Rootkit left after trojan removal (lot of hidden code)

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

3 Pages
1
2
3
→

You cannot start a new topic
This topic is locked

Rootkit left after trojan removal (lot of hidden code) various log files attached

#1 rocketronnie

Member

Group: Members
Posts: 26
Joined: 02-January 10
Gender:Male
Location:Scotland

Posted 03 January 2010 - 10:37 AM

Hello,

This is a followup from previous postings on "security/I am infected what can I do" on the topic of siszyd32.exe (which was the first indication I had that something was wrong). Having followed the instructions on that thread all the way to the RootRepeal scan & posting that log I was asked by boopme to run HJT/DDS, and RootRepeal. Having looked at the logs there are some suspicious driver file changes on 28th Dec (the same day my website got hacked through my ftp login details (which for convenience were saved in the client software quickconnect list (oops).

When RootRepeal had completed the following dialogue box came up:
"Warning - the number of SSDT entries from the kernel and the number on-disk are different (297 and 284)
29

F-Secure Blacklight didn't find anything, and I couldn't get the gmer one to complete its scan

I'd be hugely grateful for any advice you can give.
Ronnie.

PS: (anti-virus detected & quarantined another trojan today 4th Jan, so have updated the logs as of today. Will not reconnect affected computer to network until instructed to download something !)

log files 1 pasted (& 2 attached) :

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ronnie & Fiona at 9:54:50.51 on 04/01/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.456 [GMT 0:00]

AV: PCguard Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
c:\xampp\apache\bin\httpd.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Virgin Broadband\PCguard\rps.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\xampp\mysql\bin\mysqld.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\spnsrvnt.exe
C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
C:\PROGRA~1\JAVA\JRE15~1.0_0\bin\java.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe
C:\xampp\apache\bin\httpd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe
C:\WINDOWS\system32\NILaunch.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Spb Backup\SpbBackupSync.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Ronnie & Fiona\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://en.uk.acer.yahoo.com
uSearch Page = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://en.uk.acer.yahoo.com/
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\virgin broadband\pcguard\pkR.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [LaunchApp] Alaunch
mRun: [SkyTel] SkyTel.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [<NO NAME>]
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [Acer Empowering Technology Monitor] c:\windows\system32\SysMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe 0
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [D-Link D-Link Wireless N DWA-140] c:\program files\d-link\d-link wireless n dwa-140\AirNCFG.exe
mRun: [Net-It Launcher] c:\windows\system32\NILaunch.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN
mRun: [Vdesudajuga] rundll32.exe "c:\windows\ikutijihanoti.dll",Startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\ronnie~1\startm~1\programs\startup\winmys~1.lnk - c:\xampp\mysql\bin\winmysqladmin.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spbbac~1.lnk - c:\program files\spb backup\SpbBackupSync.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ronnie~1\applic~1\mozilla\firefox\profiles\ui2ykfs4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?rls=ig&hl=en
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\virgin broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {4EABB6BA-314C-49F1-BB8F-737E0A202A09} - c:\documents and settings\ronnie & fiona\local settings\application data\{4eabb6ba-314c-49f1-bb8f-737e0a202a09}\
FF - HiddenExtension: XULRunner: {5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1} - c:\documents and settings\ronnie & fiona\local settings\application data\{5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1}
FF - HiddenExtension: XULRunner: {2D5A99E6-D256-442E-89D4-075B5C0E9314} - c:\documents and settings\ronnie & fiona\local settings\application data\{2D5A99E6-D256-442E-89D4-075B5C0E9314}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-30 64288]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-10-20 179984]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2008-12-9 24636]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PD91Agent;PD91Agent;c:\program files\raxco\perfectdisk2008\PD91Agent.exe [2008-9-22 693512]
R2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\virgin broadband\pcguard\safeconnect\bin\SanaAgent.exe [2008-11-14 4937752]
R3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [2006-5-16 660992]
R3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\virgin broadband\pcguard\RpsSecurityAwareR.exe [2009-5-27 170736]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectDriver.sys [2008-11-14 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectFilter.sys [2008-11-14 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectShim.sys [2008-11-14 27376]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
S0 jnvac;jnvac;c:\windows\system32\drivers\ixqdjr.sys --> c:\windows\system32\drivers\ixqdjr.sys [?]
S2 COSIDS_TB;COSIDS_TB;c:\progra~1\cosids\bin\TbMux32.exe [2009-11-23 165376]
S2 gupdate1c9afca31f46688;Google Update Service (gupdate1c9afca31f46688);c:\program files\google\update\GoogleUpdate.exe [2009-3-28 133104]
S3 lac97inf;lac97inf;\??\c:\docume~1\ronnie~1\locals~1\temp\lac97inf.sys --> c:\docume~1\ronnie~1\locals~1\temp\lac97inf.sys [?]
S3 PD91Engine;PD91Engine;c:\program files\raxco\perfectdisk2008\PD91Engine.exe [2008-9-22 910600]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-1-3 476416]

=============== Created Last 30 ================

2010-01-03 14:59:01 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2010-01-01 10:46:57 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-01 10:46:19 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-01 10:46:19 0 d-----w- c:\docume~1\ronnie~1\applic~1\SUPERAntiSpyware.com
2010-01-01 10:45:56 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-01 01:36:16 0 d-----w- c:\docume~1\ronnie~1\applic~1\Malwarebytes
2010-01-01 01:35:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 01:35:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-01 01:35:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 01:35:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 05:03:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-30 23:49:17 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-30 23:36:33 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-30 23:34:44 0 d-----w- c:\program files\Lavasoft
2009-12-30 11:07:20 664 ----a-w- c:\windows\system32\d3d9caps.tmp
2009-12-28 08:40:06 0 ----a-w- c:\windows\Oguda.bin
2009-12-28 08:40:05 120 ----a-w- c:\windows\Tcozijohapuhido.dat
2009-12-28 08:38:23 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2009-12-28 08:38:23 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2009-12-28 08:38:17 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2009-12-28 08:38:17 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2009-12-28 08:38:07 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2009-12-28 08:38:07 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2009-12-27 13:49:55 0 d-----w- c:\program files\Myopoly5
2009-12-27 13:47:51 286720 ------w- c:\windows\Setup1.exe
2009-12-27 13:47:47 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-12-07 22:42:08 0 d-----w- c:\windows\system32\CatRoot_bak

==================== Find3M ====================

2010-01-04 00:06:54 220448 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-01 10:54:29 342356 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-01 10:54:29 33868832 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-01 10:54:29 19364 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-08 19:09:19 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

============= FINISH: 9:55:30.04 ===============

Attached File(s)

ark.txt (47.89K)
Number of downloads: 3
Attach.txt (18.33K)
Number of downloads: 11

This post has been edited by rocketronnie: 04 January 2010 - 06:01 AM

#2 myrti

bleepin' _temp_

Group: Malware Response Instructor
Posts: 26,080
Joined: 25-January 08
Gender:Female
Location:At home

Posted 11 January 2010 - 11:15 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Please download OTL from following mirror:
- This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

#3 rocketronnie

Member

Group: Members
Posts: 26
Joined: 02-January 10
Gender:Male
Location:Scotland

Posted 11 January 2010 - 01:44 PM

Hi,

Thank you very much for replying to my post. The help is VERY much appreciated. I'll very quickly post the logs and then go offline & say more from my other computer

OTL logfile created on: 11/01/2010 18:26:20 - Run 1
OTL by OldTimer - Version 3.1.23.0 Folder = C:\Documents and Settings\Ronnie & Fiona\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 268.00 Mb Available Physical Memory | 26.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 60.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 113.27 Gb Total Space | 63.51 Gb Free Space | 56.07% Space Free | Partition Type: NTFS
Drive D: | 113.73 Gb Total Space | 26.52 Gb Free Space | 23.31% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACE-ACER
Current User Name: Ronnie & Fiona
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/11 18:24:30 | 00,543,744 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ronnie & Fiona\Desktop\OTL.exe
PRC - [2009/12/30 23:43:07 | 00,788,880 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/12/30 23:42:56 | 01,181,328 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/12/22 16:57:09 | 00,392,520 | ---- | M] (Virgin Media) -- C:\Program Files\Virgin Broadband\PCguard\Rps.exe
PRC - [2009/12/16 19:26:52 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/16 16:26:56 | 02,002,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/05/27 12:10:56 | 00,170,736 | ---- | M] (Virgin Media) -- C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
PRC - [2009/05/27 12:10:02 | 00,371,440 | ---- | M] (Virgin Media) -- C:\Program Files\Virgin Broadband\PCguard\Fws.exe
PRC - [2009/05/27 11:20:32 | 00,308,464 | ---- | M] (Radialpoint Inc.) -- C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
PRC - [2009/05/27 11:20:30 | 02,303,216 | ---- | M] (Virgin Broadband) -- C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
PRC - [2009/04/03 13:51:32 | 00,143,360 | ---- | M] (Kaspersky Lab.) -- C:\Program Files\Virgin Broadband\PCguard\Kav\Bin\ScanningProcess.exe
PRC - [2009/03/16 11:29:28 | 06,562,432 | ---- | M] () -- C:\xampp\mysql\bin\mysqld.exe
PRC - [2008/12/09 23:10:14 | 00,024,636 | ---- | M] (Apache Software Foundation) -- C:\xampp\apache\bin\httpd.exe
PRC - [2008/12/09 23:10:14 | 00,024,636 | ---- | M] (Apache Software Foundation) -- c:\xampp\apache\bin\httpd.exe
PRC - [2008/11/14 17:28:10 | 04,937,752 | R--- | M] (Sana Security) -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe
PRC - [2008/09/22 15:58:44 | 00,693,512 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
PRC - [2008/07/08 02:47:06 | 00,430,080 | ---- | M] () -- C:\Program Files\Spb Backup\SpbBackupSync.exe
PRC - [2007/03/14 18:29:20 | 01,388,544 | ---- | M] (D-Link) -- C:\Program Files\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe
PRC - [2007/01/31 13:55:42 | 00,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2007/01/19 11:49:04 | 00,049,152 | ---- | M] (Wireless Service) -- C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
PRC - [2006/11/13 13:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/11/13 13:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2006/09/12 01:58:14 | 16,264,192 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2006/08/03 22:34:04 | 00,045,056 | ---- | M] (Acer Inc.) -- C:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
PRC - [2006/08/01 04:02:46 | 00,346,112 | ---- | M] (HiTRUST) -- C:\acer\Empowering Technology\eDataSecurity\eDSloader.exe
PRC - [2006/06/01 21:40:54 | 00,413,696 | ---- | M] (Acer Inc.) -- C:\acer\Empowering Technology\eRecovery\eRAgent.exe
PRC - [2006/05/11 22:22:48 | 00,028,672 | ---- | M] (Acer Inc.) -- C:\acer\Empowering Technology\ePerformance\MemCheck.exe
PRC - [2006/04/28 00:47:00 | 00,143,426 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2006/04/19 02:54:50 | 00,049,152 | ---- | M] ( ) -- C:\WINDOWS\system32\SysMonitor.exe
PRC - [2006/02/17 23:26:32 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- c:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2006/01/03 01:41:22 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2005/11/10 20:03:52 | 00,036,975 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
PRC - [2005/11/10 18:27:06 | 00,049,248 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_06\bin\java.exe
PRC - [2005/08/03 00:19:16 | 00,077,312 | ---- | M] (Microsoft) -- C:\WINDOWS\arpwrmsg.exe
PRC - [2005/08/03 00:19:16 | 00,058,880 | ---- | M] (Microsoft) -- C:\WINDOWS\arservice.exe
PRC - [2004/08/10 20:00:00 | 01,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/10 20:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2004/08/10 20:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2001/10/22 04:20:00 | 00,126,976 | ---- | M] (Rainbow Technologies) -- C:\WINDOWS\system32\spnsrvnt.exe
PRC - [1999/03/23 20:07:08 | 00,004,096 | ---- | M] () -- C:\Program Files\cosids\Apache Group\Apache\ApchT2kW.exe
PRC - [1998/02/05 19:16:18 | 00,024,576 | ---- | M] () -- C:\WINDOWS\system32\NILaunch.exe

========== Modules (SafeList) ==========

MOD - [2010/01/11 18:24:30 | 00,543,744 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ronnie & Fiona\Desktop\OTL.exe
MOD - [2006/07/06 04:31:58 | 00,167,936 | ---- | M] (HiTRUST) -- C:\WINDOWS\system32\sysenv.dll
MOD - [2006/03/09 00:11:40 | 00,022,016 | ---- | M] (HiTRUST) -- C:\WINDOWS\system32\MSNChatHook.dll
MOD - [2006/03/07 04:25:40 | 00,199,168 | ---- | M] (HiTRUST) -- C:\WINDOWS\system32\CryptoAPI.dll
MOD - [2006/02/22 18:19:46 | 01,047,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mfc71u.dll
MOD - [2005/03/02 18:09:30 | 00,169,984 | ---- | M] () -- C:\WINDOWS\ikutijihanoti.dll
MOD - [2004/08/10 20:00:00 | 01,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/10 20:00:00 | 00,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2003/03/19 04:14:50 | 00,499,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp71.dll
MOD - [2003/02/21 13:42:20 | 00,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcr71.dll

========== Win32 Services (SafeList) ==========

SRV - [2009/12/30 23:42:56 | 01,181,328 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/05/27 12:10:56 | 00,170,736 | ---- | M] (Virgin Media) [On_Demand | Running] -- C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe -- (Radialpoint Security Services)
SRV - [2009/05/27 12:10:02 | 00,371,440 | ---- | M] (Virgin Media) [Auto | Running] -- C:\Program Files\Virgin Broadband\PCguard\Fws.exe -- (RP_FWS)
SRV - [2009/03/28 17:25:21 | 00,133,104 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9afca31f46688) Google Update Service (gupdate1c9afca31f46688)
SRV - [2009/03/28 17:24:56 | 00,183,280 | ---- | M] (Google) [Auto | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/03/16 11:29:28 | 06,562,432 | ---- | M] () [Auto | Running] -- C:\xampp\mysql\bin\mysqld.exe -- (mysql)
SRV - [2008/12/09 23:10:14 | 00,024,636 | ---- | M] (Apache Software Foundation) [Auto | Running] -- c:\xampp\apache\bin\httpd.exe -- (Apache2.2)
SRV - [2008/11/14 17:28:10 | 04,937,752 | R--- | M] (Sana Security) [Auto | Running] -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe -- (RadialpointSafeConnectAgent)
SRV - [2008/09/22 15:58:48 | 00,910,600 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe -- (PD91Engine)
SRV - [2008/09/22 15:58:44 | 00,693,512 | ---- | M] (Raxco Software, Inc.) [Auto | Running] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe -- (PD91Agent)
SRV - [2007/01/31 13:55:42 | 00,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2007/01/19 11:49:26 | 00,049,152 | ---- | M] (Wireless Service) [Auto | Stopped] -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe -- (ANIWZCSdService)
SRV - [2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/09/09 17:39:40 | 00,425,984 | ---- | M] (ATI Technologies Inc.) [Auto | Stopped] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2006/05/11 22:22:48 | 00,028,672 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\acer\Empowering Technology\ePerformance\MemCheck.exe -- (AcerMemUsageCheckService)
SRV - [2006/04/28 00:47:00 | 00,143,426 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2006/02/17 23:26:32 | 00,073,728 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- c:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2005/11/14 08:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/08/03 00:19:16 | 00,058,880 | ---- | M] (Microsoft) [Auto | Running] -- C:\WINDOWS\arservice.exe -- (ARSVC)
SRV - [2001/11/20 15:37:06 | 00,165,376 | ---- | M] (TransAction Software, D 81737 Munich) [Auto | Stopped] -- C:\Program Files\cosids\bin\tbmux32.exe -- (COSIDS_TB)
SRV - [2001/10/22 04:20:00 | 00,126,976 | ---- | M] (Rainbow Technologies) [Auto | Running] -- C:\WINDOWS\system32\spnsrvnt.exe -- (SuperProServer)
SRV - [1999/03/23 20:07:08 | 00,004,096 | ---- | M] () [Auto | Running] -- C:\Program Files\cosids\Apache Group\Apache\ApchT2kW.exe -- (TIS 2000 Apache Web Server)

========== Driver Services (SafeList) ==========

DRV - [2009/12/16 16:27:00 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/12/16 16:26:58 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/16 16:26:56 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/12/02 13:19:06 | 00,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/06/21 19:53:32 | 00,721,904 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/04/03 13:51:32 | 00,179,984 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2008/11/26 14:19:56 | 00,053,192 | ---- | M] (Radialpoint Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rp_skt32.sys -- (RPSKT) Security Services Driver (x86)
DRV - [2008/11/14 17:28:36 | 00,161,304 | R--- | M] (Sana Security, Inc. ) [Kernel | On_Demand | Running] -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys -- (RadialpointSafeConnectDriver)
DRV - [2008/11/14 17:28:36 | 00,029,720 | R--- | M] (Sana Security, Inc. ) [Kernel | On_Demand | Running] -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys -- (RadialpointSafeConnectFilter)
DRV - [2008/11/14 17:28:36 | 00,027,376 | ---- | M] (Sana Security, Inc. ) [Kernel | On_Demand | Running] -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys -- (RadialpointSafeConnectShim)
DRV - [2008/08/28 12:16:40 | 00,071,184 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DefragFS.sys -- (DefragFS)
DRV - [2008/08/06 20:20:08 | 00,048,384 | ---- | M] (Radialpoint, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rp_pkt32.sys -- (RPPKT) Radialpoint Filter (x86)
DRV - [2007/03/13 12:35:56 | 00,476,416 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt2870.sys -- (rt2870)
DRV - [2006/11/06 18:04:56 | 00,028,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wceusbsh.sys -- (wceusbsh)
DRV - [2006/11/01 20:48:24 | 00,006,144 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV - [2006/09/24 17:59:00 | 00,250,368 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2006/09/12 04:27:00 | 04,381,184 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/09/09 17:46:54 | 01,754,624 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/04/28 00:47:00 | 03,663,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/04/08 03:17:34 | 00,012,288 | ---- | M] (HiTRUST) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psdfilter.sys -- (psdfilter)
DRV - [2006/03/09 00:10:52 | 00,060,416 | ---- | M] (HiTRUST) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psdvdisk.sys -- (psdvdisk)
DRV - [2005/12/11 11:55:38 | 00,028,195 | ---- | M] (Alpha Networks Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\ANIO.sys -- (ANIO)
DRV - [2005/08/26 12:06:28 | 00,660,992 | ---- | M] (Animation Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVHybrid.sys -- (LVHybrid)
DRV - [2005/06/28 23:43:40 | 00,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\irbus.sys -- (IrBus)
DRV - [2005/06/04 20:07:00 | 00,319,104 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt61.sys -- (RT61)
DRV - [2005/05/13 02:54:10 | 00,020,576 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2005/01/13 21:46:16 | 00,069,632 | ---- | M] () [Kernel | On_Demand | Running] -- C:\acer\Empowering Technology\eRecovery\int15.sys -- (int15.sys)
DRV - [2005/01/08 01:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/12/17 02:14:44 | 00,013,952 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\UBHelper.sys -- (UBHelper)
DRV - [2004/08/10 20:00:00 | 00,027,440 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2004/08/10 20:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/04 06:10:14 | 00,015,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2004/08/03 23:00:14 | 00,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\changer.sys -- (Changer)
DRV - [2004/08/03 22:59:34 | 00,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\lbrtfdc.sys -- (lbrtfdc)
DRV - [2001/04/06 08:11:00 | 00,073,216 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com

IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1999078760-3644901915-825374499-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default Font Size = 01 00 00 00 [binary data]
IE - HKU\S-1-5-21-1999078760-3644901915-825374499-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/def...://uk.yahoo.com
IE - HKU\S-1-5-21-1999078760-3644901915-825374499-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
IE - HKU\S-1-5-21-1999078760-3644901915-825374499-1005\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1999078760-3644901915-825374499-1005\S-1-5-21-1999078760-3644901915-825374499-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig?rls=ig&hl=en"
FF - prefs.js..extensions.enabledItems: {4EABB6BA-314C-49F1-BB8F-737E0A202A09}:1.9.1
FF - prefs.js..extensions.enabledItems: {5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1}:1.9.1
FF - prefs.js..extensions.enabledItems: {2D5A99E6-D256-442E-89D4-075B5C0E9314}:1.9.1
FF - prefs.js..extensions.enabledItems: {2293AE61-7DD8-4B82-99A5-038E4BE10F5F}:1.9.1

FF - HKLM\software\mozilla\Firefox\Extensions\\{4EABB6BA-314C-49F1-BB8F-737E0A202A09}: C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\{4EABB6BA-314C-49F1-BB8F-737E0A202A09}\ [2009/12/28 08:40:04 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1}: C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\{5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1} [2010/01/01 08:55:01 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D5A99E6-D256-442E-89D4-075B5C0E9314}: C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\{2D5A99E6-D256-442E-89D4-075B5C0E9314} [2010/01/04 08:59:37 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2293AE61-7DD8-4B82-99A5-038E4BE10F5F}: C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\{2293AE61-7DD8-4B82-99A5-038E4BE10F5F} [2010/01/09 19:57:55 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/01 00:16:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/16 19:26:59 | 00,000,000 | ---D | M]

[2009/02/10 18:52:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ronnie & Fiona\Application Data\Mozilla\Extensions
[2010/01/05 18:03:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ronnie & Fiona\Application Data\Mozilla\Firefox\Profiles\ui2ykfs4.default\extensions
[2009/06/21 20:08:41 | 00,002,399 | ---- | M] () -- C:\Documents and Settings\Ronnie & Fiona\Application Data\Mozilla\Firefox\Profiles\ui2ykfs4.default\searchplugins\daemon-search.xml
[2009/02/10 18:52:05 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/08/24 19:10:36 | 00,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/08/24 19:10:36 | 00,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/08/24 19:10:36 | 00,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/08/24 19:10:36 | 00,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (PopKill Class) - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll (Virgin Media)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll (HiTRUST)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1999078760-3644901915-825374499-1005\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll (HiTRUST)
O3 - HKU\S-1-5-21-1999078760-3644901915-825374499-1005\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKU\S-1-5-21-1999078760-3644901915-825374499-1005\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe ( )
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AlwaysReady Power Message APP] C:\WINDOWS\arpwrmsg.exe (Microsoft)
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
O4 - HKLM..\Run: [Broadbandadvisor.exe] C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe (Virgin Broadband)
O4 - HKLM..\Run: [D-Link D-Link Wireless N DWA-140] C:\Program Files\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe (D-Link)
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe (HiTRUST)
O4 - HKLM..\Run: [eRecoveryService] C:\acer\Empowering Technology\eRecovery\eRAgent.exe (Acer Inc.)
O4 - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\imekrmig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LaunchApp] C:\WINDOWS\Alaunch.exe (Acer Inc.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [Net-It Launcher] C:\WINDOWS\system32\NILaunch.exe ()
O4 - HKLM..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKLM..\Run: [Vdesudajuga] C:\WINDOWS\ikutijihanoti.DLL ()
O4 - HKU\S-1-5-21-1999078760-3644901915-825374499-1005..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1999078760-3644901915-825374499-1005..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-1999078760-3644901915-825374499-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acer Empowering Technology.lnk = C:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe (Acer Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Spb Backup Sync.lnk = C:\Program Files\Spb Backup\SpbBackupSync.exe ()
O4 - Startup: C:\Documents and Settings\Ronnie & Fiona\Start Menu\Programs\Startup\WinMySQLadmin.lnk = C:\xampp\mysql\bin\winmysqladmin.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1999078760-3644901915-825374499-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} https://internetbankingplus2.firstdirect.co...frontdoorFD.cab (first direct internet banking plus digital safe)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/11/01 20:49:08 | 00,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (PDBoot.exe) - C:\WINDOWS\System32\PDBoot.exe (Raxco Software, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/11 18:24:29 | 00,543,744 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ronnie & Fiona\Desktop\OTL.exe
[2010/01/09 19:57:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\{2293AE61-7DD8-4B82-99A5-038E4BE10F5F}
[2010/01/04 08:59:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\{2D5A99E6-D256-442E-89D4-075B5C0E9314}
[2010/01/03 15:39:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ronnie & Fiona\Desktop\logs for bleeping computer
[2010/01/01 10:46:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/01/01 10:46:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ronnie & Fiona\Application Data\SUPERAntiSpyware.com
[2010/01/01 10:46:19 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/01/01 10:45:56 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/01/01 08:55:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\{5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1}
[2010/01/01 01:36:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ronnie & Fiona\Application Data\Malwarebytes
[2010/01/01 01:35:48 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/01 01:35:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/01 01:35:41 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/01 01:35:40 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/30 23:49:17 | 00,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/12/30 23:36:33 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2009/12/30 23:34:44 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/12/30 23:34:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/12/28 08:40:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\{4EABB6BA-314C-49F1-BB8F-737E0A202A09}
[2009/12/28 08:38:23 | 00,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys
[2009/12/28 08:38:23 | 00,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\dllcache\lbrtfdc.sys
[2009/12/28 08:38:17 | 00,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\i2omgmt.sys
[2009/12/28 08:38:07 | 00,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys
[2009/12/28 08:38:07 | 00,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys
[2009/12/27 13:49:55 | 00,000,000 | ---D | C] -- C:\Program Files\Myopoly5
[2009/12/27 13:47:51 | 00,286,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\Setup1.exe
[2009/12/27 13:47:47 | 00,073,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\ST6UNST.EXE
[2009/04/03 22:04:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/03/28 17:25:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/09/11 05:49:23 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\Interop.Shell32.dll
[2008/09/11 04:30:50 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/09/11 04:30:50 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/09/11 04:30:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/09/11 04:30:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/11 18:25:16 | 07,864,320 | ---- | M] () -- C:\Documents and Settings\Ronnie & Fiona\ntuser.dat
[2010/01/11 18:24:30 | 00,543,744 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ronnie & Fiona\Desktop\OTL.exe
[2010/01/11 18:23:50 | 00,003,284 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCS{162DB990-B115-4A02-869E-6F631B98FCA0}
[2010/01/11 18:23:44 | 00,000,015 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME{162DB990-B115-4A02-869E-6F631B98FCA0}
[2010/01/11 18:22:06 | 00,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/01/11 18:16:26 | 00,000,007 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME
[2010/01/11 18:16:23 | 00,062,925 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/01/11 18:16:03 | 00,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/11 18:15:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/11 18:15:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/11 18:15:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/11 18:15:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/11 18:14:59 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/11 18:13:18 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/01/11 18:12:50 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/11 18:12:48 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/11 18:12:43 | 10,721,56672 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/11 12:26:02 | 33,868,832 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/01/11 12:26:02 | 00,344,972 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/01/11 12:26:02 | 00,220,448 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/01/11 12:26:02 | 00,019,628 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/01/11 12:25:31 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Ronnie & Fiona\ntuser.ini
[2010/01/11 10:57:29 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Oguda.bin
[2010/01/11 10:54:15 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/08 11:32:55 | 00,073,216 | ---- | M] () -- C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/02 15:04:21 | 00,000,120 | ---- | M] () -- C:\WINDOWS\Tcozijohapuhido.dat
[2010/01/01 10:46:27 | 00,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/01/01 01:35:55 | 00,000,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/31 00:57:24 | 00,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2009/12/31 00:48:54 | 00,294,976 | ---- | M] () -- C:\Documents and Settings\Ronnie & Fiona\Desktop\changed files page 2.JPG
[2009/12/31 00:48:28 | 00,321,440 | ---- | M] () -- C:\Documents and Settings\Ronnie & Fiona\Desktop\changed files page 1.jpg
[2009/12/30 23:36:19 | 00,000,871 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/30 14:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/27 13:47:51 | 00,286,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Setup1.exe
[2009/12/27 13:47:47 | 00,073,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ST6UNST.EXE
[2009/12/24 07:44:48 | 00,011,197 | ---- | M] () -- C:\Documents and Settings\Ronnie & Fiona\Desktop\xmasmenu09.docx
[2009/12/21 20:25:59 | 00,001,919 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2009/12/21 12:15:09 | 00,000,474 | ---- | M] () -- C:\Documents and Settings\Ronnie & Fiona\Desktop\Shortcut to Caleuandar 2010 Shortlist.lnk
[2009/12/20 17:55:10 | 06,644,848 | ---- | M] () -- C:\Documents and Settings\Ronnie & Fiona\My Documents\IMG_1516.JPG
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/02 09:37:09 | 10,721,56672 | -HS- | C] () -- C:\hiberfil.sys
[2010/01/01 10:46:27 | 00,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/01/01 01:35:55 | 00,000,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/31 05:03:36 | 00,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/12/31 00:48:53 | 00,294,976 | ---- | C] () -- C:\Documents and Settings\Ronnie & Fiona\Desktop\changed files page 2.JPG
[2009/12/31 00:48:27 | 00,321,440 | ---- | C] () -- C:\Documents and Settings\Ronnie & Fiona\Desktop\changed files page 1.jpg
[2009/12/30 23:50:37 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/12/30 23:50:35 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2009/12/30 23:50:32 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2009/12/30 23:50:30 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2009/12/30 23:50:27 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2009/12/30 23:36:19 | 00,000,871 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/12/28 08:40:06 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Oguda.bin
[2009/12/28 08:40:05 | 00,000,120 | ---- | C] () -- C:\WINDOWS\Tcozijohapuhido.dat
[2009/12/24 07:44:48 | 00,011,197 | ---- | C] () -- C:\Documents and Settings\Ronnie & Fiona\Desktop\xmasmenu09.docx
[2009/12/21 20:25:59 | 00,001,919 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2009/12/21 15:09:47 | 06,644,848 | ---- | C] () -- C:\Documents and Settings\Ronnie & Fiona\My Documents\IMG_1516.JPG
[2009/12/17 21:30:18 | 00,000,474 | ---- | C] () -- C:\Documents and Settings\Ronnie & Fiona\Desktop\Shortcut to Caleuandar 2010 Shortlist.lnk
[2009/11/23 18:39:03 | 00,000,000 | ---- | C] () -- C:\WINDOWS\frontend.INI
[2009/11/23 18:17:40 | 00,073,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\SENTINEL.SYS
[2009/11/23 18:17:40 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\SNTI386.DLL
[2009/10/24 17:36:49 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2009/06/21 19:53:32 | 00,721,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/03/04 21:31:54 | 00,002,528 | ---- | C] () -- C:\Documents and Settings\Ronnie & Fiona\Application Data\$_hpcst$.hpc
[2009/02/25 00:26:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Net-It Now! SE.INI
[2009/02/25 00:25:36 | 00,000,038 | ---- | C] () -- C:\WINDOWS\Approach.ini
[2009/02/25 00:04:09 | 00,000,723 | ---- | C] () -- C:\WINDOWS\lotus.ini
[2009/02/25 00:04:09 | 00,000,081 | ---- | C] () -- C:\WINDOWS\winhelp.ini
[2009/02/25 00:04:08 | 00,012,991 | ---- | C] () -- C:\WINDOWS\123R5.INI
[2009/02/25 00:04:07 | 00,001,187 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/25 00:04:07 | 00,000,478 | ---- | C] () -- C:\WINDOWS\LODBF04.INI
[2009/02/24 23:46:16 | 01,294,336 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2A6.dll
[2009/02/24 23:46:16 | 01,228,800 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2M5.dll
[2009/02/24 23:46:16 | 01,105,920 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2P6.dll
[2009/02/24 23:46:15 | 01,261,568 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2M6.dll
[2009/02/24 23:46:15 | 01,052,672 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2P5.dll
[2009/02/24 23:45:50 | 00,000,002 | ---- | C] () -- C:\WINDOWS\PhotoSuite.ini
[2009/02/24 23:45:45 | 01,093,632 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2PX.dll
[2009/02/24 23:45:45 | 00,332,800 | ---- | C] () -- C:\WINDOWS\System32\FPXLIB.DLL
[2009/02/24 23:45:45 | 00,122,880 | ---- | C] () -- C:\WINDOWS\System32\JPEGLIB.DLL
[2009/02/24 23:45:45 | 00,122,880 | ---- | C] () -- C:\WINDOWS\System32\EnrouteStitch.dll
[2009/02/24 23:45:45 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2.dll
[2009/02/24 23:45:45 | 00,019,968 | ---- | C] () -- C:\WINDOWS\System32\CPUINF32.DLL
[2009/01/29 20:17:25 | 00,000,487 | ---- | C] () -- C:\WINDOWS\my.ini
[2009/01/25 18:37:32 | 00,000,000 | ---- | C] () -- C:\WINDOWS\RAWImage.INI
[2009/01/04 23:05:07 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll
[2008/11/30 23:21:27 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2008/11/29 12:18:36 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/11/24 20:41:58 | 00,012,800 | ---- | C] () -- C:\Documents and Settings\Ronnie & Fiona\Application Data\Settings.cfg
[2008/10/14 15:09:12 | 00,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen_x86.sys
[2008/09/11 08:38:10 | 00,073,216 | ---- | C] () -- C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/09/11 05:52:00 | 00,000,049 | ---- | C] () -- C:\WINDOWS\comsummer.ini
[2008/09/11 05:49:23 | 00,331,776 | ---- | C] () -- C:\WINDOWS\System32\ScrollBarLib.dll
[2008/09/11 05:47:12 | 00,000,137 | ---- | C] () -- C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\fusioncache.dat
[2008/09/11 04:36:54 | 00,003,072 | ---- | C] () -- C:\WINDOWS\System32\34CoInstaller.dll
[2006/11/01 20:59:22 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/11/01 20:49:32 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2006/11/01 20:48:30 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2006/11/01 20:48:30 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2006/11/01 20:48:30 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
[2006/11/01 20:48:30 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2006/11/01 09:11:50 | 00,000,098 | ---- | C] () -- C:\WINDOWS\alaunch.ini
[2006/07/21 16:40:08 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006/04/28 00:47:00 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/04/28 00:47:00 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/04/28 00:47:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/04/28 00:47:00 | 00,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/04/28 00:47:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/04/28 00:47:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/04/28 00:47:00 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/04/12 21:08:36 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\InstallCheck.dll
[2006/04/10 05:19:32 | 00,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2006/03/09 00:19:28 | 01,421,824 | ---- | C] () -- C:\WINDOWS\System32\UIVCL.dll
[2006/03/09 00:11:30 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\APISlice.dll
[2005/11/10 18:27:42 | 00,003,218 | ---- | C] () -- C:\WINDOWS\System32\drivers\WINIO.sys
[2005/10/25 08:25:28 | 00,008,073 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/08/03 00:19:16 | 00,050,176 | ---- | C] () -- C:\WINDOWS\armcex.dll
[2005/03/02 18:09:30 | 00,169,984 | ---- | C] () -- C:\WINDOWS\ikutijihanoti.dll
[2004/12/17 02:14:44 | 00,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys
[2004/08/10 20:00:00 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2004/08/10 20:00:00 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2002/03/17 00:00:00 | 00,007,420 | ---- | C] () -- C:\WINDOWS\UA000011.DLL
[2001/12/27 00:12:30 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/04 07:46:38 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/31 00:33:56 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/24 06:04:36 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
[1999/03/10 01:23:00 | 00,222,928 | ---- | C] () -- C:\WINDOWS\System32\lobas09.dll
[1998/03/18 01:23:00 | 00,096,256 | ---- | C] () -- C:\WINDOWS\System32\nsqlc32.dll
[1998/01/13 01:23:00 | 00,047,104 | ---- | C] () -- C:\WINDOWS\System32\lotrn13.dll
[1997/11/14 01:23:00 | 00,031,008 | ---- | C] () -- C:\WINDOWS\System32\ivtrn09.dll
[1997/05/13 01:23:00 | 00,000,153 | ---- | C] () -- C:\WINDOWS\acroread.ini
[1994/07/25 01:23:00 | 00,014,928 | ---- | C] () -- C:\WINDOWS\System32\wingen.drv
[1994/04/07 01:23:00 | 00,000,462 | ---- | C] () -- C:\WINDOWS\lodbf13.ini

========== Files - Unicode (All) ==========
[2009/10/20 21:12:28 | 00,000,040 | ---- | M] ()(C:\WINDOWS\System32\????????????????????????????????????g) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥噜物楧⁮牂慯扤湡層䍐畧牡層慓敦潃湮捥屴潃普杩塜楖睥挮湯楦g
[2009/10/20 21:12:28 | 00,000,040 | ---- | C] ()(C:\WINDOWS\System32\????????????????????????????????????g) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥噜物楧⁮牂慯扤湡層䍐畧牡層慓敦潃湮捥屴潃普杩塜楖睥挮湯楦g
< End of report >

OTL Extras logfile created on: 11/01/2010 18:26:20 - Run 1
OTL by OldTimer - Version 3.1.23.0 Folder = C:\Documents and Settings\Ronnie & Fiona\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 268.00 Mb Available Physical Memory | 26.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 60.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 113.27 Gb Total Space | 63.51 Gb Free Space | 56.07% Space Free | Partition Type: NTFS
Drive D: | 113.73 Gb Total Space | 26.52 Gb Free Space | 23.31% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACE-ACER
Current User Name: Ronnie & Fiona
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1999078760-3644901915-825374499-1005\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Digital Photo Professional] -- C:\Program Files\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Acer Zone\Picture Slide DVD\Component\CLSLDVD.exe" = C:\Program Files\Acer Zone\Picture Slide DVD\Component\CLSLDVD.exe:*:Enabled:Cyberlink Picture Slide DVD workprocess -- (Cyberlink)
"C:\Program Files\Acer Zone\Plug and Record\Component\ARAWP.exe" = C:\Program Files\Acer Zone\Plug and Record\Component\ARAWP.exe:*:Enabled:Cyberlink Plug and Record ARA workprocess -- (Cyberlink)
"C:\Program Files\Acer Zone\Plug and Record\Component\DVAX2Process.exe" = C:\Program Files\Acer Zone\Plug and Record\Component\DVAX2Process.exe:*:Enabled:Cyberlink Plug and Record AVAX workprocess -- ()
"C:\Program Files\SecondLife\SLVoice.exe" = C:\Program Files\SecondLife\SLVoice.exe:*:Disabled:SLVoice -- File not found
"C:\Program Files\BitTornado\btdownloadgui.exe" = C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui -- ()
"C:\xampp\apache\bin\apache.exe" = C:\xampp\apache\bin\apache.exe:*:Enabled:Apache HTTP Server -- (Apache Software Foundation)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03E4915C-C563-4A37-9622-A5F975EFFCB9}" = RPS Diagnostic Utility
"{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}" = Canon PhotoRecord
"{0B0F82AB-5B9A-4B9F-96EF-74E1FD85F01F}" = Virgin Broadband PCguard
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{1B79FE5E-3100-4998-97A2-9CB717BFF5DE}" = RPS PerfectDiskStub
"{295D8CF2-661D-45B2-AD03-EBDF8E7368A9}" = RPS RpsCore
"{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}" = PerfectDisk 2008
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{41581EF5-45A7-11DA-9D78-000129760D75}" = Picture Slide DVD 1.0
"{4A3634D9-9C3E-4E84-9520-681D70CB9232}_is1" = FMS-Scenery: Flying site of MFC Linz 1.0
"{4AD13F68-CADA-4C6B-9759-C33753F89908}" = Acer eDataSecurity Management
"{4C590030-7469-453E-8589-D15DA9D03F52}" = ANIWZCS2 Service
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68E7E8BD-2233-49BE-81D6-1A1FAF1B5196}" = RAW Image Task 1.1
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6EE21298-DEA5-4141-B8C8-E58737216134}" = RPS SafeConnect
"{7057702F-6D71-4F30-8000-9E72BC771887}" = Acer ePerformance Management
"{70C592EC-AE9B-4734-928B-676E824FB41E}" = MFC RunTime files
"{760B29F2-8663-419B-A025-5A55066E130B}" = Ulead Photo Express 6

"{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}" = ANIO Service
"{8213D6EA-F48B-4040-A088-6259751DEB0B}" = RPS ParentalControl
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B3E5A90-1F6E-4FAF-B84F-C306C8A80809}" = AeroFly Professional Deluxe
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{91120000-002B-0000-0000-0000000FF1CE}" = Microsoft Office Word 2007
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9D2DC83B-E717-4402-ACC6-F824899FEAD6}" = ATI Catalyst Control Center
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5D4E41C-2583-46FE-9B99-62496F85C5F3}" = RPS CRT
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB6097D9-D722-4987-BD9E-A076E2848EE2}" = Acer Empowering Technology
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B06B842F-2450-494F-BBDE-217CDC151A37}" = NTI Backup NOW! 4.5
"{BB34B49B-7C29-4140-9E58-659DFFB48534}" = RPS Burn
"{C084BC61-E537-11DE-8616-005056806466}" = Google Earth
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3D813D6-D849-4324-B8BB-A61C349DEEBB}" = ADRE SXP
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D27E6ABB-AF22-4618-838E-B4A3A1B02F98}" = comsummer-1024x768
"{D488D3D4-3302-4EB3-BC2C-814428DAEB15}" = RPS Firewall
"{D755C7A3-C03E-4460-8C00-AC6E55505FB5}" = LightScribe 1.4.74.1
"{D76AC37C-40AE-49EB-B867-1C405C9485C1}" = RPS Ksdk
"{D7D2F494-89E3-42ED-8A2B-75BDD9B464CB}" = D-Link Wireless N DWA-140
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}" = Citrix XenApp Web Plugin
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1BECAB5-C251-4019-88BC-FBD3668E526C}" = RPS PopupBlocker
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6EFFB76-4A07-11DA-9D78-000129760D75}" = Plug and Record 1.0
"{F8718F95-21A1-44B9-97EC-679C93020BAE}" = Colin McRae Rally 04
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.4
"Any Video Converter_is1" = Any Video Converter 2.6.7
"ATI Display Driver" = ATI Display Driver
"AwayMode160" = Microsoft Away Mode
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"B991B020-2968-11D8-AF23-444553540000_is1" = FreeMind
"BitTornado" = BitTornado 0.3.18
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Canon MOV Decoder" = Canon MOV Decoder
"Canon MOV Encoder" = Canon MOV Encoder
"CSCLIB" = Canon Camera Support Core Library
"DAEMON Tools Toolbar" = DAEMON Tools Toolbar
"DPP" = Canon Utilities Digital Photo Professional 3.6
"EOS Utility" = Canon Utilities EOS Utility
"FMS" = FMS
"Free Disk Analyzer" = Free Disk Analyzer
"Google Updater" = Google Updater
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"InstallShield_{4AD13F68-CADA-4C6B-9759-C33753F89908}" = Acer eDataSecurity Management 2.0.3079
"InstallShield_{68E7E8BD-2233-49BE-81D6-1A1FAF1B5196}" = Canon RAW Image Task for ZoomBrowser EX
"JSDK2.0" = Java Servlet Development Kit 2.0
"MainConcept (MCE) MPEG Encoder_is1" = MainConcept (MCE) MPEG Encoder
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MGI_PRISM_V3_0" = MGI PhotoSuite III SE (Remove Only)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.5.6)" = Mozilla Firefox (3.5.6)
"MyCamera" = Canon Utilities MyCamera
"NVIDIA Drivers" = NVIDIA Drivers
"OcaHistoryUpd" = OCA Client history tool install
"Original Data Security Tools" = Canon Utilities Original Data Security Tools
"PhotoStitch" = Canon Utilities PhotoStitch
"Picture Style Editor" = Canon Utilities Picture Style Editor
"RadialpointClientGateway_is1" = Virgin Broadband advisor 1.5.24
"Rainbow Sentinel Driver" = Sentinel System Driver
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Shockwave" = Shockwave
"SmartSuite V99.0" = Lotus SmartSuite Release 9.5
"Spb Backup" = Spb Backup
"Spb Backup_is1" = Spb Backup 2.0
"Spb Mobile Shell" = Spb Mobile Shell
"ST6UNST #1" = Myopoly5
"WFTK" = Canon Utilities WFT-E1/E2/E3/E4 Utility
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"WORDHOMESTUDENTR" = Microsoft Office Word Home and Student 2007
"xampp" = XAMPP 1.7.1
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1999078760-3644901915-825374499-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"FileZilla Client" = FileZilla Client 3.2.8.1

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 09/01/2010 15:56:38 | Computer Name = ACE-ACER | Source = COSIDS_TB | ID = 4097
Description =

Error - 11/01/2010 06:54:23 | Computer Name = ACE-ACER | Source = COSIDS_TB | ID = 4097
Description =

Error - 11/01/2010 06:54:23 | Computer Name = ACE-ACER | Source = COSIDS_TB | ID = 4097
Description =

Error - 11/01/2010 07:06:09 | Computer Name = ACE-ACER | Source = COSIDS_TB | ID = 4097
Description =

Error - 11/01/2010 07:06:09 | Computer Name = ACE-ACER | Source = COSIDS_TB | ID = 4097
Description =

Error - 11/01/2010 07:22:06 | Computer Name = ACE-ACER | Source = Google Update | ID = 20
Description =

Error - 11/01/2010 08:22:11 | Computer Name = ACE-ACER | Source = Google Update | ID = 20
Description =

Error - 11/01/2010 14:13:01 | Computer Name = ACE-ACER | Source = COSIDS_TB | ID = 4097
Description =

Error - 11/01/2010 14:13:01 | Computer Name = ACE-ACER | Source = COSIDS_TB | ID = 4097
Description =

Error - 11/01/2010 14:22:06 | Computer Name = ACE-ACER | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 09/01/2010 10:50:02 | Computer Name = ACE-ACER | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 30 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 09/01/2010 10:50:02 | Computer Name = ACE-ACER | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 30 minutes. NtpClient has no source of accurate
time.

Error - 09/01/2010 11:20:47 | Computer Name = ACE-ACER | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 60 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 09/01/2010 11:21:02 | Computer Name = ACE-ACER | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 59 minutes. NtpClient has no source of accurate
time.

Error - 09/01/2010 11:39:39 | Computer Name = ACE-ACER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
StarOpen

Error - 09/01/2010 15:58:25 | Computer Name = ACE-ACER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
StarOpen

Error - 11/01/2010 06:55:26 | Computer Name = ACE-ACER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
StarOpen

Error - 11/01/2010 06:56:05 | Computer Name = ACE-ACER | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 11/01/2010 07:07:00 | Computer Name = ACE-ACER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
StarOpen

Error - 11/01/2010 14:13:55 | Computer Name = ACE-ACER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
StarOpen

< End of report >

#4 rocketronnie

Member

Group: Members
Posts: 26
Joined: 02-January 10
Gender:Male
Location:Scotland

Posted 11 January 2010 - 01:53 PM

Hello again,

Sorry for making two posts, but every time I connect the affected computer it appears to download some other nasty, so I've been keeping it offline, and just connected for long enough to download the OTL tool, then reconnected to post the logs.

Other than that there are no symptoms to speak of - it seems to perform as normal and hasn't been crashy. I just keep detecting trojans. There was one detected by my anti-virus when I switched the machine on just now to go and do the scan you asked for, even though it hasn't been online!

The machine has basically been in quarantine since I posted on 3rd Jan, and since the 4th I've not downloaded any other tools (until OTL). Luckily we have this old PC we're able to use in the meantime (although its a bit s....l....o...w....!)

Thanks very much for helping,
Ronnie.

PS should probably add that my first indication of something wrong was similar to this topic:
http://www.bleepingcomputer.com/forums/topic280792.html
so I first followed the advice on there down to the RootRepeal scan - which I didn't like the look of - & posted and was advised to start a new topic here.

This post has been edited by rocketronnie: 11 January 2010 - 02:03 PM

#5 myrti

bleepin' _temp_

Group: Malware Response Instructor
Posts: 26,080
Joined: 25-January 08
Gender:Female
Location:At home

Posted 11 January 2010 - 04:44 PM

Hi,

the OTL does show active malware, so we are going to try to remove it with ComboFix:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

#6 rocketronnie

Member

Group: Members
Posts: 26
Joined: 02-January 10
Gender:Male
Location:Scotland

Posted 12 January 2010 - 03:32 PM

hi myrti,

just ran combofix, but had internet connection off when I started it (seemed like the right way for it to be with every anti-virus & spyware turned off, but I forgot about the console download bit). I wasn't able to activate the connection for comboxfix when it wanted it, so it continued without the console (log posted here). Do I need to run it again with the internet on this time or is this one good? AV is showing outdated as the machine hasn't been connected to the internet for long enough to update itself.

ComboFix 10-01-12.02 - Ronnie & Fiona 12/01/2010 20:07:37.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.601 [GMT 0:00]
Running from: c:\documents and settings\Ronnie
AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{E256FA32-883B-4F96-B91C-BF8C3B5F2A5E}
c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{E256FA32-883B-4F96-B91C-BF8C3B5F2A5E}\chrome.manifest
c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{E256FA32-883B-4F96-B91C-BF8C3B5F2A5E}\chrome\content\_cfg.js
c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{E256FA32-883B-4F96-B91C-BF8C3B5F2A5E}\chrome\content\overlay.xul
c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{E256FA32-883B-4F96-B91C-BF8C3B5F2A5E}\install.rdf
c:\windows\ikutijihanoti.dll
c:\windows\kb913800.exe
c:\windows\system32\Install.bat
c:\windows\unins000.dat
c:\windows\unins000.exe
c:\windows\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
.

2010-01-09 19:57 . 2010-01-09 19:57 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{2293AE61-7DD8-4B82-99A5-038E4BE10F5F}
2010-01-04 08:59 . 2010-01-04 08:59 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{2D5A99E6-D256-442E-89D4-075B5C0E9314}
2010-01-01 10:47 . 2010-01-01 10:47 52224 ----a-w- c:\documents and settings\Ronnie & Fiona\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-01 10:47 . 2010-01-01 10:47 117760 ----a-w- c:\documents and settings\Ronnie & Fiona\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-01 10:46 . 2010-01-01 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-01 10:46 . 2010-01-01 10:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-01 10:46 . 2010-01-01 10:46 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Application Data\SUPERAntiSpyware.com
2010-01-01 10:45 . 2010-01-01 10:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-01 08:55 . 2010-01-01 08:55 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1}
2010-01-01 01:36 . 2010-01-01 01:36 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Application Data\Malwarebytes
2010-01-01 01:35 . 2009-12-30 14:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 01:35 . 2010-01-01 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-01 01:35 . 2009-12-30 14:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 01:35 . 2010-01-01 01:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 05:03 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-30 23:49 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-30 23:47 . 2009-12-30 23:47 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-30 23:47 . 2009-12-30 23:47 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-30 23:47 . 2009-12-30 23:47 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-30 23:47 . 2009-12-30 23:47 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-30 23:47 . 2009-12-30 23:47 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-30 23:47 . 2009-12-30 23:47 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-30 23:43 . 2009-12-30 23:44 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-30 23:43 . 2009-12-30 23:43 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-30 23:43 . 2009-12-30 23:43 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-30 23:43 . 2009-12-30 23:43 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-30 23:43 . 2009-12-30 23:43 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-30 23:42 . 2009-12-30 23:43 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-30 23:42 . 2009-12-30 23:42 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-30 23:36 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-12-30 23:36 . 2009-12-30 23:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-30 23:34 . 2009-12-30 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-30 23:34 . 2009-12-30 23:34 -------- d-----w- c:\program files\Lavasoft
2009-12-28 08:40 . 2010-01-12 19:59 0 ----a-w- c:\windows\Oguda.bin
2009-12-28 08:40 . 2010-01-02 15:04 120 ----a-w- c:\windows\Tcozijohapuhido.dat
2009-12-28 08:40 . 2009-12-28 08:40 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{4EABB6BA-314C-49F1-BB8F-737E0A202A09}
2009-12-28 08:38 . 2004-08-03 22:59 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2009-12-28 08:38 . 2004-08-03 22:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2009-12-28 08:38 . 2004-08-03 23:00 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2009-12-28 08:38 . 2004-08-03 23:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2009-12-28 08:38 . 2004-08-03 23:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2009-12-28 08:38 . 2004-08-03 23:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2009-12-27 13:49 . 2010-01-04 13:32 -------- d-----w- c:\program files\Myopoly5
2009-12-27 13:47 . 2009-12-27 13:47 286720 ------w- c:\windows\Setup1.exe
2009-12-27 13:47 . 2009-12-27 13:47 73216 ----a-w- c:\windows\ST6UNST.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 20:03 . 2009-10-20 21:28 348740 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-12 20:03 . 2009-10-20 21:28 33868832 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-12 20:03 . 2009-10-20 21:28 220448 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-12 20:03 . 2009-10-20 21:28 20228 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-12 11:55 . 2009-03-28 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-12 00:19 . 2009-01-15 22:14 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Application Data\FileZilla
2010-01-01 00:33 . 2009-01-15 22:14 -------- d-----w- c:\program files\FileZilla FTP Client
2009-12-31 17:56 . 2009-09-30 07:20 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Application Data\ZoomBrowser EX
2009-12-31 17:56 . 2009-09-16 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-12-30 11:07 . 2009-12-30 11:07 664 ----a-w- c:\windows\system32\d3d9caps.tmp
2009-12-28 08:36 . 2009-12-28 08:36 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
2009-12-21 20:25 . 2009-03-28 17:24 -------- d-----w- c:\program files\Google
2009-12-08 19:09 . 2009-10-24 17:36 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-23 18:21 . 2009-11-23 18:14 -------- d-----w- c:\program files\cosids
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-28 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-28 7573504]
"nwiz"="nwiz.exe" [2006-04-28 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-28 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-19 49152]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-08-01 346112]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless N DWA-140"="c:\program files\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe" [2007-03-14 1388544]
"Net-It Launcher"="c:\windows\system32\NILaunch.exe" [1998-02-05 24576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2008-9-11 45056]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Spb Backup Sync.lnk - c:\program files\Spb Backup\SpbBackupSync.exe [2009-3-4 430080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer Zone\\Picture Slide DVD\\Component\\CLSLDVD.exe"=
"c:\\Program Files\\Acer Zone\\Plug and Record\\Component\\ARAWP.exe"=
"c:\\Program Files\\Acer Zone\\Plug and Record\\Component\\DVAX2Process.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/12/2009 23:49 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [09/12/2008 23:10 24636]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [22/09/2008 15:58 693512]
R2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe [14/11/2008 17:28 4937752]
R3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [16/05/2006 10:04 660992]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [14/11/2008 17:28 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [14/11/2008 17:28 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [14/11/2008 17:28 27376]
S0 jnvac;jnvac;c:\windows\system32\drivers\ixqdjr.sys --> c:\windows\system32\drivers\ixqdjr.sys [?]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [21/06/2009 19:53 721904]
S2 COSIDS_TB;COSIDS_TB;c:\progra~1\COSIDS\BIN\TbMux32.exe [23/11/2009 18:20 165376]
S2 gupdate1c9afca31f46688;Google Update Service (gupdate1c9afca31f46688);c:\program files\Google\Update\GoogleUpdate.exe [28/03/2009 17:25 133104]
S3 lac97inf;lac97inf;\??\c:\docume~1\RONNIE~1\LOCALS~1\Temp\lac97inf.sys --> c:\docume~1\RONNIE~1\LOCALS~1\Temp\lac97inf.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [02/12/2009 13:19 1181328]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [22/09/2008 15:58 910600]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe [27/05/2009 12:10 170736]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [03/01/2009 20:57 476416]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-28 17:24]

2010-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-28 17:25]

2010-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-28 17:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.uk.acer.yahoo.com
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://en.uk.acer.yahoo.com/
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab
FF - ProfilePath - c:\documents and settings\Ronnie & Fiona\Application Data\Mozilla\Firefox\Profiles\ui2ykfs4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?rls=ig&hl=en
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {4EABB6BA-314C-49F1-BB8F-737E0A202A09} - c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{4EABB6BA-314C-49F1-BB8F-737E0A202A09}\
FF - HiddenExtension: XULRunner: {5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1} - c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1}
FF - HiddenExtension: XULRunner: {2D5A99E6-D256-442E-89D4-075B5C0E9314} - c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{2D5A99E6-D256-442E-89D4-075B5C0E9314}
FF - HiddenExtension: XULRunner: {2293AE61-7DD8-4B82-99A5-038E4BE10F5F} - c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{2293AE61-7DD8-4B82-99A5-038E4BE10F5F}
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Vdesudajuga - c:\windows\ikutijihanoti.dll
AddRemove-MainConcept (MCE) MPEG Encoder_is1 - c:\windows\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-12 20:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-01-12 20:16:07
ComboFix-quarantined-files.txt 2010-01-12 20:16

Pre-Run: 68,150,784,000 bytes free
Post-Run: 68,155,539,456 bytes free

- - End Of File - - 0E32E1796D13862718D0C4629DEF5AC9

This post has been edited by rocketronnie: 12 January 2010 - 03:37 PM

#7 rocketronnie

Member

Group: Members
Posts: 26
Joined: 02-January 10
Gender:Male
Location:Scotland

Posted 12 January 2010 - 04:16 PM

I did run it again, but it doesn't look like it found anything else:

ComboFix 10-01-12.02 - Ronnie & Fiona 12/01/2010 20:54:23.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.518 [GMT 0:00]
Running from: c:\documents and settings\Ronnie
AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.

((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
.

2010-01-09 19:57 . 2010-01-09 19:57 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{2293AE61-7DD8-4B82-99A5-038E4BE10F5F}
2010-01-04 08:59 . 2010-01-04 08:59 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{2D5A99E6-D256-442E-89D4-075B5C0E9314}
2010-01-01 10:47 . 2010-01-01 10:47 52224 ----a-w- c:\documents and settings\Ronnie & Fiona\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-01 10:47 . 2010-01-01 10:47 117760 ----a-w- c:\documents and settings\Ronnie & Fiona\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-01 10:46 . 2010-01-01 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-01 10:46 . 2010-01-01 10:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-01 10:46 . 2010-01-01 10:46 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Application Data\SUPERAntiSpyware.com
2010-01-01 10:45 . 2010-01-01 10:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-01 08:55 . 2010-01-01 08:55 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1}
2010-01-01 01:36 . 2010-01-01 01:36 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Application Data\Malwarebytes
2010-01-01 01:35 . 2009-12-30 14:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 01:35 . 2010-01-01 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-01 01:35 . 2009-12-30 14:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 01:35 . 2010-01-01 01:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 05:03 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-30 23:49 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-30 23:47 . 2009-12-30 23:47 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-30 23:47 . 2009-12-30 23:47 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-30 23:47 . 2009-12-30 23:47 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-30 23:47 . 2009-12-30 23:47 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-30 23:47 . 2009-12-30 23:47 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-30 23:47 . 2009-12-30 23:47 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-30 23:43 . 2009-12-30 23:44 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-30 23:43 . 2009-12-30 23:43 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-30 23:43 . 2009-12-30 23:43 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-30 23:43 . 2009-12-30 23:43 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-30 23:43 . 2009-12-30 23:43 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-30 23:42 . 2009-12-30 23:43 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-30 23:42 . 2009-12-30 23:42 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-30 23:36 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-12-30 23:36 . 2009-12-30 23:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-30 23:34 . 2009-12-30 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-30 23:34 . 2009-12-30 23:34 -------- d-----w- c:\program files\Lavasoft
2009-12-28 08:40 . 2010-01-12 19:59 0 ----a-w- c:\windows\Oguda.bin
2009-12-28 08:40 . 2010-01-02 15:04 120 ----a-w- c:\windows\Tcozijohapuhido.dat
2009-12-28 08:40 . 2009-12-28 08:40 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{4EABB6BA-314C-49F1-BB8F-737E0A202A09}
2009-12-28 08:38 . 2004-08-03 22:59 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2009-12-28 08:38 . 2004-08-03 22:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2009-12-28 08:38 . 2004-08-03 23:00 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2009-12-28 08:38 . 2004-08-03 23:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2009-12-28 08:38 . 2004-08-03 23:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2009-12-28 08:38 . 2004-08-03 23:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2009-12-27 13:49 . 2010-01-04 13:32 -------- d-----w- c:\program files\Myopoly5
2009-12-27 13:47 . 2009-12-27 13:47 286720 ------w- c:\windows\Setup1.exe
2009-12-27 13:47 . 2009-12-27 13:47 73216 ----a-w- c:\windows\ST6UNST.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 20:48 . 2009-10-20 21:28 350468 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-12 20:48 . 2009-10-20 21:28 220448 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-12 20:48 . 2009-10-20 21:28 20828 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-12 20:48 . 2009-10-20 21:28 33868832 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-12 11:55 . 2009-03-28 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-12 00:19 . 2009-01-15 22:14 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Application Data\FileZilla
2010-01-01 00:33 . 2009-01-15 22:14 -------- d-----w- c:\program files\FileZilla FTP Client
2009-12-31 17:56 . 2009-09-30 07:20 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Application Data\ZoomBrowser EX
2009-12-31 17:56 . 2009-09-16 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-12-30 11:07 . 2009-12-30 11:07 664 ----a-w- c:\windows\system32\d3d9caps.tmp
2009-12-28 08:36 . 2009-12-28 08:36 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
2009-12-21 20:25 . 2009-03-28 17:24 -------- d-----w- c:\program files\Google
2009-12-08 19:09 . 2009-10-24 17:36 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-23 18:21 . 2009-11-23 18:14 -------- d-----w- c:\program files\cosids
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-28 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-28 7573504]
"nwiz"="nwiz.exe" [2006-04-28 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-28 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-19 49152]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-08-01 346112]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless N DWA-140"="c:\program files\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe" [2007-03-14 1388544]
"Net-It Launcher"="c:\windows\system32\NILaunch.exe" [1998-02-05 24576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2008-9-11 45056]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Spb Backup Sync.lnk - c:\program files\Spb Backup\SpbBackupSync.exe [2009-3-4 430080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer Zone\\Picture Slide DVD\\Component\\CLSLDVD.exe"=
"c:\\Program Files\\Acer Zone\\Plug and Record\\Component\\ARAWP.exe"=
"c:\\Program Files\\Acer Zone\\Plug and Record\\Component\\DVAX2Process.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/12/2009 23:49 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [09/12/2008 23:10 24636]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [22/09/2008 15:58 693512]
R2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe [14/11/2008 17:28 4937752]
R3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [16/05/2006 10:04 660992]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [14/11/2008 17:28 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [14/11/2008 17:28 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [14/11/2008 17:28 27376]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [03/01/2009 20:57 476416]
S0 jnvac;jnvac;c:\windows\system32\drivers\ixqdjr.sys --> c:\windows\system32\drivers\ixqdjr.sys [?]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [21/06/2009 19:53 721904]
S2 COSIDS_TB;COSIDS_TB;c:\progra~1\COSIDS\BIN\TbMux32.exe [23/11/2009 18:20 165376]
S2 gupdate1c9afca31f46688;Google Update Service (gupdate1c9afca31f46688);c:\program files\Google\Update\GoogleUpdate.exe [28/03/2009 17:25 133104]
S3 lac97inf;lac97inf;\??\c:\docume~1\RONNIE~1\LOCALS~1\Temp\lac97inf.sys --> c:\docume~1\RONNIE~1\LOCALS~1\Temp\lac97inf.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [02/12/2009 13:19 1181328]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [22/09/2008 15:58 910600]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe [27/05/2009 12:10 170736]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-28 17:24]

2010-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-28 17:25]

2010-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-28 17:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.uk.acer.yahoo.com
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://en.uk.acer.yahoo.com/
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab
FF - ProfilePath - c:\documents and settings\Ronnie & Fiona\Application Data\Mozilla\Firefox\Profiles\ui2ykfs4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?rls=ig&hl=en
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {4EABB6BA-314C-49F1-BB8F-737E0A202A09} - c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{4EABB6BA-314C-49F1-BB8F-737E0A202A09}\
FF - HiddenExtension: XULRunner: {5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1} - c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1}
FF - HiddenExtension: XULRunner: {2D5A99E6-D256-442E-89D4-075B5C0E9314} - c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{2D5A99E6-D256-442E-89D4-075B5C0E9314}
FF - HiddenExtension: XULRunner: {2293AE61-7DD8-4B82-99A5-038E4BE10F5F} - c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{2293AE61-7DD8-4B82-99A5-038E4BE10F5F}
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-01-12 21:01:05
ComboFix-quarantined-files.txt 2010-01-12 21:01
ComboFix2.txt 2010-01-12 20:16

Pre-Run: 68,156,153,856 bytes free
Post-Run: 68,111,208,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 1A2253DECCDC52645EDD59335A734610

#8 myrti

bleepin' _temp_

Group: Malware Response Instructor
Posts: 26,080
Joined: 25-January 08
Gender:Female
Location:At home

Posted 12 January 2010 - 04:24 PM

Hi,
I would like to run ComboFix again, so please install the recovery console. You can use the following instructions for an offline installation:

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Posted Image

Download the file & save it as it's originally named.

---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Posted Image

Drag the setup package onto ComboFix.exe and drop it.
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
At the next prompt, click 'Yes' to run the full ComboFix scan.
When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

regards myrti

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

#9 rocketronnie

Member

Group: Members
Posts: 26
Joined: 02-January 10
Gender:Male
Location:Scotland

Posted 12 January 2010 - 06:02 PM

ok - the recovery console is installed. latest log pasted below (AV has had a chance to update itself since the first one). Strange that the firewall says disabled - I didn't turn it off (as your instructions didn't mention firewalls) and its showing active on its control panel. Perhaps by the time Combofix has started its scan, the firewall hasn't loaded (during the reboot cycle that Combofix starts).

ComboFix 10-01-12.02 - Ronnie & Fiona 12/01/2010 22:36:18.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.597 [GMT 0:00]
Running from: c:\documents and settings\Ronnie
AV: PCguard Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.

((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
.

2010-01-09 19:57 . 2010-01-09 19:57 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{2293AE61-7DD8-4B82-99A5-038E4BE10F5F}
2010-01-04 08:59 . 2010-01-04 08:59 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{2D5A99E6-D256-442E-89D4-075B5C0E9314}
2010-01-01 10:47 . 2010-01-01 10:47 52224 ----a-w- c:\documents and settings\Ronnie & Fiona\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-01 10:47 . 2010-01-01 10:47 117760 ----a-w- c:\documents and settings\Ronnie & Fiona\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-01 10:46 . 2010-01-01 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-01 10:46 . 2010-01-01 10:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-01 10:46 . 2010-01-01 10:46 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Application Data\SUPERAntiSpyware.com
2010-01-01 10:45 . 2010-01-01 10:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-01 08:55 . 2010-01-01 08:55 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1}
2010-01-01 01:36 . 2010-01-01 01:36 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Application Data\Malwarebytes
2010-01-01 01:35 . 2009-12-30 14:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 01:35 . 2010-01-01 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-01 01:35 . 2009-12-30 14:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 01:35 . 2010-01-01 01:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 05:03 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-30 23:49 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-30 23:47 . 2009-12-30 23:47 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-30 23:47 . 2009-12-30 23:47 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-30 23:47 . 2009-12-30 23:47 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-30 23:47 . 2009-12-30 23:47 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-30 23:47 . 2009-12-30 23:47 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-30 23:47 . 2009-12-30 23:47 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-30 23:43 . 2009-12-30 23:44 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-30 23:43 . 2009-12-30 23:43 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-30 23:43 . 2009-12-30 23:43 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-30 23:43 . 2009-12-30 23:43 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-30 23:43 . 2009-12-30 23:43 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-30 23:42 . 2009-12-30 23:43 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-30 23:42 . 2009-12-30 23:42 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-30 23:36 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-12-30 23:36 . 2009-12-30 23:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-30 23:34 . 2009-12-30 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-30 23:34 . 2009-12-30 23:34 -------- d-----w- c:\program files\Lavasoft
2009-12-28 08:40 . 2010-01-12 19:59 0 ----a-w- c:\windows\Oguda.bin
2009-12-28 08:40 . 2010-01-02 15:04 120 ----a-w- c:\windows\Tcozijohapuhido.dat
2009-12-28 08:40 . 2009-12-28 08:40 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{4EABB6BA-314C-49F1-BB8F-737E0A202A09}
2009-12-28 08:38 . 2004-08-03 22:59 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2009-12-28 08:38 . 2004-08-03 22:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2009-12-28 08:38 . 2004-08-03 23:00 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2009-12-28 08:38 . 2004-08-03 23:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2009-12-28 08:38 . 2004-08-03 23:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2009-12-28 08:38 . 2004-08-03 23:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2009-12-27 13:49 . 2010-01-04 13:32 -------- d-----w- c:\program files\Myopoly5
2009-12-27 13:47 . 2009-12-27 13:47 286720 ------w- c:\windows\Setup1.exe
2009-12-27 13:47 . 2009-12-27 13:47 73216 ----a-w- c:\windows\ST6UNST.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 22:33 . 2009-10-20 21:28 220448 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-12 22:33 . 2009-10-20 21:28 21452 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-12 22:33 . 2009-10-20 21:28 352724 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-12 22:33 . 2009-10-20 21:28 33868832 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-12 11:55 . 2009-03-28 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-12 00:19 . 2009-01-15 22:14 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Application Data\FileZilla
2010-01-01 00:33 . 2009-01-15 22:14 -------- d-----w- c:\program files\FileZilla FTP Client
2009-12-31 17:56 . 2009-09-30 07:20 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Application Data\ZoomBrowser EX
2009-12-31 17:56 . 2009-09-16 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-12-30 11:07 . 2009-12-30 11:07 664 ----a-w- c:\windows\system32\d3d9caps.tmp
2009-12-28 08:36 . 2009-12-28 08:36 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
2009-12-21 20:25 . 2009-03-28 17:24 -------- d-----w- c:\program files\Google
2009-12-08 19:09 . 2009-10-24 17:36 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-23 18:21 . 2009-11-23 18:14 -------- d-----w- c:\program files\cosids
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-28 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-28 7573504]
"nwiz"="nwiz.exe" [2006-04-28 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-28 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-19 49152]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-08-01 346112]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless N DWA-140"="c:\program files\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe" [2007-03-14 1388544]
"Net-It Launcher"="c:\windows\system32\NILaunch.exe" [1998-02-05 24576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2008-9-11 45056]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Spb Backup Sync.lnk - c:\program files\Spb Backup\SpbBackupSync.exe [2009-3-4 430080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer Zone\\Picture Slide DVD\\Component\\CLSLDVD.exe"=
"c:\\Program Files\\Acer Zone\\Plug and Record\\Component\\ARAWP.exe"=
"c:\\Program Files\\Acer Zone\\Plug and Record\\Component\\DVAX2Process.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/12/2009 23:49 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [09/12/2008 23:10 24636]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [22/09/2008 15:58 693512]
R2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe [14/11/2008 17:28 4937752]
R3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [16/05/2006 10:04 660992]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [14/11/2008 17:28 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [14/11/2008 17:28 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [14/11/2008 17:28 27376]
S0 jnvac;jnvac;c:\windows\system32\drivers\ixqdjr.sys --> c:\windows\system32\drivers\ixqdjr.sys [?]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [21/06/2009 19:53 721904]
S2 COSIDS_TB;COSIDS_TB;c:\progra~1\COSIDS\BIN\TbMux32.exe [23/11/2009 18:20 165376]
S2 gupdate1c9afca31f46688;Google Update Service (gupdate1c9afca31f46688);c:\program files\Google\Update\GoogleUpdate.exe [28/03/2009 17:25 133104]
S3 lac97inf;lac97inf;\??\c:\docume~1\RONNIE~1\LOCALS~1\Temp\lac97inf.sys --> c:\docume~1\RONNIE~1\LOCALS~1\Temp\lac97inf.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [02/12/2009 13:19 1181328]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [22/09/2008 15:58 910600]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe [27/05/2009 12:10 170736]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [03/01/2009 20:57 476416]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-28 17:24]

2010-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-28 17:25]

2010-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-28 17:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.uk.acer.yahoo.com
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://en.uk.acer.yahoo.com/
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab
FF - ProfilePath - c:\documents and settings\Ronnie & Fiona\Application Data\Mozilla\Firefox\Profiles\ui2ykfs4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?rls=ig&hl=en
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {4EABB6BA-314C-49F1-BB8F-737E0A202A09} - c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{4EABB6BA-314C-49F1-BB8F-737E0A202A09}\
FF - HiddenExtension: XULRunner: {5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1} - c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1}
FF - HiddenExtension: XULRunner: {2D5A99E6-D256-442E-89D4-075B5C0E9314} - c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{2D5A99E6-D256-442E-89D4-075B5C0E9314}
FF - HiddenExtension: XULRunner: {2293AE61-7DD8-4B82-99A5-038E4BE10F5F} - c:\documents and settings\Ronnie & Fiona\Local Settings\Application Data\{2293AE61-7DD8-4B82-99A5-038E4BE10F5F}
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-01-12 22:44:37
ComboFix-quarantined-files.txt 2010-01-12 22:44
ComboFix2.txt 2010-01-12 20:16

Pre-Run: 68,169,719,808 bytes free
Post-Run: 68,124,704,768 bytes free

- - End Of File - - 3BA0560DB8A3A787798DA167FD891BE7

#10 myrti

bleepin' _temp_

Group: Malware Response Instructor
Posts: 26,080
Joined: 25-January 08
Gender:Female
Location:At home

Posted 12 January 2010 - 06:32 PM

Hi,

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

Ensure all Firefox windows are closed.
To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
When prompted to run the scan, click Yes.
GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Afterwards:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

File::
c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
c:\windows\Oguda.bin
c:\windows\Tcozijohapuhido.dat

Driver::
jnvac
lac97inf

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

#11 rocketronnie

Member

Group: Members
Posts: 26
Joined: 02-January 10
Gender:Male
Location:Scotland

Posted 12 January 2010 - 07:29 PM

Hi myrti,
Thanks so much for all this help - feels like progress (seeing files that Rootrepeal didn't like being identified & got rid of). looks like Firefox took a pasting from malware...should I be going back to IE ?
Log files from these ones:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 23:58 on 12/01/2010 (Ronnie & Fiona)
Firefox version 3.5.6 (en-GB)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{4EABB6BA-314C-49F1-BB8F-737E0A202A09} -> Success!
Deleting C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\{4EABB6BA-314C-49F1-BB8F-737E0A202A09} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1} -> Success!
Deleting C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\{5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{2D5A99E6-D256-442E-89D4-075B5C0E9314} -> Success!
Deleting C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\{2D5A99E6-D256-442E-89D4-075B5C0E9314} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{2293AE61-7DD8-4B82-99A5-038E4BE10F5F} -> Success!
Deleting C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\{2293AE61-7DD8-4B82-99A5-038E4BE10F5F} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [18:52 10/02/2009]

C:\Documents and Settings\Ronnie & Fiona\Application Data\Mozilla\Firefox\Profiles\ui2ykfs4.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [13:40 03/12/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [19:46 05/09/2009]

-=E.O.F=-

ComboFix 10-01-12.02 - Ronnie & Fiona 13/01/2010 0:05.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.602 [GMT 0:00]
Running from: c:\documents and settings\Ronnie
Command switches used :: c:\documents and settings\Ronnie & Fiona\Desktop\CFScript.txt.txt
AV: PCguard Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

FILE ::
"c:\windows\Oguda.bin"
"c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat"
"c:\windows\Tcozijohapuhido.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Oguda.bin
c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
c:\windows\Tcozijohapuhido.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LAC97INF
-------\Service_jnvac
-------\Service_lac97inf

((((((((((((((((((((((((( Files Created from 2009-12-13 to 2010-01-13 )))))))))))))))))))))))))))))))
.

2010-01-01 10:46 . 2010-01-01 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-01 10:46 . 2010-01-01 10:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-01 10:46 . 2010-01-01 10:46 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Application Data\SUPERAntiSpyware.com
2010-01-01 10:45 . 2010-01-01 10:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-01 01:36 . 2010-01-01 01:36 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Application Data\Malwarebytes
2010-01-01 01:35 . 2009-12-30 14:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 01:35 . 2010-01-01 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-01 01:35 . 2009-12-30 14:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 01:35 . 2010-01-01 01:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 05:03 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-30 23:49 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-30 23:36 . 2009-12-30 23:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-30 23:34 . 2009-12-30 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-30 23:34 . 2009-12-30 23:34 -------- d-----w- c:\program files\Lavasoft
2009-12-28 08:38 . 2004-08-03 22:59 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2009-12-28 08:38 . 2004-08-03 22:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2009-12-28 08:38 . 2004-08-03 23:00 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2009-12-28 08:38 . 2004-08-03 23:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2009-12-28 08:38 . 2004-08-03 23:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2009-12-28 08:38 . 2004-08-03 23:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2009-12-27 13:49 . 2010-01-04 13:32 -------- d-----w- c:\program files\Myopoly5
2009-12-27 13:47 . 2009-12-27 13:47 286720 ------w- c:\windows\Setup1.exe
2009-12-27 13:47 . 2009-12-27 13:47 73216 ----a-w- c:\windows\ST6UNST.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-13 00:15 . 2009-10-20 21:28 227360 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-13 00:12 . 2009-10-20 21:28 355364 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-13 00:12 . 2009-10-20 21:28 33868832 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-13 00:12 . 2009-10-20 21:28 22268 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-12 22:50 . 2009-01-15 22:14 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Application Data\FileZilla
2010-01-12 11:55 . 2009-03-28 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-01 10:47 . 2010-01-01 10:47 52224 ----a-w- c:\documents and settings\Ronnie & Fiona\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-01 10:47 . 2010-01-01 10:47 117760 ----a-w- c:\documents and settings\Ronnie & Fiona\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-01 00:33 . 2009-01-15 22:14 -------- d-----w- c:\program files\FileZilla FTP Client
2009-12-31 17:56 . 2009-09-30 07:20 -------- d-----w- c:\documents and settings\Ronnie & Fiona\Application Data\ZoomBrowser EX
2009-12-31 17:56 . 2009-09-16 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-12-30 23:47 . 2009-12-30 23:47 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-30 23:47 . 2009-12-30 23:47 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-30 23:47 . 2009-12-30 23:47 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-30 23:47 . 2009-12-30 23:47 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-30 23:47 . 2009-12-30 23:47 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-30 23:47 . 2009-12-30 23:47 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-30 23:44 . 2009-12-30 23:43 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-30 23:43 . 2009-12-30 23:43 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-30 23:43 . 2009-12-30 23:43 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-30 23:43 . 2009-12-30 23:43 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-30 23:43 . 2009-12-30 23:43 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-30 23:43 . 2009-12-30 23:42 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-30 23:42 . 2009-12-30 23:42 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-30 11:07 . 2009-12-30 11:07 664 ----a-w- c:\windows\system32\d3d9caps.tmp
2009-12-21 20:25 . 2009-03-28 17:24 -------- d-----w- c:\program files\Google
2009-12-08 19:09 . 2009-10-24 17:36 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-12-07 14:10 . 2009-12-30 23:36 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-11-23 18:21 . 2009-11-23 18:14 -------- d-----w- c:\program files\cosids
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-28 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-28 7573504]
"nwiz"="nwiz.exe" [2006-04-28 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-28 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-19 49152]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-08-01 346112]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless N DWA-140"="c:\program files\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe" [2007-03-14 1388544]
"Net-It Launcher"="c:\windows\system32\NILaunch.exe" [1998-02-05 24576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2008-9-11 45056]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Spb Backup Sync.lnk - c:\program files\Spb Backup\SpbBackupSync.exe [2009-3-4 430080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer Zone\\Picture Slide DVD\\Component\\CLSLDVD.exe"=
"c:\\Program Files\\Acer Zone\\Plug and Record\\Component\\ARAWP.exe"=
"c:\\Program Files\\Acer Zone\\Plug and Record\\Component\\DVAX2Process.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/12/2009 23:49 64288]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [21/06/2009 19:53 721904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [09/12/2008 23:10 24636]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [22/09/2008 15:58 693512]
R2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe [14/11/2008 17:28 4937752]
R3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [16/05/2006 10:04 660992]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [14/11/2008 17:28 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [14/11/2008 17:28 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [14/11/2008 17:28 27376]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [03/01/2009 20:57 476416]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
S2 COSIDS_TB;COSIDS_TB;c:\progra~1\COSIDS\BIN\TbMux32.exe [23/11/2009 18:20 165376]
S2 gupdate1c9afca31f46688;Google Update Service (gupdate1c9afca31f46688);c:\program files\Google\Update\GoogleUpdate.exe [28/03/2009 17:25 133104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [02/12/2009 13:19 1181328]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [22/09/2008 15:58 910600]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe [27/05/2009 12:10 170736]
.
Contents of the 'Scheduled Tasks' folder

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:43]

2010-01-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-28 17:24]

2010-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-28 17:25]

2010-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-28 17:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.uk.acer.yahoo.com
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://en.uk.acer.yahoo.com/
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab
FF - ProfilePath - c:\documents and settings\Ronnie & Fiona\Application Data\Mozilla\Firefox\Profiles\ui2ykfs4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?rls=ig&hl=en
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-13 00:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x871661F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7579fc3
\Driver\ACPI -> ACPI.sys @ 0xf72d3cb8
\Driver\atapi -> 0x871661f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
SecurityProcedure -> ntkrnlpa.exe @ 0x80582be6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
SecurityProcedure -> ntkrnlpa.exe @ 0x80582be6
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(720)
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\MFC71U.DLL
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Virgin Broadband\PCguard\Fws.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\eHome\ehRec.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\xampp\mysql\bin\mysqld.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\spnsrvnt.exe
c:\progra~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\JAVA\JRE15~1.0_0\bin\java.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\windows\ARPWRMSG.EXE
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2010-01-13 00:21:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-13 00:21
ComboFix2.txt 2010-01-12 20:16

Pre-Run: 68,142,112,768 bytes free
Post-Run: 68,011,851,776 bytes free

- - End Of File - - F6A0F40EDFA78E66F94C14FF814C5CDE

#12 myrti

bleepin' _temp_

Group: Malware Response Instructor
Posts: 26,080
Joined: 25-January 08
Gender:Female
Location:At home

Posted 12 January 2010 - 08:46 PM

Hi,

there seems to be some more malware left. I would like you to run the following scan for a replacement file:

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2

Double-click the SystemLook and copy/paste the following into the box
```
 :filefind
atapi.sys
```
Hit the Look button. Let it finish the scan
A log will then pop-up to your Desktop.. Post the content of the log here in your next reply

There is some malware that exclusively targets Firefox, this is true. It will install a hidden add-on to redirect your browser searches in Firefox. However there are many many more ways to get infected using Internet Explorer (especially if you use an older version) than there are ways to get infected with Firefox.
The important thing is not if a browser can get infected but how many infections will be able to install through the browser onto your system. And in this aspect Firefox is safer than Internet Explorer.

regards myrti

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

#13 rocketronnie

Member

Group: Members
Posts: 26
Joined: 02-January 10
Gender:Male
Location:Scotland

Posted 13 January 2010 - 01:00 PM

Hi Myrti,

Here's the systemlook log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:54 on 13/01/2010 by Ronnie & Fiona (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 95360 bytes [20:14 12/01/2010] [20:00 10/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys --a--- 96512 bytes [05:12 08/12/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 95360 bytes [20:00 10/08/2004] [20:00 10/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-

Interestingly I've not had any more trojans being caught by my AV in the last few days (even though the machine has been connected quite a bit for downloads & posts). Last quarantine was a trojan on 11th Jan @ 18:20 hrs (before first Combofix run).

Ronnie.

This post has been edited by rocketronnie: 13 January 2010 - 01:03 PM

#14 myrti

bleepin' _temp_

Group: Malware Response Instructor
Posts: 26,080
Joined: 25-January 08
Gender:Female
Location:At home

Posted 13 January 2010 - 02:09 PM

Hi,

are you getting redirects in your browser?

Could you please run a scan with mbr?

Go to Start > Run and type: cmd.exe
press Ok.
At the command prompt type: mbr.exe -t >"C:\mbr.log"
press Enter.
A "DOS" box will open and quickly disappear. That is normal.
A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
Copy and paste the results of the mbr.log in your next reply.

regards myrti

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

#15 rocketronnie

Member

Group: Members
Posts: 26
Joined: 02-January 10
Gender:Male
Location:Scotland

Posted 13 January 2010 - 02:30 PM

Hi mryti,

Not aware of any redirects (I take it these would be pages opening visibly that I've not asked for?). Haven't seen that sort of behaviour at any time.

Looks like the previous log that mentioned MBR rootkit was right?:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x871671F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x871671f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !