Browser links are being redirected

7 replies to this topic

#1 frank1234

Posted 25 November 2008 - 12:31 AM

All search engine results are being redirected to monstermarketplace. I have tried using SuperAntiSpyware, Malwarebytes', Spybot, Trend Micro OfficeScan, and installed Windows SP3. The problem will not go away.

Logfile of random's system information tool 1.04 (written by random/random)
Run by 98957 at 2008-11-24 21:02:16
Microsoft Windows XP Professional Service Pack 3
System drive C: has 9 GB (25%) free of 36 GB
Total RAM: 1015 MB (44% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:02, on 2008-11-24
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\mnmsrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\tmasea\tmasca.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\tmasea\tmasea.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\logon.scr
C:\Documents and Settings\98957\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\98957.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://enet.grubb-ellis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gbe
O17 - HKLM\Software\..\Telephony: DomainName = gbe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gbe
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = gbe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Antispyware Client Agent - Trend Micro, Inc. - C:\Program Files\Trend Micro\tmasea\tmasca.exe
O23 - Service: Antispyware Engine Agent - Trend Micro, Inc. - C:\Program Files\Trend Micro\tmasea\tmasea.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--
End of file - 6073 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Discovery User Input"=C:\Discovery\User Input\userin32.exe [2008-02-29 229376]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-03-28 413696]
"OfficeScanNT Monitor"=C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe [2007-05-07 702072]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2008-04-23 483328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
C:\WINDOWS\system32\irprops.cpl [2008-04-13 380416]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Discovery User Input]
C:\Discovery\User Input\userin32.exe [2008-02-29 229376]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe [2003-07-10 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe [2003-09-30 536576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe [2003-07-10 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-03-30 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
C:\WINDOWS\system32\ICO.EXE [2003-11-20 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-03-28 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe [2002-11-08 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe [2002-10-16 1622016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_Start]
C:\IBMTools\Updater\ucstartup.exe [2003-03-17 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2008-05-19 25214]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2008-08-28 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-07-10 319488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-07-21 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Support.com\Bin\tgcmd.exe"="C:\Program Files\Support.com\Bin\tgcmd.exe:*:Enabled:Support.com Scheduler and Command Dispatcher"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"

======List of files/folders created in the last 1 months======

2008-11-24 21:02:16 ----D---- C:\rsit
2008-11-24 19:33:13 ----D---- C:\WINDOWS\LastGood
2008-11-24 19:29:53 ----D---- C:\Program Files\EsetOnlineScanner
2008-11-24 18:29:30 ----SHD---- C:\RECYCLER
2008-11-24 18:25:39 ----D---- C:\WINDOWS\temp
2008-11-24 18:25:36 ----A---- C:\ComboFix.txt
2008-11-24 18:22:26 ----RASHD---- C:\cmdcons
2008-11-24 18:21:10 ----A---- C:\WINDOWS\zip.exe
2008-11-24 18:21:10 ----A---- C:\WINDOWS\VFIND.exe
2008-11-24 18:21:10 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-11-24 18:21:10 ----A---- C:\WINDOWS\SWSC.exe
2008-11-24 18:21:10 ----A---- C:\WINDOWS\SWREG.exe
2008-11-24 18:21:10 ----A---- C:\WINDOWS\sed.exe
2008-11-24 18:21:10 ----A---- C:\WINDOWS\NIRCMD.exe
2008-11-24 18:21:10 ----A---- C:\WINDOWS\grep.exe
2008-11-24 18:21:10 ----A---- C:\WINDOWS\fdsv.exe
2008-11-24 18:21:06 ----D---- C:\ComboFix
2008-11-24 16:45:10 ----D---- C:\WINDOWS\Profiles
2008-11-24 16:45:06 ----D---- C:\Documents and Settings\98957\Application Data\InterTrust
2008-11-24 15:16:38 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-24 15:16:38 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-24 14:03:30 ----D---- C:\WINDOWS\Prefetch
2008-11-24 13:57:38 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-11-24 13:57:32 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-24 13:57:25 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-11-24 13:57:16 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-11-24 13:57:10 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-11-24 13:57:01 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-24 13:56:55 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-11-24 13:56:48 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-11-24 13:56:41 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-11-24 13:56:33 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-11-24 13:56:27 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-11-24 13:56:21 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-11-24 13:56:14 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2008-11-24 13:56:06 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-11-24 13:56:00 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-11-24 13:55:53 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-11-24 13:55:46 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-11-24 13:55:40 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-11-24 13:46:12 ----D---- C:\WINDOWS\system32\scripting
2008-11-24 13:46:10 ----D---- C:\WINDOWS\l2schemas
2008-11-24 13:46:09 ----D---- C:\WINDOWS\system32\en
2008-11-24 13:46:09 ----D---- C:\WINDOWS\system32\bits
2008-11-21 21:24:50 ----A---- C:\HJTInstall.exe
2008-11-21 20:50:12 ----D---- C:\Program Files\QuickTime
2008-11-21 20:37:45 ----D---- C:\Email
2008-11-21 20:27:38 ----A---- C:\WINDOWS\system32\javaws.exe
2008-11-21 20:27:38 ----A---- C:\WINDOWS\system32\javaw.exe
2008-11-21 20:27:38 ----A---- C:\WINDOWS\system32\java.exe
2008-11-21 20:25:51 ----D---- C:\Documents and Settings\98957\Application Data\Sun
2008-11-21 20:01:35 ----A---- C:\Boot.bak
2008-11-21 19:59:20 ----D---- C:\WINDOWS\ERDNT
2008-11-21 19:59:20 ----D---- C:\Qoobox
2008-11-21 19:09:42 ----D---- C:\!KillBox
2008-11-21 18:56:17 ----A---- C:\VundoFix.txt
2008-11-21 18:22:41 ----D---- C:\WINDOWS\ERUNT
2008-11-21 18:17:48 ----D---- C:\SDFix
2008-11-21 17:43:14 ----D---- C:\HijackThis
2008-11-21 17:12:40 ----D---- C:\WINDOWS\pss
2008-11-21 13:10:26 ----D---- C:\Documents and Settings\98957\Application Data\Malwarebytes
2008-11-21 13:10:20 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-21 13:10:20 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-18 12:58:40 ----DC---- C:\WINDOWS\$NtUninstallWdf01005$
2008-11-18 12:57:23 ----D---- C:\Documents and Settings\All Users\Application Data\Logitech
2008-11-18 12:57:21 ----D---- C:\Program Files\Logitech
2008-11-18 12:57:18 ----D---- C:\Program Files\Common Files\Logitech
2008-11-18 12:56:58 ----D---- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-11-18 12:17:38 ----D---- C:\Documents and Settings\98957\Application Data\SUPERAntiSpyware.com
2008-11-18 11:22:04 ----D---- C:\Config.Msi
2008-11-18 11:16:39 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-17 15:39:18 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-11-13 13:33:08 ----D---- C:\Program Files\QuickTime(2)
2008-11-13 13:15:36 ----D---- C:\Documents and Settings\98957\Application Data\Apple Computer
2008-11-13 10:27:50 ----D---- C:\Documents and Settings\98957\Application Data\Macromedia
2008-11-12 13:02:39 ----D---- C:\Documents and Settings\98957\Application Data\AdobeUM
2008-11-12 12:48:12 ----D---- C:\1097
2008-11-12 12:47:26 ----D---- C:\Program Files\ARGUS
2008-11-12 12:47:26 ----A---- C:\WINDOWS\system32\rexmlt.dll
2008-11-12 12:47:26 ----A---- C:\WINDOWS\system32\MSXML2A.DLL
2008-11-12 12:47:24 ----RA---- C:\WINDOWS\system32\GSWDLL32.DLL
2008-11-12 12:47:24 ----RA---- C:\WINDOWS\system32\GSWAG32.DLL
2008-11-12 12:47:24 ----RA---- C:\WINDOWS\system32\GSW32.EXE
2008-11-12 12:47:24 ----A---- C:\WINDOWS\system32\hh.exe
2008-11-12 12:47:24 ----A---- C:\WINDOWS\system32\fpimage.dll
2008-11-12 12:47:24 ----A---- C:\WINDOWS\system32\FAIBL13.DLL
2008-11-12 12:47:24 ----A---- C:\WINDOWS\system32\ARUnZip.DLL
2008-11-12 12:47:24 ----A---- C:\WINDOWS\system32\ARBIN.dll
2008-11-12 12:46:48 ----D---- C:\Documents and Settings\98957\Application Data\InstallShield
2008-11-12 12:38:05 ----A---- C:\WINDOWS\system32\MM_CTRL.TXT
2008-11-12 12:38:05 ----A---- C:\WINDOWS\system32\IMGFB6MU.DLL
2008-11-12 12:38:05 ----A---- C:\WINDOWS\system32\IMGFB6MN.DLL
2008-11-12 12:38:05 ----A---- C:\WINDOWS\system32\IMG32MMB.DLL
2008-11-12 12:38:05 ----A---- C:\WINDOWS\system32\IMG32MM.DLL
2008-11-12 12:38:02 ----A---- C:\WINDOWS\system32\IMGFX6MU.DLL
2008-11-12 12:38:01 ----A---- C:\WINDOWS\system32\IMGFX6MN.DLL
2008-11-12 12:37:58 ----A---- C:\WINDOWS\system32\nmdcxp32.dll
2008-11-12 12:37:58 ----A---- C:\WINDOWS\system32\nmdcsv32.dll
2008-11-12 12:37:58 ----A---- C:\WINDOWS\system32\nmdcms32.dll
2008-11-12 12:37:58 ----A---- C:\WINDOWS\system32\nmdcext.dll
2008-11-12 12:37:58 ----A---- C:\WINDOWS\system32\nmdcab32.dll
2008-11-12 12:37:47 ----D---- C:\Program Files\Nortel
2008-11-12 12:37:47 ----D---- C:\CLEANUP
2008-11-12 11:22:41 ----D---- C:\Documents and Settings\98957\Application Data\Sonic
2008-11-12 11:16:45 ----D---- C:\Documents and Settings\98957\Application Data\Adobe
2008-11-12 11:15:54 ----ASH---- C:\Documents and Settings\98957\Application Data\desktop.ini
2008-11-12 11:15:53 ----SD---- C:\Documents and Settings\98957\Application Data\Microsoft
2008-11-12 11:15:53 ----D---- C:\Documents and Settings\98957\Application Data\Symantec
2008-11-12 11:15:53 ----D---- C:\Documents and Settings\98957\Application Data\Identities
2008-11-12 11:11:15 ----HDC---- C:\WINDOWS\$NtUninstallKB956803_0$
2008-11-12 11:11:07 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-11-12 11:10:59 ----HDC---- C:\WINDOWS\$NtUninstallKB957095_0$
2008-11-12 11:10:10 ----HDC---- C:\WINDOWS\$NtUninstallKB954211_0$
2008-11-12 11:08:37 ----HDC---- C:\WINDOWS\$NtUninstallKB956841_0$
2008-11-12 11:08:26 ----D---- C:\Program Files\MSXML 6.0
2008-11-12 11:08:15 ----HDC---- C:\WINDOWS\$NtUninstallKB957097_0$
2008-11-12 11:08:06 ----HDC---- C:\WINDOWS\$NtUninstallKB958644_0$
2008-11-12 11:07:53 ----HDC---- C:\WINDOWS\$NtUninstallKB955069_0$

======List of files/folders modified in the last 1 months======

2008-11-24 19:33:16 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-24 19:33:16 ----AD---- C:\WINDOWS\system32
2008-11-24 19:33:13 ----AD---- C:\WINDOWS
2008-11-24 19:29:53 ----RD---- C:\Program Files
2008-11-24 18:39:05 ----SHD---- C:\WINDOWS\Installer
2008-11-24 18:39:02 ----D---- C:\WINDOWS\system32\drivers
2008-11-24 18:39:00 ----D---- C:\Program Files\Trend Micro
2008-11-24 18:34:39 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-24 18:33:52 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-24 18:24:46 ----N---- C:\WINDOWS\system.ini
2008-11-24 18:24:06 ----D---- C:\WINDOWS\AppPatch
2008-11-24 18:24:06 ----D---- C:\Program Files\Common Files
2008-11-24 18:22:31 ----RASH---- C:\BOOT.INI
2008-11-24 16:49:23 ----A---- C:\WINDOWS\hpbafd.ini
2008-11-24 16:45:06 ----D---- C:\Program Files\Common Files\Adobe
2008-11-24 14:12:38 ----A---- C:\WINDOWS\OEWABLog.txt
2008-11-24 14:06:44 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-24 14:03:06 ----D---- C:\WINDOWS\system32\Setup
2008-11-24 14:03:06 ----D---- C:\Program Files\NetMeeting
2008-11-24 14:03:05 ----RSD---- C:\WINDOWS\Fonts
2008-11-24 14:03:05 ----D---- C:\WINDOWS\system32\wbem
2008-11-24 14:02:59 ----RSHD---- C:\WINDOWS\system32\dllcache
2008-11-24 14:02:43 ----D---- C:\WINDOWS\security
2008-11-24 13:57:40 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-24 13:57:37 ----HD---- C:\WINDOWS\inf
2008-11-24 13:55:48 ----D---- C:\Program Files\Messenger
2008-11-24 13:47:46 ----A---- C:\WINDOWS\setuplog.txt
2008-11-24 13:46:51 ----D---- C:\WINDOWS\WinSxS
2008-11-24 13:46:32 ----D---- C:\WINDOWS\system32\inetsrv
2008-11-24 13:46:32 ----D---- C:\WINDOWS\network diagnostic
2008-11-24 13:46:32 ----D---- C:\WINDOWS\ime
2008-11-24 13:46:31 ----D---- C:\WINDOWS\Help
2008-11-24 13:46:13 ----D---- C:\WINDOWS\system32\usmt
2008-11-24 13:46:13 ----D---- C:\WINDOWS\system32\en-US
2008-11-24 13:46:09 ----D---- C:\WINDOWS\peernet
2008-11-24 13:46:08 ----D---- C:\Program Files\Movie Maker
2008-11-24 13:42:37 ----D---- C:\WINDOWS\system32\Restore
2008-11-24 13:42:37 ----D---- C:\WINDOWS\system32\npp
2008-11-24 13:42:37 ----D---- C:\WINDOWS\mui
2008-11-24 13:42:35 ----D---- C:\WINDOWS\msagent
2008-11-24 13:42:33 ----D---- C:\WINDOWS\srchasst
2008-11-24 13:42:30 ----D---- C:\WINDOWS\system32\Com
2008-11-24 13:42:27 ----D---- C:\Program Files\Windows Media Player
2008-11-24 13:42:26 ----D---- C:\Program Files\Windows NT
2008-11-24 13:42:26 ----D---- C:\Program Files\Outlook Express
2008-11-24 13:42:23 ----D---- C:\Program Files\Common Files\System
2008-11-24 13:42:07 ----AD---- C:\WINDOWS\system32\oobe
2008-11-24 13:42:05 ----D---- C:\WINDOWS\system
2008-11-24 13:39:00 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-11-24 13:38:49 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2008-11-24 13:35:26 ----D---- C:\WINDOWS\EHome
2008-11-24 13:04:02 ----D---- C:\WINDOWS\SoftwareDistribution
2008-11-21 22:20:25 ----A---- C:\WINDOWS\cfgall.ini
2008-11-21 22:19:16 ----D---- C:\WINDOWS\system32\appmgmt
2008-11-21 22:19:12 ----D---- C:\Documents and Settings
2008-11-21 22:12:18 ----A---- C:\WINDOWS\win.ini
2008-11-21 21:51:24 ----D---- C:\Program Files\Google
2008-11-21 21:43:21 ----SHD---- C:\System Volume Information
2008-11-21 21:07:05 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-21 20:51:51 ----D---- C:\Program Files\SUPERAntiSpyware
2008-11-21 20:51:20 ----D---- C:\WINDOWS\system32\config
2008-11-21 20:50:53 ----D---- C:\WINDOWS\Registration
2008-11-21 20:50:32 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-11-21 20:50:26 ----D---- C:\Program Files\Apple Software Update
2008-11-21 20:49:02 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2008-11-21 20:27:13 ----D---- C:\Program Files\Java
2008-11-18 13:01:23 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-18 12:59:37 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-11-18 11:53:25 ----D---- C:\WINDOWS\system32\LogFiles
2008-11-18 11:24:29 ----SHD---- C:\WINDOWS\CSC
2008-11-13 13:33:07 ----D---- C:\Program Files\Common Files\Apple
2008-11-13 13:29:53 ----SD---- C:\WINDOWS\Tasks
2008-11-12 12:46:07 ----D---- C:\Program Files\Metropolis
2008-11-12 12:33:32 ----A---- C:\WINDOWS\ODBC.INI
2008-11-12 11:11:14 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-12 11:10:42 ----D---- C:\Program Files\Internet Explorer
2008-11-12 11:03:36 ----RSD---- C:\WINDOWS\assembly
2008-11-12 10:59:19 ----D---- C:\Program Files\Microsoft.NET
2008-11-12 10:54:19 ----D---- C:\Program Files\Adobe
2008-11-12 10:51:58 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-11-03 16:10:26 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 pelmouse;Mouse Suite Driver; C:\WINDOWS\System32\DRIVERS\pelmouse.sys [2003-01-10 16384]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2007-07-25 77712]
R2 PMEM;PMEM; \??\C:\WINDOWS\system32\drivers\PMEMNT.SYS []
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R2 TmFilter;Trend Micro Filter; \??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys []
R2 TmPreFilter;Trend Micro PreFilter; \??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys []
R2 VSApiNt;Trend Micro VSAPI NT; \??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys []
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-07-22 120062]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-07-22 96858]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-08-22 98752]
R3 CdProbe;CdProbe; \??\C:\WINDOWS\system32\DRIVERS\CDProbe.SYS []
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2003-03-04 145408]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2003-07-22 91419]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-11-25 537152]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 pelps2m;PS/2 Mouse Filter Driver; C:\WINDOWS\System32\DRIVERS\pelps2m.sys [2003-01-20 18048]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\System32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\System32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Antispyware Client Agent;Antispyware Client Agent; C:\Program Files\Trend Micro\tmasea\tmasca.exe [2007-04-30 307200]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592]
R2 CentennialClientAgent;CentennialClientAgent; C:\Centenn.ial\Audit\CAgent32.exe [2008-02-29 856064]
R2 CentennialIPTransferAgent;CentennialIPTransferAgent; C:\Centenn.ial\Audit\xferwan.exe [2008-02-29 303104]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 ntrtscan;OfficeScanNT RealTime Scan; C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe [2007-05-07 771704]
R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
R2 tmlisten;OfficeScan NT Listener; C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe [2007-08-21 804208]
R3 Antispyware Engine Agent;Antispyware Engine Agent; C:\Program Files\Trend Micro\tmasea\tmasea.exe [2007-04-30 421888]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2007-05-14 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-07 138168]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-03-30 504104]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 TmProxy;OfficeScan NT Proxy Service; C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe [2007-04-27 575064]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.04 2008-11-24 21:02:25

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\SETUP.EXE"
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\SETUP.EXE"
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\SETUP.EXE"
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Access IBM Cleanup Utility-->MsiExec.exe /I{CF44C7A5-5705-41E4-BE84-A9A42977AB05}
Access IBM Message Center-->MsiExec.exe /X{710C0BB2-FE39-484E-BB23-C9B96835A14A}
Access IBM Tools-->C:\Program Files\IBM\Access IBM\IBMUINST.EXE
Access IBM-->MsiExec.exe /X{B5599ECB-DA72-43EE-8A30-2C80396FF8BB}
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Acrobat 7.1.0 Standard-->msiexec /I {AC76BA86-1033-0000-BA7E-000000000002}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ARGUS 2007-->"C:\Program Files\InstallShield Installation Information\{2D87211A-CCAB-486E-A9C5-AFE5C0B3DB69}\setup.exe" -runfromtemp -l0x0009 RemoveARGUS -removeonly
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
ESET Online Scanner-->C:\WINDOWS\system32\OnlineScannerUninstaller.exe
Google Earth-->MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
IBM 32-bit SDK for Java 2, v1.4.1-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6C72E14A-C1F3-45E5-8810-83CE3C19ED63} /l1033
IBM Access Support - Local Content Pack-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E34AB5C-B893-4EE9-82F3-F195978D009D}\Setup.exe" -l0x9
IBM Access Support-->wscript "C:\Program Files\Support.com\bin\uninstall.vbs" -uninstall -release1
IBM Update Connector-->MsiExec.exe /X{31C2FBAC-67CF-4093-8F36-15A146613747}
Intel® Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers-->Prounstl.exe
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes-->MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Metropolis-->C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\Metropolis\ST5UNST.LOG"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mouse Suite-->Pmuninst.exe MouseSuite98
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
Nortel CallPilot Desktop Messaging-->MsiExec.exe /X{1EB719BF-360C-464B-8E49-4641ECF9CFD9}
PC-Doctor for Windows-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\SETUP.EXE"
ProCalc 17 for Microsoft Excel 1997-2003-->MsiExec.exe /I{F75F3F15-3601-41FB-A446-A71132C3CBC8}
QuickTime-->MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Safari-->MsiExec.exe /I{F0E8F94D-6E68-4B35-92DF-3AA6DC6A6768}
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.EXE"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Support.com Software-->wscript "C:\Program Files\Support.com\bin\admins.vbs"
ThinkCentre Wallpaper-->MsiExec.exe /I{80380166-A872-4B78-B98A-33447A032BDF}
Trend Micro Anti-Spyware Client-->MsiExec.exe /X{512CBBA8-7B26-4DE3-BACF-0DB0B3BF3664}
Trend Micro OfficeScan Client-->"C:\Program Files\Trend Micro\OfficeScan Client\ntrmv.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
WinAIR Forms 2.0-->C:\PROGRA~1\WINAIR~1\UNWISE.EXE C:\PROGRA~1\WINAIR~1\INSTALL.LOG
Windows Installer Clean Up-->MsiExec.exe /I{121634B0-2F4A-11D3-ADA3-00C04F52DD53}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

=====HijackThis Backups=====

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - https://download.infotriever.com/bin/ifhelper.cab
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Audit\xferwan.exe
O4 - HKLM\..\Run: [tgcmd] rem "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [UpdateManager] rem "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Audit\CAgent32.exe
O4 - HKLM\..\Run: [UC_Start] rem C:\IBMTools\Updater\ucstartup.exe
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Web Technologies\iebtm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - https://download.infotriever.com/bin/ifhelper.cab
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: Trend Micro OfficeScan Antivirus
AV: Trend Micro OfficeScan Antivirus
AV: Trend Micro OfficeScan Antivirus

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\PC-Doctor for Windows\services;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip

-----------------EOF-----------------
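The "HijackThis Backups" section above records entries that had already been fixed, and two of them are the ones a responder would look at first given a search-redirect complaint: an Internet Explorer SearchURL pointing at internetsearchservice.com rather than the Microsoft default, and an autorun under HKLM\..\Policies\Explorer\Run launching C:\Program Files\Web Technologies\iebtm.exe. As an added example (not part of the original post and not a HijackThis or BleepingComputer tool), the Python below parses HijackThis-style R0/R1 and O4 lines and flags search URLs whose host is not on an expected list and autoruns placed under Policies\Explorer\Run, while ignoring Run entries that are stored commented out with a leading "rem". The expected-host list and the sample lines (copied from the log above) are assumptions for the demonstration.

```python
"""Triage pass over HijackThis-style log lines (added example, not HijackThis code).

Line shapes handled:
    R1 - <registry key>,<value name> = <data>
    O4 - <registry key>: [<value name>] <command line>
Anything else is passed through unflagged.
"""
import re
from urllib.parse import urlsplit

# R0/R1 registry lines: key up to the first comma, value name up to " =", rest is data.
R_LINE = re.compile(r"^(R[01]) - (.+?),([^=]+?) = ?(.*)$")
# O4 autorun lines: key up to ": [", value name in brackets, rest is the command line.
O4_LINE = re.compile(r"^(O4) - (.+?): \[(.*?)\] (.*)$")

# Hosts Internet Explorer's default Search/Start pages legitimately point at
# (assumption for this demo; extend per environment).
EXPECTED_SEARCH_HOSTS = {"go.microsoft.com", "www.microsoft.com"}

# Constructed sample: lines copied from the HijackThis backups posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
O4 - HKLM\..\Run: [tgcmd] rem "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Web Technologies\iebtm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""


def parse_line(line):
    """Return a dict with type/key/name/data for R0, R1 and O4 lines, else None."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        return {"type": m.group(1), "key": m.group(2), "name": m.group(3), "data": m.group(4).strip()}
    m = O4_LINE.match(line)
    if m:
        return {"type": "O4", "key": m.group(2), "name": m.group(3), "data": m.group(4).strip()}
    return None


def triage(line):
    """Return a list of finding strings for one log line; an empty list means nothing flagged."""
    entry = parse_line(line)
    if entry is None:
        return []
    findings = []

    if entry["type"] in ("R0", "R1") and entry["data"].lower().startswith(("http://", "https://")):
        # An empty value (e.g. "CustomizeSearch =") is the IE default and never reaches here.
        host = (urlsplit(entry["data"]).hostname or "").lower()
        if host not in EXPECTED_SEARCH_HOSTS:
            findings.append(f"{entry['name']} points at unexpected host {host}")

    if entry["type"] == "O4":
        # A command stored as 'rem "..."' has no executable named rem to run, so it is
        # effectively disabled and not worth flagging as an active autorun.
        if entry["data"].lower().startswith("rem "):
            return findings
        # Policies\Explorer\Run is a policy-driven autorun location rarely used by
        # legitimate software, so anything there gets a look.
        if "Policies\\Explorer\\Run" in entry["key"]:
            findings.append(f"autorun via Policies\\Explorer\\Run: {entry['data']}")

    return findings


def triage_log(text):
    """Run triage over a whole log; return [(line, findings), ...] for flagged lines only."""
    flagged = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        findings = triage(raw)
        if findings:
            flagged.append((raw.strip(), findings))
    return flagged


if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG):
        print(line)
        for f in findings:
            print("   ->", f)
```

Run against the sample, the pass flags exactly the SearchURL line and the Policies\Explorer\Run line; the Microsoft fwlink entries, the empty CustomizeSearch value, the rem-disabled tgcmd autorun and the O23 service line are left alone. The host allow-list is the knob to tune: an enterprise build that sets its own corporate start page would add that host rather than accept a flag on every machine.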

#2 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Location: Redmond, Washington

Posted 01 December 2008 - 11:03 PM

Hello, frank1234
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the reply button in the lower left-hand corner of your screen.
We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click the OTViewIt icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTViewIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click gmer.exe on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and paste the contents of that file in your next post.
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt
  • GMER's Log


Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 frank1234

  • Topic Starter
  • Members
  • 5 posts

Posted 02 December 2008 - 08:32 PM

Here's the OTViewIT log:

OTViewIt logfile created on: 2008-12-02 16:12:08 - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\98957\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

1014.98 Mb Total Physical Memory | 534.72 Mb Available Physical Memory | 52.68% Memory free
2.39 Gb Paging File | 2.08 Gb Available in Paging File | 87.27% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.97 Gb Total Space | 8.57 Gb Free Space | 24.50% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 683.50 Gb Total Space | 145.92 Gb Free Space | 21.35% Space Free | Partition Type: NTFS
Drive H: | 298.09 Gb Total Space | 133.96 Gb Free Space | 44.94% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive K: | 683.50 Gb Total Space | 145.92 Gb Free Space | 21.35% Space Free | Partition Type: NTFS
Drive S: | 683.50 Gb Total Space | 145.92 Gb Free Space | 21.35% Space Free | Partition Type: NTFS
Drive U: | 683.50 Gb Total Space | 145.92 Gb Free Space | 21.35% Space Free | Partition Type: NTFS

Computer Name: NPB98957WXP
Current User Name: 98957
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2007-04-30 17:06:06 | 00,307,200 | ---- | M] (Trend Micro, Inc.) -- C:\Program Files\Trend Micro\tmasea\tmasca.exe
[2008-02-18 10:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[2008-02-29 09:04:34 | 00,856,064 | ---- | M] (Centennial Software Limited ) -- C:\CENTENN.IAL\AUDIT\cagent32.exe
[2008-02-29 09:04:36 | 00,303,104 | ---- | M] (Centennial Software Limited ) -- C:\CENTENN.IAL\AUDIT\xferwan.exe
[2003-06-19 22:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
[2007-05-07 23:45:22 | 00,771,704 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
[2008-04-13 16:12:33 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe
[2002-09-20 15:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
[2007-08-21 16:47:10 | 00,804,208 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
[2007-04-23 19:14:42 | 00,415,352 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
[2007-04-30 17:05:48 | 00,421,888 | ---- | M] (Trend Micro, Inc.) -- C:\Program Files\Trend Micro\tmasea\tmasea.exe
[2007-05-07 23:43:06 | 00,702,072 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
[2008-12-02 00:51:34 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\98957\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2007-05-14 08:41:14 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
[2007-04-30 17:06:06 | 00,307,200 | ---- | M] (Trend Micro, Inc.) -- C:\Program Files\Trend Micro\tmasea\tmasca.exe -- (Antispyware Client Agent [Auto | Running])
[2007-04-30 17:05:48 | 00,421,888 | ---- | M] (Trend Micro, Inc.) -- C:\Program Files\Trend Micro\tmasea\tmasea.exe -- (Antispyware Engine Agent [On_Demand | Running])
[2008-02-18 10:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
[2007-10-24 00:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2008-02-29 09:04:34 | 00,856,064 | ---- | M] (Centennial Software Limited ) -- C:\CENTENN.IAL\AUDIT\cagent32.exe -- (CentennialClientAgent [Auto | Running])
[2008-02-29 09:04:36 | 00,303,104 | ---- | M] (Centennial Software Limited ) -- C:\CENTENN.IAL\AUDIT\xferwan.exe -- (CentennialIPTransferAgent [Auto | Running])
[2007-10-24 00:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2007-06-07 14:21:25 | 00,138,168 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
[2008-03-30 09:36:30 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
[2003-06-19 22:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
[2007-05-07 23:45:22 | 00,771,704 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe -- (ntrtscan [Auto | Running])
[2003-07-28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2002-09-20 15:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default) [Auto | Running])
[2007-08-21 16:47:10 | 00,804,208 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe -- (tmlisten [Auto | Running])
[2007-04-27 19:35:28 | 00,575,064 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe -- (TmProxy [On_Demand | Stopped])
[2006-10-18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2001-08-17 11:20:04 | 00,096,256 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc [On_Demand | Stopped])
[2002-08-22 16:57:02 | 00,098,752 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
[2001-08-17 12:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\drivers\aliide.sys -- (AliIde [Disabled | Stopped])
[2008-04-13 10:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\drivers\amdagp.sys -- (amdagp [Disabled | Stopped])
[2001-08-17 12:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\drivers\asc.sys -- (asc [Disabled | Stopped])
[2001-08-17 12:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\drivers\asc3550.sys -- (asc3550 [Disabled | Stopped])
[2008-11-26 09:35:41 | 00,009,248 | ---- | M] (Centennial Software Limited ) -- C:\WINDOWS\system32\drivers\CDProbe.SYS -- (CdProbe [On_Demand | Running])
[2001-08-17 12:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\drivers\cmdide.sys -- (CmdIde [Disabled | Stopped])
[2001-08-17 12:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\drivers\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
[2003-03-04 11:56:26 | 00,145,408 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B [On_Demand | Running])
[2008-01-29 11:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2003-07-22 11:49:28 | 00,091,419 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm [On_Demand | Running])
[2008-04-13 10:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Running])
[2001-08-17 12:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\drivers\mraid35x.sys -- (mraid35x [Disabled | Stopped])
[2004-08-03 21:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Stopped])
[2003-01-10 12:55:32 | 00,016,384 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\drivers\PELMOUSE.SYS -- (pelmouse [System | Running])
[2003-01-20 21:28:18 | 00,018,048 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\drivers\PELPS2M.SYS -- (pelps2m [On_Demand | Stopped])
[2001-09-13 06:58:02 | 00,007,012 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\PMEMNT.SYS -- (PMEM [Auto | Running])
[2001-08-18 01:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2004-12-08 02:03:00 | 00,020,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2001-08-17 12:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql1080.sys -- (ql1080 [Disabled | Stopped])
[2001-08-17 12:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql12160.sys -- (ql12160 [Disabled | Stopped])
[2001-08-17 12:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql1280.sys -- (ql1280 [Disabled | Stopped])
[2008-07-21 07:01:27 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
[2006-02-16 15:51:08 | 00,004,096 | R--- | M] (SuperAdBlocker, Inc.) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
[2008-07-21 07:01:27 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [System | Running])
[2007-11-13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2008-04-13 10:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\drivers\sisagp.sys -- (sisagp [Disabled | Stopped])
[2002-11-25 12:37:40 | 00,537,152 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
[2001-08-17 13:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\drivers\sparrow.sys -- (Sparrow [Disabled | Stopped])
[2001-08-17 13:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\drivers\symc810.sys -- (symc810 [Disabled | Stopped])
[2001-08-17 13:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\symc8xx.sys -- (symc8xx [Disabled | Stopped])
[2001-08-17 13:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_hi.sys -- (sym_hi [Disabled | Stopped])
[2001-08-17 13:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
[2007-12-24 16:37:00 | 00,138,384 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm [Auto | Running])
[2008-08-16 02:00:52 | 00,205,328 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\tmxpflt.sys -- (TmFilter [Auto | Running])
[2008-08-16 02:00:46 | 00,036,368 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\tmpreflt.sys -- (TmPreFilter [Auto | Running])
[2007-07-25 21:09:38 | 00,077,712 | ---- | M] (Trend Micro Incorporated.) -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi [System | Running])
[2001-08-17 12:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\drivers\ultra.sys -- (ultra [Disabled | Stopped])
[2008-04-13 10:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Running])
[2008-08-16 01:53:50 | 01,195,448 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\vsapint.sys -- (VSApiNt [Auto | Running])
[2003-07-22 11:50:32 | 00,120,062 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Running])
[2003-07-22 11:50:26 | 00,096,858 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page"=http://enet.grubb-ellis.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-3160790269-541405252-1063738771-233999\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page"=http://enet.grubb-ellis.com/

[HKEY_USERS\S-1-5-21-3160790269-541405252-1063738771-233999\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3160790269-541405252-1063738771-233999\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
{AE7CD045-E861-484f-8273-0445EE161910} (HKLM) -- C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" (HKLM) -- C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" (HKLM) -- C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

[HKEY_USERS\S-1-5-21-3160790269-541405252-1063738771-233999\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" (HKLM) -- C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Discovery User Input"=C:\Discovery\User Input\userin32.exe (Centennial Software Limited )
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow (Trend Micro Inc.)
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\Software\policies\microsoft\internet explorer\Infodelivery\Restrictions]
"nosplash"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoCDBurning"=0
"NoDriveTypeAutoRun"=227
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableRegistryTools"=0
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0
"HideStartupScripts"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"HideStartupScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-3160790269-541405252-1063738771-233999\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0

[HKEY_USERS\S-1-5-21-3160790269-541405252-1063738771-233999\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"HideStartupScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008-06-10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003-07-14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search && Destroy Configuration -- %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008-04-13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008-04-13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> [2008-06-10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003-07-14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008-04-13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> [2008-06-10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003-07-14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008-04-13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1031nnn.com: * in Local intranet
grubb-ellis.com: * in Local intranet

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
grubb-ellis.com: * in Local intranet
microsoft.com\office: http in My Computer
nbrwebsna.gbe: * in Local intranet
pittwebsna.gbe: * in Local intranet
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
grubb-ellis.com: * in Local intranet
microsoft.com\office: http in My Computer
nbrwebsna.gbe: * in Local intranet
pittwebsna.gbe: * in Local intranet
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-3160790269-541405252-1063738771-233999\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1031nnn.com: * in Local intranet
grubb-ellis.com: * in Local intranet

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{166B1BCA-3F9C-11CF-8075-444553540000}: http://fpdownload.macromedia.com/pub/shock...director/sw.cab -- Shockwave ActiveX Control
{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}: http://www.eset.eu/OnlineScanner.cab -- OnlineScanner Control
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}: http://java.sun.com/products/plugin/1.4.1/...all-141-win.cab -- Java Plug-in 1.4.1 <applet> redirector
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_05
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://download.macromedia.com/pub/shockwa...ash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{46F04BBB-6FFC-4101-9E47-8769C08F5205} (Servers: | Description: Intel® PRO/100 VE Network Connection)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
!SASWinLogon: "DllName" = C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL -- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
igfxcui: "DllName" = igfxsrvc.dll -- C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2007-05-08 09:17:15 | 00,000,000 | -H-- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[6 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2008-12-02 16:10:47 | 00,811,008 | ---- | C] () -- C:\Documents and Settings\98957\Desktop\gmer.exe
[2008-12-02 16:10:13 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\98957\Desktop\OTViewIt.exe
[2008-12-02 16:02:52 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\98957\Local Settings\Application Data\fusioncache.dat
[2008-12-02 16:02:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\Local Settings\Application Data\ApplicationHistory
[2008-11-29 00:51:30 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2008-11-24 21:02:16 | 00,000,000 | ---D | C] -- C:\rsit
[2008-11-24 21:01:24 | 00,305,705 | ---- | C] () -- C:\Documents and Settings\98957\Desktop\RSIT.exe
[2008-11-24 20:18:36 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\98957\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008-11-24 19:29:53 | 00,000,000 | ---D | C] -- C:\Program Files\EsetOnlineScanner
[2008-11-24 18:29:30 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2008-11-24 18:25:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2008-11-24 18:22:26 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2008-11-24 18:21:10 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2008-11-24 18:21:10 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2008-11-24 18:21:10 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2008-11-24 18:21:10 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2008-11-24 18:21:10 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2008-11-24 18:21:10 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2008-11-24 18:21:10 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2008-11-24 18:21:10 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2008-11-24 18:21:10 | 00,028,672 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2008-11-24 18:21:06 | 00,000,000 | ---D | C] -- C:\ComboFix
[2008-11-24 18:19:48 | 03,052,195 | R--- | C] () -- C:\Documents and Settings\98957\Desktop\ComboFix.exe
[2008-11-24 16:45:12 | 00,000,893 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Acrobat Reader 5.0.lnk
[2008-11-24 16:45:10 | 00,000,000 | ---D | C] -- C:\WINDOWS\Profiles
[2008-11-24 16:45:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\Application Data\InterTrust
[2008-11-24 15:16:44 | 00,000,944 | ---- | C] () -- C:\Documents and Settings\98957\Desktop\Spybot - Search & Destroy.lnk
[2008-11-24 15:16:38 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2008-11-24 15:16:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2008-11-24 15:15:29 | 15,083,520 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\98957\My Documents\spybotsd160.exe
[2008-11-24 15:04:56 | 00,347,578 | ---- | C] () -- C:\Documents and Settings\98957\My Documents\ie export.reg
[2008-11-24 14:03:30 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2008-11-24 13:46:12 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2008-11-24 13:46:10 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2008-11-24 13:46:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2008-11-24 13:46:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2008-11-21 22:24:50 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008-11-21 22:24:50 | 00,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008-11-21 22:24:47 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008-11-21 21:24:58 | 00,001,745 | ---- | C] () -- C:\Documents and Settings\98957\Desktop\HijackThis.lnk
[2008-11-21 21:24:50 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\HJTInstall.exe
[2008-11-21 20:54:38 | 00,060,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys
[2008-11-21 20:50:12 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2008-11-21 20:43:02 | 00,024,440 | ---- | C] () -- C:\Outlook.NK2
[2008-11-21 20:37:45 | 00,000,000 | ---D | C] -- C:\Email
[2008-11-21 20:25:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\Application Data\Sun
[2008-11-21 20:01:35 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2008-11-21 20:01:31 | 00,260,272 | ---- | C] () -- C:\cmldr
[2008-11-21 19:59:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2008-11-21 19:59:20 | 00,000,000 | ---D | C] -- C:\Qoobox
[2008-11-21 19:09:42 | 00,000,000 | ---D | C] -- C:\!KillBox
[2008-11-21 18:29:22 | 10,643,57888 | -HS- | C] () -- C:\hiberfil.sys
[2008-11-21 18:22:41 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2008-11-21 18:17:48 | 00,000,000 | ---D | C] -- C:\SDFix
[2008-11-21 17:43:14 | 00,000,000 | ---D | C] -- C:\HijackThis
[2008-11-21 17:12:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2008-11-21 13:10:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\Application Data\Malwarebytes
[2008-11-21 13:10:20 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008-11-21 13:10:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008-11-18 12:59:08 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
[2008-11-18 12:58:55 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
[2008-11-18 12:58:49 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2008-11-18 12:57:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Logitech
[2008-11-18 12:57:21 | 00,000,000 | ---D | C] -- C:\Program Files\Logitech
[2008-11-18 12:57:18 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Logitech
[2008-11-18 12:56:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\LogiShrd
[2008-11-18 12:18:42 | 00,000,791 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2008-11-18 12:17:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\Application Data\SUPERAntiSpyware.com
[2008-11-18 11:22:04 | 00,000,000 | ---D | C] -- C:\Config.Msi
[2008-11-13 17:26:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\My Documents\My eBooks
[2008-11-13 13:47:43 | 00,048,600 | ---- | C] () -- C:\Documents and Settings\98957\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008-11-13 13:33:08 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime(2)
[2008-11-13 13:29:53 | 00,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2008-11-13 13:15:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\Application Data\Apple Computer
[2008-11-13 10:27:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\Application Data\Macromedia
[2008-11-13 09:33:33 | 40,024,5760 | ---- | C] () -- C:\backup.pst
[2008-11-12 13:02:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\Application Data\AdobeUM
[2008-11-12 12:57:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\My Documents\Email
[2008-11-12 12:53:36 | 00,002,521 | ---- | C] () -- C:\Documents and Settings\98957\Desktop\Microsoft Office Outlook 2003.lnk
[2008-11-12 12:48:16 | 00,001,582 | ---- | C] () -- C:\Documents and Settings\98957\Desktop\ProCalc.lnk
[2008-11-12 12:48:12 | 00,000,000 | ---D | C] -- C:\1097
[2008-11-12 12:47:26 | 00,762,992 | ---- | C] (FarPoint Technologies) -- C:\WINDOWS\System32\fpFlp30.ocx
[2008-11-12 12:47:26 | 00,688,128 | ---- | C] (Realm Business Solutions) -- C:\WINDOWS\System32\arTask.ocx
[2008-11-12 12:47:26 | 00,032,768 | ---- | C] (Realm Business Solutions, Inc.) -- C:\WINDOWS\System32\rexmlt.dll
[2008-11-12 12:47:26 | 00,021,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSXML2A.DLL
[2008-11-12 12:47:26 | 00,000,000 | ---D | C] -- C:\Program Files\ARGUS
[2008-11-12 12:47:25 | 01,328,824 | ---- | C] (FarPoint Technologies, Inc.) -- C:\WINDOWS\System32\SPR32X60.ocx
[2008-11-12 12:47:25 | 00,726,128 | ---- | C] (FarPoint Technologies) -- C:\WINDOWS\System32\Flp32a30.ocx
[2008-11-12 12:47:25 | 00,647,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\Mscomct2.ocx
[2008-11-12 12:47:25 | 00,260,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSFLXGRD.OCX
[2008-11-12 12:47:25 | 00,212,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\RICHTX32.OCX
[2008-11-12 12:47:24 | 02,609,152 | ---- | C] (Realm Business Solutions, Inc.) -- C:\WINDOWS\System32\ARBIN.dll
[2008-11-12 12:47:24 | 01,410,704 | ---- | C] (FarPoint Technologies, Inc.) -- C:\WINDOWS\System32\FPSPR70.ocx
[2008-11-12 12:47:24 | 00,729,161 | ---- | C] (FarPoint Technologies, Inc.) -- C:\WINDOWS\System32\fpimage.dll
[2008-11-12 12:47:24 | 00,622,592 | R--- | C] (Ringdale Ltd) -- C:\WINDOWS\System32\GRAPHS32.OCX
[2008-11-12 12:47:24 | 00,442,368 | ---- | C] (Realm Business Solutions, Inc.) -- C:\WINDOWS\System32\FAIBL13.DLL
[2008-11-12 12:47:24 | 00,434,176 | R--- | C] (Ringdale Ltd) -- C:\WINDOWS\System32\GSW32.EXE
[2008-11-12 12:47:24 | 00,253,952 | R--- | C] (Ringdale Ltd) -- C:\WINDOWS\System32\GSWAG32.DLL
[2008-11-12 12:47:24 | 00,225,280 | ---- | C] () -- C:\WINDOWS\System32\CompareFilesX.ocx
[2008-11-12 12:47:24 | 00,165,528 | ---- | C] () -- C:\WINDOWS\System32\Install8.chm
[2008-11-12 12:47:24 | 00,163,840 | R--- | C] (Bits Per Second Ltd) -- C:\WINDOWS\System32\GSWDLL32.DLL
[2008-11-12 12:47:24 | 00,136,959 | ---- | C] () -- C:\WINDOWS\System32\Install5.chm
[2008-11-12 12:47:24 | 00,108,907 | ---- | C] () -- C:\WINDOWS\System32\Install4.chm
[2008-11-12 12:47:24 | 00,107,827 | ---- | C] () -- C:\WINDOWS\System32\install6.chm
[2008-11-12 12:47:24 | 00,105,321 | ---- | C] () -- C:\WINDOWS\System32\Install2.chm
[2008-11-12 12:47:24 | 00,105,321 | ---- | C] () -- C:\WINDOWS\System32\install.chm
[2008-11-12 12:47:24 | 00,098,744 | ---- | C] () -- C:\WINDOWS\System32\Install3.chm
[2008-11-12 12:47:24 | 00,098,304 | ---- | C] (Info-ZIP) -- C:\WINDOWS\System32\ARUnZip.DLL
[2008-11-12 12:47:24 | 00,026,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\hh.exe
[2008-11-12 12:46:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\Application Data\InstallShield
[2008-11-12 12:44:16 | 00,000,556 | ---- | C] () -- C:\Documents and Settings\98957\Desktop\Shortcut to Metropol.lnk
[2008-11-12 12:38:05 | 00,072,192 | ---- | C] () -- C:\WINDOWS\System32\IMG32MMB.DLL
[2008-11-12 12:38:05 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\IMG32MM.DLL
[2008-11-12 12:38:05 | 00,006,144 | ---- | C] () -- C:\WINDOWS\System32\IMGFB6MU.DLL
[2008-11-12 12:38:02 | 00,006,144 | ---- | C] () -- C:\WINDOWS\System32\IMGFX6MU.DLL
[2008-11-12 12:37:58 | 00,954,368 | ---- | C] (Nortel) -- C:\WINDOWS\System32\nmdcab32.dll
[2008-11-12 12:37:58 | 00,917,504 | ---- | C] (Nortel) -- C:\WINDOWS\System32\nmdcsv32.dll
[2008-11-12 12:37:58 | 00,901,120 | ---- | C] (Nortel) -- C:\WINDOWS\System32\nmdcms32.dll
[2008-11-12 12:37:58 | 00,864,256 | ---- | C] (Nortel) -- C:\WINDOWS\System32\nmdcext.dll
[2008-11-12 12:37:58 | 00,794,624 | ---- | C] (Nortel) -- C:\WINDOWS\System32\nmdcxp32.dll
[2008-11-12 12:37:58 | 00,001,226 | ---- | C] () -- C:\WINDOWS\System32\mapisvc.inf
[2008-11-12 12:37:47 | 00,000,000 | ---D | C] -- C:\Program Files\Nortel
[2008-11-12 12:37:47 | 00,000,000 | ---D | C] -- C:\CLEANUP
[2008-11-12 12:35:00 | 00,000,554 | ---- | C] () -- C:\Documents and Settings\98957\Desktop\Shortcut to Winmetro.lnk
[2008-11-12 11:22:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\Application Data\Sonic
[2008-11-12 11:16:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\Local Settings\Application Data\Apple Computer
[2008-11-12 11:16:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\Local Settings\Application Data\Adobe
[2008-11-12 11:16:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\Application Data\Adobe
[2008-11-12 11:15:54 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\98957\Application Data\desktop.ini
[2008-11-12 11:15:53 | 04,264,146 | -H-- | C] () -- C:\Documents and Settings\98957\Local Settings\Application Data\IconCache.db
[2008-11-12 11:15:53 | 00,000,084 | -HS- | C] () -- C:\Documents and Settings\98957\Start Menu\Programs\Startup\desktop.ini
[2008-11-12 11:15:53 | 00,000,076 | -HS- | C] () -- C:\Documents and Settings\98957\My Documents\desktop.ini
[2008-11-12 11:15:53 | 00,000,000 | --SD | C] -- C:\Documents and Settings\98957\Application Data\Microsoft
[2008-11-12 11:15:53 | 00,000,000 | R--D | C] -- C:\Documents and Settings\98957\My Documents\My Pictures
[2008-11-12 11:15:53 | 00,000,000 | R--D | C] -- C:\Documents and Settings\98957\My Documents\My Music
[2008-11-12 11:15:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\Local Settings\Application Data\Microsoft
[2008-11-12 11:15:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\Application Data\Symantec
[2008-11-12 11:15:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\98957\Application Data\Identities
[2008-11-12 11:08:26 | 00,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2008-11-12 09:39:42 | 00,333,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys
[2008-11-12 09:39:08 | 01,846,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[2008-11-12 09:32:33 | 02,145,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2008-11-12 09:32:32 | 02,189,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2008-11-12 09:32:32 | 02,023,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2008-11-12 09:32:31 | 02,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2008-11-12 09:27:06 | 00,455,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2008-11-12 09:26:27 | 00,337,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2008-11-12 09:18:50 | 00,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mouhid.sys
[2008-11-12 09:18:50 | 00,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mouhid.sys

========== Files - Modified Within 30 Days ==========

[6 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2008-12-02 16:11:15 | 40,024,5760 | ---- | M] () -- C:\backup.pst
[2008-12-02 16:02:52 | 00,000,128 | ---- | M] () -- C:\Documents and Settings\98957\Local Settings\Application Data\fusioncache.dat
[2008-12-02 00:51:34 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\98957\Desktop\OTViewIt.exe
[2008-12-01 22:45:13 | 00,013,181 | ---- | M] () -- C:\WINDOWS\cfgall.ini
[2008-11-29 14:17:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2008-11-26 09:40:28 | 00,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008-11-26 09:35:41 | 00,009,248 | ---- | M] (Centennial Software Limited ) -- C:\WINDOWS\System32\drivers\CDProbe.SYS
[2008-11-26 09:35:08 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008-11-26 09:35:06 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008-11-26 09:35:05 | 10,643,57888 | -HS- | M] () -- C:\hiberfil.sys
[2008-11-26 09:34:21 | 04,264,146 | -H-- | M] () -- C:\Documents and Settings\98957\Local Settings\Application Data\IconCache.db
[2008-11-26 03:01:05 | 00,001,829 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2008-11-24 20:18:36 | 00,003,584 | ---- | M] () -- C:\Documents and Settings\98957\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008-11-24 20:08:50 | 00,305,705 | ---- | M] () -- C:\Documents and Settings\98957\Desktop\RSIT.exe
[2008-11-24 18:24:46 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2008-11-24 18:22:31 | 00,000,281 | RHS- | M] () -- C:\BOOT.INI
[2008-11-24 18:20:50 | 03,052,195 | R--- | M] () -- C:\Documents and Settings\98957\Desktop\ComboFix.exe
[2008-11-24 16:46:05 | 00,000,893 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Acrobat Reader 5.0.lnk
[2008-11-24 16:14:01 | 00,002,521 | ---- | M] () -- C:\Documents and Settings\98957\Desktop\Microsoft Office Outlook 2003.lnk
[2008-11-24 15:16:44 | 00,000,944 | ---- | M] () -- C:\Documents and Settings\98957\Desktop\Spybot - Search & Destroy.lnk
[2008-11-24 15:15:29 | 15,083,520 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\98957\My Documents\spybotsd160.exe
[2008-11-24 15:04:56 | 00,347,578 | ---- | M] () -- C:\Documents and Settings\98957\My Documents\ie export.reg
[2008-11-24 14:06:45 | 00,473,770 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008-11-24 14:06:45 | 00,089,032 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008-11-24 14:06:44 | 00,572,688 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008-11-24 14:03:09 | 00,247,904 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008-11-24 13:39:53 | 00,250,048 | RHS- | M] () -- C:\ntldr
[2008-11-21 22:24:50 | 00,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008-11-21 22:12:18 | 00,000,613 | ---- | M] () -- C:\WINDOWS\win.ini
[2008-11-21 22:12:18 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2008-11-21 21:24:58 | 00,001,745 | ---- | M] () -- C:\Documents and Settings\98957\Desktop\HijackThis.lnk
[2008-11-21 20:11:15 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2008-11-21 19:28:26 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\HJTInstall.exe
[2008-11-21 18:26:23 | 00,000,686 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2008-11-18 12:59:08 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
[2008-11-18 12:58:55 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
[2008-11-18 12:58:49 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2008-11-18 12:38:35 | 00,024,440 | ---- | M] () -- C:\Outlook.NK2
[2008-11-13 13:47:43 | 00,048,600 | ---- | M] () -- C:\Documents and Settings\98957\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008-11-12 12:48:16 | 00,001,582 | ---- | M] () -- C:\Documents and Settings\98957\Desktop\ProCalc.lnk
[2008-11-12 12:44:16 | 00,000,556 | ---- | M] () -- C:\Documents and Settings\98957\Desktop\Shortcut to Metropol.lnk
[2008-11-12 12:37:59 | 00,001,226 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2008-11-12 12:35:00 | 00,000,554 | ---- | M] () -- C:\Documents and Settings\98957\Desktop\Shortcut to Winmetro.lnk
[2008-11-12 12:33:32 | 00,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2008-11-12 11:16:22 | 00,000,076 | -HS- | M] () -- C:\Documents and Settings\98957\My Documents\desktop.ini
[2008-11-12 09:24:32 | 00,000,848 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2008-11-03 16:10:26 | 17,318,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
< End of report >

_______________________________________________________________________________________________________________________________
Here's the Extra log:

OTViewIt Extras logfile created on: 2008-12-02 16:12:08 - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\98957\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

1014.98 Mb Total Physical Memory | 534.72 Mb Available Physical Memory | 52.68% Memory free
2.39 Gb Paging File | 2.08 Gb Available in Paging File | 87.27% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.97 Gb Total Space | 8.57 Gb Free Space | 24.50% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 683.50 Gb Total Space | 145.92 Gb Free Space | 21.35% Space Free | Partition Type: NTFS
Drive H: | 298.09 Gb Total Space | 133.96 Gb Free Space | 44.94% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive K: | 683.50 Gb Total Space | 145.92 Gb Free Space | 21.35% Space Free | Partition Type: NTFS
Drive S: | 683.50 Gb Total Space | 145.92 Gb Free Space | 21.35% Space Free | Partition Type: NTFS
Drive U: | 683.50 Gb Total Space | 145.92 Gb Free Space | 21.35% Space Free | Partition Type: NTFS

Computer Name: NPB98957WXP
Current User Name: 98957
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008-04-13 16:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008-04-13 10:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008-03-30 09:36:34 | 20,638,504 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[2008-04-13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer
[2008-04-13 16:12:15 | 01,032,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008-04-13 16:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2002-10-16 00:59:54 | 01,622,016 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Support.com\Bin\tgcmd.exe:*:Enabled:Support.com Scheduler and Command Dispatcher
[2008-04-13 10:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003-07-11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003-07-11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003-07-11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2000-04-19 17:47:36 | 00,520,117 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (ms-itss:{0A9007C0-4076-11D3-8789-0000F8105754} (HKLM) [Microsoft Infotech Storage Protocol for IE 4.0])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005-04-25 12:29:55 | 08,071,360 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007-03-20 20:36:30 | 00,335,872 | ---- | M] (EzTools Software) C:\WINDOWS\system32\wowctl2.dll (x-mem1:{C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} (HKLM) [EzTools Wow2 Memory Map Asyncronous Pluggable Protocol Class])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003-07-14 21:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}"=Sonic Update Manager
"{121634B0-2F4A-11D3-ADA3-00C04F52DD53}"=Windows Installer Clean Up
"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}"=QuickTime
"{1E34AB5C-B893-4EE9-82F3-F195978D009D}"=IBM Access Support - Local Content Pack
"{1EB719BF-360C-464B-8E49-4641ECF9CFD9}"=Nortel CallPilot Desktop Messaging
"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}"=PC-Doctor for Windows
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"=Google Toolbar for Internet Explorer
"{2D87211A-CCAB-486E-A9C5-AFE5C0B3DB69}"=ARGUS 2007
"{31C2FBAC-67CF-4093-8F36-15A146613747}"=IBM Update Connector
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}"=Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}"=Google Earth
"{44734179-8A79-4DEE-BB08-73037F065543}"=Apple Mobile Device Support
"{512CBBA8-7B26-4DE3-BACF-0DB0B3BF3664}"=Trend Micro Anti-Spyware Client
"{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}"=iTunes
"{6C72E14A-C1F3-45E5-8810-83CE3C19ED63}"=IBM 32-bit SDK for Java 2, v1.4.1
"{6CE96A14-61E2-48CC-837E-22710A953ADE}"=IBM Themes
"{710C0BB2-FE39-484E-BB23-C9B96835A14A}"=Access IBM Message Center
"{80380166-A872-4B78-B98A-33447A032BDF}"=ThinkCentre Wallpaper
"{8A708DD8-A5E6-11D4-A706-000629E95E20}"=Intel® Extreme Graphics 2 Driver
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}"=Adobe Common File Installer
"{90120000-0020-0409-0000-0000000FF1CE}"=Compatibility Pack for the 2007 Office system
"{90120409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Standard Edition 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}"=InterVideo WinDVD
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}"=Sonic RecordNow!
"{AC76BA86-1033-0000-BA7E-000000000002}"=Adobe Acrobat 7.0 Standard
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{B508B3F1-A24A-32C0-B310-85786919EF28}"=Microsoft .NET Framework 2.0 Service Pack 1
"{B5599ECB-DA72-43EE-8A30-2C80396FF8BB}"=Access IBM
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}"=Apple Software Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}"=SUPERAntiSpyware Free Edition
"{CF44C7A5-5705-41E4-BE84-A9A42977AB05}"=Access IBM Cleanup Utility
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}"=Google Toolbar for Internet Explorer
"{F0A37341-D692-11D4-A984-009027EC0A9C}"=SoundMAX
"{F0E8F94D-6E68-4B35-92DF-3AA6DC6A6768}"=Safari
"{F75F3F15-3601-41FB-A446-A71132C3CBC8}"=ProCalc 17 for Microsoft Excel 1997-2003
"Access IBM Tools"=Access IBM Tools
"Adobe Acrobat 5.0"=Adobe Acrobat 5.0
"Adobe Acrobat 7.0 Standard"=Adobe Acrobat 7.1.0 Standard
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Shockwave Player"=Adobe Shockwave Player
"Adobe SVG Viewer"=Adobe SVG Viewer 3.0
"EsetOnlineScanner"=ESET Online Scanner
"HijackThis"=HijackThis 2.0.2
"IBM Access Support"=IBM Access Support
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{6C72E14A-C1F3-45E5-8810-83CE3C19ED63}"=IBM 32-bit SDK for Java 2, v1.4.1
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"MouseSuite98"=Mouse Suite
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"OfficeScanNT"=Trend Micro OfficeScan Client
"PROSet"=Intel® PRO Network Adapters and Drivers
"ShockwaveFlash"=Adobe Flash Player 9 ActiveX
"ST5UNST #1"=Metropolis
"Support.com"=Support.com Software
"WinAIR Forms 2.0"=WinAIR Forms 2.0
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 3
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2008-11-24 22:23:41 | Computer Name = NPB98957WXP | Source = Application | ID = 0
Description =

Error - 2008-11-24 22:23:51 | Computer Name = NPB98957WXP | Source = Application | ID = 0
Description =

Error - 2008-11-24 22:24:01 | Computer Name = NPB98957WXP | Source = Application | ID = 0
Description =

Error - 2008-11-24 22:24:11 | Computer Name = NPB98957WXP | Source = Application | ID = 0
Description =

Error - 2008-11-24 22:24:21 | Computer Name = NPB98957WXP | Source = Application | ID = 0
Description =

Error - 2008-11-24 22:24:31 | Computer Name = NPB98957WXP | Source = Application | ID = 0
Description =

Error - 2008-11-30 13:35:18 | Computer Name = NPB98957WXP | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 2008-11-30 21:35:18 | Computer Name = NPB98957WXP | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 2008-12-01 05:35:18 | Computer Name = NPB98957WXP | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 2008-12-02 20:02:27 | Computer Name = NPB98957WXP | Source = .NET Runtime 2.0 Error Reporting | ID = 1000
Description = Faulting application actsage.exe, version 10.1.199.0, stamp 471ec2fe,
faulting module kernel32.dll, version 5.1.2600.5512, stamp 4802a12c, debug? 0,
fault address 0x00012aeb.

[ System Events ]
Error - 2008-11-26 13:34:01 | Computer Name = NPB98957WXP | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.2 for the Network Card with network
address 000D60D9C97E has been denied by the DHCP server 192.168.17.11 (The DHCP
Server sent a DHCPNACK message).

Error - 2008-11-30 13:35:12 | Computer Name = NPB98957WXP | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.17.85 on
the Network Card with network address 000D60D9C97E.

Error - 2008-11-30 13:36:19 | Computer Name = NPB98957WXP | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 2008-11-30 13:51:22 | Computer Name = NPB98957WXP | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.

Error - 2008-11-30 14:21:22 | Computer Name = NPB98957WXP | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 59 minutes. NtpClient has no source of accurate
time.

Error - 2008-11-30 15:21:22 | Computer Name = NPB98957WXP | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 119 minutes. NtpClient has no source of accurate
time.

Error - 2008-11-30 17:21:22 | Computer Name = NPB98957WXP | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 239 minutes. NtpClient has no source of accurate
time.

Error - 2008-11-30 20:42:14 | Computer Name = NPB98957WXP | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain GBE due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 2008-11-30 21:21:22 | Computer Name = NPB98957WXP | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 479 minutes. NtpClient has no source of accurate
time.

Error - 2008-12-01 05:21:23 | Computer Name = NPB98957WXP | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 959 minutes. NtpClient has no source of accurate
time.


< End of report >
______________________________________________________________________________________________________________
Here's the GMER log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-02 16:34:26
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!ZwQueryKey + 35A 80578D6E 5 Bytes JMP EEECE46A \??\C:\Program Files\Common Files\System\lkige_rkwwky32.dll
.text C:\Program Files\Common Files\System\lkige_rkwwky32.dll section is writeable [0xEEED9000, 0x4126, 0xE0000020]
.text C:\Program Files\Common Files\System\lkige_rkwwky32.dll unknown last code section [0xEEED9000, 0x4126, 0xE0000020]
? C:\Program Files\Common Files\System\lkige_rkwwky32.dll The process cannot access the file because it is being used by another process.
PAGE ntoskrnl.exe!SeFreePrivileges + 119E 80578D6E 5 Bytes JMP EEECE46A \??\C:\Program Files\Common Files\System\lkige_rkwwky32.dll

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[3044] Explorer.EXE 0101A55F 5 Bytes JMP 00090000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- Services - GMER 1.0.14 ----

Service C:\Program Files\Common Files\System\lkige_rkwwky32.dll (*** hidden *** ) [SYSTEM] lkige_rkwwky <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\lkige_rkwwky
Reg HKLM\SYSTEM\CurrentControlSet\Services\lkige_rkwwky@ImagePath \??\C:\Program Files\Common Files\System\lkige_rkwwky32.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\lkige_rkwwky@DisplayName lkige_rkwwky
Reg HKLM\SYSTEM\CurrentControlSet\Services\lkige_rkwwky@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\lkige_rkwwky@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\lkige_rkwwky@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\lkige_rkwwky
Reg HKLM\SYSTEM\ControlSet002\Services\lkige_rkwwky@ImagePath \??\C:\Program Files\Common Files\System\lkige_rkwwky32.dll
Reg HKLM\SYSTEM\ControlSet002\Services\lkige_rkwwky@DisplayName lkige_rkwwky
Reg HKLM\SYSTEM\ControlSet002\Services\lkige_rkwwky@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\lkige_rkwwky@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\lkige_rkwwky@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\lkige_rkwwky
Reg HKLM\SYSTEM\ControlSet003\Services\lkige_rkwwky@ImagePath \??\C:\Program Files\Common Files\System\lkige_rkwwky32.dll
Reg HKLM\SYSTEM\ControlSet003\Services\lkige_rkwwky@DisplayName lkige_rkwwky
Reg HKLM\SYSTEM\ControlSet003\Services\lkige_rkwwky@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\lkige_rkwwky@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\lkige_rkwwky@ErrorControl 0

---- Files - GMER 1.0.14 ----

File C:\Program Files\Common Files\System\lkige_rkwwky32.dll 18432 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----


Thanks.

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 02 December 2008 - 09:34 PM

Hello, frank1234
We need to execute an Avenger2 script
Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Please download The Avenger2 by SwanDog46.
  • Unzip avenger.exe to your desktop.
  • Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    drivers to delete:
    lkige_rkwwky
    files to delete:
    C:\Program Files\Common Files\System\lkige_rkwwky32.dll
  • Now start The Avenger2 by double clicking avenger.exe on your desktop.
  • Read the prompt that appears, and press OK.
  • Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  • Press the "Execute" button.
  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • Avenger's Log
  • GMER's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 frank1234

frank1234
  • Topic Starter

  • Members
  • 5 posts

Posted 04 December 2008 - 03:43 PM

Here is the Avenger Log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "lkige_rkwwky" found!
DisplayName: lkige_rkwwky
ImagePath: \??\C:\Program Files\Common Files\System\lkige_rkwwky32.dll
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "lkige_rkwwky" deleted successfully.
File "C:\Program Files\Common Files\System\lkige_rkwwky32.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

___________________________________________________
Here is the GMER Log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-04 12:21:17
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.14 ----

? yshyhry.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.14 ----
_______________________________________________________
Bill, it looks like the problem is gone. I am able to use google and yahoo now. Thank you very much! :thumbsup:
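
The two GMER logs in this thread carry the indicators that decide the outcome of the next post: an inline JMP written into ntoskrnl exports, a service hidden from the service control manager, and sectors that GMER reports as "rootkit-like behavior". The parser below is an added example, not GMER's code and not anything posted by the thread's participants. It recognises those line shapes from GMER 1.0.14 output, runs over a constructed sample log built from the line formats seen above, and reduces them to a summary a responder can act on. The regular expressions, the Finding class, the severity values and the verdict labels are this example's own assumptions.

```python
"""Triage of GMER rootkit-scan output (added example; not GMER's code and not
posted by anyone in this thread). Recognises the line shapes seen in GMER 1.0.14
logs and reduces a log to the findings a responder acts on. The regex names,
Finding class, severities and verdict labels are this example's own assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: a few lines in the format of the GMER logs in this thread.
SAMPLE_LOG = r"""GMER 1.0.14.14536 - http://www.gmer.net
---- Kernel code sections - GMER 1.0.14 ----
PAGE ntoskrnl.exe!ZwQueryKey + 35A 80578D6E 5 Bytes JMP EEECE46A \??\C:\Program Files\Common Files\System\lkige_rkwwky32.dll
.text C:\Program Files\Common Files\System\lkige_rkwwky32.dll section is writeable [0xEEED9000, 0x4126, 0xE0000020]
---- Devices - GMER 1.0.14 ----
AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
---- Services - GMER 1.0.14 ----
Service C:\Program Files\Common Files\System\lkige_rkwwky32.dll (*** hidden *** ) [SYSTEM] lkige_rkwwky <-- ROOTKIT !!!
---- Disk sectors - GMER 1.0.14 ----
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
---- EOF - GMER 1.0.14 ----
"""

# Line shapes, in order: kernel inline hook ("PAGE module!symbol + off addr N Bytes JMP
# target image"), hidden service, writable .text section, disk-sector verdict.
HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<module>[^\s!]+)!(?P<symbol>\S+)\s+\+\s+(?P<offset>[0-9A-Fa-f]+)"
    r"\s+[0-9A-Fa-f]+\s+(?P<nbytes>\d+) Bytes\s+JMP\s+[0-9A-Fa-f]+\s+(?P<image>.+)$")
HIDDEN_SVC_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<account>\w+)\]\s+(?P<name>\S+)")
WRITABLE_RE = re.compile(r"^\.text\s+(?P<image>.+?)\s+section is writeable\b")
SECTOR_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+sector\s+(?P<sector>\d+):\s+(?P<desc>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str                  # kernel_hook | hidden_service | writable_text | mbr_sector
    severity: str              # high | medium (assumed scale)
    detail: str
    image: str = ""            # on-disk path the line points at, if any
    sector: Optional[int] = None


def parse_gmer(log_text: str) -> List[Finding]:
    """Turn raw GMER log text into Finding records; unrecognised lines are ignored."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = HOOK_RE.match(line)
        if m:  # GMER prints the hook target as an NT path (\??\C:\...); drop that prefix
            image = m["image"]
            image = image[4:] if image.startswith("\\??\\") else image
            findings.append(Finding("kernel_hook", "high",
                f"{m['module']}!{m['symbol']}+{m['offset']} patched with a "
                f"{m['nbytes']}-byte JMP into {image}", image))
            continue
        m = HIDDEN_SVC_RE.match(line)
        if m:
            findings.append(Finding("hidden_service", "high",
                f"service {m['name']} ({m['account']}) hidden from the SCM", m["image"]))
            continue
        m = WRITABLE_RE.match(line)
        if m:
            findings.append(Finding("writable_text", "medium",
                f"{m['image']} has a writable .text section", m["image"]))
            continue
        m = SECTOR_RE.match(line)
        if m and "rootkit-like behavior" in m["desc"]:  # plain "copy of MBR" is not flagged
            findings.append(Finding("mbr_sector", "high",
                f"sector {int(m['sector'])} of {m['device']}: {m['desc']}",
                sector=int(m["sector"])))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Which images both hook the kernel and hide their service, plus MBR tampering."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    hooked: Set[str] = {f.image.lower() for f in findings if f.kind == "kernel_hook"}
    confirmed = sorted(f.image for f in findings
                       if f.kind == "hidden_service" and f.image.lower() in hooked)
    sectors = sorted(f.sector for f in findings if f.kind == "mbr_sector" and f.sector is not None)
    if confirmed or sectors:
        verdict = "rootkit_confirmed"  # kernel-level persistence: the host cannot be trusted
    elif findings:
        verdict = "review"
    else:
        verdict = "no_rootkit_indicators"
    return {"counts": counts, "confirmed_rootkit_images": confirmed,
            "flagged_sectors": sectors, "verdict": verdict}


if __name__ == "__main__":
    for key, value in summarize(parse_gmer(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample the summary names the single image that is both hooking ntoskrnl and hidden as a service, lists sectors 1 and 2 as flagged, and returns the "rootkit_confirmed" verdict; a log containing only "copy of MBR" sectors with no other indicators yields "no_rootkit_indicators". Path comparison is case-insensitive because Windows paths are, while the reported path keeps its original case.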

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 04 December 2008 - 05:36 PM

Hello, frank1234
Oh you're nowhere near clean yet.

Your System is Infected with a Backdoor!!
Backdoors cause severe damage to Windows' internals, and allow an attacker complete control over the infected system. Because this state allows the attacker to download new malware on demand, log keystrokes, execute programs, and/or view the system's screen, it is recommended to reformat and reinstall the operating system on this machine. Several experts in the security community believe that once a system is infected with one of these types of backdoors, the system itself can never be trusted again.

I ask that you disconnect this system from the internet NOW! While it is attached to the internet, the attacker can modify the system, and prevent fixes from working as intended.

Another danger of this type of infection is that of Identity Theft. Because such malware can read all of your passwords, bank account numbers, etc. from your keystrokes, I would recommend contacting banking institutions accessed from this machine to ensure your accounts are secure. Most banks will not charge to send you new credit/debit cards, and getting these numbers replaced would be a good idea. It would also be a good idea to change passwords for anything you commonly use online. Online stores, Facebook/Myspace, Email, etc. If it has been on that machine it may have been read by someone else. Don't do it from this machine, as it is now compromised. Do it from another known clean machine. A good place to do this is at your local public library.

I would strongly recommend format and reinstallation of this machine. For more information, you may wish to read one of these excellent articles:

Please let me know if you wish to continue to clean this machine or if you wish to format.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#7 frank1234

frank1234
  • Topic Starter

  • Members
  • 5 posts

Posted 06 December 2008 - 09:31 PM

Hi Billy3,

The computer has been formatted and windows is now re-installed. I was trying to avoid this but you made very good points.

Thanks again for your help. :thumbsup:

Frank

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 06 December 2008 - 09:39 PM

Hello, frank1234
You're welcome :thumbsup:

Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)



