDSSKILLER Log*

15:10:14.0359 2512 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15
15:10:15.0390 2512 ============================================================
15:10:15.0390 2512 Current date / time: 2011/11/11 15:10:15.0390
15:10:15.0390 2512 SystemInfo:
15:10:15.0390 2512 
15:10:15.0390 2512 OS Version: 5.1.2600 ServicePack: 3.0
15:10:15.0390 2512 Product type: Workstation
15:10:15.0390 2512 ComputerName: 10R0MQ1
15:10:15.0390 2512 UserName: dave
15:10:15.0390 2512 Windows directory: C:\WINDOWS
15:10:15.0390 2512 System windows directory: C:\WINDOWS
15:10:15.0390 2512 Processor architecture: Intel x86
15:10:15.0390 2512 Number of processors: 4
15:10:15.0390 2512 Page size: 0x1000
15:10:15.0390 2512 Boot type: Normal boot
15:10:15.0390 2512 ============================================================
15:10:16.0843 2512 Initialize success
15:10:18.0687 2260 ============================================================
15:10:18.0687 2260 Scan started
15:10:18.0687 2260 Mode: Manual; 
15:10:18.0687 2260 ============================================================
15:10:24.0656 2260 Secdrv - ok
15:10:24.0687 2260 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
15:10:24.0687 2260 Serial - ok
15:10:24.0750 2260 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
15:10:24.0765 2260 Sfloppy - ok
15:10:24.0765 2260 Simbad - ok
15:10:24.0812 2260 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
15:10:24.0812 2260 sisagp - ok
15:10:24.0843 2260 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
15:10:24.0843 2260 SLIP - ok
15:10:24.0875 2260 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
15:10:24.0875 2260 Sparrow - ok
15:10:24.0953 2260 SPBBCDrv (e87cf104f12c92401c4d33c50a3d5dc8) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
15:10:24.0953 2260 SPBBCDrv - ok
15:10:25.0000 2260 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
15:10:25.0000 2260 splitter - ok
15:10:25.0031 2260 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
15:10:25.0031 2260 sr - ok
15:10:25.0062 2260 SRTSP (b36f8d6a02ff2b3a53e250a629782f29) C:\WINDOWS\system32\Drivers\SRTSP.SYS
15:10:25.0062 2260 SRTSP - ok
15:10:25.0093 2260 SRTSPL (e99bd98ac171a29fc1ba9376be87ae73) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
15:10:25.0093 2260 SRTSPL - ok
15:10:25.0109 2260 SRTSPX (1af34729898063e9b7df8d149d767e07) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
15:10:25.0109 2260 SRTSPX - ok
15:10:25.0140 2260 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
15:10:25.0156 2260 Srv - ok
15:10:25.0187 2260 stdcfltn (1e72739a30a0d3e3fc95ebb07f83912d) C:\WINDOWS\system32\DRIVERS\stdcfltn.sys
15:10:25.0187 2260 stdcfltn - ok
15:10:25.0265 2260 STHDA (a553c4dc4a0a2d3b8b11202115321ace) C:\WINDOWS\system32\drivers\sthda.sys
15:10:25.0296 2260 STHDA - ok
15:10:25.0328 2260 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
15:10:25.0328 2260 streamip - ok
15:10:25.0359 2260 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
15:10:25.0375 2260 swenum - ok
15:10:25.0390 2260 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
15:10:25.0390 2260 swmidi - ok
15:10:25.0406 2260 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
15:10:25.0406 2260 symc810 - ok
15:10:25.0406 2260 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
15:10:25.0406 2260 symc8xx - ok
15:10:25.0421 2260 SymEvent (e42a34e6f5ca71a84d4c2de620aad13d) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
15:10:25.0421 2260 SymEvent - ok
15:10:25.0437 2260 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
15:10:25.0437 2260 sym_hi - ok
15:10:25.0437 2260 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
15:10:25.0453 2260 sym_u3 - ok
15:10:25.0468 2260 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
15:10:25.0468 2260 sysaudio - ok
15:10:25.0500 2260 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
15:10:25.0500 2260 Tcpip - ok
15:10:25.0531 2260 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
15:10:25.0546 2260 TDPIPE - ok
15:10:25.0578 2260 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
15:10:25.0578 2260 TDTCP - ok
15:10:25.0593 2260 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
15:10:25.0593 2260 TermDD - ok
15:10:25.0609 2260 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
15:10:25.0609 2260 TosIde - ok
15:10:25.0640 2260 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
15:10:25.0640 2260 Udfs - ok
15:10:25.0640 2260 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
15:10:25.0640 2260 ultra - ok
15:10:25.0656 2260 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
15:10:25.0671 2260 Update - ok
15:10:25.0718 2260 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
15:10:25.0718 2260 usbaudio - ok
15:10:25.0765 2260 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
15:10:25.0765 2260 usbccgp - ok
15:10:25.0781 2260 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
15:10:25.0781 2260 usbehci - ok
15:10:25.0796 2260 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
15:10:25.0796 2260 usbhub - ok
15:10:25.0843 2260 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
15:10:25.0843 2260 usbprint - ok
15:10:25.0875 2260 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
15:10:25.0875 2260 usbscan - ok
15:10:25.0890 2260 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:10:25.0890 2260 USBSTOR - ok
15:10:25.0921 2260 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
15:10:25.0921 2260 usbvideo - ok
15:10:25.0937 2260 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
15:10:25.0937 2260 VgaSave - ok
15:10:25.0953 2260 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
15:10:25.0953 2260 viaagp - ok
15:10:25.0968 2260 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
15:10:25.0968 2260 ViaIde - ok
15:10:25.0984 2260 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
15:10:25.0984 2260 VolSnap - ok
15:10:26.0000 2260 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
15:10:26.0000 2260 Wanarp - ok
15:10:26.0062 2260 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
15:10:26.0062 2260 Wdf01000 - ok
15:10:26.0078 2260 WDICA - ok
15:10:26.0093 2260 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
15:10:26.0093 2260 wdmaud - ok
15:10:26.0156 2260 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
15:10:26.0156 2260 WmiAcpi - ok
15:10:26.0187 2260 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
15:10:26.0187 2260 WSTCODEC - ok
15:10:26.0203 2260 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
15:10:26.0203 2260 WudfPf - ok
15:10:26.0218 2260 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
15:10:26.0218 2260 WudfRd - ok
15:10:26.0250 2260 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
15:10:26.0281 2260 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
15:10:26.0281 2260 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
15:10:26.0312 2260 Boot (0x1200) (ccc50c77a14518c52895c54413140658) \Device\Harddisk0\DR0\Partition0
15:10:26.0312 2260 \Device\Harddisk0\DR0\Partition0 - ok
15:10:26.0312 2260 ============================================================
15:10:26.0312 2260 Scan finished
15:10:26.0312 2260 ============================================================
15:10:26.0328 3416 Detected object count: 1
15:10:26.0328 3416 Actual detected object count: 1
15:18:56.0921 3416 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
15:18:56.0921 3416 \Device\Harddisk0\DR0 - ok
15:18:56.0921 3416 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure 
05:18:47.0593 2576 Deinitialize success

*aswMBR Log*

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-12 06:22:00
-----------------------------
06:22:00.531 OS Version: Windows 5.1.2600 Service Pack 3
06:22:00.531 Number of processors: 4 586 0x2A07
06:22:00.531 ComputerName: 10R0MQ1 UserName: 
06:22:01.453 Initialize success
06:24:34.859 AVAST engine defs: 11111200
06:25:40.656 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
06:25:40.656 Disk 0 Vendor: WDC_WD2500BEKT-75PVMT0 01.01A01 Size: 238475MB BusType: 3
06:25:40.828 Disk 0 MBR read successfully
06:25:40.828 Disk 0 MBR scan
06:25:40.875 Disk 0 Windows 7 default MBR code
06:25:40.875 Disk 0 scanning sectors +488392065
06:25:40.968 Disk 0 scanning C:\WINDOWS\system32\drivers
06:25:54.437 Service scanning
06:25:55.687 Modules scanning
06:26:00.000 Disk 0 trace - called modules:
06:26:00.015 ntkrnlpa.exe CLASSPNP.SYS disk.sys stdcfltn.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS 
06:26:00.015 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a792ab8]
06:26:00.015 3 CLASSPNP.SYS[b9988fd7] -> nt!IofCallDriver -> [0x8a79fbb8]
06:26:00.015 5 stdcfltn.sys[b9ce9896] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a7e0d98]
06:26:00.718 AVAST engine scan C:\WINDOWS
06:26:01.500 File: C:\WINDOWS\AltirisAgentInstSvc.exe **INFECTED** Win32:Malware-gen
06:26:04.562 AVAST engine scan C:\WINDOWS\system32
06:28:10.000 AVAST engine scan C:\WINDOWS\system32\drivers
06:28:24.078 AVAST engine scan C:\Documents and Settings\dave
06:28:24.203 File: C:\Documents and Settings\dave\Application Data\623A1\0F6E8.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:24.343 File: C:\Documents and Settings\dave\Application Data\623A1\29A48.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:24.421 File: C:\Documents and Settings\dave\Application Data\623A1\2B798.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:24.484 File: C:\Documents and Settings\dave\Application Data\623A1\30909.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:24.593 File: C:\Documents and Settings\dave\Application Data\623A1\423E8.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:24.687 File: C:\Documents and Settings\dave\Application Data\623A1\53C98.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:24.781 File: C:\Documents and Settings\dave\Application Data\623A1\580D8.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:24.906 File: C:\Documents and Settings\dave\Application Data\623A1\5F088.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:25.000 File: C:\Documents and Settings\dave\Application Data\623A1\664C8.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:25.109 File: C:\Documents and Settings\dave\Application Data\623A1\8F508.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:25.250 File: C:\Documents and Settings\dave\Application Data\623A1\9C9C8.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:25.421 File: C:\Documents and Settings\dave\Application Data\623A1\A09A8.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:25.562 File: C:\Documents and Settings\dave\Application Data\623A1\A9698.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:25.687 File: C:\Documents and Settings\dave\Application Data\623A1\ACEA1.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:25.765 File: C:\Documents and Settings\dave\Application Data\623A1\AD008.exe **INFECTED** Win32:Cycbot-OH [Trj]
06:28:25.921 File: C:\Documents and Settings\dave\Application Data\623A1\B31C8.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:26.078 File: C:\Documents and Settings\dave\Application Data\623A1\C0388.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:26.171 File: C:\Documents and Settings\dave\Application Data\623A1\C7708.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:26.328 File: C:\Documents and Settings\dave\Application Data\623A1\CE4A8.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:26.468 File: C:\Documents and Settings\dave\Application Data\623A1\E2908.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:26.578 File: C:\Documents and Settings\dave\Application Data\623A1\E5108.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:26.671 File: C:\Documents and Settings\dave\Application Data\623A1\EA778.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:28:26.843 File: C:\Documents and Settings\dave\Application Data\623A1\F4D18.exe **INFECTED** Win32:Cycbot-OD [Trj]
06:29:08.578 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\dave\Desktop\MBR.dat"
06:29:08.593 The log file has been saved successfully to "C:\Documents and Settings\dave\Desktop\aswMBR.txt"


----------



## DFW (Jun 12, 2004)

*Hi dave07060033*

*I must warn you that one or more of the identified infections is a backdoor trojan.*

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Cycbot

http://www.eset.eu/encyclopaedia/win32-cycbot-af-trojan-scar-drqx-backdoor-gbot-origin?lng=en

This allows hackers to remotely control your computer, *steal critical system information* and *download and execute files*.

If you have done any banking or other financial transactions on the PC or if it should contain any other sensitive information, since you have been infected please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

*Please let us know what you have decided to do in your next post.*


----------



## dave07060033 (Nov 10, 2011)

For now I would like to remove it and I will probably do a reinstall of the OS later.


----------



## DFW (Jun 12, 2004)

*Hi dave07060033*

*Download and Run ComboFix (by sUBs)*

Download ComboFix from *here* to your Desktop.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


*You must download it to and run it from your Desktop.*
Now *STOP all your monitoring programs* (Antivirus/Antispyware, Guards and Shields), as they could easily interfere with ComboFix.


> For instructions on how to disable your security programs, please see this topic below
> How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs



Double click combofix.exe & follow the prompts.
ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, *we must have this pre-installed* on your machine before doing any malware removal.
It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
*Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.*
Click on Yes, to continue scanning for malware.
When finished, it will produce a log. *Please save that log to post in your next reply.*
*Re-enable all the programs that were disabled* during the running of ComboFix.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix *SHOULD NOT* be used unless requested by a forum helper.

*Run a ESET online scan*

You can use either Internet Explorer or Mozilla FireFox for this scan.


First please *Disable* any *Antivirus* you have active, as shown in *This topic*.
*Note: Don't forget to re-enable it after the scan.*
Next hold down Control then click on the following link to open a new window to the *ESET online scanner*.
Select the option *YES, I accept the Terms of Use* then click on *Start*.


> *Note:* If using Mozilla Firefox you will need to download *esetsmartinstaller_enu.exe* when prompted then double click on it to install.
> _All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox._



When prompted allow the *Add-On/Active X* to install.
Make sure that the option *Remove found threats* is *NOT* checked, and the option *Scan archives* is checked.
Now click on *Advanced Settings* and select the following:


*Scan for potentially unwanted applications*
*Scan for potentially unsafe applications*
*Enable Anti-Stealth Technology*

Now click on *Start*.
The *virus signature database...* will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
When completed the *Online Scan* will begin automatically.
*Do not* touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select *Uninstall application on close* if you so wish, *make sure you copy the logfile first!*
Now click on *Finish*.
Use notepad to open the logfile located at *C:\Program Files\ESET\EsetOnlineScanner\log.txt*.
Copy and paste that log as a reply to this topic.

*Please post back:*

Eset Online Scan Log
Combofix Log


----------
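The ComboFix log requested above ends with a "Supplementary Scan" section that records each browser's proxy configuration, and in this thread it shows both Internet Explorer and Firefox pointed at a proxy on 127.0.0.1 port 60283, which is how the hijacker sits between the browser and the network and rewrites search results. The following is an added example, not code from this thread, from ComboFix, or from the tools' authors: a small Python checker that reads those Supplementary Scan lines and flags any proxy setting whose host is a loopback address. The sample log inside it is constructed, modelled on the lines in the ComboFix log posted later in this thread; the line formats it matches (`uInternet Settings,ProxyServer = ...` and `FF - prefs.js: network.proxy.* - ...`) are taken from that log, and it assumes ComboFix keeps that layout for other scans.

```python
"""Flag browser proxy settings that route traffic through the local machine,
as recorded in the 'Supplementary Scan' section of a ComboFix-style log.
A proxy on 127.0.0.1 that the user never configured is the classic sign of a
local-proxy browser hijacker.  Added example; not ComboFix's own code."""
import ipaddress
import re

# Constructed sample, modelled on the Supplementary Scan lines in this thread.
SAMPLE_LOG = """\
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/login.asp
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:60283
TCP: DhcpNameServer = 192.168.1.254
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60283
FF - prefs.js: network.proxy.type - 1
.
"""

# ComboFix prefixes per-user settings with 'u' and per-machine ones with 'm'
# (assumption based on the 'u' lines seen in this thread's log).
IE_PROXY_RE = re.compile(r"^[um]?Internet Settings,ProxyServer\s*=\s*(.+?)\s*$", re.IGNORECASE)
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\S+) - (.+?)\s*$")


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 (with or without brackets) and 'localhost'."""
    host = host.strip().strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def parse_ie_proxy(value):
    """Parse a WinINet ProxyServer string into {scheme: (host, port)}.
    Accepts 'http=127.0.0.1:60283;https=...' as well as a bare 'host:port',
    which WinINet applies to every protocol (recorded here as 'all')."""
    proxies = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, sep, hostport = entry.partition("=")
        if not sep:
            scheme, hostport = "all", scheme
        host, _, port = hostport.rpartition(":")
        if not host:  # no port given at all
            host, port = hostport, ""
        proxies[scheme.lower()] = (host, port)
    return proxies


def find_loopback_proxies(log_text):
    """Return (browser, scheme, host, port) for every proxy setting in the log
    that sends browser traffic through the local machine."""
    findings = []
    ff_prefs = {}
    for line in log_text.splitlines():
        m = IE_PROXY_RE.match(line)
        if m:
            for scheme, (host, port) in parse_ie_proxy(m.group(1)).items():
                if is_loopback(host):
                    findings.append(("IE", scheme, host, port))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff_prefs[m.group(1)] = m.group(2)
    # Firefox only honours the per-scheme host prefs when
    # network.proxy.type is 1 (manual proxy configuration).
    if ff_prefs.get("network.proxy.type") == "1":
        for scheme in ("http", "ssl", "ftp", "socks"):
            host = ff_prefs.get(f"network.proxy.{scheme}")
            if host and is_loopback(host):
                port = ff_prefs.get(f"network.proxy.{scheme}_port", "")
                findings.append(("Firefox", scheme, host, port))
    return findings


if __name__ == "__main__":
    for browser, scheme, host, port in find_loopback_proxies(SAMPLE_LOG):
        print(f"{browser}: {scheme} traffic is being proxied through {host}:{port}")
```

On the sample above the checker reports both browsers proxied through 127.0.0.1:60283. A corporate proxy such as proxy.corp.example:8080 is not flagged, and a Firefox profile that still carries a loopback host but has network.proxy.type set to 0 (no proxy) is not flagged either, since that host is inert. After cleanup, the same check run over a fresh ComboFix log should return nothing; if the loopback entries come back, whatever is rewriting them has survived.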



## dave07060033 (Nov 10, 2011)

*ComboFix Log File*

ComboFix 11-11-12.02 - dave 11/12/2011 8:08.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3241.2391 [GMT -5:00]
Running from: c:\documents and settings\dave\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\LP
c:\program files\LP\0806\11.tmp
c:\program files\LP\0806\16.tmp
c:\program files\LP\0806\1C.tmp
c:\program files\LP\0806\3.tmp
c:\program files\LP\0806\3D0.exe
c:\program files\LP\0806\4.tmp
c:\program files\LP\0806\5.tmp
c:\program files\LP\B8A6\4.tmp
c:\program files\LP\B8A6\5.exe
c:\program files\LP\B8A6\5.tmp
c:\program files\LP\B8A6\81C.exe
c:\windows\AeXNSC.exe
c:\windows\system32\instsrv.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-12 to 2011-11-12 )))))))))))))))))))))))))))))))
.
.
2011-11-12 11:14 . 2011-11-12 11:14 -------- d-----w- C:\_OTL
2011-11-09 12:24 . 2011-11-12 11:20 -------- d-----w- c:\program files\A1E73
2011-11-07 23:43 . 2011-11-07 23:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-11-07 23:38 . 2011-11-07 23:38 -------- d--h--w- c:\windows\PIF
2011-11-07 22:55 . 2011-11-11 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-11-06 17:19 . 2011-11-12 11:20 -------- d-----w- c:\documents and settings\dave\Application Data\623A1
2011-10-22 12:49 . 2011-10-22 12:50 -------- d-----w- c:\documents and settings\dave\Local Settings\Application Data\ApplicationHistory
2011-10-16 23:55 . 2011-10-16 23:55 18139008 ----a-w- c:\program files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
2011-10-13 23:14 . 2011-10-16 12:25 -------- d-----w- c:\documents and settings\dave\Application Data\Apple Computer
2011-10-13 23:14 . 2011-10-13 23:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-10-13 23:14 . 2011-10-13 23:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-10-13 23:14 . 2011-10-13 23:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-10-13 23:14 . 2011-10-13 23:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2011-10-13 23:14 . 2011-10-13 23:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2011-10-13 23:14 . 2011-10-13 23:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2011-10-13 23:14 . 2011-10-13 23:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2011-10-13 23:13 . 2011-10-13 23:14 -------- d-----w- c:\program files\QuickTime
2011-10-13 23:13 . 2011-10-13 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2011-10-13 23:13 . 2011-10-13 23:13 --------  d-----w- c:\program files\Common Files\Apple
2011-10-13 23:13 . 2011-10-13 23:13 -------- d-----w- c:\documents and settings\dave\Local Settings\Application Data\Apple
2011-10-13 23:13 . 2011-10-13 23:13 -------- d-----w- c:\program files\Apple Software Update
2011-10-13 23:13 . 2011-10-13 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2011-10-13 23:13 . 2011-10-13 23:13 -------- d-----w- c:\documents and settings\dave\Local Settings\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-22 12:43 . 2011-08-24 23:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2011-04-26 17:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-08 12:05 . 2010-10-25 20:13 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-09-28 07:06 . 2011-04-26 19:51 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2011-04-26 19:51 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2009-10-08 19:57 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2011-04-26 19:51 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2011-04-26 19:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 23:31 . 2011-08-31 23:31 74703 ----a-w- c:\windows\system32\mfc45.dll
2011-08-22 23:48 . 2011-04-26 19:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2011-04-26 19:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2011-04-26 19:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2011-04-26 19:51 385024 ----a-w- c:\windows\system32\html.iec
2011-08-19 09:26 . 2011-08-19 09:26 545056 ----a-w- c:\windows\system32\LVUI2.dll
2011-08-19 09:26 . 2011-08-19 09:26 540960 ----a-w- c:\windows\system32\LVUI2RC.dll
2011-08-19 09:26 . 2011-08-19 09:26 4334624 ----a-w- c:\windows\system32\drivers\lvuvc.sys
2011-08-19 09:26 . 2011-08-19 09:26 315808 ----a-w- c:\windows\system32\drivers\lvrs.sys
2011-08-19 09:26 . 2011-08-19 09:26 307488 ----a-w- c:\windows\system32\lvcodec2.dll
2011-08-19 09:26 . 2011-08-19 09:26 196896 ----a-w- c:\windows\system32\lvci13301394.dll
2011-08-19 09:26 . 2011-08-19 09:26 336408 ----a-w- c:\windows\system32\DevManagerCore.dll
2011-08-19 09:26 . 2011-08-19 09:26 10898456 ----a-w- c:\windows\system32\LogiDPP.dll
2011-08-19 09:26 . 2011-08-19 09:26 104472 ----a-w- c:\windows\system32\LogiDPPApp.exe
2011-08-17 13:49 . 2011-04-26 19:51 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-08 01:09 . 2011-08-24 22:21 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 14:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Autodesk Content Service"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLANKEEPER"=2 (0x2)
"UNS"=2 (0x2)
"STacSV"=2 (0x2)
"osppsvc"=3 (0x3)
"ose"=3 (0x3)
"O2SDIOAssist"=2 (0x2)
"o2flash"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LMS"=2 (0x2)
"LiveUpdate"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"ioloSystemService"=2 (0x2)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"EvtEng"=2 (0x2)
"Altiris Agent Installation Service"=2 (0x2)
"UMVPFSrv"=2 (0x2)
"SDUpdateService"=2 (0x2)
"SDHookService"=2 (0x2)
"SDScannerService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*isabled:Windows Remote Management 
.
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [4/27/2011 3:16 AM 17648]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [4/27/2011 3:16 AM 43888]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [4/27/2011 3:13 AM 113664]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/8/2011 4:00 AM 106104]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [4/27/2011 3:17 AM 260864]
R3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECI.sys [4/27/2011 5:22 AM 41088]
R3 NETwNx32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [4/27/2011 3:22 AM 7391744]
R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\o2mdrxp.sys [4/27/2011 10:51 AM 61728]
R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjxp.sys [4/27/2011 10:51 AM 63976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 cpudrv;cpudrv;\??\c:\program files\SystemRequirementsLab\cpudrv.sys --> c:\program files\SystemRequirementsLab\cpudrv.sys [?]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;c:\progra~1\MSI\MSIWDev\msibios32_100507.sys [5/10/2010 10:44 AM 25912]
S3 NTIOLib_1_0_8;NTIOLib_1_0_8;c:\progra~1\MSI\MSIWDev\NTIOLib.sys [1/27/2011 2:43 PM 7680]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/26/2011 2:51 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 Altiris Agent Installation Service;Altiris Agent Installation Service;c:\windows\AltirisAgentInstSvc.exe [8/24/2011 4:06 PM 539944]
S4 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2/2/2011 1:08 PM 18656]
S4 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [8/31/2011 6:34 PM 722616]
S4 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [4/27/2011 10:51 AM 8192]
S4 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S4 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [4/27/2011 5:22 AM 2656280]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-504249514-2004877394-1847928074-225766.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]
.
2011-11-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-504249514-2004877394-1847928074-225766.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/login.asp
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:60283
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\dave\Application Data\Mozilla\Firefox\Profiles\jy1o5e9x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60283
FF - prefs.js: network.proxy.type - 1
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-3D0.exe - c:\program files\LP\0806\3D0.exe
SafeBoot-Symantec Antvirus
MSConfigStartUp-81C - c:\program files\LP\B8A6\81C.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-12 08:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\netprovcredman.dll
.
Completion time: 2011-11-12 08:12:33
ComboFix-quarantined-files.txt 2011-11-12 13:12
.
Pre-Run: 221,113,413,632 bytes free
Post-Run: 221,159,944,192 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - F5136620021613E46791AEF02B6DED53

*ESET Log File*

C:\Documents and Settings\dave\Application Data\623A1\0F6E8.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\29A48.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\2B798.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\30909.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\423E8.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\53C98.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\580D8.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\5F088.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\664C8.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\8F508.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\9C9C8.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\A09A8.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\A9698.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\ACEA1.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\AD008.exe a variant of Win32/Kryptik.ABW trojan
C:\Documents and Settings\dave\Application Data\623A1\B31C8.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\C0388.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\C7708.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\CE4A8.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\E2908.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\E5108.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\EA778.exe Win32/Cycbot.AF trojan
C:\Documents and Settings\dave\Application Data\623A1\F4D18.exe Win32/Cycbot.AF trojan
C:\Program Files\A1E73\lvvm.exe a variant of Win32/Kryptik.ABW trojan
C:\Qoobox\Quarantine\C\Program Files\LP\B8A6\5.exe.vir a variant of Win32/Kryptik.ABW trojan
C:\System Volume Information\_restore{75798BF8-5303-4F8D-A03A-831C2FD2E049}\RP69\A0019132.exe Win32/Cycbot.AF trojan
C:\System Volume Information\_restore{75798BF8-5303-4F8D-A03A-831C2FD2E049}\RP70\A0019162.exe a variant of Win32/Kryptik.ABW trojan


----------



## DFW (Jun 12, 2004)

*Check - Reset Proxy settings*

*Internet Explorer Proxy settings*:
Open *Internet Explorer* > click *Tools* > *Internet Options* > *Connections* tab.
Click the *LAN Settings...* button and *uncheck* *Use a proxy server for your LAN*
or change the settings to the proxy you normally use if you previously reconfigured it.
Remove any *unknown addresses* from the Address box. *80 is the default Port*, so it does not have to be changed.
Click *OK*... then click *OK* again.
*Close* Internet Explorer and -restart- the computer.
Information with screenshots can be found in steps 3-7 under the section Automated Removal Instructions... in this guide.

*Firefox Proxy settings*:
Open *Firefox*, click *Tools* > *Options* > *Advanced* and click the *Network* Tab.
Under the Connection section click on the *Settings...* button.
Under *Configure Proxies to Access the Internet*, *check* *No proxy*. This is the default option if you don't use a proxy.
Click *OK*... then click *OK* again.
Close Firefox and Restart the computer.

*Run Combofix Script*
Stop all your monitoring programs this time (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.


> For instructions on how to disable your security programs, please see this topic below
> How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs



 Now please open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:


```
Folder::
c:\documents and settings\dave\Application Data\623A1
C:\Program Files\A1E73
c:\documents and settings\dave\Local Settings\Application Data\ApplicationHistory

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Autodesk Content Service"=-
"WMPNetworkSvc"=-
"WLANKEEPER"=-
"UNS"=-
"STacSV"=-
"osppsvc"=-
"ose"=-
"O2SDIOAssist"=-
"o2flash"=-
"LVPrcSrv"=-
"LMS"=-
"LiveUpdate"=-
"JavaQuickStarterService"=-
"ioloSystemService"=-
"idsvc"=-
"FLEXnet Licensing Service"=-
"EvtEng"=-
"Altiris Agent Installation Service"=-
"UMVPFSrv"=-
"SDUpdateService"=-
"SDHookService"=-
"SDScannerService"=-
```

 Save this as *CFScript.txt* and change the "*Save as type*" to "*All Files*" and place it on your desktop.

[screenshot not reproduced: CFScript.txt being dragged onto ComboFix.exe]

 Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe.*
 ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
 When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

*CAUTION*: *Do not mouse-click ComboFix's window while it is running. That may cause it to stall*.

*Download and Run MalwareBytes' Anti-Malware.* It is free for home use.
Please go here to the *Download Location*, click on *Download* in the *Free* column.
When the next page comes up, click on the *Download Now* button.

After clicking on the download and choosing *Save*, the "Save to location" dialog will come up.
Click the *browse folders* button, then click on Desktop on the left as the location for the installer and click *Save* again. Close the dialog when the download is complete.
You should now have a desktop icon named *mbam-setup.exe*. (If the download was saved somewhere else, locate it and copy or move it to your desktop).
Double Click the download to run the installer.
Let it install where it wants to, with the default settings, and click *Finish*.
If an update is found, it will download and install the latest version. A shield symbol will show on the desktop icon while it is updating, and will disappear when it's done.
If necessary, start Malwarebytes Anti-Malware again.
(You can Decline any Offer for a Trial if you don't want the paid version)
Once the program has started up, select *Perform Quick Scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
If it found any malware items, *check* all items except items in the C:\System Volume Information folder... and click *Remove Selected*.
When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
The log can also be found using the "Logs" tab in the program. You can click any "Scan" log listed to open its contents. The logs are listed and named by time/date stamp.

*Please post back*

A good description of how things are now with your system after running the above.

MalwareBytes Log
Combofix Log


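The proxy reset above undoes the hijack visible in the logs: both IE (the `uInternet Settings,ProxyServer = http=127.0.0.1:60283` line, i.e. the HKCU Internet Settings ProxyServer value) and Firefox (`network.proxy.http`, `network.proxy.http_port`, `network.proxy.type` in prefs.js) were pointed at a proxy on the machine's own loopback interface, which is where the trojan listened and rewrote search results. As an added check (example code written for this thread, not part of the original post and not from ComboFix, Malwarebytes or ESET), the Python below parses a prefs.js fragment and an IE ProxyServer string and flags any proxy that points at the local host. The sample inputs are constructed to match the logged values, and the function names are the example's own. It also shows why a leftover `network.proxy.http` entry is harmless once "No proxy" is selected: per Firefox's preference semantics, the manual proxy host is only honoured when `network.proxy.type` is 1.

```python
"""Flag browser proxy settings that point at a loopback proxy.

Added example for this thread; not code from the original post or from any
tool it mentions. Sample inputs are constructed, modelled on the values in
the posted ComboFix logs (127.0.0.1:60283). Function names are this example's own.
"""
import re

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Firefox network.proxy.type semantics: 0 = no proxy, 1 = manual,
# 2 = PAC URL, 4 = auto-detect, 5 = use system (IE) settings.
FF_PROXY_MANUAL = 1

_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs_js(text):
    """Parse user_pref(...) lines from a Firefox prefs.js into a dict.

    Quoted values become str, true/false become bool, digits become int."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
        else:
            prefs[name] = raw
    return prefs


def parse_ie_proxy_server(value):
    """Split a WinINET ProxyServer string into {scheme: (host, port)}.

    Accepts "host:port" (one proxy for everything, keyed "*") and the
    per-protocol form "http=host:port;https=host:port". IPv6 literals in
    brackets are not handled; the thread's values are IPv4."""
    proxies = {}
    for part in (value or "").split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, None
        else:
            port = int(port) if port.isdigit() else None
        proxies[scheme or "*"] = (host, port)
    return proxies


def loopback_proxy_findings(ie_proxy_server, ie_proxy_enable, prefs):
    """Return findings for proxies that point at the local host.

    A loopback proxy on a high port, with no proxy software installed, is the
    pattern in the thread. Firefox only honours network.proxy.http when
    network.proxy.type == 1, so a leftover host with another type is reported
    as residue rather than as an active hijack."""
    findings = []
    if ie_proxy_enable:
        for scheme, (host, port) in parse_ie_proxy_server(ie_proxy_server).items():
            if host in LOOPBACK_HOSTS:
                findings.append(f"IE: {scheme} proxy active on loopback {host}:{port}")
    ff_host = prefs.get("network.proxy.http")
    ff_port = prefs.get("network.proxy.http_port")
    ff_type = prefs.get("network.proxy.type")
    if ff_host in LOOPBACK_HOSTS:
        if ff_type == FF_PROXY_MANUAL:
            findings.append(f"Firefox: manual proxy active on loopback {ff_host}:{ff_port}")
        else:
            findings.append(f"Firefox: loopback proxy {ff_host}:{ff_port} configured but "
                            f"inactive (network.proxy.type={ff_type})")
    return findings


# Constructed prefs.js fragment, modelled on the Firefox lines in the first log.
SAMPLE_PREFS_HIJACKED = '''
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 60283);
user_pref("network.proxy.type", 1);
'''
# Same profile after "No proxy" was chosen (type 0, host left behind, as in the second log).
SAMPLE_PREFS_RESET = SAMPLE_PREFS_HIJACKED.replace('"network.proxy.type", 1', '"network.proxy.type", 0')
# Constructed IE value, modelled on "uInternet Settings,ProxyServer = http=127.0.0.1:60283".
SAMPLE_IE_PROXY = "http=127.0.0.1:60283"


def run_demo():
    """Findings before the reset (IE enabled, Firefox manual) and after it."""
    before = loopback_proxy_findings(SAMPLE_IE_PROXY, True, parse_prefs_js(SAMPLE_PREFS_HIJACKED))
    after = loopback_proxy_findings("", False, parse_prefs_js(SAMPLE_PREFS_RESET))
    return before, after


if __name__ == "__main__":
    for label, findings in zip(("before reset", "after reset"), run_demo()):
        print(label + ":")
        for f in findings or ["no loopback proxy"]:
            print("  " + f)
```

On a live machine the IE inputs come from `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` (the `ProxyServer` string and the `ProxyEnable` DWORD) and the Firefox input from the profile's prefs.js; a loopback proxy that survives a reboot, as here, means the thing writing it is still running and must be removed before the setting will stay fixed.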

----------



## dave07060033 (Nov 10, 2011)

*MalwareBytes Log*

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8148

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/12/2011 3:56:03 PM
mbam-log-2011-11-12 (15-56-03).txt

Scan type: Quick scan
Objects scanned: 201102
Time elapsed: 1 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*ComboFix Log*

ComboFix 11-11-12.04 - dave 11/12/2011 15:41:33.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3241.2672 [GMT -5:00]
Running from: c:\documents and settings\dave\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\dave\Desktop\cfscript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\A1E73
c:\program files\A1E73\lvvm.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-12 to 2011-11-12 )))))))))))))))))))))))))))))))
.
.
2011-11-12 11:14 . 2011-11-12 11:14 -------- d-----w- C:\_OTL
2011-11-07 23:43 . 2011-11-07 23:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-11-07 23:38 . 2011-11-07 23:38 -------- d--h--w- c:\windows\PIF
2011-11-07 22:55 . 2011-11-11 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-11-06 17:19 . 2011-11-12 11:20 -------- d-----w- c:\documents and settings\dave\Application Data\623A1
2011-10-22 12:49 . 2011-10-22 12:50 -------- d-----w- c:\documents and settings\dave\Local Settings\Application Data\ApplicationHistory
2011-10-16 23:55 . 2011-10-16 23:55 18139008 ----a-w- c:\program files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
2011-10-13 23:14 . 2011-10-16 12:25 -------- d-----w- c:\documents and settings\dave\Application Data\Apple Computer
2011-10-13 23:14 . 2011-10-13 23:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-10-13 23:14 . 2011-10-13 23:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-10-13 23:14 . 2011-10-13 23:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-10-13 23:14 . 2011-10-13 23:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2011-10-13 23:14 . 2011-10-13 23:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2011-10-13 23:14 . 2011-10-13 23:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2011-10-13 23:14 . 2011-10-13 23:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2011-10-13 23:13 . 2011-10-13 23:14 -------- d-----w- c:\program files\QuickTime
2011-10-13 23:13 . 2011-10-13 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2011-10-13 23:13 . 2011-10-13 23:13 -------- d-----w- c:\program files\Common Files\Apple
2011-10-13 23:13 . 2011-10-13 23:13 -------- d-----w- c:\documents and settings\dave\Local Settings\Application Data\Apple
2011-10-13 23:13 . 2011-10-13 23:13 -------- d-----w- c:\program files\Apple Software Update
2011-10-13 23:13 . 2011-10-13 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2011-10-13 23:13 . 2011-10-13 23:13 -------- d-----w- c:\documents and settings\dave\Local Settings\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-22 12:43 . 2011-08-24 23:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2011-04-26 17:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-08 12:05 . 2010-10-25 20:13 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-09-28 07:06 . 2011-04-26 19:51 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2011-04-26 19:51 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2009-10-08 19:57 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2011-04-26 19:51 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2011-04-26 19:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 23:31 . 2011-08-31 23:31 74703 ----a-w- c:\windows\system32\mfc45.dll
2011-08-22 23:48 . 2011-04-26 19:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2011-04-26 19:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2011-04-26 19:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2011-04-26 19:51 385024 ----a-w- c:\windows\system32\html.iec
2011-08-19 09:26 . 2011-08-19 09:26 545056 ----a-w- c:\windows\system32\LVUI2.dll
2011-08-19 09:26 . 2011-08-19 09:26 540960 ----a-w- c:\windows\system32\LVUI2RC.dll
2011-08-19 09:26 . 2011-08-19 09:26 4334624 ----a-w- c:\windows\system32\drivers\lvuvc.sys
2011-08-19 09:26 . 2011-08-19 09:26 315808 ----a-w- c:\windows\system32\drivers\lvrs.sys
2011-08-19 09:26 . 2011-08-19 09:26 307488 ----a-w- c:\windows\system32\lvcodec2.dll
2011-08-19 09:26 . 2011-08-19 09:26 196896 ----a-w- c:\windows\system32\lvci13301394.dll
2011-08-19 09:26 . 2011-08-19 09:26 336408 ----a-w- c:\windows\system32\DevManagerCore.dll
2011-08-19 09:26 . 2011-08-19 09:26 10898456 ----a-w- c:\windows\system32\LogiDPP.dll
2011-08-19 09:26 . 2011-08-19 09:26 104472 ----a-w- c:\windows\system32\LogiDPPApp.exe
2011-08-17 13:49 . 2011-04-26 19:51 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-08 01:09 . 2011-08-24 22:21 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( [email protected]_13.11.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-26 19:51 . 2011-11-12 20:39 90186 c:\windows\system32\perfc009.dat
- 2011-04-26 19:51 . 2011-11-12 11:19 90186 c:\windows\system32\perfc009.dat
+ 2011-04-26 19:51 . 2011-11-12 20:39 507176 c:\windows\system32\perfh009.dat
- 2011-04-26 19:51 . 2011-11-12 11:19 507176 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 14:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*isabled:Windows Remote Management 
.
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [4/27/2011 3:16 AM 17648]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [4/27/2011 3:16 AM 43888]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [4/27/2011 3:13 AM 113664]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/8/2011 4:00 AM 106104]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [4/27/2011 3:17 AM 260864]
R3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECI.sys [4/27/2011 5:22 AM 41088]
R3 NETwNx32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [4/27/2011 3:22 AM 7391744]
R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\o2mdrxp.sys [4/27/2011 10:51 AM 61728]
R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjxp.sys [4/27/2011 10:51 AM 63976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 cpudrv;cpudrv;\??\c:\program files\SystemRequirementsLab\cpudrv.sys --> c:\program files\SystemRequirementsLab\cpudrv.sys [?]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;c:\progra~1\MSI\MSIWDev\msibios32_100507.sys [5/10/2010 10:44 AM 25912]
S3 NTIOLib_1_0_8;NTIOLib_1_0_8;c:\progra~1\MSI\MSIWDev\NTIOLib.sys [1/27/2011 2:43 PM 7680]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/26/2011 2:51 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 Altiris Agent Installation Service;Altiris Agent Installation Service;c:\windows\AltirisAgentInstSvc.exe [8/24/2011 4:06 PM 539944]
S4 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2/2/2011 1:08 PM 18656]
S4 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [8/31/2011 6:34 PM 722616]
S4 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [4/27/2011 10:51 AM 8192]
S4 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S4 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [4/27/2011 5:22 AM 2656280]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-504249514-2004877394-1847928074-225766.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]
.
2011-11-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-504249514-2004877394-1847928074-225766.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/login.asp
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:60283
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\dave\Application Data\Mozilla\Firefox\Profiles\jy1o5e9x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60283
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-12 15:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\netprovcredman.dll
.
Completion time: 2011-11-12 15:48:17
ComboFix-quarantined-files.txt 2011-11-12 20:48
ComboFix2.txt 2011-11-12 13:12
.
Pre-Run: 221,097,369,600 bytes free
Post-Run: 221,082,161,152 bytes free
.
- - End Of File - - D35DCB1C86CDC8A2D394DE2A1D21EC17


----------



## DFW (Jun 12, 2004)

*Hi again*

*Did you reset the proxy server settings on both IE and Firefox as asked in my last post?*

*When you have finished this fix, please post a good description of how things are now with your system.*

*Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.*

Please follow these steps to remove older version Java components and update.

*Updating Java:*
Download the latest version of Java Runtime Environment (JRE) .
http://www.oracle.com/technetwork/java/javase/downloads/jre-7u1-download-513652.html
Scroll down to where it says "The J2SE Runtime Environment JRE 7 Update 1 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
*Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.*
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

*Run Combofix Script*
Stop all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.


> For instructions on how to disable your security programs, please see this topic below
> How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs



 Now please open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:


```
Folder::
c:\documents and settings\dave\Application Data\623A1
c:\documents and settings\dave\Local Settings\Application Data\ApplicationHistory
```

 Save this as *CFScript.txt* and change the "*Save as type*" to "*All Files*" and place it on your desktop.

[screenshot not reproduced: CFScript.txt being dragged onto ComboFix.exe]

 Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe.*
 ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
 When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

*CAUTION*: *Do not mouse-click ComboFix's window while it is running. That may cause it to stall*.

*Please post back*

Combofix Log
Proxy server information
Description of how things are now with your system.


----------



## dave07060033 (Nov 10, 2011)

I did reset the proxy server settings and that seems to be working; I'm not getting any more strange messages about proxy servers or having any redirects like I was before.


----------



## DFW (Jun 12, 2004)

That's great, we have just a little more to do.

Go to the java link
http://www.oracle.com/technetwork/java/javase/downloads/jre-7u1-download-513652.html

Tick Accept License Agreement and download the one below:

*Windows x86 Offline	19.26 MB jre-7u1-windows-i586.exe*


----------



## dave07060033 (Nov 10, 2011)

_The machine seems to be running better, I did the steps you outlined for changing the proxy server info. I haven't had any more redirects since then. Here's the combo fix log:_

ComboFix 11-11-13.01 - dave 11/13/2011 8:09.3.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3241.2419 [GMT -5:00]
Running from: c:\documents and settings\dave\Desktop\AV\ComboFix.exe
Command switches used :: c:\documents and settings\dave\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\dave\Application Data\623A1
c:\documents and settings\dave\Application Data\623A1\0F6E8.exe
c:\documents and settings\dave\Application Data\623A1\1E73.23A
c:\documents and settings\dave\Application Data\623A1\29A48.exe
c:\documents and settings\dave\Application Data\623A1\2B798.exe
c:\documents and settings\dave\Application Data\623A1\30909.exe
c:\documents and settings\dave\Application Data\623A1\423E8.exe
c:\documents and settings\dave\Application Data\623A1\53C98.exe
c:\documents and settings\dave\Application Data\623A1\580D8.exe
c:\documents and settings\dave\Application Data\623A1\5F088.exe
c:\documents and settings\dave\Application Data\623A1\664C8.exe
c:\documents and settings\dave\Application Data\623A1\8F508.exe
c:\documents and settings\dave\Application Data\623A1\9C9C8.exe
c:\documents and settings\dave\Application Data\623A1\A09A8.exe
c:\documents and settings\dave\Application Data\623A1\A9698.exe
c:\documents and settings\dave\Application Data\623A1\ACEA1.exe
c:\documents and settings\dave\Application Data\623A1\AD008.exe
c:\documents and settings\dave\Application Data\623A1\B31C8.exe
c:\documents and settings\dave\Application Data\623A1\C0388.exe
c:\documents and settings\dave\Application Data\623A1\C7708.exe
c:\documents and settings\dave\Application Data\623A1\CE4A8.exe
c:\documents and settings\dave\Application Data\623A1\E2908.exe
c:\documents and settings\dave\Application Data\623A1\E5108.exe
c:\documents and settings\dave\Application Data\623A1\EA778.exe
c:\documents and settings\dave\Application Data\623A1\F4D18.exe
c:\documents and settings\dave\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\dave\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-10-13 to 2011-11-13 )))))))))))))))))))))))))))))))
.
.
2011-11-13 13:06 . 2011-11-13 13:06 -------- d-----w- c:\program files\Common Files\Java
2011-11-13 13:06 . 2011-11-13 13:06 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-12 20:51 . 2011-11-12 20:51 -------- d-----w- c:\documents and settings\dave\Application Data\Malwarebytes
2011-11-12 20:51 . 2011-11-12 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-12 20:51 . 2011-11-12 20:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-12 20:51 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-12 11:14 . 2011-11-12 11:14 -------- d-----w- C:\_OTL
2011-11-07 23:43 . 2011-11-07 23:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-11-07 23:38 . 2011-11-07 23:38 -------- d--h--w- c:\windows\PIF
2011-11-07 22:55 . 2011-11-11 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-10-16 23:55 . 2011-10-16 23:55 18139008 ----a-w- c:\program files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-13 13:06 . 2011-04-26 17:14 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-22 12:43 . 2011-08-24 23:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2011-04-26 17:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-08 12:05 . 2010-10-25 20:13 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-09-28 07:06 . 2011-04-26 19:51 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2011-04-26 19:51 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2009-10-08 19:57 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2011-04-26 19:51 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2011-04-26 19:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 23:31 . 2011-08-31 23:31 74703 ----a-w- c:\windows\system32\mfc45.dll
2011-08-22 23:48 . 2011-04-26 19:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2011-04-26 19:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2011-04-26 19:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2011-04-26 19:51 385024 ----a-w- c:\windows\system32\html.iec
2011-08-19 09:26 . 2011-08-19 09:26 545056 ----a-w- c:\windows\system32\LVUI2.dll
2011-08-19 09:26 . 2011-08-19 09:26 540960 ----a-w- c:\windows\system32\LVUI2RC.dll
2011-08-19 09:26 . 2011-08-19 09:26 4334624 ----a-w- c:\windows\system32\drivers\lvuvc.sys
2011-08-19 09:26 . 2011-08-19 09:26 315808 ----a-w- c:\windows\system32\drivers\lvrs.sys
2011-08-19 09:26 . 2011-08-19 09:26 307488 ----a-w- c:\windows\system32\lvcodec2.dll
2011-08-19 09:26 . 2011-08-19 09:26 196896 ----a-w- c:\windows\system32\lvci13301394.dll
2011-08-19 09:26 . 2011-08-19 09:26 336408 ----a-w- c:\windows\system32\DevManagerCore.dll
2011-08-19 09:26 . 2011-08-19 09:26 10898456 ----a-w- c:\windows\system32\LogiDPP.dll
2011-08-19 09:26 . 2011-08-19 09:26 104472 ----a-w- c:\windows\system32\LogiDPPApp.exe
2011-08-17 13:49 . 2011-04-26 19:51 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-08 01:09 . 2011-08-24 22:21 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( [email protected]_13.11.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-13 13:06 . 2011-11-13 13:06 16384 c:\windows\temp\Perflib_Perfdata_ae4.dat
+ 2011-04-26 19:51 . 2011-11-13 13:09 90186 c:\windows\system32\perfc009.dat
- 2011-04-26 19:51 . 2011-11-12 11:19 90186 c:\windows\system32\perfc009.dat
+ 2011-04-27 17:47 . 2011-11-13 00:25 34144 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\oisicon.exe
- 2011-04-27 17:47 . 2011-11-12 10:27 34144 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\oisicon.exe
+ 2011-04-27 17:47 . 2011-11-13 00:25 42848 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\msouc.exe
- 2011-04-27 17:47 . 2011-11-12 10:27 42848 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\msouc.exe
- 2011-04-27 17:47 . 2011-11-12 10:27 19296 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\cagicon.exe
+ 2011-04-27 17:47 . 2011-11-13 00:25 19296 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\cagicon.exe
- 2011-04-26 19:51 . 2011-11-12 11:19 507176 c:\windows\system32\perfh009.dat
+ 2011-04-26 19:51 . 2011-11-13 13:09 507176 c:\windows\system32\perfh009.dat
+ 2011-11-13 13:06 . 2011-11-13 13:06 214408 c:\windows\system32\javaws.exe
+ 2011-11-13 13:06 . 2011-11-13 13:06 173960 c:\windows\system32\javaw.exe
+ 2011-11-13 13:06 . 2011-11-13 13:06 173960 c:\windows\system32\java.exe
+ 2011-11-13 13:06 . 2011-11-13 13:06 176640 c:\windows\Installer\1862b.msi
+ 2011-11-13 13:06 . 2011-11-13 13:06 938496 c:\windows\Installer\18626.msi
- 2011-04-27 17:47 . 2011-11-12 10:27 415584 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\pubs.exe
+ 2011-04-27 17:47 . 2011-11-13 00:25 415584 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\pubs.exe
+ 2011-04-27 17:47 . 2011-11-13 00:25 303456 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\outicon.exe
- 2011-04-27 17:47 . 2011-11-12 10:27 303456 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\outicon.exe
+ 2011-04-27 17:47 . 2011-11-13 00:25 571232 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\misc.exe
- 2011-04-27 17:47 . 2011-11-12 10:27 571232 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\misc.exe
- 2011-04-27 17:47 . 2011-11-12 10:27 326496 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\joticon.exe
+ 2011-04-27 17:47 . 2011-11-13 00:25 326496 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\joticon.exe
+ 2011-04-27 17:47 . 2011-11-13 00:25 1479520 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\xlicons.exe
- 2011-04-27 17:47 . 2011-11-12 10:27 1479520 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\xlicons.exe
- 2011-04-27 17:47 . 2011-11-12 10:27 1858400 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\wordicon.exe
+ 2011-04-27 17:47 . 2011-11-13 00:25 1858400 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\wordicon.exe
+ 2011-04-27 17:47 . 2011-11-13 00:25 3792736 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\pptico.exe
- 2011-04-27 17:47 . 2011-11-12 10:27 3792736 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\pptico.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 14:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*isabled:Windows Remote Management 
.
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [4/27/2011 3:16 AM 17648]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [4/27/2011 3:16 AM 43888]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [4/27/2011 3:13 AM 113664]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/8/2011 4:00 AM 106104]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [4/27/2011 3:17 AM 260864]
R3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECI.sys [4/27/2011 5:22 AM 41088]
R3 NETwNx32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [4/27/2011 3:22 AM 7391744]
R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\o2mdrxp.sys [4/27/2011 10:51 AM 61728]
R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjxp.sys [4/27/2011 10:51 AM 63976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 cpudrv;cpudrv;\??\c:\program files\SystemRequirementsLab\cpudrv.sys --> c:\program files\SystemRequirementsLab\cpudrv.sys [?]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;c:\progra~1\MSI\MSIWDev\msibios32_100507.sys [5/10/2010 10:44 AM 25912]
S3 NTIOLib_1_0_8;NTIOLib_1_0_8;c:\progra~1\MSI\MSIWDev\NTIOLib.sys [1/27/2011 2:43 PM 7680]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/26/2011 2:51 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 Altiris Agent Installation Service;Altiris Agent Installation Service;c:\windows\AltirisAgentInstSvc.exe [8/24/2011 4:06 PM 539944]
S4 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2/2/2011 1:08 PM 18656]
S4 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [8/31/2011 6:34 PM 722616]
S4 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [4/27/2011 10:51 AM 8192]
S4 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [4/27/2011 5:22 AM 2656280]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-504249514-2004877394-1847928074-225766.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]
.
2011-11-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-504249514-2004877394-1847928074-225766.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/login.asp
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\dave\Application Data\Mozilla\Firefox\Profiles\jy1o5e9x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.spsu.edu/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60283
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-13 08:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\netprovcredman.dll
.
Completion time: 2011-11-13 08:15:49
ComboFix-quarantined-files.txt 2011-11-13 13:15
ComboFix2.txt 2011-11-12 20:48
ComboFix3.txt 2011-11-12 13:12
.
Pre-Run: 220,696,039,424 bytes free
Post-Run: 220,674,957,312 bytes free
.
- - End Of File - - 40C1A10F3D4550249C923762FA7B76DC


----------



## DFW (Jun 12, 2004)

Hi *dave07060033*

Firefox is still showing a bad proxy; please just reset it again now that all the infection is gone and it should be fine. Then
clean up and you're good to go. :up:

*Check - Reset Proxy Firefox settings*

*Firefox Proxy settings*:
Open *Firefox*, click *Tools* > *Options* > *Advanced* and click the *Network* Tab.
Under the Connection section click on the *Settings...* button.
Under *Configure Proxies to Access the Internet*, *check* *No proxy*. This is the default option if you don't use a proxy.
Click *OK*... then click *OK* again.
Close Firefox and Restart the computer.

*Let's clear out the programs we've been using to clean up your computer, 
they are not suitable for general malware removal and could cause damage if used inappropriately.*

*Time for some housekeeping*

 Click on *Start *>> *Run...*
 Now type in *ComboFix /Uninstall* into the box and click *OK*.
 Note the *space* between the *X* and the */Uninstall*, it needs to be there.

The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.


Double click on OTL to run it.
Click the *CleanUp!* button.
Select *Yes* when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select *Yes*.
The tool will delete itself once it finishes; if not, delete it yourself.

*Keep Malwarebytes' Anti-Malware Installed*
This is an excellent application and I advise you to keep it installed. Check for updates and run a scan at least once per week.

*Next Delete DDS from your desktop if still present*

*Visit Microsoft often.*
Keep on top of critical updates, as well as other updates for your computer.
What is Windows Update?
Microsoft Update Home

Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update,
you can use the *Secunia Software Inspector*. I suggest that you run it at least once a month.

*Read, stay informed.*
To help minimize the chances of becoming re-infected, please read.
*Computer Security - a short guide to staying safer online*

*Install WinPatrol: *

WinPatrol alerts you about possible system hijacks, malware attacks and critical changes made to your computer without your permission.

Download it from here.

You can find information about how WinPatrol works here.

*Please post back letting me know the clean up and FF proxy reset went well.*

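The proxy DFW is pointing at is visible in the ComboFix log above: `prefs.js` still carries `network.proxy.http = 127.0.0.1` on port `60283`, even though `network.proxy.type` is `0` (no proxy). Clicking *No proxy* in the Firefox dialog is the simplest fix; the script below is an added example (not from this thread, not a tool either poster used) that does the same audit and reset against the file directly, so the result can be checked rather than eyeballed. It assumes Firefox is closed while it runs (Firefox rewrites `prefs.js` on exit and would undo the edit) and uses a constructed sample built from the values in the log when no file path is given. The pref names are Firefox's own; the "residual" versus "active" classification is this example's wording, not Firefox terminology.

```python
"""Audit and reset the proxy configuration stored in a Firefox prefs.js.

Added example for this thread, not code posted by either participant.
Firefox persists manual proxy settings as user_pref("network.proxy.*", ...)
lines. A hijacker that points the browser at a local proxy leaves exactly
the lines seen in the ComboFix log. Run only with Firefox closed.
"""
import re
import sys
from typing import Dict, List

# One user_pref(...) line: quoted pref name, then the raw value text
# (a quoted string, an integer or true/false), then ");".
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')

PROXY_PREFIX = "network.proxy."
# Prefs that name a proxy host; a non-empty value here is what matters.
HOST_PREFS = ("network.proxy.http", "network.proxy.ssl",
              "network.proxy.socks", "network.proxy.ftp")

# Constructed sample mirroring the log (127.0.0.1:60283 with type 0),
# plus an unrelated pref that must survive the reset untouched.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.spsu.edu/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 60283);
user_pref("network.proxy.type", 0);
user_pref("network.proxy.share_proxy_settings", true);
"""


def parse_prefs(text: str) -> Dict[str, str]:
    """Map pref name -> raw value text for every user_pref line."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def proxy_findings(prefs: Dict[str, str]) -> List[str]:
    """List every network.proxy.* pref as 'name = value', sorted."""
    return sorted(f"{k} = {v}" for k, v in prefs.items()
                  if k.startswith(PROXY_PREFIX))


def proxy_status(prefs: Dict[str, str]) -> str:
    """'active' if a proxy is in use, 'residual' if hosts linger but the
    mode says no proxy (the state in the log), else 'clean'."""
    ptype = prefs.get("network.proxy.type", "5")  # Firefox default: 5 = system
    has_host = any(prefs.get(k, '""') != '""' for k in HOST_PREFS)
    has_pac = prefs.get("network.proxy.autoconfig_url", '""') != '""'
    if (ptype == "1" and has_host) or (ptype == "2" and has_pac):
        return "active"
    if has_host or has_pac:
        return "residual"
    return "clean"


def reset_proxy(text: str) -> str:
    """Drop every network.proxy.* line and pin the mode to 0 (No proxy),
    which is the option DFW asks to be selected in the Firefox dialog."""
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1).startswith(PROXY_PREFIX):
            continue
        kept.append(line)
    kept.append('user_pref("network.proxy.type", 0);')
    return "\n".join(kept) + "\n"


def main(argv: List[str]) -> int:
    """usage: proxy_audit.py [path\\to\\prefs.js [--fix]]"""
    if len(argv) < 2:
        print("no prefs.js given; auditing the constructed sample")
        text = SAMPLE_PREFS
    else:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    prefs = parse_prefs(text)
    for finding in proxy_findings(prefs):
        print("  ", finding)
    print("status:", proxy_status(prefs))
    if len(argv) > 2 and argv[2] == "--fix":
        with open(argv[1] + ".bak", "w", encoding="utf-8") as fh:
            fh.write(text)  # keep the evidence before rewriting
        with open(argv[1], "w", encoding="utf-8") as fh:
            fh.write(reset_proxy(text))
        print("rewrote", argv[1], "(original saved as .bak)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the profile path shown in the log (`...\Profiles\jy1o5e9x.default\prefs.js`) without `--fix` first to see what is set, then with `--fix` once Firefox is closed; the `.bak` copy preserves the hijacked values if anyone wants them later.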


----------



## dave07060033 (Nov 10, 2011)

Everything went very well. Thank you so much for your help. So I understood you to say the security of this machine could never be 100% trusted again?


----------



## DFW (Jun 12, 2004)

*Hi dave07060033*

Removing the actual infection part of a backdoor is no more difficult than removing any other infection; what's "special" about a backdoor is that it has given your attacker the opportunity to have a "look round" your computer (if in fact it did, we just don't know),
and during that time he/she can have made any number of modifications to your system, some of which may be in areas we can't see.

Because of this, it's impossible for us to say that your computer is 100% secure once the infection and the more "obvious" modifications have been removed and/or reset to normal.

The warning I gave was not meant to cause you any unnecessary worry; it was given for your protection only. Your system may be OK, we have cleaned all the malware out, but because of the above I cannot say 100% that it will be;
it would be wrong and unfair to you to say you're 100% secure.

DFW


----------



## dave07060033 (Nov 10, 2011)

It's running smoother than it has ever run, so I owe you a ton of thanks for getting it back to normal. I will get my wife to make a donation off her computer. Thanks again for your hard work, you did an outstanding job!


----------



## DFW (Jun 12, 2004)

*You are very welcome dave07060033, and thank you. *


----------

