[Resolved] Fallout from "Smart Fortress 2012" cleanup.


Bear (Malware Removal Mentors, Global Moderator)
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #30 on: March 12, 2012, 11:06:36 PM »
Hi edw

I think we are making progress, but it's hard to see the whole picture because the tools will not operate fully.  So we will try different tools.


Please read carefully and follow these steps:

1.  Download TDSSKiller and transfer it to the Desktop of the infected machine.   

2.  Double-click on TDSSKiller.exe to run the application. Now click Start Scan.

3.  Click on Change parameters and place a checkmark next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

4.  If an infected file is detected, the default action will be Cure, click on Continue.  If a suspicious file is detected, the default action will be Skip, click on Continue.

Click on Reboot Now if you are asked to reboot the computer.

5.  If reboot is NOT required, click on Report.   Please copy that file.  If a reboot IS required, the report can also be found in your root directory (usually the C:\ folder).   Its file name will take the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy that file.

As always please be sure Word Wrap is disabled in Notepad.  Also be sure to check that the data you posted was not cut off by the site's posting size limits.

Now please post the following to me as a reply to this post:
TDSSKiller log
Let me know how your computer is operating
Let me know if you can connect to the internet
If you have any questions or problems, let me know that as well

Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte


edw
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #31 on: March 12, 2012, 11:33:03 PM »
TDSSKiller reported a rootkit on \Device\Harddisk0\DR0 and a TDSS file system.  On "continue", I got a dialog box "Windows No Disk" with exception processing message c0000013 with parameters 75b6bf7c 75b6bf7c 77b6bf7c.  I was offered cancel/try again/continue. Clicking experimentally, the application continued to run and requested a reboot, which I did.

Here's the log - looks promising...

22:13:27.0390 2024   TDSS rootkit removing tool 2.7.20.0 Mar  9 2012 17:10:43
22:13:27.0421 2024   ============================================================
22:13:27.0421 2024   Current date / time: 2012/03/12 22:13:27.0421
22:13:27.0421 2024   SystemInfo:
22:13:27.0421 2024   
22:13:27.0421 2024   OS Version: 5.1.2600 ServicePack: 3.0
22:13:27.0421 2024   Product type: Workstation
22:13:27.0421 2024   ComputerName: ASUS-I7-XP
22:13:27.0421 2024   UserName: williams
22:13:27.0421 2024   Windows directory: C:\WINDOWS
22:13:27.0421 2024   System windows directory: C:\WINDOWS
22:13:27.0421 2024   Processor architecture: Intel x86
22:13:27.0421 2024   Number of processors: 8
22:13:27.0421 2024   Page size: 0x1000
22:13:27.0421 2024   Boot type: Safe boot
22:13:27.0421 2024   ============================================================
22:13:28.0890 2024   Drive \Device\Harddisk0\DR0 - Size: 0xE8E1300000 (931.52 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
22:13:28.0890 2024   Drive \Device\Harddisk5\DR11 - Size: 0x7AF00000 (1.92 Gb), SectorSize: 0x200, Cylinders: 0xFA, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
22:13:28.0890 2024   \Device\Harddisk0\DR0:
22:13:28.0890 2024   MBR used
22:13:28.0906 2024   \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F00, BlocksNum 0x4F5829EF
22:13:28.0906 2024   \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x4F587000, BlocksNum 0x25182000
22:13:28.0906 2024   \Device\Harddisk5\DR11:
22:13:28.0906 2024   MBR used
22:13:28.0906 2024   \Device\Harddisk5\DR11\Partition0: MBR, Type 0xE, StartLBA 0x20, BlocksNum 0x3D77E0
22:13:29.0031 2024   Initialize success
22:13:29.0031 2024   ============================================================
22:13:58.0531 0864   ============================================================
22:13:58.0531 0864   Scan started
22:13:58.0531 0864   Mode: Manual; SigCheck; TDLFS;
22:13:58.0531 0864   ============================================================
22:14:27.0671 0864   MBR (0x1B8)     (0f84f2562620c40d8a3e1908c8075675) \Device\Harddisk0\DR0
22:14:27.0687 0864   \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
22:14:27.0687 0864   \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
22:14:27.0750 0864   \Device\Harddisk0\DR0 ( TDSS File System ) - warning
22:14:27.0750 0864   \Device\Harddisk0\DR0 - detected TDSS File System (1)
22:14:27.0781 0864   MBR (0x1B8)     (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk5\DR11
22:14:38.0906 0864   \Device\Harddisk5\DR11 - ok
22:14:38.0953 0864   Boot (0x1200)   (b187844e76dbc97708fe34274082a235) \Device\Harddisk0\DR0\Partition0
22:14:38.0953 0864   \Device\Harddisk0\DR0\Partition0 - ok
22:14:39.0000 0864   Boot (0x1200)   (b1ca16c6cd2292d49453610b60ab868c) \Device\Harddisk0\DR0\Partition1
22:14:39.0015 0864   \Device\Harddisk0\DR0\Partition1 - ok
22:14:39.0062 0864   Boot (0x1200)   (5d1c0eadbf4b0e04fbb14638c75cab2b) \Device\Harddisk5\DR11\Partition0
22:14:39.0062 0864   \Device\Harddisk5\DR11\Partition0 - ok
22:14:39.0093 0864   ============================================================
22:14:39.0093 0864   Scan finished
22:14:39.0093 0864   ============================================================
22:14:39.0265 0756   Detected object count: 8
22:14:39.0265 0756   Actual detected object count: 8
22:16:21.0921 0756   cpuz132 ( UnsignedFile.Multi.Generic ) - skipped by user
22:16:21.0921 0756   cpuz132 ( UnsignedFile.Multi.Generic ) - User select action: Skip
22:16:21.0921 0756   CVPNDRVA ( UnsignedFile.Multi.Generic ) - skipped by user
22:16:21.0921 0756   CVPNDRVA ( UnsignedFile.Multi.Generic ) - User select action: Skip
22:16:21.0953 0756   snapman ( UnsignedFile.Multi.Generic ) - skipped by user
22:16:21.0953 0756   snapman ( UnsignedFile.Multi.Generic ) - User select action: Skip
22:16:21.0984 0756   tifsfilter ( UnsignedFile.Multi.Generic ) - skipped by user
22:16:21.0984 0756   tifsfilter ( UnsignedFile.Multi.Generic ) - User select action: Skip
22:16:22.0015 0756   timounter ( UnsignedFile.Multi.Generic ) - skipped by user
22:16:22.0015 0756   timounter ( UnsignedFile.Multi.Generic ) - User select action: Skip
22:16:22.0046 0756   WIBUKEY ( UnsignedFile.Multi.Generic ) - skipped by user
22:16:22.0046 0756   WIBUKEY ( UnsignedFile.Multi.Generic ) - User select action: Skip
22:16:22.0281 0756   \Device\Harddisk0\DR0\# - copied to quarantine
22:16:22.0281 0756   \Device\Harddisk0\DR0 - copied to quarantine
22:16:22.0343 0756   \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
22:16:22.0359 0756   \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
22:16:22.0359 0756   \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
22:16:22.0359 0756   \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
22:16:22.0359 0756   \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
22:16:22.0359 0756   \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
22:16:22.0375 0756   \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
22:16:22.0375 0756   \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
22:16:22.0375 0756   \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
22:16:22.0375 0756   \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
22:16:22.0421 0756   \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
22:16:22.0421 0756   \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
22:16:22.0421 0756   \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
22:16:22.0437 0756   \Device\Harddisk0\DR0 - ok
22:19:34.0562 0756   \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
22:19:34.0562 0756   \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
22:19:34.0562 0756   \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
22:19:51.0359 2016   Deinitialize success

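The TDSSKiller output above has a regular line shape (timestamp, PID, object, an optional verdict in parentheses, then the action after " - "), so a helper reading many of these logs can summarize them mechanically rather than scanning by eye. The script below is an added example, not part of this thread and not Kaspersky's code: it parses a constructed excerpt in that format and reports, for every object that carried a verdict, the final decision the user selected, flagging malicious verdicts that were left in place (here the "TDSS File System" entry that was skipped while the boot rootkit on the same device was cured) so they can be re-checked after the reboot. The severity rules (which verdicts count as malicious) and the sample lines are assumptions made for illustration.

```python
"""Summarize a TDSSKiller log: one row per (object, verdict) with the decision the user made."""
import re

# Constructed excerpt in the line format TDSSKiller writes: time, PID, object, optional
# "( Verdict )", then " - " and the action. It is not a complete log.
SAMPLE_LOG = """\
22:16:21.0921 0756   CVPNDRVA ( UnsignedFile.Multi.Generic ) - skipped by user
22:16:21.0921 0756   CVPNDRVA ( UnsignedFile.Multi.Generic ) - User select action: Skip
22:16:22.0281 0756   \\Device\\Harddisk0\\DR0\\# - copied to quarantine
22:16:22.0343 0756   \\Device\\Harddisk0\\DR0\\TDLFS\\phm - copied to quarantine
22:16:22.0421 0756   \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
22:16:22.0437 0756   \\Device\\Harddisk0\\DR0 - ok
22:19:34.0562 0756   \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
22:19:34.0562 0756   \\Device\\Harddisk0\\DR0 ( TDSS File System ) - skipped by user
22:19:34.0562 0756   \\Device\\Harddisk0\\DR0 ( TDSS File System ) - User select action: Skip
22:19:51.0359 2016   Deinitialize success
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+"
    r"(?P<object>.+?)(?: \( (?P<verdict>[^)]+) \))? - (?P<action>.+)$"
)

# Assumed classification for illustration: boot rootkits and the hidden TDSS file system are
# malicious; an unsigned driver is only informational (many legitimate XP drivers are unsigned).
MALICIOUS = ("Rootkit.", "TDSS File System")


def parse(text):
    """Group actions by (object, verdict). Lines without ' - ', e.g. 'Deinitialize success', are skipped."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            findings.setdefault((m["object"], m["verdict"]), []).append(m["action"])
    return findings


def summarize(findings):
    """Return (object, verdict, decision, level) for every object that carried a verdict."""
    rows = []
    for (obj, verdict), actions in findings.items():
        if verdict is None:
            continue  # quarantine copies and plain "ok" lines carry no verdict
        decision = next((a.split(": ", 1)[1] for a in actions
                         if a.startswith("User select action")), "none")
        if not verdict.startswith(MALICIOUS):
            level = "info"
        elif decision == "Cure":
            level = "cured"
        else:
            level = "follow-up"  # malicious verdict left in place: rescan after the reboot
        rows.append((obj, verdict, decision, level))
    return rows


def quarantined(findings):
    """Objects TDSSKiller copied to quarantine (useful when asking for the quarantine folder)."""
    return [obj for (obj, verdict), actions in findings.items()
            if verdict is None and "copied to quarantine" in actions]


if __name__ == "__main__":
    found = parse(SAMPLE_LOG)
    for obj, verdict, decision, level in summarize(found):
        print("%-10s %-32s %-28s %s" % (level, obj, verdict, decision))
    print("quarantined:", quarantined(found))
```

Run against a real TDSSKiller log by reading the file into `parse()` instead of `SAMPLE_LOG`; any row marked "follow-up" is a detection the user skipped and is the first thing to ask about in the next reply.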
Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • 2830
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #32 on: March 13, 2012, 12:02:13 AM »
Hi edw

We make progress.  Do you have internet?

If not, let's try this again:

1.  Copy the code in the code box below.  Then click Start/Run and paste it into the input box.  Click OK.

Code:

cmd /k netsh winsock reset

2.  Now reboot into normal operating mode.

3. Download  aswMBR and save it to your desktop.  Double click the aswMBR.exe.  It will open a command window and run.

4.  Click Scan.  When finished click save log.  Save it to your desktop as aswMBR.txt.

As always please check to be sure Word Wrap is NOT turned on in any Notepad files you post and please be sure to check that all the data you entered was posted.  If not, use multiple posts.

Now please post the following to me as a reply to this post:
aswMBR.txt
Let me know how your computer and browser are operating
If you have any other questions or problems, let me know that as well



edw

  • Bronze Member
  • 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #33 on: March 13, 2012, 12:23:45 AM »
  No Internet before or after the winsock reset.

  aswMBR.exe ran, but was unable to update signatures without Internet.

aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-12 23:18:38
-----------------------------
23:18:38.375    OS Version: Windows 5.1.2600 Service Pack 3
23:18:38.375    Number of processors: 8 586 0x1A04
23:18:38.375    ComputerName: ASUS-I7-XP  UserName: williams
23:18:39.890    Initialize success
23:19:11.359    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
23:19:11.359    Disk 0 Vendor: Intel___ 1.0. Size: 953875MB BusType: 8
23:19:11.375    Disk 0 MBR read successfully
23:19:11.375    Disk 0 MBR scan
23:19:11.375    Disk 0 Windows 7 default MBR code
23:19:11.375    Disk 0 Partition - 00     0F Extended LBA            649989 MB offset 16065
23:19:11.390    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       303876 MB offset 1331195904
23:19:11.468    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       649989 MB offset 16128
23:19:11.468    Disk 0 scanning sectors +1953533952
23:19:11.531    Disk 0 scanning C:\WINDOWS\system32\drivers
23:19:19.187    Service scanning
23:19:31.156    Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
23:19:34.687    Modules scanning
23:19:40.562    Disk 0 trace - called modules:
23:19:40.578    ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spby.sys hal.dll >>UNKNOWN [0x8b11d938]<<
23:19:40.578    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x899a8218]
23:19:40.578    3 CLASSPNP.SYS[b8118fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a9b3028]
23:19:40.578    Scan finished successfully
23:20:13.953    Disk 0 MBR has been saved successfully to "R:\MBR.dat"
23:20:13.968    The log file has been saved successfully to "R:\aswMBR.txt"



edw

  • Bronze Member
  • 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #34 on: March 13, 2012, 12:26:08 AM »
  The Windows 7 MBR is from a beta version I had on Drive D - currently expired and inoperative.
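aswMBR reads the first sector of Disk 0, classifies its boot code ("Windows 7 default MBR code" above), lists the partition table, and saves the raw sector as MBR.dat. Having that file lets a responder verify a bootkit cleanup independently of the tool. The script below is an added example, not from this thread and not AVAST's code: it parses a 512-byte MBR of that layout, walks the extended-partition (EBR) chain to reach logical volumes, and applies the checks a responder makes before clicking Fix MBR: 0x55AA signature present, exactly one active partition, sane status bytes, and boot code matching a known-good hash. The in-memory disk (boot-code text, disk signature, EBR contents, the optional baseline hash) is constructed; partition types, offsets and sizes are chosen to reproduce the three partitions in the log above.

```python
"""Parse an MBR image (such as the MBR.dat aswMBR saves) and walk the extended-partition chain."""
import hashlib
import struct

SECTOR = 512
EXTENDED = (0x05, 0x0F)
TYPES = {0x05: "Extended", 0x07: "HPFS/NTFS", 0x0F: "Extended LBA", 0x83: "Linux"}


def entry(status, ptype, lba, sectors):
    """Build one 16-byte partition entry. CHS fields stay zero; tools read the LBA fields."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, sectors)


def sector_with_table(boot_code, entries):
    """Assemble a sector: 440 bytes code, 4-byte disk signature, 2 reserved, 4 entries, 0x55AA."""
    table = b"".join(entries + [bytes(16)] * (4 - len(entries)))
    return boot_code.ljust(440, b"\0") + b"\x12\x34\x56\x78" + b"\0\0" + table + b"\x55\xAA"


# Constructed disk image as {lba: sector}. Sizes/offsets mirror the aswMBR log: an extended
# container at LBA 16065 holding one logical NTFS volume at 16128, and the active NTFS C: partition.
EXT_START = 16065
DISK = {
    0: sector_with_table(b"constructed boot code, not a real bootloader", [
        entry(0x00, 0x0F, EXT_START, 1331177535),    # extended container
        entry(0x80, 0x07, 1331195904, 622338048),    # active NTFS (boots)
    ]),
    # EBR: entry 0 is the logical volume (start relative to this EBR); entry 1 would link to the next EBR.
    EXT_START: sector_with_table(b"", [entry(0x00, 0x07, 63, 1331177472)]),
}


def parse_table(sector):
    """Return the four (status, type, start_lba, sectors) entries; empty entries have type 0."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    return [struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i) for i in range(4)]


def partitions(disk):
    """Primaries from the MBR plus logical volumes reached through the EBR chain (if present)."""
    out = []
    for status, ptype, lba, count in parse_table(disk[0]):
        if not ptype:
            continue
        out.append((status, ptype, lba, count))
        if ptype in EXTENDED:
            ebr = lba
            while ebr in disk:  # a bare MBR.dat has no EBRs, so the chain simply ends here
                logical, link = parse_table(disk[ebr])[:2]
                if logical[1]:
                    out.append((logical[0], logical[1], ebr + logical[2], logical[3]))
                if not link[1]:
                    break
                ebr = lba + link[2]  # next-EBR link is relative to the extended partition start
    return out


def describe(disk):
    """aswMBR-style rows: status, active flag, type, size in MB (sectors // 2048) and start offset."""
    rows = []
    for status, ptype, lba, count in partitions(disk):
        flag = "(A)" if status == 0x80 else "   "
        rows.append("%02X %s %02X %-13s %8d MB offset %d"
                    % (status, flag, ptype, TYPES.get(ptype, "?"), count // 2048, lba))
    return rows


def checks(disk, known_good_sha256=None):
    """Sanity checks on a saved MBR; the baseline hash is an assumed value you record from a clean machine."""
    problems = []
    parts = partitions(disk)
    active = [p for p in parts if p[0] == 0x80]
    if len(active) != 1:
        problems.append("%d active partitions (expected exactly 1)" % len(active))
    if any(p[0] not in (0x00, 0x80) for p in parts):
        problems.append("invalid status byte in partition table")
    code_hash = hashlib.sha256(disk[0][:440]).hexdigest()
    if known_good_sha256 and code_hash != known_good_sha256:
        problems.append("boot code differs from known-good baseline")
    return problems, code_hash


def load_mbr_file(path):
    """Read a saved MBR (e.g. R:\\MBR.dat) into the {lba: sector} form used above."""
    with open(path, "rb") as fh:
        return {0: fh.read(SECTOR)}


if __name__ == "__main__":
    print("\n".join(describe(DISK)))
    print(checks(DISK))
```

Point `load_mbr_file()` at the MBR.dat aswMBR wrote and pass the result to `describe()` and `checks()`; compare the boot-code hash against one taken from a clean install of the same Windows version before trusting a "default MBR code" verdict from any single tool.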

Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • 2830
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #35 on: March 13, 2012, 12:00:49 PM »
Hi edw
Run aswMBR again.  Click scan and when finished click Fix.  Post logs.

edw

  • Bronze Member
  • 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #36 on: March 13, 2012, 10:22:46 PM »
  Clicking "Fix" was not possible; it was a dimmed-out option.  "Fix MBR" is possible.

aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-12 23:18:38
-----------------------------
23:18:38.375    OS Version: Windows 5.1.2600 Service Pack 3
23:18:38.375    Number of processors: 8 586 0x1A04
23:18:38.375    ComputerName: ASUS-I7-XP  UserName: williams
23:18:39.890    Initialize success
23:19:11.359    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
23:19:11.359    Disk 0 Vendor: Intel___ 1.0. Size: 953875MB BusType: 8
23:19:11.375    Disk 0 MBR read successfully
23:19:11.375    Disk 0 MBR scan
23:19:11.375    Disk 0 Windows 7 default MBR code
23:19:11.375    Disk 0 Partition - 00     0F Extended LBA            649989 MB offset 16065
23:19:11.390    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       303876 MB offset 1331195904
23:19:11.468    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       649989 MB offset 16128
23:19:11.468    Disk 0 scanning sectors +1953533952
23:19:11.531    Disk 0 scanning C:\WINDOWS\system32\drivers
23:19:19.187    Service scanning
23:19:31.156    Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
23:19:34.687    Modules scanning
23:19:40.562    Disk 0 trace - called modules:
23:19:40.578    ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spby.sys hal.dll >>UNKNOWN [0x8b11d938]<<
23:19:40.578    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x899a8218]
23:19:40.578    3 CLASSPNP.SYS[b8118fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a9b3028]
23:19:40.578    Scan finished successfully
23:20:13.953    Disk 0 MBR has been saved successfully to "R:\MBR.dat"
23:20:13.968    The log file has been saved successfully to "R:\aswMBR.txt"



Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • 2830
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #37 on: March 13, 2012, 10:36:39 PM »
Hi edw
Click Fix MBR

Run OTL again and post the results (no extras.txt this time).

edw

  • Bronze Member
  • 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #38 on: March 13, 2012, 10:42:51 PM »
  Somehow I got yesterday's log.  I ran it again.

aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-12 23:18:38
-----------------------------
23:18:38.375    OS Version: Windows 5.1.2600 Service Pack 3
23:18:38.375    Number of processors: 8 586 0x1A04
23:18:38.375    ComputerName: ASUS-I7-XP  UserName: williams
23:18:39.890    Initialize success
23:19:11.359    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
23:19:11.359    Disk 0 Vendor: Intel___ 1.0. Size: 953875MB BusType: 8
23:19:11.375    Disk 0 MBR read successfully
23:19:11.375    Disk 0 MBR scan
23:19:11.375    Disk 0 Windows 7 default MBR code
23:19:11.375    Disk 0 Partition - 00     0F Extended LBA            649989 MB offset 16065
23:19:11.390    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       303876 MB offset 1331195904
23:19:11.468    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       649989 MB offset 16128
23:19:11.468    Disk 0 scanning sectors +1953533952
23:19:11.531    Disk 0 scanning C:\WINDOWS\system32\drivers
23:19:19.187    Service scanning
23:19:31.156    Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
23:19:34.687    Modules scanning
23:19:40.562    Disk 0 trace - called modules:
23:19:40.578    ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spby.sys hal.dll >>UNKNOWN [0x8b11d938]<<
23:19:40.578    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x899a8218]
23:19:40.578    3 CLASSPNP.SYS[b8118fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a9b3028]
23:19:40.578    Scan finished successfully
23:20:13.953    Disk 0 MBR has been saved successfully to "R:\MBR.dat"
23:20:13.968    The log file has been saved successfully to "R:\aswMBR.txt"



edw

  • Bronze Member
  • 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #39 on: March 13, 2012, 10:45:44 PM »
  We crossed in the mail.  I'll do that soon - dinner calls...

Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • 2830
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #40 on: March 14, 2012, 12:16:10 AM »
Hi edw

All three logs have the same date and time.

edw

  • Bronze Member
  • 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #41 on: March 14, 2012, 12:17:11 AM »
  Here we go:

OTL logfile created on: 3/13/2012 11:07:47 PM - Run 2
OTL by OldTimer - Version 3.2.36.3     Folder = C:\Documents and Settings\williams\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.99 Gb Total Physical Memory | 2.35 Gb Available Physical Memory | 78.47% Memory free
4.83 Gb Paging File | 4.27 Gb Available in Paging File | 88.41% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 634.76 Gb Total Space | 422.39 Gb Free Space | 66.54% Space Free | Partition Type: NTFS
Drive D: | 296.75 Gb Total Space | 149.29 Gb Free Space | 50.31% Space Free | Partition Type: NTFS
Drive R: | 1.92 Gb Total Space | 0.30 Gb Free Space | 15.46% Space Free | Partition Type: FAT
 
Computer Name: ASUS-I7-XP | User Name: williams | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012/03/11 01:05:14 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\williams\Desktop\google.exe
PRC - [2012/02/20 07:10:31 | 005,860,984 | ---- | M] (SlySoft, Inc.) -- C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
PRC - [2012/02/14 16:03:14 | 024,246,216 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\williams\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2011/12/28 13:22:34 | 000,995,328 | ---- | M] (Seattle Avionics, Inc.) -- C:\Program Files\Seattle Avionics\Data Manager\DataManager.exe
PRC - [2011/11/15 10:20:26 | 000,095,608 | ---- | M] (Dyn, Inc.) -- C:\Program Files\DynDNS Updater\DynUpSvc.exe
PRC - [2011/11/15 10:20:26 | 000,078,192 | ---- | M] (Dyn, Inc.) -- C:\Program Files\DynDNS Updater\DynTray.exe
PRC - [2011/09/29 10:59:42 | 000,022,016 | ---- | M] (Altaro) -- C:\Program Files\Altaro\Oops!Backup\OopsBackup.Service.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/12/16 12:57:20 | 000,956,416 | ---- | M] (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041) -- C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
PRC - [2010/11/05 23:54:22 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
PRC - [2010/11/05 23:54:20 | 000,283,160 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
PRC - [2010/04/06 10:29:24 | 000,462,848 | ---- | M] () -- C:\Program Files\SmartDraw VP\Messages\SDNotify.exe
PRC - [2010/04/01 02:16:20 | 000,357,696 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
PRC - [2009/11/11 16:17:02 | 000,771,360 | ---- | M] (Apple Inc.) -- C:\Program Files\AirPort\APAgent.exe
PRC - [2008/04/14 05:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2005/11/28 14:02:56 | 000,988,701 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
PRC - [2005/11/28 14:02:54 | 000,172,032 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2005/11/28 14:02:54 | 000,118,784 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2003/05/15 01:19:50 | 000,217,193 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
PRC - [2000/11/01 15:02:40 | 000,821,248 | ---- | M] (Insight Software Solutions, Inc.) -- C:\Program Files\Capture Express\CAPEXP.EXE
 
 
========== Modules (No Company Name) ==========
 
MOD - [2012/02/16 04:09:45 | 001,712,128 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\96e485c02ad346a2bd26a635e7fcb023\Microsoft.VisualBasic.ni.dll
MOD - [2012/02/16 04:08:45 | 000,169,984 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\IsdiInterop\b3e81fd9c1ade6e33caecc88a8fa6852\IsdiInterop.ni.dll
MOD - [2012/02/16 04:08:39 | 011,817,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\29bdc8352d3c26e3c572ea60639dec3b\System.Web.ni.dll
MOD - [2012/02/16 04:08:35 | 000,771,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\c14e58265386feb509cc61bb5e8dd296\System.Runtime.Remoting.ni.dll
MOD - [2012/02/16 04:08:34 | 000,475,136 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\IAStorUtil\0b1511cce24703a70176793a84157d6c\IAStorUtil.ni.dll
MOD - [2012/02/16 04:08:34 | 000,218,624 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\IAStorDataMgr\fc601f9ac8267faabddf6356592707cb\IAStorDataMgr.ni.dll
MOD - [2012/02/16 04:08:33 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\11dcb806c92f55111f5fa9f1a90e3bdd\System.ServiceProcess.ni.dll
MOD - [2012/02/16 04:08:30 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\94a40f415bfa947e251888bbe88bb973\System.Configuration.ni.dll
MOD - [2012/02/16 04:08:29 | 000,019,968 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\IAStorDataMgrSvc\aa0eef53ddfffe7448c69e4c5e3cc8ae\IAStorDataMgrSvc.ni.exe
MOD - [2012/02/16 04:07:02 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\77e1279cbf4eecfb0284b63316fe43fe\System.Xml.ni.dll
MOD - [2012/02/16 04:06:59 | 012,430,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ad99ac6b5666edb8ee742dd64f9578af\System.Windows.Forms.ni.dll
MOD - [2012/02/16 04:06:51 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\9351cf29bb1ba951e45a9b3b0edab937\System.Drawing.ni.dll
MOD - [2012/02/16 04:06:42 | 006,616,576 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\ae888f8633fce3ff1de98e32bce0abbf\System.Data.ni.dll
MOD - [2012/02/16 04:06:10 | 003,325,440 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WindowsBase\174c2f776741812aed02c337bbcd1dae\WindowsBase.ni.dll
MOD - [2012/02/16 04:06:04 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\9e3803cd2a11f056291862e306a8e2b2\System.ni.dll
MOD - [2012/02/16 04:05:36 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2011/12/28 13:22:28 | 000,016,384 | ---- | M] () -- C:\Program Files\Seattle Avionics\Data Manager\CRC32.dll
MOD - [2011/10/13 03:07:14 | 000,014,336 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\IAStorCommon\eb908ce5af4529075e181e94c4587e87\IAStorCommon.ni.dll
MOD - [2011/10/13 03:06:59 | 000,025,600 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\d86a3346c3d90ff12d0df9d7726f3ece\Accessibility.ni.dll
MOD - [2011/10/13 03:04:39 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/03/17 00:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010/12/16 12:36:18 | 000,315,392 | ---- | M] () -- C:\Program Files\Evernote\Evernote\libtidy.dll
MOD - [2010/12/16 12:36:16 | 000,433,664 | ---- | M] () -- C:\Program Files\Evernote\Evernote\libxml2.dll
MOD - [2010/12/16 12:36:10 | 000,200,704 | ---- | M] () -- C:\Program Files\Evernote\Evernote\libpcre.dll
MOD - [2010/11/05 23:50:02 | 000,058,880 | ---- | M] () -- C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IsdiInterop.dll
MOD - [2010/10/20 15:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
MOD - [2010/04/06 10:29:24 | 000,462,848 | ---- | M] () -- C:\Program Files\SmartDraw VP\Messages\SDNotify.exe
MOD - [2007/03/29 15:48:21 | 000,022,723 | R--- | M] () -- C:\WINDOWS\system32\ml285pl3.dll
MOD - [1999/09/08 17:24:04 | 000,031,232 | ---- | M] () -- C:\Program Files\Capture Express\QCAPHK.DLL
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2011/11/15 10:20:26 | 000,095,608 | ---- | M] (Dyn, Inc.) [Auto | Running] -- C:\Program Files\DynDNS Updater\DynUpSvc.exe -- (Dyn Updater)
SRV - [2011/09/29 10:59:42 | 000,022,016 | ---- | M] (Altaro) [Auto | Running] -- C:\Program Files\Altaro\Oops!Backup\OopsBackup.Service.exe -- (OopsBackup.Service.exe)
SRV - [2011/09/19 19:29:43 | 000,597,281 | ---- | M] () [Auto | Stopped] -- C:\Program Files\emailrelay\emailrelay-service.exe -- (emailrelay)
SRV - [2011/05/21 06:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/11/05 23:54:22 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel(R)
SRV - [2010/06/25 10:07:20 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009/11/23 15:28:28 | 000,683,008 | ---- | M] (Synametrics Technologies) [Auto | Stopped] -- C:\Programs\DeltaCopy\DCServce.exe -- (DeltaCopyService)
SRV - [2008/04/17 10:08:46 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2006/01/05 00:06:02 | 000,163,840 | ---- | M] (Alex Feinman) [On_Demand | Stopped] -- C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe -- (Imapi Helper)
SRV - [2005/11/28 14:02:54 | 000,172,032 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | Auto | Stopped] --  -- (SSPORT)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | Auto | Stopped] --  -- (DgiVecp)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (catchme)
DRV - File not found [Kernel | On_Demand | Unknown] --  -- (ats1rxlf)
DRV - File not found [Kernel | On_Demand | Unknown] --  -- (aswMBR)
DRV - File not found [Kernel | Auto | Stopped] --  -- (ASPI32)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (ALSysIO)
DRV - [2012/01/29 13:22:55 | 000,121,208 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2010/10/14 07:48:52 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/06/25 10:07:14 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2010/02/01 13:10:50 | 000,024,344 | ---- | M] (SMART Modular) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\JeppDrive.sys -- (JEPPDRIVE)
DRV - [2009/12/18 10:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2009/10/04 11:28:47 | 000,217,664 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\truecrypt.sys -- (truecrypt)
DRV - [2009/08/29 19:46:44 | 000,249,152 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009/08/29 19:46:44 | 000,030,688 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/08/29 19:46:43 | 000,096,320 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2009/03/27 02:16:28 | 000,012,672 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\cpuz132_x32.sys -- (cpuz132)
DRV - [2008/11/18 12:27:58 | 000,083,296 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\jraid.sys -- (JRAID)
DRV - [2008/07/03 17:03:14 | 004,745,216 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/17 10:07:52 | 000,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2008/03/29 18:36:28 | 000,125,328 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2008/02/09 20:58:00 | 000,066,736 | R--- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\pnp680.sys -- (Pnp680)
DRV - [2007/12/17 18:14:06 | 000,012,400 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2007/05/31 07:19:22 | 000,096,896 | ---- | M] (Realtek Semiconductor Corporation                           ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/01/18 18:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/11/22 06:20:00 | 000,072,704 | ---- | M] (WIBU-SYSTEMS AG) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\WibuKey.sys -- (WIBUKEY)
DRV - [2006/11/09 06:20:00 | 000,016,384 | ---- | M] (WIBU-SYSTEMS AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Wibukey2.sys -- (Wibukey2)
DRV - [2005/07/25 10:04:08 | 000,048,640 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)
DRV - [2004/08/13 11:56:20 | 000,005,810 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\SearchScopes,DefaultScope = {65497A31-B9C8-47B3-A77C-A65B6E43BF95}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{65497A31-B9C8-47B3-A77C-A65B6E43BF95}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:2.0.2
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {aff87fa2-a58e-4edd-b852-0a20203c1e17}:0.8
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..network.proxy.http: "192.168.1.4"
FF - prefs.js..network.proxy.http_port: 9999
FF - prefs.js..network.proxy.type: 4
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files\Canon\ZoomBrowser EX\Program\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.0.5: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/24 20:10:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/12 08:54:25 | 000,000,000 | ---D | M]
 
[2009/09/03 22:44:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\williams\Application Data\Mozilla\Extensions
[2009/09/03 22:44:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\williams\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2012/02/16 08:56:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\williams\Application Data\Mozilla\Firefox\Profiles\9g2mvweg.default\extensions
[2011/09/13 23:39:15 | 000,000,000 | ---D | M] (Garmin Communicator) -- C:\Documents and Settings\williams\Application Data\Mozilla\Firefox\Profiles\9g2mvweg.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/05/11 21:23:06 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\williams\Application Data\Mozilla\Firefox\Profiles\9g2mvweg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/08/30 09:26:14 | 000,002,399 | ---- | M] () -- C:\Documents and Settings\williams\Application Data\Mozilla\Firefox\Profiles\9g2mvweg.default\searchplugins\daemon-search.xml
[2012/01/10 10:02:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\WILLIAMS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9G2MVWEG.DEFAULT\EXTENSIONS\{AFF87FA2-A58E-4EDD-B852-0A20203C1E17}.XPI
[2011/06/16 07:08:09 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2012/02/24 20:10:15 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/03 05:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/01/07 20:13:56 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
[2012/02/24 20:10:12 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/02/24 20:10:12 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - Extension: Entanglement = C:\Documents and Settings\williams\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.1.1_0\
CHR - Extension: Poppit = C:\Documents and Settings\williams\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\
 
O1 HOSTS File: ([2012/03/12 12:57:34 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AirPort Base Station Agent] C:\Program Files\AirPort\APAgent.exe (Apple Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [DNS7reminder] C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe File not found
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe (Acronis)
O4 - HKCU..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe (SlySoft, Inc.)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Oops!Backup] C:\Program Files\Altaro\Oops!Backup\OopsBackup.exe (Altaro)
O4 - HKCU..\Run: [Seattle Avionics Data Manager] C:\Program Files\Seattle Avionics\Data Manager\DataManager.exe (Seattle Avionics, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dyn Updater Tray Icon.lnk = C:\Program Files\DynDNS Updater\DynTray.exe (Dyn, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Evernote Clipper.lnk = C:\WINDOWS\Installer\{F761359C-9CED-45AE-9A51-9D6605CD55C4}\Evernote.ico ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico ()
O4 - Startup: C:\Documents and Settings\williams\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\williams\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Documents and Settings\williams\Start Menu\Programs\Startup\Shortcut to CAPEXP.lnk = C:\Program Files\Capture Express\CAPEXP.EXE (Insight Software Solutions, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Evernote 4.0 - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O9 - Extra 'Tools' menuitem : @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} http://lumahai.dyndns.org/activex/AMC.cab (AxisMediaControlEmb Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5BCB5AC2-47E7-4067-BB2B-3D43F96FC119}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FC0D2F06-D88B-4C0E-AB2A-2C7298748C71}: NameServer = 206.13.28.12,206.13.31.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\williams\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\williams\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\eudora51\EuShlExt.dll (Qualcomm Inc.)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/07 19:58:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012/03/12 23:18:30 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Documents and Settings\williams\Desktop\aswMBR.exe
[2012/03/12 22:16:22 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/03/12 22:13:08 | 002,063,920 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\williams\Desktop\tdsskiller.exe
[2012/03/12 19:04:55 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/03/12 12:35:47 | 000,000,000 | ---D | C] -- C:\gotcha
[2012/03/12 08:12:16 | 004,434,343 | R--- | C] (Swearware) -- C:\Documents and Settings\williams\Desktop\gotcha.exe
[2012/03/12 00:00:33 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/03/11 01:16:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\williams\Desktop\RK_Quarantine
[2012/03/11 01:15:13 | 000,594,944 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\williams\Desktop\google.exe
[2012/03/10 20:49:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\setup.pss
[2012/03/10 19:50:46 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/10 19:50:46 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/10 19:50:46 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/10 19:50:46 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/10 19:50:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/03/10 19:50:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/03/09 23:49:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2012/03/09 09:22:19 | 000,000,000 | R--D | C] -- C:\Documents and Settings\williams\Start Menu\Programs\Administrative Tools
[2012/03/09 03:04:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2012/03/08 20:20:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/03/08 19:48:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Core Temp
[2012/03/08 19:48:45 | 000,000,000 | ---D | C] -- C:\Program Files\Core Temp
[2012/03/08 10:15:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\williams\Application Data\Malwarebytes
[2012/03/08 10:15:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/03/08 10:15:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/03/08 10:15:30 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/03/08 10:15:30 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/03/08 09:52:50 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/03/08 09:35:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\williams\Start Menu\Programs\Smart Fortress 2012
[2012/03/08 09:31:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\99058D500033A0A4005FA5A6D151FC4E
[2012/02/29 23:07:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/02/29 23:07:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/02/15 10:39:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\williams\My Documents\Dropbox
[2012/02/15 10:36:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\williams\Start Menu\Programs\Dropbox
[2012/02/15 10:36:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\williams\Application Data\Dropbox
 
========== Files - Modified Within 30 Days ==========
 
[2012/03/13 23:09:58 | 000,462,914 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/13 23:09:58 | 000,079,116 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/13 23:08:22 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/03/13 23:05:49 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/13 23:05:29 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2012/03/13 23:05:29 | 000,002,349 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Evernote Clipper.lnk
[2012/03/13 23:05:14 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/13 23:05:11 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\SDMsgUpdate (TE).job
[2012/03/13 23:03:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/13 21:19:10 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/12 23:06:24 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\williams\Desktop\aswMBR.exe
[2012/03/12 22:08:22 | 002,063,920 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\williams\Desktop\tdsskiller.exe
[2012/03/12 12:57:34 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/03/12 08:01:12 | 004,434,343 | R--- | M] (Swearware) -- C:\Documents and Settings\williams\Desktop\gotcha.exe
[2012/03/11 01:05:14 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\williams\Desktop\google.exe
[2012/03/11 01:03:14 | 001,219,072 | ---- | M] () -- C:\Documents and Settings\williams\Desktop\RogueKiller.exe
[2012/03/08 23:35:23 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/03/08 20:21:44 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2012/03/08 19:48:46 | 000,000,818 | ---- | M] () -- C:\Documents and Settings\williams\Desktop\Core Temp.lnk
[2012/03/08 10:26:52 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2012/03/08 10:15:32 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/08 10:01:41 | 000,000,633 | ---- | M] () -- C:\Documents and Settings\williams\My Documents\fixexe.zip
[2012/03/08 09:59:06 | 000,000,633 | ---- | M] () -- C:\Documents and Settings\williams\Desktop\fixexe.zip
[2012/03/01 00:56:42 | 000,001,027 | ---- | M] () -- C:\Documents and Settings\williams\Start Menu\Programs\Startup\Dropbox.lnk
[2012/03/01 00:56:42 | 000,001,027 | ---- | M] () -- C:\Documents and Settings\williams\Desktop\Dropbox.lnk
[2012/03/01 00:10:00 | 000,000,361 | ---- | M] () -- C:\Documents and Settings\williams\My Documents\fixexe.inf
[2012/03/01 00:10:00 | 000,000,326 | ---- | M] () -- C:\Documents and Settings\williams\My Documents\fixexe.reg
[2012/02/27 12:36:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/02/21 09:56:14 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AnyDVD.lnk
[2012/02/18 13:56:29 | 000,001,480 | ---- | M] () -- C:\WINDOWS\AUTOLNCH.REG
[2012/02/16 08:55:19 | 000,269,392 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/16 04:01:33 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
 
========== Files Created - No Company Name ==========
 
[2012/03/11 01:15:09 | 001,219,072 | ---- | C] () -- C:\Documents and Settings\williams\Desktop\RogueKiller.exe
[2012/03/10 19:50:46 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/10 19:50:46 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/10 19:50:46 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/10 19:50:46 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/10 19:50:46 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/08 19:48:46 | 000,000,818 | ---- | C] () -- C:\Documents and Settings\williams\Desktop\Core Temp.lnk
[2012/03/08 10:26:52 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2012/03/08 10:15:32 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/08 10:02:48 | 000,000,361 | ---- | C] () -- C:\Documents and Settings\williams\My Documents\fixexe.inf
[2012/03/08 10:02:48 | 000,000,326 | ---- | C] () -- C:\Documents and Settings\williams\My Documents\fixexe.reg
[2012/03/08 10:01:41 | 000,000,633 | ---- | C] () -- C:\Documents and Settings\williams\My Documents\fixexe.zip
[2012/03/08 09:58:56 | 000,000,633 | ---- | C] () -- C:\Documents and Settings\williams\Desktop\fixexe.zip
[2012/02/21 09:56:14 | 000,000,754 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AnyDVD.lnk
[2012/02/15 10:39:35 | 000,001,027 | ---- | C] () -- C:\Documents and Settings\williams\Desktop\Dropbox.lnk
[2012/02/15 10:37:17 | 000,001,027 | ---- | C] () -- C:\Documents and Settings\williams\Start Menu\Programs\Startup\Dropbox.lnk
[2012/02/15 04:42:51 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/15 04:42:51 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2011/10/23 15:05:30 | 000,273,344 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/10/23 15:05:30 | 000,273,344 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/10/23 15:05:30 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/05/21 06:01:00 | 002,123,582 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2011/04/10 08:36:50 | 000,423,520 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/04/04 23:05:42 | 000,000,183 | ---- | C] () -- C:\Documents and Settings\williams\Application Data\PropCalc Preferences
[2010/10/14 07:56:57 | 008,977,408 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\toolboxDatabase
[2010/10/10 19:17:42 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\williams\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/13 18:55:36 | 000,022,723 | R--- | C] () -- C:\WINDOWS\System32\ml285pl3.dll
[2010/06/25 10:03:12 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2010/05/02 23:18:12 | 000,000,748 | ---- | C] () -- C:\WINDOWS\GARMINWT.INI
[2010/04/29 08:30:09 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/29 08:18:45 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
 
========== LOP Check ==========
 
[2012/03/08 09:31:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\99058D500033A0A4005FA5A6D151FC4E
[2011/01/25 23:48:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Altaro
[2010/10/14 07:48:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2011/10/22 14:09:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dyn
[2009/12/31 12:13:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DynDNS
[2009/08/30 23:50:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
[2010/01/01 11:24:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance
[2012/03/13 23:05:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OopsBackup
[2010/04/25 17:36:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/08/30 23:38:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft
[2011/09/18 14:21:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tomvale Aviation Calculator
[2011/05/09 23:00:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/04/14 22:09:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/10/04 11:47:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/08/15 18:30:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2011/05/28 09:09:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Amazon
[2011/04/05 19:51:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\calibre
[2009/04/12 12:37:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\DAEMON Tools
[2009/08/30 09:27:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\DAEMON Tools Lite
[2009/04/12 12:37:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\DAEMON Tools Pro
[2012/03/13 23:05:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Dropbox
[2011/06/16 08:02:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\ElevatedDiagnostics
[2010/01/07 20:06:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Foxit
[2010/07/26 22:15:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Foxit Software
[2010/05/15 09:23:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\GARMIN
[2010/10/14 07:51:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\GetRightToGo
[2010/05/23 11:02:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\GPS Utility
[2011/03/22 22:26:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\gtk-2.0
[2010/10/17 17:28:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\MechanicToolboxPreferences
[2009/08/30 14:08:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Milestone
[2010/01/01 11:27:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Nuance
[2009/08/15 13:31:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Publish Providers
[2009/09/02 20:16:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Qualcomm
[2010/04/25 17:36:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\ScanSoft
[2010/08/26 22:59:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Seattle Avionics
[2011/06/04 12:41:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\SmartDraw
[2009/08/15 13:31:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Sony
[2010/01/07 20:41:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\SSH
[2011/03/25 22:52:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\SystemRequirementsLab
[2011/09/28 09:10:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Taunton
[2009/10/04 11:32:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\TrueCrypt
[2010/01/03 14:30:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\UDC Profiles
[2011/10/23 15:04:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Windows Desktop Search
[2011/11/13 19:24:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Windows Search
[2012/03/13 23:08:22 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2012/03/13 23:05:11 | 000,000,478 | ---- | M] () -- C:\WINDOWS\Tasks\SDMsgUpdate (TE).job
 
========== Purity Check ==========
 
 

< End of report >

edw
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #42 on: March 14, 2012, 12:30:29 AM »
Here's a current one, finally!


aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-13 23:23:02
-----------------------------
23:23:02.484    OS Version: Windows 5.1.2600 Service Pack 3
23:23:02.484    Number of processors: 8 586 0x1A04
23:23:02.484    ComputerName: ASUS-I7-XP  UserName: williams
23:23:04.390    Initialize success
23:23:10.250    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
23:23:10.250    Disk 0 Vendor: Intel___ 1.0. Size: 953875MB BusType: 8
23:23:10.250    Disk 0 MBR read successfully
23:23:10.250    Disk 0 MBR scan
23:23:10.250    Disk 0 Windows XP default MBR code
23:23:10.250    Disk 0 Partition - 00     0F Extended LBA            649989 MB offset 16065
23:23:10.265    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       303876 MB offset 1331195904
23:23:10.328    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       649989 MB offset 16128
23:23:10.328    Disk 0 scanning sectors +1953533952
23:23:10.406    Disk 0 scanning C:\WINDOWS\system32\drivers
23:23:20.125    Service scanning
23:23:33.828    Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
23:23:37.359    Modules scanning
23:23:43.750    Disk 0 trace - called modules:
23:23:43.796    ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spzv.sys hal.dll >>UNKNOWN [0x8b11d938]<<
23:23:43.796    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x899a9840]
23:23:43.796    3 CLASSPNP.SYS[b8118fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8b044028]
23:23:43.796    Scan finished successfully
23:23:58.343    Disk 0 MBR has been saved successfully to "R:\MBR.dat"
23:23:58.359    The log file has been saved successfully to "R:\aswMBR.txt"

Bear
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #43 on: March 14, 2012, 01:07:14 AM »
Hi edw

1.  Double click on the OTL icon to run it (Vista and Windows 7 users right click and select Run as Administrator). Make sure all other windows are closed and let it run uninterrupted.

2.  In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".  On the upper right be sure Use Company-Name WhiteList and Skip Microsoft Files are checked.  Copy the code in the code box below and paste it into the Custom Scan box.

Code:
:OTL
[2012/03/08 09:35:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\williams\Start Menu\Programs\Smart Fortress 2012
[2012/03/08 09:31:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\99058D500033A0A4005FA5A6D151FC4E

:FILES

:Commands
[REBOOT]

3.  Click on the Run Fix button.  The fix log is saved on your C: drive under OTL\Moved Files as date-some number.log. 

4.  Run RogueKiller again.  Uncheck the following entry:

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Now click delete.

5.  Click the ProxyFix tab.

6.  Try to run ComboFix in normal mode again.  If you get it to run, post the log.

As always please check to be sure Word Wrap is NOT turned on in any Notepad files you post and please be sure to check that all the data you entered was posted.  If not, use multiple posts.

Now please post the following to me as a reply to this post:
OTL Fix Log
RKreport.txt
Let me know how your computer is operating and if you have internet connection
If you have any questions or problems, let me know that as well

edw
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #44 on: March 14, 2012, 01:48:09 AM »
Everything ran OK.  Combofix complained about the lack of a recovery panel.  Still no Internet.  The logs:

RogueKiller V7.3.1 [03/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: williams [Admin rights]
Mode: Remove -- Date: 03/14/2012 00:27:25

Bad processes: 0

Registry Entries: 7
[] HKLM\[...]\Windows :  () -> ACCESS DENIED
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{5BCB5AC2-47E7-4067-BB2B-3D43F96FC119} : NameServer (8.8.8.8,68.87.76.182,68.87.78.134,8.8.8.8,8.8.4.4) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{FC0D2F06-D88B-4C0E-AB2A-2C7298748C71} : NameServer (206.13.28.12,206.13.31.12) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{FC0D2F06-D88B-4C0E-AB2A-2C7298748C71} : NameServer (206.13.28.12,206.13.31.12) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{FC0D2F06-D88B-4C0E-AB2A-2C7298748C71} : NameServer (206.13.28.12,206.13.31.12) -> NOT REMOVED, USE DNSFIX
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[] HKLM\[...]\Windows :  () -> ACCESS DENIED

Particular Files / Folders:

Driver: [LOADED]

Infection : 

HOSTS File:
127.0.0.1       localhost


MBR Check:

+++++ PhysicalDrive0: Volume0 +++++
--- User ---
[MBR] c264d044ed26103fc4120b6a340b9a95
[BSP] da52c49325212b90e913c710c5e35f47 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 16065 | Size: 649989 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 1331195904 | Size: 303876 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

ComboFix 12-03-12.02 - williams 03/14/2012   0:31.2.8 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3062.2358 [GMT -7:00]
Running from: c:\documents and settings\williams\Desktop\gotcha.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\williams\System\win_qs8.jqx
c:\scanjet\PrecisionScanPro\HPLamp.exe
c:\windows\$NtUninstallKB5333$\2317917949\@
c:\windows\$NtUninstallKB5333$\2317917949\cfg.ini
c:\windows\$NtUninstallKB5333$\2317917949\Desktop.ini
c:\windows\$NtUninstallKB5333$\2317917949\L\saitnncd
c:\windows\$NtUninstallKB5333$\2317917949\oemid
c:\windows\$NtUninstallKB5333$\2317917949\U\00000001.@
c:\windows\$NtUninstallKB5333$\2317917949\U\00000002.@
c:\windows\$NtUninstallKB5333$\2317917949\U\00000004.@
c:\windows\$NtUninstallKB5333$\2317917949\U\80000000.@
c:\windows\$NtUninstallKB5333$\2317917949\U\80000004.@
c:\windows\$NtUninstallKB5333$\2317917949\U\80000032.@
c:\windows\$NtUninstallKB5333$\2317917949\version
c:\windows\$NtUninstallKB5333$\3745068186
c:\windows\system32\PowerToyReadme.htm
.
-- Previous Run --
.
c:\windows\system32\drivers\ipsec.sys was missing
Restored copy from - c:\windows\system32\dllcache\ipsec.sys
.
--------
.
.
(((((((((((((((((((((((((   Files Created from 2012-02-14 to 2012-03-14  )))))))))))))))))))))))))))))))
.
.
2012-03-13 05:16 . 2012-03-13 05:16   --------   d-----w-   C:\TDSSKiller_Quarantine
2012-03-12 19:53 . 2008-04-14 12:00   75264   ----a-w-   c:\windows\system32\drivers\ipsec.sys
2012-03-12 07:00 . 2012-03-12 07:00   --------   d-----w-   C:\_OTL
2012-03-10 06:49 . 2012-03-11 02:47   --------   d-----w-   c:\windows\system32\NtmsData
2012-03-10 03:33 . 2008-04-14 08:10   43904   -c----w-   c:\windows\system32\dllcache\sbp2port.sys
2012-03-10 03:33 . 2008-04-14 08:10   43904   ----a-w-   c:\windows\system32\drivers\sbp2port.sys
2012-03-09 10:04 . 2012-03-09 10:04   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-03-09 02:48 . 2012-03-09 06:50   --------   d-----w-   c:\program files\Core Temp
2012-03-08 17:58 . 2012-03-08 17:58   29904   ------w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3FF63C55-B7A2-433B-A8C2-BC04FDB1A254}\MpKsl0a732e9c.sys
2012-03-08 17:32 . 2012-02-08 06:03   6552120   ------w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3FF63C55-B7A2-433B-A8C2-BC04FDB1A254}\mpengine.dll
2012-03-08 17:15 . 2012-03-08 17:15   --------   d-----w-   c:\documents and settings\williams\Application Data\Malwarebytes
2012-03-08 17:15 . 2012-03-08 17:15   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-08 17:15 . 2012-03-08 17:15   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-03-08 17:15 . 2011-12-10 23:24   20464   ------w-   c:\windows\system32\drivers\mbam.sys
2012-03-08 16:34 . 2012-03-08 16:34   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
2012-03-08 16:31 . 2012-03-08 16:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\99058D500033A0A4005FA5A6D151FC4E
2012-02-29 16:22 . 2012-02-29 16:22   41680   ----a-w-   c:\windows\system32\drivers\haktfvqm.sys
2012-02-29 16:16 . 2012-02-29 16:16   41680   ----a-w-   c:\windows\system32\drivers\svkrnvma.sys
2012-02-15 17:36 . 2012-03-14 07:25   --------   d-----w-   c:\documents and settings\williams\Application Data\Dropbox
2012-02-15 11:42 . 2012-01-11 19:06   3072   -c----w-   c:\windows\system32\dllcache\iacenc.dll
2012-02-15 11:42 . 2012-01-11 19:06   3072   ------w-   c:\windows\system32\iacenc.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-08 17:41 . 2011-05-30 05:40   414368   ------w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 17:18 . 2010-06-23 15:28   237072   ------w-   c:\windows\system32\MpSigStub.exe
2012-02-18 20:56 . 2010-01-01 19:44   1480   ------w-   c:\windows\AUTOLNCH.REG
2012-02-08 06:03 . 2010-06-24 15:32   6552120   ------w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-29 20:22 . 2012-01-29 20:22   121208   ------w-   c:\windows\system32\drivers\AnyDVD.sys
2012-01-12 16:53 . 2008-04-14 12:00   1859968   ----a-w-   c:\windows\system32\win32k.sys
2012-01-12 00:19 . 2012-01-12 00:19   4448256   ------w-   c:\windows\system32\GPhotos.scr
2011-12-17 19:46 . 2008-04-14 12:00   916992   ----a-w-   c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 12:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2008-04-14 12:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2008-04-14 12:00   385024   ------w-   c:\windows\system32\html.iec
2012-02-25 03:10 . 2011-05-08 17:12   134104   ------w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49   94208   ------w-   c:\documents and settings\williams\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49   94208   ------w-   c:\documents and settings\williams\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49   94208   ------w-   c:\documents and settings\williams\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49   94208   ------w-   c:\documents and settings\williams\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2012-02-20 5860984]
"Seattle Avionics Data Manager"="c:\program files\Seattle Avionics\Data Manager\DataManager.exe" [2011-12-28 995328]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Oops!Backup"="c:\program files\Altaro\Oops!Backup\OopsBackup.exe" [2011-09-29 3335680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2008-11-18 36864]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-03 16876032]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 988701]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 118784]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-10 421736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CAPEXP.EXE [2000-11-1 821248]
.
c:\documents and settings\williams\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\williams\Application Data\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
Shortcut to CAPEXP.lnk - c:\program files\Capture Express\CAPEXP.EXE [2010-11-21 821248]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Dyn Updater Tray Icon.lnk - c:\program files\DynDNS Updater\DynTray.exe [2011-11-15 78192]
Evernote Clipper.lnk - c:\windows\Installer\{F761359C-9CED-45AE-9A51-9D6605CD55C4}\Evernote.ico [2011-1-4 293950]
VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-12-16 6144]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\eudora51\EuShlExt.dll" [2006-08-17 86016]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\X-Plane 9\\X-Plane.exe"=
"c:\\Program Files\\NETGEAR ReadyNAS\\RAIDar.exe"=
"d:\\Drivesavers\\1st_Partition_C\\HP DS9100C\\Link\\hpnsjtr.exe"=
"c:\\HPDS9100C\\Link\\hpnsjtr.exe"=
"d:\\Drivesavers\\2nd_Partition_D\\Programs\\Cessna NAVIII G1000 Trainer v8.01\\CDUSIMv2.exe"=
"c:\\Garmin_simulators\\Cessna NAVIII G1000 Trainer v8.01\\CDUSIMv2.exe"=
"c:\\Program Files\\AirPort\\APUtil.exe"=
"c:\\Program Files\\Garmin\\G600 Trainer\\GNS\\G530SIM.exe"=
"c:\\Program Files\\Garmin\\G600 Trainer\\GNS\\hsi400wx.exe"=
"c:\\Program Files\\Garmin\\G600 Trainer\\GDU\\CDUSIMv2.exe"=
"c:\\Program Files\\Garmin\\G600 Trainer\\GSM\\gsim_server.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\emailrelay\\emailrelay.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Documents and Settings\\williams\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"5353:UDP"= 5353:UDP:Bonjour
.
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [8/30/2009 9:21 AM 66736]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/12/2009 12:32 PM 691696]
R2 Dyn Updater;Dyn Updater;c:\program files\DynDNS Updater\DynUpSvc.exe [11/15/2011 10:20 AM 95608]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [3/25/2011 11:06 PM 13336]
R2 OopsBackup.Service.exe;Oops!Backup Service;c:\program files\Altaro\Oops!Backup\OopsBackup.Service.exe [9/29/2011 10:59 AM 22016]
S2 DeltaCopyService;DeltaCopy Server;c:\programs\DeltaCopy\DCServce.exe [11/23/2009 3:28 PM 683008]
S2 emailrelay;E-MailRelay;c:\program files\emailrelay\emailrelay-service.exe [9/19/2011 7:29 PM 597281]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/1/2010 10:08 PM 135664]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [10/23/2011 3:06 PM 2214504]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\williams\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\williams\LOCALS~1\Temp\ALSysIO.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/1/2010 10:08 PM 135664]
S3 JEPPDRIVE;JeppDrive Service;c:\windows\system32\drivers\JeppDrive.sys [3/5/2010 9:06 PM 24344]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 11:15 AM 31125880]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 10:07 AM 35088]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]
S3 Wibukey2;Wibukey2;c:\windows\system32\drivers\Wibukey2.sys [4/13/2009 1:09 PM 16384]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - TRUESIGHT
*Deregistered* - TrueSight
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 05:08]
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 05:08]
.
2012-03-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 22:39]
.
2012-03-14 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2011-05-30 17:29]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{FC0D2F06-D88B-4C0E-AB2A-2C7298748C71}: NameServer = 206.13.28.12,206.13.31.12
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://lumahai.dyndns.org/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\williams\Application Data\Mozilla\Firefox\Profiles\9g2mvweg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - 192.168.1.4
FF - prefs.js: network.proxy.http_port - 9999
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-HP Lamp - c:\scanjet\PrecisionScanPro\HPLamp.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-14 00:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1177238915-963894560-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F0D00B61-F3DB-1E1B-99C7-C909CB0F78D3}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"gccehgpngdcogmpmaeidhjfknjeongaldolnfaoemimoaakfmcglplipjkocfmmjffdpggaifdefcj"=hex:6c,
   61,69,70,6d,69,66,6f,64,67,70,63,69,63,6f,65,64,6f,70,6a,70,61,64,6a,00,d3
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1148)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(1524)
c:\windows\system32\WININET.dll
c:\program files\SlySoft\AnyDVD\ADvdDiscHlp1.dll
c:\documents and settings\williams\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\program files\Capture Express\QCAPHK.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-03-14  00:41:42
ComboFix-quarantined-files.txt  2012-03-14 07:41
.
Pre-Run: 453,438,984,192 bytes free
Post-Run: 453,380,505,600 bytes free
.
- - End Of File - - CDF593E2CED3B3BD164D5317B91A948A


  Signing off until tomorrow AM.