Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log


  • This topic is locked This topic is locked
18 replies to this topic

#1 lll blaze lll

lll blaze lll

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:00 AM

Posted 07 February 2010 - 02:49 AM

Skipping the introduction here and straight to things. My pc runs just fine, but I want things to the best of there ability and in full health. I'm getting better at this everyday. I actually repair pcs for a small fee. If anyone would like to help me understand HijackThis I would love it since it will be a part of my PC repair process. Anyways onward with things.
My brother installed SweetIM the other day so I could send him neat smileys through Yahoo Messenger. Well I didn't want this program. It changed my home page and from what i've read via google it's technically a spyware application. I've fixed my homepage since then. It doesn't show up in my Add and Remove programs list but it still shows in my search bar in my Firefox browser. I believe I have already tried uninstalling this using I would love to remove that and even the default google search bar that showed up naturally when I installed Firefox. It's not as simple as just removing it from the Addons menu.

\/ \/ \/ \/ \/
I'm pretty sure as part of this removal process I just need to remove the entries that are marked sweetIM in my HijackThis log but I want to remove ALL unwanted entries. Below is my log and thank anyone reading this for their time. Along the lines of reading this are there any startup processes recommended for removal?

If it helps to quicken your reply, I have Malwarebytes, Ad-Aware, SUPERantiSpyware and have ran scans and removed any entries found. I also use Avast Anti-virus and Peer Guardian.

Okay and lastly. I read that I should change the name of HijackThis to something like 'Crusty.exe' etc. Is that really necessary? It does make sense that malware can hide itself from programs though.

UPDATE: I found this removal process for SweetIM http://www.msghelp.net/showthread.php?tid=70936 So unless you want to post your method i'll just go about removing SweetIM this way. I still would like my HijackThis log analyzed and remove any unwanted entries.
----------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:46 AM, on 2/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Alarm Clock\Alarm Clock.exe
C:\Program Files\Trend Micro\HijackThis\crusty.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-21-1454471165-682003330-1801674531-1003\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe (User '?')
O4 - HKUS\S-1-5-21-1454471165-682003330-1801674531-1003\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe (User '?')
O4 - HKUS\S-1-5-21-1454471165-682003330-1801674531-1003\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1454471165-682003330-1801674531-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1454471165-682003330-1801674531-1003\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User '?')
O4 - S-1-5-21-1454471165-682003330-1801674531-1003 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
-----------------------------------------------

Edited by lll blaze lll, 07 February 2010 - 04:28 AM.
Mod Edit: Moved From XP - AA

Posted Image

BC AdBot (Login to Remove)

 


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Instructor
  • 22,863 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:00 AM

Posted 14 February 2010 - 08:47 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#3 lll blaze lll

lll blaze lll
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:00 AM

Posted 15 February 2010 - 11:46 PM

Ahh, thank you for your time and your reply. As I stated in my original post i'm wanting to remove all search bars from my Firefox browser. I also want to remove all entries that are not necessary in my Hijack This Log. If there are any startup programs that are not needed I would like those to be removed aswell. Below is the logs you requested. Might I add for some weird reason when I reattached my Ethernet cable my pc froze. So I had to redo the logs since I didn't save them (copy and paste) and the 2nd time I booted I disabled the the LAN. When I went to re-enable it froze when I selected Enable. I disabled all protection after disconnecting from the internet like you asked. On top of things I have one question for you. Is Gmer's file name randomized to hide from Malware?


DDS (Ver_09-12-01.01) - NTFSx86
Run by Blaze at 18:42:21.31 on Mon 02/15/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page =
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVD.exe
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [FileZilla Server Interface] "c:\program files\filezilla server\FileZilla Server Interface.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\bryan\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: &Search
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bryan\applic~1\mozilla\firefox\profiles\vnojncvc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-02-14 05:29:59 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-14 05:25:02 0 d-----r- c:\program files\Skype
2010-02-08 04:57:19 0 d-----w- c:\windows\system32\Adobe
2010-02-07 07:11:52 0 d-----w- c:\program files\Trend Micro
2010-02-05 01:34:51 12672 ----a-w- c:\windows\system32\drivers\cpuz132_x32.sys
2010-02-05 01:34:51 0 d-----w- c:\program files\CPUID
2010-02-05 01:34:44 0 d-----w- c:\program files\Ask.com
2010-02-04 22:29:49 0 d-----w- c:\program files\Microsoft
2010-02-04 22:29:21 0 d-----w- c:\program files\Windows Live SkyDrive
2010-02-03 07:46:42 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-02-03 07:46:36 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-02-03 07:46:36 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-02-03 07:46:36 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-02-03 07:46:36 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-02-03 07:46:36 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-02-03 06:23:24 4444 ----a-w- c:\windows\system32\pid.PNF
2010-02-03 06:20:18 16535 ----a-r- c:\windows\SET4F.tmp
2010-02-03 06:20:14 1088840 ----a-r- c:\windows\SET43.tmp
2010-02-03 06:20:12 1296669 ----a-r- c:\windows\SET40.tmp
2010-02-03 00:01:43 0 d-----w- c:\windows\system32\en
2010-01-29 07:20:11 1 ----a-w- c:\windows\DCEBOOT.CFG
2010-01-29 02:36:36 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-01-29 02:34:29 0 d-----w- c:\program files\Panda Security
2010-01-26 05:08:05 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-26 04:30:18 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-26 04:27:49 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-26 04:26:27 0 d-----w- c:\program files\Lavasoft
2010-01-26 03:41:44 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-26 03:39:38 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-26 03:39:37 0 d-----w- c:\docume~1\bryan\applic~1\SUPERAntiSpyware.com
2010-01-26 03:39:03 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-26 01:20:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-26 01:20:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 01:20:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-09-24 10:11:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009092420090925\index.dat

============= FINISH: 18:42:41.00 ===============




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-15 20:48:42
Windows 5.1.2600 Service Pack 3
Running: pbwif89p.exe; Driver: C:\DOCUME~1\Bryan\LOCALS~1\Temp\kwlyyaog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF5AAD6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF5AAD574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF5AADA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF5AAD14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF5AAD64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF5AAD08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF5AAD0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF5AAD76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF5AAD72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF5AAD8AE]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[696] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[696] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

Attached Files


Posted Image

#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Instructor
  • 22,863 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:00 AM

Posted 16 February 2010 - 03:37 PM

Ok, no baddies, lets have a deeper look so we can remove some things.

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    safebootminimal
    safebootnetwork
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Instructor
  • 22,863 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:00 AM

Posted 21 February 2010 - 06:13 AM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Instructor
  • 22,863 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:00 AM

Posted 23 February 2010 - 12:29 PM

Reopened by user request.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#7 lll blaze lll

lll blaze lll
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:00 AM

Posted 25 February 2010 - 01:45 AM

Here you go. smile.gif the 'Extra.txt' file didn't pop up (minimized) or create. But here's OTL.txt atleast.

OTL logfile created on: 2/25/2010 12:35:22 AM - Run 3
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Bryan\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

767.00 Mb Total Physical Memory | 177.00 Mb Available Physical Memory | 23.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 56.00% Paging File free
Paging file location(s): c:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.04 Gb Total Space | 0.14 Gb Free Space | 0.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: B-956125E7AD354
Current User Name: Bryan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/16 22:33:36 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bryan\My Documents\Downloads\OTL.exe
PRC - [2010/02/04 23:51:23 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/30 17:24:34 | 000,703,488 | ---- | M] (FileZilla Project) -- C:\Program Files\FileZilla Server\FileZilla server.exe
PRC - [2009/11/24 17:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 17:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 17:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 17:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 17:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/10/11 04:17:36 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/08/14 07:45:34 | 000,319,488 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\Common Files\Motive\McciCMService.exe
PRC - [2009/06/05 10:48:14 | 000,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/08/01 14:35:36 | 000,067,112 | ---- | M] (America Online, Inc.) -- C:\Program Files\AIM\aim.exe
PRC - [2002/09/20 17:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PRC - [2001/09/06 19:37:09 | 000,049,152 | ---- | M] () -- C:\Program Files\Alarm Clock\Alarm Clock.exe


========== Modules (SafeList) ==========

MOD - [2010/02/16 22:33:36 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bryan\My Documents\Downloads\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/02/04 22:30:47 | 001,181,328 | ---- | M] (Lavasoft) [Auto | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/12/30 17:24:34 | 000,703,488 | ---- | M] (FileZilla Project) [Auto | Running] -- C:\Program Files\FileZilla Server\FileZilla Server.exe -- (FileZilla Server)
SRV - [2009/11/24 17:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 17:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 17:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 17:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/10/11 04:17:35 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/08/14 07:45:34 | 000,319,488 | ---- | M] (Alcatel-Lucent) [Auto | Running] -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService)
SRV - [2009/06/05 10:48:14 | 000,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/08/06 13:46:48 | 000,072,704 | ---- | M] (Adobe Systems) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2002/09/20 17:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "SweetIM Search"
FF - prefs.js..browser.search.defaulturl: "http://search.sweetim.com/search.asp?src=2&q="
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.selectedEngine: "MyWebSearch"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.7
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20091028
FF - prefs.js..extensions.enabledItems: {d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904}:2.0.2
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="
FF - prefs.js..sweetim.toolbar.previous.browser.search.defaultenginename: "Yahoo"
FF - prefs.js..sweetim.toolbar.previous.browser.search.defaulturl: "http://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p="
FF - prefs.js..sweetim.toolbar.previous.browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..sweetim.toolbar.previous.keyword.URL: "http://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p="


FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/06 00:28:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/04 23:51:37 | 000,000,000 | ---D | M]

[2009/05/31 13:43:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Extensions
[2010/02/21 19:02:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions
[2009/11/05 18:20:20 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/01/25 22:14:17 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/02/04 23:49:50 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/02/06 16:04:41 | 000,000,000 | ---D | M] (Tiny Menu) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904}
[2010/02/05 02:33:32 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/08/27 18:30:12 | 000,009,941 | ---- | M] () -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\searchplugins\mywebsearch.xml
[2009/06/01 00:11:12 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\searchplugins\search-the-web.xml
[2009/08/27 18:07:01 | 000,003,915 | ---- | M] () -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\searchplugins\sweetim.xml
[2010/02/21 19:02:51 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/12/02 03:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [CloneCDTray] C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe (SlySoft, Inc.)
O4 - HKLM..\Run: [FileZilla Server Interface] C:\Program Files\FileZilla Server\FileZilla Server Interface.exe (FileZilla Project)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe (SlySoft, Inc.)
O4 - HKCU..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe (Phoenix Labs)
O4 - Startup: C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Bryan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Bryan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/01/24 20:37:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{1f8dc6c0-1d83-11de-9837-0015609a8a9b}\Shell - "" = AutoRun
O33 - MountPoints2\{1f8dc6c0-1d83-11de-9837-0015609a8a9b}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1f8dc6c0-1d83-11de-9837-0015609a8a9b}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2010/02/03 01:47:17 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: winmgmt - C:\WINDOWS\system32\wbem\winmgmt.exe (Microsoft Corporation)

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootMin: mcmscsvc - Service
SafeBootMin: MCODS - Service
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: WinMgmt - Service
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootNet: mcmscsvc - Service
SafeBootNet: MCODS - Service
SafeBootNet: MpfService - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: WinMgmt - Service
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010/02/19 12:17:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bryan\Desktop\funnies
[2010/02/13 23:37:19 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Bryan\Recent
[2010/02/13 23:29:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bryan\Application Data\skypePM
[2010/02/13 23:25:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bryan\Application Data\Skype
[2010/02/13 23:25:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2010/02/13 23:25:02 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2010/02/13 23:24:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/02/11 21:22:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bryan\Desktop\Bruno (2009) DVDRip-MAXSPEED
[2009/12/09 15:35:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/10/27 00:12:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/09/27 15:57:09 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/08/25 20:18:47 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/25 20:18:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/08/13 14:03:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/02/26 08:21:38 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Bryan\Application Data\pcouffin.sys
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[11 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/02/25 00:01:00 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010/02/24 22:30:09 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/02/24 20:41:31 | 002,359,350 | ---- | M] () -- C:\Documents and Settings\Bryan\Desktop\here.bmp
[2010/02/24 16:30:15 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/02/24 10:31:21 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/02/24 04:30:27 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/02/23 04:31:28 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/02/23 03:24:54 | 000,055,860 | ---- | M] () -- C:\Documents and Settings\Bryan\Desktop\sea-the-light.jpg
[2010/02/23 01:22:14 | 000,074,562 | ---- | M] () -- C:\Documents and Settings\Bryan\Desktop\BlazeAkuma.png
[2010/02/20 13:30:58 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/02/20 13:30:54 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/20 13:30:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/20 13:29:04 | 007,864,320 | ---- | M] () -- C:\Documents and Settings\Bryan\ntuser.dat
[2010/02/20 13:29:04 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Bryan\ntuser.ini
[2010/02/18 15:58:15 | 000,103,936 | ---- | M] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/18 15:21:23 | 000,002,228 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/15 19:10:56 | 000,001,611 | ---- | M] () -- C:\Documents and Settings\Bryan\Desktop\Attach.zip
[2010/02/13 23:29:59 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/02/13 23:25:05 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/02/12 16:14:17 | 000,000,040 | ---- | M] () -- C:\WINDOWS\nero.INI
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[11 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/24 20:41:31 | 002,359,350 | ---- | C] () -- C:\Documents and Settings\Bryan\Desktop\here.bmp
[2010/02/23 03:24:53 | 000,055,860 | ---- | C] () -- C:\Documents and Settings\Bryan\Desktop\sea-the-light.jpg
[2010/02/23 01:22:12 | 000,074,562 | ---- | C] () -- C:\Documents and Settings\Bryan\Desktop\BlazeAkuma.png
[2010/02/15 19:10:56 | 000,001,611 | ---- | C] () -- C:\Documents and Settings\Bryan\Desktop\Attach.zip
[2010/02/13 23:29:59 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/02/13 23:25:05 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/01/28 20:11:54 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\housecall.guid.cache
[2009/08/25 20:49:37 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\PUTTY.RND
[2009/02/26 08:21:59 | 000,000,671 | ---- | C] () -- C:\Documents and Settings\Bryan\Application Data\vso_ts_preview.xml
[2009/02/26 08:21:44 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\Bryan\Application Data\pcouffin.log
[2009/02/26 08:21:38 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Bryan\Application Data\inst.exe
[2009/02/26 08:21:38 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Bryan\Application Data\pcouffin.cat
[2009/02/26 08:21:38 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Bryan\Application Data\pcouffin.inf
[2009/01/27 21:03:53 | 000,000,208 | ---- | C] () -- C:\WINDOWS\SIMSYNTH.INI
[2009/01/23 06:57:29 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/01/23 06:57:27 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/01/23 06:57:26 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/01/23 06:57:25 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/01/23 06:57:25 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/07/27 19:31:36 | 000,000,073 | ---- | C] () -- C:\WINDOWS\EurekaLog.ini
[2008/04/05 08:28:55 | 000,000,041 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2007/02/06 12:40:32 | 000,000,040 | ---- | C] () -- C:\WINDOWS\nero.INI
[2007/02/06 04:23:26 | 000,000,040 | -HS- | C] () -- C:\Documents and Settings\Bryan\Application Data\.zreglib
[2007/02/06 04:21:16 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/01/29 05:11:11 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\unzdll.dll
[2007/01/27 16:45:41 | 000,103,936 | ---- | C] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/27 16:28:54 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[1999/03/01 22:14:09 | 000,000,136 | ---- | C] () -- C:\WINDOWS\System32\mstraps.dll

========== LOP Check ==========

[2010/01/25 22:33:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/10/20 14:14:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/01/14 01:46:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/09/17 14:17:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/06/18 20:36:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/01/25 22:28:04 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2009/10/20 14:15:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Aim
[2007/02/02 23:07:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Jasc
[2009/11/14 23:15:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\NLOP
[2007/02/06 07:20:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Opera
[2009/08/25 21:43:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\PokerCreations
[2010/02/18 20:04:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\uTorrent
[2009/11/15 12:28:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Viewpoint
[2009/02/26 09:39:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Vso
[2010/02/24 22:30:09 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 1).job
[2010/02/24 04:30:27 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 2).job
[2010/02/24 10:31:21 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 3).job
[2010/02/24 16:30:15 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 4).job
[2010/02/23 04:31:28 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/02/25 00:01:00 | 000,000,234 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
[2010/02/20 13:30:58 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 05:51:44 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 12:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 12:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3E2028C8
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

Posted Image

#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Instructor
  • 22,863 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:00 AM

Posted 25 February 2010 - 02:22 PM

Ask Toolbar is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know as stated in the following Articles:

http://www.benedelman.org/spyware/ask-toolbars/
http://vil.nai.com/vil/content/v_185490.htm


I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Ask Toolbar.



How is it running?



I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#9 lll blaze lll

lll blaze lll
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:00 AM

Posted 27 February 2010 - 02:27 AM

Interesting. I indeed do not recall ever being asked to install the Ask Toolbar during any installations. Even further interesting. There was a fatal error during uninstalling via the Add and Remove programs tool. Here's the error;

"Error 1720. There is a problem with this Windows Installer package. A script required for this install to complete could not be run. Contact your support personnel or package vendor. Custom action vb_IS_FF_OPEN_UNINSTALL script error -2147217407,: Line 9, Column 5,"

-

ESET Scan
_________

C:\Documents and Settings\Bryan\Desktop\AIO_FL_STUDIO8_Plugins_Extras_Packs.iso multiple threats deleted

I recognize this file. Fortunately I never burned it to a disc and ran it even though that's not necessary for a virus (I believe)

-

Aside from all that everything has always seemed to run fine.
Posted Image

#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Instructor
  • 22,863 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:00 AM

Posted 27 February 2010 - 07:41 AM

Please post back with a fresh OTL logfile smile.gif
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#11 lll blaze lll

lll blaze lll
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:00 AM

Posted 01 March 2010 - 09:48 PM

Here you are sir. Remember just like last time the Extra.txt didn't create.

---

OTL logfile created on: 3/1/2010 8:38:53 PM - Run 4
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Bryan\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

767.00 Mb Total Physical Memory | 245.00 Mb Available Physical Memory | 32.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 58.00% Paging File free
Paging file location(s): c:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.04 Gb Total Space | 2.74 Gb Free Space | 3.91% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: B-956125E7AD354
Current User Name: Bryan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/01 20:36:36 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bryan\My Documents\Downloads\OTL(2).exe
PRC - [2010/02/04 23:51:23 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/02/04 22:30:47 | 001,181,328 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/01/27 04:31:51 | 000,788,880 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/12/30 17:24:34 | 000,703,488 | ---- | M] (FileZilla Project) -- C:\Program Files\FileZilla Server\FileZilla server.exe
PRC - [2009/11/24 17:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 17:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 17:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 17:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 17:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/10/11 04:17:36 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/08/14 07:45:34 | 000,319,488 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\Common Files\Motive\McciCMService.exe
PRC - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/30 01:39:34 | 001,432,064 | ---- | M] (Phoenix Labs) -- C:\Program Files\PeerGuardian2\pg2.exe
PRC - [2006/08/01 14:35:36 | 000,067,112 | ---- | M] (America Online, Inc.) -- C:\Program Files\AIM\aim.exe
PRC - [2002/09/20 17:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/03/01 20:36:36 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bryan\My Documents\Downloads\OTL(2).exe


========== Win32 Services (SafeList) ==========

SRV - [2010/02/04 22:30:47 | 001,181,328 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/12/30 17:24:34 | 000,703,488 | ---- | M] (FileZilla Project) [Auto | Running] -- C:\Program Files\FileZilla Server\FileZilla Server.exe -- (FileZilla Server)
SRV - [2009/11/24 17:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 17:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 17:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 17:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/08/14 07:45:34 | 000,319,488 | ---- | M] (Alcatel-Lucent) [Auto | Running] -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService)
SRV - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2002/09/20 17:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "SweetIM Search"
FF - prefs.js..browser.search.defaulturl: "http://search.sweetim.com/search.asp?src=2&q="
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.selectedEngine: "MyWebSearch"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.7
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20091028
FF - prefs.js..extensions.enabledItems: {d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904}:2.0.2
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="
FF - prefs.js..sweetim.toolbar.previous.browser.search.defaultenginename: "Yahoo"
FF - prefs.js..sweetim.toolbar.previous.browser.search.defaulturl: "http://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p="
FF - prefs.js..sweetim.toolbar.previous.browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..sweetim.toolbar.previous.keyword.URL: "http://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p="


FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/06 00:28:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/04 23:51:37 | 000,000,000 | ---D | M]

[2009/05/31 13:43:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Extensions
[2010/03/01 04:07:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions
[2009/09/07 10:52:54 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/11/05 18:20:20 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/01/25 22:14:17 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/02/04 23:49:50 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/02/06 16:04:41 | 000,000,000 | ---D | M] (Tiny Menu) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904}
[2010/02/05 02:33:32 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/08/27 18:30:12 | 000,009,941 | ---- | M] () -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\searchplugins\mywebsearch.xml
[2009/06/01 00:11:12 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\searchplugins\search-the-web.xml
[2009/08/27 18:07:01 | 000,003,915 | ---- | M] () -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\searchplugins\sweetim.xml
[2010/03/01 04:07:38 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/12/02 03:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [CloneCDTray] C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe (SlySoft, Inc.)
O4 - HKLM..\Run: [FileZilla Server Interface] C:\Program Files\FileZilla Server\FileZilla Server Interface.exe (FileZilla Project)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe (SlySoft, Inc.)
O4 - HKCU..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe (Phoenix Labs)
O4 - Startup: C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Bryan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Bryan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/01/24 20:37:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{1f8dc6c0-1d83-11de-9837-0015609a8a9b}\Shell - "" = AutoRun
O33 - MountPoints2\{1f8dc6c0-1d83-11de-9837-0015609a8a9b}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1f8dc6c0-1d83-11de-9837-0015609a8a9b}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2010/02/03 01:47:17 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: winmgmt - C:\WINDOWS\system32\wbem\winmgmt.exe (Microsoft Corporation)

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootMin: mcmscsvc - Service
SafeBootMin: MCODS - Service
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: WinMgmt - Service
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootNet: mcmscsvc - Service
SafeBootNet: MCODS - Service
SafeBootNet: MpfService - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: WinMgmt - Service
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010/02/26 02:30:09 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2009/12/09 15:35:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/10/27 00:12:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/09/27 15:57:09 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/08/25 20:18:47 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/25 20:18:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/08/13 14:03:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/02/26 08:21:38 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Bryan\Application Data\pcouffin.sys
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[11 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/03/01 20:01:00 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010/03/01 16:30:11 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/03/01 10:31:49 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/03/01 10:31:48 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/03/01 10:31:48 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/03/01 10:31:47 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/03/01 03:57:12 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/03/01 03:52:58 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/01 03:52:46 | 000,002,228 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/01 03:52:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/28 18:45:50 | 008,126,464 | ---- | M] () -- C:\Documents and Settings\Bryan\ntuser.dat
[2010/02/28 18:45:44 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Bryan\ntuser.ini
[2010/02/18 15:58:15 | 000,103,936 | ---- | M] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[11 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/28 20:11:54 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\housecall.guid.cache
[2009/08/25 20:49:37 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\PUTTY.RND
[2009/02/26 08:21:59 | 000,000,671 | ---- | C] () -- C:\Documents and Settings\Bryan\Application Data\vso_ts_preview.xml
[2009/02/26 08:21:44 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\Bryan\Application Data\pcouffin.log
[2009/02/26 08:21:38 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Bryan\Application Data\inst.exe
[2009/02/26 08:21:38 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Bryan\Application Data\pcouffin.cat
[2009/02/26 08:21:38 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Bryan\Application Data\pcouffin.inf
[2009/01/27 21:03:53 | 000,000,208 | ---- | C] () -- C:\WINDOWS\SIMSYNTH.INI
[2009/01/23 06:57:29 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/01/23 06:57:27 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/01/23 06:57:26 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/01/23 06:57:25 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/01/23 06:57:25 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/07/27 19:31:36 | 000,000,073 | ---- | C] () -- C:\WINDOWS\EurekaLog.ini
[2008/04/05 08:28:55 | 000,000,041 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2007/02/06 12:40:32 | 000,000,040 | ---- | C] () -- C:\WINDOWS\nero.INI
[2007/02/06 04:23:26 | 000,000,040 | -HS- | C] () -- C:\Documents and Settings\Bryan\Application Data\.zreglib
[2007/02/06 04:21:16 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/01/29 05:11:11 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\unzdll.dll
[2007/01/27 16:45:41 | 000,103,936 | ---- | C] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/27 16:28:54 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[1999/03/01 22:14:09 | 000,000,136 | ---- | C] () -- C:\WINDOWS\System32\mstraps.dll

========== LOP Check ==========

[2010/01/25 22:33:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/10/20 14:14:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/01/14 01:46:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/09/17 14:17:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/06/18 20:36:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/01/25 22:28:04 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2009/10/20 14:15:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Aim
[2007/02/02 23:07:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Jasc
[2009/11/14 23:15:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\NLOP
[2007/02/06 07:20:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Opera
[2009/08/25 21:43:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\PokerCreations
[2010/02/18 20:04:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\uTorrent
[2009/11/15 12:28:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Viewpoint
[2009/02/26 09:39:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Vso
[2010/03/01 10:31:47 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 1).job
[2010/03/01 10:31:48 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 2).job
[2010/03/01 10:31:48 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 3).job
[2010/03/01 16:30:11 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 4).job
[2010/03/01 10:31:49 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/03/01 20:01:00 | 000,000,234 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
[2010/03/01 03:57:12 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 05:51:44 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 12:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 12:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3E2028C8
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

Posted Image

#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Instructor
  • 22,863 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:00 AM

Posted 03 March 2010 - 12:41 PM

Hi,

How is it running now?


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    CODE
    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O3 - HKLM\..\Toolbar: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open one notepad window. OTL.Txt a This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#13 lll blaze lll

lll blaze lll
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:00 AM

Posted 03 March 2010 - 01:29 PM

Things are running just fine as normal. Remember though I originally wanted to remove my SweetIM Search bar or any Search bars in my firefox browser. No reboot necessary :-D So 3 of these keys weren't found. Is that good or bad?

Here's a pictures of what I want to remove


And the log for you

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
C:\Program Files\Ask.com\GenericAskToolbar.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.

Posted Image

#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Instructor
  • 22,863 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:00 AM

Posted 03 March 2010 - 02:22 PM

Ok,

Now please post the follow up scan smile.gif
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#15 lll blaze lll

lll blaze lll
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:00 AM

Posted 03 March 2010 - 03:16 PM

Your requested quick scan with the custom scan settings. smile.gif



OTL logfile created on: 3/3/2010 2:09:40 PM - Run 5
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Bryan\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

767.00 Mb Total Physical Memory | 161.00 Mb Available Physical Memory | 21.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 62.00% Paging File free
Paging file location(s): c:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.04 Gb Total Space | 2.65 Gb Free Space | 3.79% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: B-956125E7AD354
Current User Name: Bryan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/01 20:36:36 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bryan\My Documents\Downloads\OTL(2).exe
PRC - [2010/02/04 23:51:23 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/30 17:24:34 | 000,703,488 | ---- | M] (FileZilla Project) -- C:\Program Files\FileZilla Server\FileZilla server.exe
PRC - [2009/11/24 17:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 17:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 17:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 17:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 17:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/10/11 04:17:36 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/08/14 07:45:34 | 000,319,488 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\Common Files\Motive\McciCMService.exe
PRC - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/14 05:42:30 | 000,343,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mspaint.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/30 01:39:34 | 001,432,064 | ---- | M] (Phoenix Labs) -- C:\Program Files\PeerGuardian2\pg2.exe
PRC - [2006/08/01 14:35:36 | 000,067,112 | ---- | M] (America Online, Inc.) -- C:\Program Files\AIM\aim.exe
PRC - [2002/09/20 17:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/03/01 20:36:36 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bryan\My Documents\Downloads\OTL(2).exe
MOD - [2008/05/13 09:13:36 | 000,077,824 | ---- | M] (SuperAdBlocker.com) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL


========== Win32 Services (SafeList) ==========

SRV - [2010/02/04 22:30:47 | 001,181,328 | ---- | M] (Lavasoft) [Auto | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/12/30 17:24:34 | 000,703,488 | ---- | M] (FileZilla Project) [Auto | Running] -- C:\Program Files\FileZilla Server\FileZilla Server.exe -- (FileZilla Server)
SRV - [2009/11/24 17:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 17:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 17:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 17:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/08/14 07:45:34 | 000,319,488 | ---- | M] (Alcatel-Lucent) [Auto | Running] -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService)
SRV - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2002/09/20 17:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "SweetIM Search"
FF - prefs.js..browser.search.defaulturl: "http://search.sweetim.com/search.asp?src=2&q="
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.selectedEngine: "MyWebSearch"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.7
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20091028
FF - prefs.js..extensions.enabledItems: {d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904}:2.0.2
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="
FF - prefs.js..sweetim.toolbar.previous.browser.search.defaultenginename: "Yahoo"
FF - prefs.js..sweetim.toolbar.previous.browser.search.defaulturl: "http://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p="
FF - prefs.js..sweetim.toolbar.previous.browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..sweetim.toolbar.previous.keyword.URL: "http://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p="


FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/06 00:28:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/04 23:51:37 | 000,000,000 | ---D | M]

[2009/05/31 13:43:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Extensions
[2010/03/01 04:07:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions
[2009/09/07 10:52:54 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/11/05 18:20:20 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/01/25 22:14:17 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/02/04 23:49:50 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/02/06 16:04:41 | 000,000,000 | ---D | M] (Tiny Menu) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904}
[2010/02/05 02:33:32 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/08/27 18:30:12 | 000,009,941 | ---- | M] () -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\searchplugins\mywebsearch.xml
[2009/06/01 00:11:12 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\searchplugins\search-the-web.xml
[2009/08/27 18:07:01 | 000,003,915 | ---- | M] () -- C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\vnojncvc.default\searchplugins\sweetim.xml
[2010/03/01 04:07:38 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/12/02 03:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [CloneCDTray] C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe (SlySoft, Inc.)
O4 - HKLM..\Run: [FileZilla Server Interface] C:\Program Files\FileZilla Server\FileZilla Server Interface.exe (FileZilla Project)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe (SlySoft, Inc.)
O4 - HKCU..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe (Phoenix Labs)
O4 - Startup: C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Bryan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Bryan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/01/24 20:37:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{1f8dc6c0-1d83-11de-9837-0015609a8a9b}\Shell - "" = AutoRun
O33 - MountPoints2\{1f8dc6c0-1d83-11de-9837-0015609a8a9b}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1f8dc6c0-1d83-11de-9837-0015609a8a9b}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2010/02/03 01:47:17 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: winmgmt - C:\WINDOWS\system32\wbem\winmgmt.exe (Microsoft Corporation)

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootMin: mcmscsvc - Service
SafeBootMin: MCODS - Service
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: WinMgmt - Service
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootNet: mcmscsvc - Service
SafeBootNet: MCODS - Service
SafeBootNet: MpfService - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: WinMgmt - Service
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010/03/03 12:15:58 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/02/26 02:30:09 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2009/12/09 15:35:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/10/27 00:12:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/09/27 15:57:09 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/08/25 20:18:47 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/25 20:18:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/08/13 14:03:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/02/26 08:21:38 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Bryan\Application Data\pcouffin.sys
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[11 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/03/03 14:01:00 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010/03/03 12:26:57 | 002,359,350 | ---- | M] () -- C:\Documents and Settings\Bryan\Desktop\RemoveIT.bmp
[2010/03/03 10:30:10 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/03/03 04:31:15 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/03/03 04:31:15 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/03/03 04:31:14 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/03/03 04:31:14 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/03/02 16:14:16 | 000,000,040 | ---- | M] () -- C:\WINDOWS\nero.INI
[2010/03/01 03:57:12 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/03/01 03:52:58 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/01 03:52:46 | 000,002,228 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/01 03:52:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/28 18:45:50 | 008,126,464 | ---- | M] () -- C:\Documents and Settings\Bryan\ntuser.dat
[2010/02/28 18:45:44 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Bryan\ntuser.ini
[2010/02/18 15:58:15 | 000,103,936 | ---- | M] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[11 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/03 12:26:56 | 002,359,350 | ---- | C] () -- C:\Documents and Settings\Bryan\Desktop\RemoveIT.bmp
[2010/01/28 20:11:54 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\housecall.guid.cache
[2009/08/25 20:49:37 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\PUTTY.RND
[2009/02/26 08:21:59 | 000,000,671 | ---- | C] () -- C:\Documents and Settings\Bryan\Application Data\vso_ts_preview.xml
[2009/02/26 08:21:44 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\Bryan\Application Data\pcouffin.log
[2009/02/26 08:21:38 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Bryan\Application Data\inst.exe
[2009/02/26 08:21:38 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Bryan\Application Data\pcouffin.cat
[2009/02/26 08:21:38 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Bryan\Application Data\pcouffin.inf
[2009/01/27 21:03:53 | 000,000,208 | ---- | C] () -- C:\WINDOWS\SIMSYNTH.INI
[2009/01/23 06:57:29 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/01/23 06:57:27 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/01/23 06:57:26 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/01/23 06:57:25 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/01/23 06:57:25 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/07/27 19:31:36 | 000,000,073 | ---- | C] () -- C:\WINDOWS\EurekaLog.ini
[2008/04/05 08:28:55 | 000,000,041 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2007/02/06 12:40:32 | 000,000,040 | ---- | C] () -- C:\WINDOWS\nero.INI
[2007/02/06 04:23:26 | 000,000,040 | -HS- | C] () -- C:\Documents and Settings\Bryan\Application Data\.zreglib
[2007/02/06 04:21:16 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/01/29 05:11:11 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\unzdll.dll
[2007/01/27 16:45:41 | 000,103,936 | ---- | C] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/27 16:28:54 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[1999/03/01 22:14:09 | 000,000,136 | ---- | C] () -- C:\WINDOWS\System32\mstraps.dll

========== LOP Check ==========

[2010/01/25 22:33:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/10/20 14:14:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/01/14 01:46:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/09/17 14:17:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/06/18 20:36:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/01/25 22:28:04 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2009/10/20 14:15:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Aim
[2007/02/02 23:07:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Jasc
[2009/11/14 23:15:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\NLOP
[2007/02/06 07:20:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Opera
[2009/08/25 21:43:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\PokerCreations
[2010/02/18 20:04:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\uTorrent
[2009/11/15 12:28:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Viewpoint
[2009/02/26 09:39:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Vso
[2010/03/03 04:31:14 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 1).job
[2010/03/03 04:31:14 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 2).job
[2010/03/03 10:30:10 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 3).job
[2010/03/03 04:31:15 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 4).job
[2010/03/03 04:31:15 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/03/03 14:01:00 | 000,000,234 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
[2010/03/01 03:57:12 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 05:51:44 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 12:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 12:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3E2028C8
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users