Search Engine Redirect Malware


7 replies to this topic

#1 JSeiler

  • Members
  • 12 posts

Posted 14 January 2009 - 07:45 PM

Hello, I am trying to get rid of Malware on a co-worker's computer and I believe she still has some on it. I've run Malwarebytes' program, Spybot S&D, Combofix, SDfix. Every time I go to search for something on Google, the search goes through fine, but when I click on the link, it redirects me to a random search engine. I've run the above programs multiple times and most of them did pick up malware on the initial run, but nothing after that.

Here are my logs:


Malwarebytes:

Malwarebytes' Anti-Malware 1.32
Database version: 1653
Windows 5.1.2600 Service Pack 3

1/14/2009 7:27:34 PM
mbam-log-2009-01-14 (19-27-34).txt

Scan type: Quick Scan
Objects scanned: 64516
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



SDFix

SDFix: Version 1.240
Run by Administrator on Wed 01/14/2009 at 06:50 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

AUTOEXEC.NT Restored from backups

Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\TDSSOSVD.dat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 18:57:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\v_qi]
"ImagePath"="\??\C:\Program Files\Common Files\System\v_qi32.dll"
"DisplayName"="v_qi"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\v_qi]
"ImagePath"="\??\C:\Program Files\Common Files\System\v_qi32.dll"
"DisplayName"="v_qi"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\v_qi]
"ImagePath"="\??\C:\Program Files\Common Files\System\v_qi32.dll"
"DisplayName"="v_qi"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Tue 26 Jul 2005 51,712 ..SHR --- "C:\Program Files\Team6 game studios\Setup.exe"
Sun 23 Nov 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 21 Aug 2004 70,144 ..SHR --- "C:\Program Files\Team6 game studios\ATV mudracer\Setup.exe"
Sun 14 Sep 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 25 Sep 2006 0 A..H. --- "C:\Documents and Settings\miguel\Local Settings\Temp\PFTD7.tmp"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Thu 10 Jul 2008 8,804,312 ...H. --- "C:\Documents and Settings\miguel\Application Data\mjusbsp\ar00000\upgrade.exe"
Thu 12 Jun 2008 7,363,896 A..H. --- "C:\Documents and Settings\miguel\Application Data\mjusbsp\in00000\setup.exe"
Thu 12 Jun 2008 827,000 A..H. --- "C:\Documents and Settings\miguel\Application Data\mjusbsp\Upgrade\install1.exe"
Thu 12 Jun 2008 7,363,896 A..H. --- "C:\Documents and Settings\miguel\Application Data\mjusbsp\Upgrade\setup1.exe"
Tue 13 Apr 1999 759,296 A..H. --- "C:\Program Files\Glidden\Color@Home\Program\Xtras\Tms_mp.dll"
Sat 10 Nov 2007 8 A..H. --- "C:\Documents and Settings\danny\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sat 10 Nov 2007 8 A..H. --- "C:\Documents and Settings\danny\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sat 10 Nov 2007 8 A..H. --- "C:\Documents and Settings\danny\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sat 10 Nov 2007 8 A..H. --- "C:\Documents and Settings\danny\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Fri 26 Dec 2008 8 A..H. --- "C:\Documents and Settings\jonathan\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Fri 26 Dec 2008 8 A..H. --- "C:\Documents and Settings\jonathan\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Fri 26 Dec 2008 8 A..H. --- "C:\Documents and Settings\jonathan\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Fri 26 Dec 2008 8 A..H. --- "C:\Documents and Settings\jonathan\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\miguel\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Fri 13 Apr 2007 8 A..H. --- "C:\Documents and Settings\miguel\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Fri 13 Apr 2007 8 A..H. --- "C:\Documents and Settings\miguel\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Mon 23 Apr 2007 8 A..H. --- "C:\Documents and Settings\miguel\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!




Combo Fix

ComboFix 09-01-13.04 - susana 2009-01-14 19:30:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.100 [GMT -5:00]
Running from: c:\documents and settings\susana\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2009-01-14 18:49 . 2009-01-14 18:49 578,560 --a------ c:\windows\SYSTEM32\DLLCACHE\user32.dll
2009-01-14 18:48 . 2009-01-14 18:48 <DIR> d-------- c:\windows\ERUNT
2009-01-14 18:48 . 2001-08-18 12:00 1,688 --a------ c:\windows\SYSTEM32\AUTOEXEC.NT
2009-01-14 18:45 . 2009-01-14 18:59 <DIR> d-------- C:\SDFix
2009-01-14 18:04 . 2004-04-01 23:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-01-14 18:04 . 2004-04-01 23:50 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-01-14 18:04 . 2004-04-01 23:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-01-14 18:04 . 2009-01-14 18:04 <DIR> d-------- c:\documents and settings\Administrator
2009-01-14 12:25 . 2009-01-14 13:50 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-14 12:25 . 2009-01-14 13:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-14 12:08 . 2009-01-14 12:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 12:08 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-14 12:08 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-13 18:43 . 2009-01-13 18:43 <DIR> d-------- c:\documents and settings\susana\Application Data\Malwarebytes
2009-01-13 18:43 . 2009-01-13 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-13 18:31 . 2008-04-13 13:39 14,592 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2009-01-13 18:31 . 2008-04-13 13:39 14,592 --a------ c:\windows\SYSTEM32\DLLCACHE\kbdhid.sys
2009-01-04 22:35 . 2008-09-16 18:09 30,080 --a------ c:\windows\SYSTEM32\DRIVERS\RKHit.sys
2009-01-04 22:35 . 2009-01-04 22:35 42 --a------ c:\windows\SYSTEM32\AK083E209605E394C.lie
2009-01-04 18:25 . 2009-01-04 18:25 <DIR> d-------- c:\program files\Norton Support
2009-01-04 17:42 . 2009-01-04 18:11 <DIR> d-------- c:\program files\Norton PC Checkup
2009-01-04 17:38 . 2009-01-04 20:15 <DIR> d-------- c:\windows\LMI209.tmp
2009-01-04 16:34 . 2009-01-04 16:34 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-01-04 16:34 . 2009-01-04 16:34 <DIR> d-------- c:\windows\SYSTEM32\en
2009-01-04 16:34 . 2009-01-04 16:34 <DIR> d-------- c:\windows\l2schemas
2009-01-03 09:59 . 2008-04-13 19:12 712,704 --------- c:\windows\SYSTEM32\windowscodecs.dll
2009-01-03 09:59 . 2008-04-13 19:12 346,112 --------- c:\windows\SYSTEM32\windowscodecsext.dll
2009-01-03 09:59 . 2008-04-13 19:12 276,992 --------- c:\windows\SYSTEM32\wmphoto.dll
2009-01-03 09:59 . 2008-04-13 19:12 69,120 --------- c:\windows\SYSTEM32\wlanapi.dll
2009-01-03 09:58 . 2008-04-13 19:12 412,160 --------- c:\windows\SYSTEM32\photometadatahandler.dll
2009-01-03 09:58 . 2008-04-13 19:12 291,328 --------- c:\windows\SYSTEM32\qagentrt.dll
2009-01-03 09:58 . 2008-04-13 19:12 290,304 --------- c:\windows\SYSTEM32\rhttpaa.dll
2009-01-03 09:58 . 2008-04-13 19:12 150,528 --------- c:\windows\SYSTEM32\qagent.dll
2009-01-03 09:58 . 2008-04-13 19:12 144,384 --------- c:\windows\SYSTEM32\onex.dll
2009-01-03 09:58 . 2008-04-13 19:12 76,800 --------- c:\windows\SYSTEM32\qutil.dll
2009-01-03 09:58 . 2008-04-13 19:12 62,464 --------- c:\windows\SYSTEM32\qcliprov.dll
2009-01-03 09:58 . 2008-04-13 19:12 61,952 --------- c:\windows\SYSTEM32\rasqec.dll
2009-01-03 09:58 . 2008-04-13 19:12 53,248 --------- c:\windows\SYSTEM32\tsgqec.dll
2009-01-03 09:58 . 2008-04-13 19:12 50,688 --------- c:\windows\SYSTEM32\tspkg.dll
2009-01-03 09:58 . 2008-04-13 19:12 32,768 --------- c:\windows\SYSTEM32\setupn.exe
2009-01-03 09:58 . 2008-04-13 13:40 10,240 --------- c:\windows\SYSTEM32\DRIVERS\sffp_mmc.sys
2009-01-03 09:56 . 2008-04-13 19:11 233,472 --------- c:\windows\SYSTEM32\azroles.dll
2009-01-03 09:56 . 2008-04-13 19:11 136,192 --------- c:\windows\SYSTEM32\aaclient.dll
2009-01-03 09:56 . 2008-04-13 19:11 12,800 --------- c:\windows\SYSTEM32\credssp.dll
2009-01-03 09:56 . 2008-04-13 19:11 7,168 --------- c:\windows\SYSTEM32\bitsprx4.dll
2009-01-02 19:45 . 2009-01-02 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCSettings
2009-01-02 19:43 . 2009-01-07 22:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-01-02 19:34 . 2009-01-07 22:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-01 18:12 . 2009-01-08 20:37 <DIR> d-------- c:\documents and settings\miguel\Application Data\LimeWire
2009-01-01 18:07 . 2009-01-01 18:07 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2009-01-01 18:07 . 2009-01-01 18:07 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
2009-01-01 17:52 . 2009-01-01 17:53 <DIR> d-------- c:\program files\LimeWire
2008-12-26 16:25 . 2008-12-26 16:25 0 --a------ c:\documents and settings\jonathan\iphist.dat
2008-12-26 15:36 . 2008-12-26 15:36 0 --a------ c:\documents and settings\susana\iphist.dat
2008-12-26 15:30 . 2007-11-04 11:15 74,608 --a------ c:\windows\TrueInstall.exe
2008-12-22 19:23 . 2008-12-22 19:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\RoboForm
2008-12-22 19:06 . 2008-12-22 19:06 <DIR> d--hs---- c:\documents and settings\miguel\PrivacIE
2008-12-22 18:42 . 2008-04-13 19:11 81,920 --a------ c:\windows\SYSTEM32\ieencode.dll
2008-12-20 16:39 . 2008-12-20 16:39 <DIR> d-------- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 00:00 --------- d-----w c:\program files\SpiralFrog
2009-01-09 03:56 --------- d-----w c:\program files\TrueSwitchComcast
2009-01-09 03:55 --------- d-----w c:\documents and settings\miguel\Application Data\MSN6
2009-01-08 03:26 --------- d-----w c:\program files\Symantec
2009-01-08 03:26 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-04 00:32 --------- d-----w c:\documents and settings\susana\Application Data\MSN6
2009-01-03 01:06 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-03 00:57 0 ----a-w c:\documents and settings\miguel\iphist.dat
2009-01-01 23:07 --------- d-----w c:\program files\Java
2008-12-26 21:19 --------- d-----w c:\documents and settings\jonathan\Application Data\GTek
2008-12-26 21:19 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2008-12-20 21:32 --------- d-----w c:\program files\Microsoft AntiSpyware
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-09-28 20:01 0 ----a-w c:\documents and settings\danny\iphist.dat
2006-10-20 02:00 194,376 ----a-w c:\documents and settings\miguel\Application Data\shb.dat
2003-08-27 18:19 36,963 ----a-r c:\program files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-26 204800]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-04-01 77824]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-04-01 151597]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 53248]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 118784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SpiralFrog"="c:\program files\SpiralFrog\Spiralfrog.exe" [2008-03-12 163128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]

c:\documents and settings\miguel\Start Menu\Programs\Startup\
TrueAssistant.lnk - c:\program files\TrueSwitchComcast\TrueWizard.exe [2007-09-28 1028096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=


--- Other Services/Drivers In Memory ---

*Deregistered* - v_qi
.
Contents of the 'Scheduled Tasks' folder

2004-04-07 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 19:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://results.searchscout.com/content/429/16145-12/content16145-6.html?b=21355&m=Mzc2OTEyMzE2&t=1000154486&d=1000154486&k=valueline%2ecom&c=16145&s=wave2_1
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: Display All Images with Full Quality - c:\program files\NetZero\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\program files\NetZero\qsacc\appres.dll/227
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 19:33:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\v_qi]
"ImagePath"="\??\c:\program files\Common Files\System\v_qi32.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-723244549-3433649260-1904190958-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-01-14 19:35:17
ComboFix-quarantined-files.txt 2009-01-15 00:35:11
ComboFix2.txt 2009-01-15 00:12:01

Pre-Run: 101,977,817,088 bytes free
Post-Run: 101,961,867,264 bytes free

162 --- E O F --- 2009-01-14 08:02:19






HiJackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:44 PM, on 1/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\SpiralFrog\Spiralfrog.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\susana\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://results.searchscout.com/content/429...5&s=wave2_1 (obfuscated)
R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SpiralFrog] C:\Program Files\SpiralFrog\Spiralfrog.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1176500674640
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u1...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://previews0.coolclips.com/03/tf05143/...ch_vc003472.jpg

--
End of file - 8395 bytes
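One way to triage the hidden-service registry dump that catchme wrote into the SDFix log above, as an added example in Python (not part of this thread, nor of SDFix, ComboFix or catchme): it parses the [HKEY_LOCAL_MACHINE\SYSTEM\...\Services\...] blocks, merges the copies that appear under several control sets, and lists the properties that make a hidden driver-type service worth an analyst's attention. The sample input is the v_qi block copied from the log; the heuristics, function names and the benign comparison values are this example's own assumptions.

```python
"""Triage helper for the hidden-service registry dump that catchme (bundled in SDFix and
ComboFix) prints when a service exists in the SYSTEM hive but is invisible to the normal
service APIs. Example code written for this thread, not part of either tool."""
import re
from collections import defaultdict

# Constructed sample input: the hidden-service block and scan summary copied from the
# SDFix log posted above (catchme 0.3.1361.2 output).
SAMPLE_LOG = r"""scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\v_qi]
"ImagePath"="\??\C:\Program Files\Common Files\System\v_qi32.dll"
"DisplayName"="v_qi"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\v_qi]
"ImagePath"="\??\C:\Program Files\Common Files\System\v_qi32.dll"
"DisplayName"="v_qi"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 0
"""

# Service "Type" and "Start" values from the Win32 service model (winnt.h).
SERVICE_KERNEL_DRIVER = 0x01
SERVICE_FILE_SYSTEM_DRIVER = 0x02
SERVICE_BOOT_START = 0
SERVICE_SYSTEM_START = 1

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\]\\]+)\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')
SUMMARY_RE = re.compile(r"^hidden services:\s*(\d+)$")


def parse_hidden_services(log_text):
    """Return ({service_name: {"control_sets": set, "values": dict}}, hidden_count).

    The same service is dumped once per control set; the copies are merged under one
    name and the last copy's values win (catchme prints identical values here)."""
    services = defaultdict(lambda: {"control_sets": set(), "values": {}})
    current = None
    hidden_count = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            control_set, name = key.groups()
            current = services[name.lower()]
            current["control_sets"].add(control_set)
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name, dword, text = value.groups()
            current["values"][name] = int(dword, 16) if dword is not None else text
            continue
        summary = SUMMARY_RE.match(line)
        if summary:
            hidden_count = int(summary.group(1))
        current = None  # any other line ends the current key block
    return dict(services), hidden_count


def triage(entry):
    """Heuristic reasons a hidden service deserves analyst attention (not a verdict)."""
    v = entry["values"]
    reasons = []
    image = v.get("ImagePath", "")
    path = image.lower()
    if path.startswith("\\??\\"):  # NT object-manager prefix; strip it to get the DOS path
        path = path[4:]
    is_driver = v.get("Type") in (SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER)
    if is_driver and not path.endswith(".sys"):
        reasons.append("driver-type service whose image is not a .sys file: " + image)
    if is_driver and "system32\\drivers\\" not in path:
        reasons.append("driver image lives outside system32\\drivers")
    if is_driver and v.get("Start") in (SERVICE_BOOT_START, SERVICE_SYSTEM_START):
        reasons.append("loads during kernel initialisation (Start=%d), before user-mode scanners" % v["Start"])
    return reasons


def triage_log(log_text):
    """Map each hidden service name to its triage reasons, plus catchme's own hidden count."""
    services, hidden_count = parse_hidden_services(log_text)
    return {name: triage(entry) for name, entry in services.items()}, hidden_count


if __name__ == "__main__":
    findings, hidden = triage_log(SAMPLE_LOG)
    print("catchme reported %s hidden service(s)" % hidden)
    for name, reasons in findings.items():
        print(name + ":")
        for reason in reasons:
            print("  - " + reason)
```

Run against the log above it flags v_qi three times over: a kernel-driver service (Type=1) whose image is a .dll under Program Files rather than a .sys under system32\drivers, and which is set to load during kernel initialisation (Start=1).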



#2 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Location:Hamburg

Posted 28 January 2009 - 12:52 AM

Hello JSeiler and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems please download OTViewIt to your desktop.
  • Close all windows and double click OTViewIt
  • Place a tick in the Scan all Users box
  • In the File Age drop down box select 90 days
  • Click Run Scan and let the program run uninterrupted
  • On completion it will produce two logs on the Desktop, post the OTViewIt.txt and Extras.txt logs in your next post.
Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 JSeiler

  • Topic Starter
  • Members
  • 12 posts

Posted 29 January 2009 - 05:32 PM

OTViewIT.txt


OTViewIt logfile created on: 1/29/2009 5:07:46 PM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\susana\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

253.98 Mb Total Physical Memory | 83.46 Mb Available Physical Memory | 32.86% Memory free
624.99 Mb Paging File | 380.61 Mb Available in Paging File | 60.90% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.72 Gb Total Space | 94.96 Gb Free Space | 85.00% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DANJOHN
Current User Name: susana
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 90 Days

========== Processes ==========

[2003/02/17 18:00:44 | 00,303,104 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\SYSTEM32\LEXBCES.EXE
[2003/02/17 18:00:44 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\SYSTEM32\LEXPPS.EXE
[2003/04/07 01:07:38 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\hkcmd.exe
[2003/09/03 21:12:44 | 00,221,184 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
[2003/08/06 02:04:00 | 00,114,741 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
[2003/02/13 02:01:00 | 00,155,648 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[2003/08/26 20:47:34 | 00,204,800 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\Media Experience\PCMService.exe
[2004/04/01 23:47:26 | 00,151,597 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[2003/10/06 11:05:40 | 00,053,248 | ---- | M] (TODO: <Company name>) -- C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
[2003/10/06 11:05:40 | 00,118,784 | ---- | M] (MUSICMATCH, Inc.) -- C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
[2006/02/19 02:41:10 | 00,049,152 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[2008/01/29 17:38:31 | 00,583,048 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
[2008/03/12 13:05:36 | 00,163,128 | ---- | M] (SpiralFrog) -- C:\Program Files\SpiralFrog\Spiralfrog.exe
[2008/06/12 02:38:00 | 00,034,672 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
[2009/01/01 18:07:12 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
[2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
[2006/02/19 04:21:22 | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[2006/02/19 05:24:52 | 00,239,320 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
[2004/04/21 11:16:02 | 01,434,848 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\acsd.exe
[2006/09/02 18:36:33 | 00,198,336 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
[2009/01/01 18:07:12 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
[2008/01/29 17:38:31 | 00,583,048 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
[2008/04/13 19:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\wscntfy.exe
[2008/10/15 02:06:26 | 00,633,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
[2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\wuauclt.exe
[2009/01/29 17:07:01 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\susana\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2004/04/21 11:16:02 | 01,434,848 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\acsd.exe -- (AOL ACS [Auto | Running])
[2004/07/15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2006/09/02 18:36:33 | 00,198,336 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler [Auto | Running])
File not found -- -- (CLTNetCnService [Auto | Stopped])
[2007/03/07 14:47:46 | 00,076,848 | ---- | M] () -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService [On_Demand | Stopped])
[2009/01/01 18:07:12 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
[2003/02/17 18:00:44 | 00,303,104 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\SYSTEM32\LEXBCES.EXE -- (LexBceS [Auto | Running])
[2006/09/02 18:36:33 | 02,528,960 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate [On_Demand | Stopped])
File not found -- -- (LiveUpdate Notice Ex [Auto | Stopped])
[2008/01/29 17:38:31 | 00,583,048 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -- (LiveUpdate Notice Service [Auto | Running])
[2003/03/03 14:33:40 | 00,143,360 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc [On_Demand | Stopped])
[2006/03/03 21:03:10 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\SYSTEM32\HPZipm12.exe -- (Pml Driver HPZ12 [Unknown | Stopped])
[2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2002/04/01 15:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\aeaudio.sys -- (aeaudio [On_Demand | Running])
[2001/08/17 14:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\SYSTEM32\DRIVERS\ALIIDE.SYS -- (AliIde [Disabled | Stopped])
[2008/04/13 13:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\SYSTEM32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])
[2001/08/17 14:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\SYSTEM32\DRIVERS\ASC.SYS -- (asc [Disabled | Stopped])
[2001/08/17 14:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\SYSTEM32\DRIVERS\ASC3550.SYS -- (asc3550 [Disabled | Stopped])
[2003/08/28 19:58:40 | 00,004,272 | ---- | M] () -- C:\WINDOWS\System32\drivers\bvrp_pci.sys -- (bvrp_pci [On_Demand | Stopped])
[2003/10/22 19:15:02 | 00,067,024 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp [System | Running])
[2003/10/22 19:15:02 | 00,024,698 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Running])
[2001/08/17 14:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\SYSTEM32\DRIVERS\CMDIDE.SYS -- (CmdIde [Disabled | Stopped])
[2001/08/17 14:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\DAC2W2K.SYS -- (dac2w2k [Disabled | Stopped])
[2003/07/31 04:21:00 | 00,084,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\DRIVERS\drvmcdb.sys -- (drvmcdb [Boot | Running])
[2003/06/20 03:56:00 | 00,040,448 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys -- (drvnddm [Auto | Running])
[2006/10/05 15:07:28 | 00,004,736 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct [On_Demand | Stopped])
[2007/02/25 11:10:48 | 00,005,376 | --S- | M] (Gteko Ltd.) -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv [Auto | Running])
[2003/03/04 13:56:26 | 00,145,408 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
[2001/08/17 13:11:06 | 00,066,591 | ---- | M] (3Com Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC [On_Demand | Stopped])
[2006/04/12 05:04:39 | 00,049,664 | R--- | M] (HP) -- C:\WINDOWS\SYSTEM32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
[2006/04/12 05:04:39 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\SYSTEM32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
[2006/04/12 05:04:39 | 00,021,568 | R--- | M] (HP) -- C:\WINDOWS\SYSTEM32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
[2004/08/04 00:29:36 | 00,161,020 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x [On_Demand | Stopped])
[2004/08/04 00:29:37 | 00,012,415 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0 [On_Demand | Stopped])
[2004/08/04 00:29:37 | 00,012,127 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1 [On_Demand | Stopped])
[2004/08/04 00:29:37 | 00,011,775 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2 [On_Demand | Stopped])
[2004/08/04 00:29:47 | 00,012,063 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3 [On_Demand | Stopped])
[2004/08/04 00:29:49 | 00,019,455 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4 [On_Demand | Stopped])
[2004/08/04 00:29:41 | 00,029,311 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0 [On_Demand | Stopped])
[2004/08/04 00:29:42 | 00,019,551 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1 [On_Demand | Stopped])
[2004/08/04 00:29:43 | 00,033,599 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3 [On_Demand | Stopped])
[2004/08/04 00:29:45 | 00,023,615 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4 [On_Demand | Stopped])
[2003/04/15 11:39:46 | 00,090,907 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
[2003/11/20 23:13:40 | 01,232,741 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys -- (IntelC51 [On_Demand | Running])
[2003/11/20 23:14:28 | 00,646,825 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys -- (IntelC52 [On_Demand | Running])
[2003/11/20 23:12:56 | 00,059,717 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys -- (IntelC53 [On_Demand | Running])
[2008/04/13 13:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\kbdhid.sys -- (kbdhid [System | Running])
[2001/08/17 14:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
[2003/11/20 23:12:42 | 00,037,048 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys -- (mohfilt [On_Demand | Running])
[2001/08/17 14:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\SYSTEM32\DRIVERS\MRAID35X.SYS -- (mraid35x [Disabled | Stopped])
[2006/05/24 22:15:06 | 00,028,256 | ---- | M] (MusicMatch, Inc.) -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k [On_Demand | Running])
[2004/08/04 00:29:54 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Stopped])
[2002/11/08 14:45:06 | 00,017,217 | ---- | M] (Dell Computer Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci [System | Running])
[2002/08/29 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\SYSTEM32\DRIVERS\PTILINK.SYS -- (Ptilink [On_Demand | Running])
[2003/07/30 03:02:00 | 00,017,168 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\DRIVERS\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2001/08/17 14:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\QL1080.SYS -- (ql1080 [Disabled | Stopped])
[2001/08/17 14:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\QL12160.SYS -- (ql12160 [Disabled | Stopped])
[2001/08/17 14:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\QL1280.SYS -- (ql1280 [Disabled | Stopped])
[2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\SYSTEM32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2008/04/13 13:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])
[2003/05/06 10:14:34 | 00,580,992 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\SYSTEM32\DRIVERS\smwdm.sys -- (smwdm [On_Demand | Running])
[2001/08/17 15:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\SYSTEM32\DRIVERS\SPARROW.SYS -- (Sparrow [Disabled | Stopped])
[2003/07/14 12:28:40 | 00,005,621 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\DRIVERS\sscdbhk5.sys -- (sscdbhk5 [System | Running])
[2003/07/14 12:28:22 | 00,023,219 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys -- (ssrtln [System | Running])
[2001/08/17 15:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\SYSTEM32\DRIVERS\SYMC810.SYS -- (symc810 [Disabled | Stopped])
[2001/08/17 15:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\SYSTEM32\DRIVERS\SYMC8XX.SYS -- (symc8xx [Disabled | Stopped])
[2001/08/17 15:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\SYSTEM32\DRIVERS\SYM_HI.SYS -- (sym_hi [Disabled | Stopped])
[2001/08/17 15:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\SYSTEM32\DRIVERS\SYM_U3.SYS -- (sym_u3 [Disabled | Stopped])
[2003/08/06 02:04:00 | 00,025,685 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\dla\tfsnboio.sys -- (tfsnboio [Auto | Running])
[2003/08/06 02:04:00 | 00,034,837 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\dla\tfsncofs.sys -- (tfsncofs [Auto | Running])
[2003/08/06 02:04:00 | 00,004,117 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\dla\tfsndrct.sys -- (tfsndrct [Auto | Running])
[2003/08/06 02:04:00 | 00,002,233 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\dla\tfsndres.sys -- (tfsndres [Auto | Running])
[2003/08/06 02:04:00 | 00,083,284 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\dla\tfsnifs.sys -- (tfsnifs [Auto | Running])
[2003/08/06 02:04:00 | 00,014,229 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\dla\tfsnopio.sys -- (tfsnopio [Auto | Running])
[2003/08/06 02:04:00 | 00,006,357 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\dla\tfsnpool.sys -- (tfsnpool [Auto | Running])
[2003/08/06 02:04:00 | 00,098,068 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\dla\tfsnudf.sys -- (tfsnudf [Auto | Running])
[2003/08/06 02:04:00 | 00,100,373 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\dla\tfsnudfa.sys -- (tfsnudfa [Auto | Running])
[2001/08/17 14:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\SYSTEM32\DRIVERS\ULTRA.SYS -- (ultra [Disabled | Stopped])
[2008/04/13 13:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
[2004/06/09 18:42:38 | 00,015,429 | R--- | M] ( ) -- C:\WINDOWS\SYSTEM32\DRIVERS\Sacm2A.sys -- (USBCM [On_Demand | Stopped])
[2003/01/10 18:13:04 | 00,033,588 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\SYSTEM32\DRIVERS\wanatw4.sys -- (wanatw [On_Demand | Running])
[2007/04/16 12:28:02 | 00,194,362 | ---- | M] (Jungo) -- C:\WINDOWS\SYSTEM32\DRIVERS\windrvr6.sys -- (WinDriver6 [On_Demand | Running])
[2003/04/15 11:40:54 | 00,113,504 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Running])
[2003/04/15 11:40:46 | 00,078,752 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://my.netzero.net/s/search?r=minisearch

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\SYSTEM32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.dell4me.com/myway
"First Home Page"=http://www.dell4me.com/myway
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.dell4me.com/myway
"First Home Page"=http://www.dell4me.com/myway
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-723244549-3433649260-1904190958-1008\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.com/

[HKEY_USERS\S-1-5-21-723244549-3433649260-1904190958-1008\Software\Microsoft\Internet Explorer\SearchURL]
""=http://my.netzero.net/s/search?r=minisearch

[HKEY_USERS\S-1-5-21-723244549-3433649260-1904190958-1008\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-723244549-3433649260-1904190958-1008\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\SYSTEM32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-723244549-3433649260-1904190958-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
{53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
{5CA3D70E-1895-11CF-8E15-001234567890} (HKLM) -- C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
{DBC80044-A445-435b-BC74-9C25C1C588A9} (HKLM) -- C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (HKLM) -- C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

========== (O3) Toolbars ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0F8ECBE-D460-4B34-B007-56A92E8F84A7}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-723244549-3433649260-1904190958-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-723244549-3433649260-1904190958-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-723244549-3433649260-1904190958-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0F8ECBE-D460-4B34-B007-56A92E8F84A7}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Development Company, L.P.)
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
"IntelMeM"=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe (Intel Corporation)
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe (TODO: <Company name>)
"MMTray"=C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe (MUSICMATCH, Inc.)
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" (CyberLink Corp.)
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc.)
"SpiralFrog"=C:\Program Files\SpiralFrog\Spiralfrog.exe (SpiralFrog)
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r (Sonic Solutions)
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" (Symantec Corporation)
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-723244549-3433649260-1904190958-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)

========== (O4) Startup Folders ==========

[2006/02/19 04:21:22 | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[2007/09/28 03:08:04 | 01,028,096 | ---- | M] () -- C:\Documents and Settings\miguel\Start Menu\Programs\Startup\TrueAssistant.lnk = C:\Program Files\TrueSwitchComcast\TrueWizard.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\Software\policies\microsoft\internet explorer\Infodelivery\Restrictions]
"NoSplash"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableRegistryTools"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoDriveAutoRun"=67108863

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoDriveAutoRun"=67108863

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"CDRAutoRun"=0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-723244549-3433649260-1904190958-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
Display All Images with Full Quality: C:\Program Files\NetZero\qsacc\appres.dll File not found
Display Image with Full Quality: C:\Program Files\NetZero\qsacc\appres.dll File not found
E&xport to Microsoft Excel: C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE File not found

[HKEY_USERS\S-1-5-21-723244549-3433649260-1904190958-1008\Software\Microsoft\Internet Explorer\MenuExt\]
Display All Images with Full Quality: C:\Program Files\NetZero\qsacc\appres.dll File not found
Display Image with Full Quality: C:\Program Files\NetZero\qsacc\appres.dll File not found
E&xport to Microsoft Excel: C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE File not found

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search && Destroy Configuration -- %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\System32\msjava.dll [Web Browser Applet Control] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\System32\msjava.dll [Web Browser Applet Control] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\System32\msjava.dll [Web Browser Applet Control] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-723244549-3433649260-1904190958-1008\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\System32\msjava.dll [Web Browser Applet Control] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
: msn in My Computer
aol.com\objects: * is out of zone range (0)
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-723244549-3433649260-1904190958-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
: msn in My Computer
aol.com\objects: * is out of zone range (0)
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}: http://www.eset.eu/buxus/docs/OnlineScanner.cab -- OnlineScanner Control
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}: http://update.microsoft.com/microsoftupdat...b?1176500674640 -- MUWebControl Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u1...ows-i586-jc.cab -- Java Plug-in 1.6.0_11
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{AFCE137D-83D1-4F8D-A2C0-36A86012AD54} (Servers: | Description: Scientific-Atlanta WebSTAR 2000 series Cable Modem)
{ED5418FB-C4C7-4A9F-B0AD-B07CE42F71AD} (Servers: | Description: Intel® PRO/100 VE Network Connection)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
igfxcui: "DllName" = igfxsrvc.dll -- C:\WINDOWS\SYSTEM32\igfxsrvc.dll (Intel Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Files/Folders - Created Within 90 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/01/29 17:07:01 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\susana\Desktop\OTViewIt.exe
[2009/01/15 12:53:33 | 00,000,000 | ---D | C] -- C:\Program Files\EsetOnlineScanner
[2009/01/15 11:36:35 | 00,001,708 | -H-- | C] () -- C:\Documents and Settings\susana\My Documents\Default.rdp
[2009/01/14 19:05:05 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/01/14 19:05:01 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/01/14 19:04:59 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/01/14 19:03:23 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/01/14 19:03:23 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/01/14 19:03:23 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/01/14 19:03:23 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/01/14 19:03:23 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2009/01/14 19:03:23 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/01/14 19:03:23 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/01/14 19:03:23 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2009/01/14 19:03:23 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/01/14 19:03:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/01/14 19:03:19 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/01/14 19:02:40 | 03,039,899 | R--- | C] () -- C:\Documents and Settings\susana\Desktop\ComboFix.exe
[2009/01/14 18:55:04 | 26,639,1552 | -HS- | C] () -- C:\hiberfil.sys
[2009/01/14 18:49:32 | 00,578,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2009/01/14 18:48:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2009/01/14 18:48:01 | 00,001,688 | ---- | C] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2009/01/14 18:45:35 | 00,000,000 | ---D | C] -- C:\SDFix
[2009/01/14 18:43:05 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\susana\Desktop\HiJackThis.exe
[2009/01/14 18:42:44 | 01,529,241 | ---- | C] () -- C:\Documents and Settings\susana\Desktop\SDFix.exe
[2009/01/14 12:27:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/01/14 12:25:40 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\susana\Desktop\Spybot - Search & Destroy.lnk
[2009/01/14 12:25:35 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/01/14 12:25:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/01/14 12:24:41 | 15,083,520 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\susana\Desktop\spybotsd160.exe
[2009/01/14 12:08:08 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/01/14 12:08:08 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/01/14 12:08:05 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/01/14 12:08:03 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/01/14 12:07:22 | 02,697,168 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\susana\Desktop\mbam-setup.exe
[2009/01/13 18:43:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\susana\Application Data\Malwarebytes
[2009/01/13 18:43:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/01/13 18:31:54 | 00,014,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\kbdhid.sys
[2009/01/13 18:31:54 | 00,014,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdhid.sys
[2009/01/04 22:35:44 | 00,030,080 | ---- | C] () -- C:\WINDOWS\System32\drivers\RKHit.sys
[2009/01/04 22:35:30 | 00,000,042 | ---- | C] () -- C:\WINDOWS\System32\AK083E209605E394C.lie
[2009/01/04 18:25:50 | 00,000,000 | ---D | C] -- C:\Program Files\Norton Support
[2009/01/04 17:42:19 | 00,000,000 | ---D | C] -- C:\Program Files\Norton PC Checkup
[2009/01/04 17:38:03 | 00,000,000 | ---D | C] -- C:\WINDOWS\LMI209.tmp
[2009/01/04 17:10:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/01/04 16:34:27 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/01/04 16:34:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/01/04 16:34:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/01/03 09:59:07 | 00,276,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmphoto.dll
[2009/01/03 09:59:05 | 00,069,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wlanapi.dll
[2009/01/03 09:59:03 | 00,712,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\windowscodecs.dll
[2009/01/03 09:59:03 | 00,346,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\windowscodecsext.dll
[2009/01/03 09:58:51 | 00,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tsgqec.dll
[2009/01/03 09:58:51 | 00,050,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tspkg.dll
[2009/01/03 09:58:35 | 00,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\sffp_mmc.sys
[2009/01/03 09:58:34 | 00,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\setupn.exe
[2009/01/03 09:58:28 | 00,290,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rhttpaa.dll
[2009/01/03 09:58:26 | 00,061,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rasqec.dll
[2009/01/03 09:58:25 | 00,076,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qutil.dll
[2009/01/03 09:58:24 | 00,062,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qcliprov.dll
[2009/01/03 09:58:23 | 00,291,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qagentrt.dll
[2009/01/03 09:58:23 | 00,150,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qagent.dll
[2009/01/03 09:58:21 | 00,412,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\photometadatahandler.dll
[2009/01/03 09:58:13 | 00,144,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\onex.dll
[2009/01/03 09:57:52 | 00,176,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\napstat.exe
[2009/01/03 09:57:51 | 00,193,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\napmontr.dll
[2009/01/03 09:57:51 | 00,030,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\napipsec.dll
[2009/01/03 09:57:50 | 01,307,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml6.dll
[2009/01/03 09:57:50 | 01,307,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6.dll
[2009/01/03 09:57:50 | 00,079,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml6r.dll
[2009/01/03 09:57:50 | 00,079,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6r.dll
[2009/01/03 09:57:48 | 00,155,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mssha.dll
[2009/01/03 09:57:48 | 00,076,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msshavmsg.dll
[2009/01/03 09:57:34 | 00,397,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mmcex.dll
[2009/01/03 09:57:34 | 00,184,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\microsoft.managementconsole.dll
[2009/01/03 09:57:34 | 00,106,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mmcfxcommon.dll
[2009/01/03 09:57:34 | 00,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mmcperf.exe
[2009/01/03 09:57:24 | 00,061,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kmsvc.dll
[2009/01/03 09:57:24 | 00,037,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\l2gpstore.dll
[2009/01/03 09:57:23 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdpash.dll
[2009/01/03 09:57:23 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdnepr.dll
[2009/01/03 09:57:23 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdiultn.dll
[2009/01/03 09:57:23 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdbhc.dll
[2009/01/03 09:57:15 | 00,001,261 | ---- | C] () -- C:\WINDOWS\System32\pid.inf
[2009/01/03 09:57:06 | 00,184,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapp3hst.dll
[2009/01/03 09:57:06 | 00,180,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapphost.dll
[2009/01/03 09:57:06 | 00,126,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eappcfg.dll
[2009/01/03 09:57:06 | 00,094,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eappgnui.dll
[2009/01/03 09:57:06 | 00,059,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapqec.dll
[2009/01/03 09:57:06 | 00,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eappprxy.dll
[2009/01/03 09:57:06 | 00,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapsvc.dll
[2009/01/03 09:57:06 | 00,030,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapolqec.dll
[2009/01/03 09:57:03 | 00,650,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3ui.dll
[2009/01/03 09:57:03 | 00,132,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3svc.dll
[2009/01/03 09:57:03 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3cfg.dll
[2009/01/03 09:57:03 | 00,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3msm.dll
[2009/01/03 09:57:03 | 00,039,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3gpclnt.dll
[2009/01/03 09:57:03 | 00,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3api.dll
[2009/01/03 09:57:03 | 00,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3dlg.dll
[2009/01/03 09:57:01 | 00,039,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dimsroam.dll
[2009/01/03 09:57:01 | 00,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dimsntfy.dll
[2009/01/03 09:57:00 | 00,048,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dhcpqec.dll
[2009/01/03 09:56:55 | 00,012,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\credssp.dll
[2009/01/03 09:56:49 | 00,233,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\azroles.dll
[2009/01/03 09:56:49 | 00,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\bitsprx4.dll
[2009/01/03 09:56:36 | 00,136,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\aaclient.dll
[2009/01/02 19:45:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2009/01/02 19:43:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2009/01/02 19:34:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2009/01/01 17:52:47 | 00,000,000 | ---D | C] -- C:\Program Files\LimeWire
[2008/12/26 15:30:09 | 00,074,608 | ---- | C] () -- C:\WINDOWS\TrueInstall.exe
[2008/12/22 19:23:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\RoboForm
[2008/12/22 18:42:51 | 00,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ieencode.dll
[2008/12/20 16:39:22 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2008/11/13 03:05:09 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/11/12 18:30:56 | 00,455,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2008/11/09 21:19:06 | 00,000,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Acrobat.com.lnk
[2008/11/09 21:18:35 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2008/11/09 21:17:07 | 00,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2008/11/09 21:16:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe

========== Files - Modified Within 90 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/01/29 17:07:01 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\susana\Desktop\OTViewIt.exe
[2009/01/29 17:03:17 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2009/01/29 17:02:29 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/01/29 17:02:25 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2009/01/29 17:02:24 | 26,639,1552 | -HS- | M] () -- C:\hiberfil.sys
[2009/01/15 12:12:01 | 00,001,708 | -H-- | M] () -- C:\Documents and Settings\susana\My Documents\Default.rdp
[2009/01/14 19:33:43 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/01/14 19:05:06 | 00,000,281 | RHS- | M] () -- C:\BOOT.INI
[2009/01/14 19:02:46 | 03,039,899 | R--- | M] () -- C:\Documents and Settings\susana\Desktop\ComboFix.exe
[2009/01/14 18:50:38 | 00,000,686 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\HOSTS
[2009/01/14 18:49:32 | 00,578,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2009/01/14 18:43:06 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\susana\Desktop\HiJackThis.exe
[2009/01/14 18:42:49 | 01,529,241 | ---- | M] () -- C:\Documents and Settings\susana\Desktop\SDFix.exe
[2009/01/14 12:25:40 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\susana\Desktop\Spybot - Search & Destroy.lnk
[2009/01/14 12:24:41 | 15,083,520 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\susana\Desktop\spybotsd160.exe
[2009/01/14 12:08:08 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/01/14 12:07:22 | 02,697,168 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\susana\Desktop\mbam-setup.exe
[2009/01/14 03:02:19 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/01/09 20:35:28 | 20,853,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/01/04 22:35:30 | 00,000,042 | ---- | M] () -- C:\WINDOWS\System32\AK083E209605E394C.lie
[2009/01/04 18:38:22 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/01/04 18:38:18 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/01/04 17:20:24 | 00,441,454 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/01/04 17:20:24 | 00,381,692 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2009/01/04 17:20:24 | 00,053,436 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2009/01/04 17:10:19 | 00,186,608 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/01/04 16:22:29 | 00,250,048 | RHS- | M] () -- C:\NTLDR
[2009/01/02 20:08:11 | 00,006,583 | ---- | M] () -- C:\WINDOWS\System32\work.ini
[2009/01/02 20:00:37 | 00,000,212 | ---- | M] () -- C:\WINDOWS\System32\hgset.ini
[2008/12/26 15:35:54 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2008/12/13 01:40:02 | 03,593,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mshtml.dll
[2008/12/13 01:40:02 | 03,593,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2008/12/11 05:57:09 | 00,333,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\srv.sys
[2008/12/11 05:57:09 | 00,333,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys
[2008/11/30 12:27:18 | 00,000,839 | ---- | M] () -- C:\WINDOWS\orun32.ini
[2008/11/13 03:05:09 | 00,000,118 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2008/11/09 21:19:06 | 00,000,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Acrobat.com.lnk
[2008/11/09 21:17:08 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
< End of report >



Extras.txt


OTViewIt Extras logfile created on: 1/29/2009 5:07:46 PM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\susana\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

253.98 Mb Total Physical Memory | 83.46 Mb Available Physical Memory | 32.86% Memory free
624.99 Mb Paging File | 380.61 Mb Available in Paging File | 60.90% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.72 Gb Total Space | 94.96 Gb Free Space | 85.00% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DANJOHN
Current User Name: susana
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 90 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 19:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 19:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2001/02/12 02:25:24 | 01,187,840 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2001/02/12 02:25:24 | 01,187,840 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2001/02/12 02:25:24 | 01,187,840 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/05 13:55:38 | 00,221,184 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (ms-itss:{0A9007C0-4076-11D3-8789-0000F8105754} (HKLM) [Microsoft Infotech Storage Protocol for IE 4.0])

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}"=Adobe AIR
"{04410044-9149-45C6-A806-F2BF9CFCE762}"=Microsoft Encarta Encyclopedia Standard 2004
"{05C56753-F144-44BC-BA67-83CC5DBF395C}"=F300
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}"=Sonic Update Manager
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}"=Dell Solution Center
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}"=Sonic DLA
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}"=HPPhotoSmartExpress
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}"=Dell Media Experience
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}"=Java™ 6 Update 11
"{2E0695EE-ED29-4D96-BD77-2A9A17EDF0D6}"=Cypress USB Mass Storage Driver Installation
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}"=Internet Explorer Default Page
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}"=Modem On Hold
"{411C452C-7F92-405E-B9A0-EA6BD3C4A630}"=Mickey Mouse Preschool
"{45B8A76B-57EC-4242-B019-066400CD8428}"=BufferChm
"{45EBDA59-D33B-433A-956E-B2F236468B56}"=MUSICMATCH® Jukebox
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}"=Banctec Service Agreement
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}"=HPProductAssistant
"{54F90B55-BEB3-4F0D-8802-228822FA5921}"=WordPerfect Office 11
"{66910000-8B30-4973-A159-6371345AFFA5}"=WebReg
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}"=eSupportQFolder
"{68763C27-235D-4165-A961-FDEA228CE504}"=AiOSoftwareNPI
"{68D60342-7686-45C9-B8EB-40EF843D0460}"=Dell Networking Guide
"{6909F917-5499-482e-9AA1-FAD06A99F231}"=Toolbox
"{6994491D-D491-48F1-AE1F-E179C1FFFC2F}"=HP Photosmart Essential
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}"=CustomerResearchQFolder
"{7148F0A8-6813-11D6-A77B-00B0D0142000}"=Java 2 Runtime Environment, SE v1.4.2
"{736C803C-DD3B-4015-BC51-AFB9E67B9076}"=Readme
"{77DCDCE3-2DED-62F3-8154-05E745472D07}"=Acrobat.com
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}"=Modem Event Monitor
"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}"=ProductContextNPI
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}"=DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}"=Modem Helper
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}"=Jasc Paint Shop Pro 8 Dell Edition
"{8331C3EA-0C91-43AA-A4D4-27221C631139}"=Status
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}"=Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}"=Intel® Extreme Graphics Driver
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}"=Help and Support Customization
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}"=Sonic RecordNow!
"{95738B44-49CF-4C62-A620-320F1007B14A}"=SpiralFrog Download Manager 0.8.25
"{9860A9CF-7E71-43AC-888F-0B4D3EA212D1}"=Roxio Burn Engine
"{996512CF-F35B-48DE-9291-557FA5316967}"=ScannerCopy
"{9B2CFE3B-7F55-4786-A20D-BB244914F6D8}"=EarthLink Setup Files
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}"=Intel® PROSet
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}"=DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A90000000001}"=Adobe Reader 9
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}"=HP Software Update
"{BBBCAE4B-B416-4182-A6F2-438180894A81}"=Napster
"{BDAC64EB-F3CF-47EC-AB54-42D3BD3A8633}"=Winnie the Pooh Preschool
"{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}"=HP Photosmart, Officejet and Deskjet 7.0.A
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}"=SolutionCenter
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}"=AiO_Scan_CDA
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}"=Jasc Paint Shop Photo Album
"{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}"=LiveUpdate Notice (Symantec Corporation)
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}"=TrayApp
"{E1B80DEE-A795-4258-8445-074C06AE3AB8}"=MarketResearch
"{E5966E4C-0A93-4F59-A981-BD3173D4799F}"=F300_Help
"{EEDB23C9-50AB-4D25-B327-EE4FCDAE265F}"=Stanley Wild for Sharks
"{F157460F-720E-482f-8625-AD7843891E5F}"=InstantShareDevicesMFC
"{F3760724-B29D-465B-BC53-E5D72095BCC4}"=Scan
"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}"=Fax_CDA
"{FB15E224-67C3-491F-9F5C-F257BC418412}"=Destinations
"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}"=NewCopy_CDA
"{FC4ED75D-916C-4A8C-BB67-3C6F6E06D62B}"=Banctec Service Agreement
"Adobe AIR"=Adobe AIR
"AdobeESD"=Adobe Download Manager 2.0 (Remove Only)
"ATV mudracer"=ATV mudracer 1.0
"Color@Home_II_2.0"=Color@Home
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1"=Acrobat.com
"ComcastHSI"=Comcast High-Speed Internet Install Wizard
"Dell Digital Jukebox Driver"=Dell Digital Jukebox Driver
"Does It Belong"=Does It Belong
"EasyChange Powered by TrueSwitch"=EasyChange Powered by TrueSwitch
"EsetOnlineScanner"=ESET Online Scanner
"HijackThis"=HijackThis 2.0.2
"HP Imaging Device Functions"=HP Imaging Device Functions 7.0
"HP Solution Center & Imaging Support Tools"=HP Solution Center 7.0
"HPExtendedCapabilities"=HP Customer Participation Program 7.0
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"Intel® 537EP V9x DF PCI Modem"=Intel® 537EP V9x DF PCI Modem
"LimeWire"=LimeWire 4.18.8
"LiveUpdate"=LiveUpdate 3.1 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"Norton PC Checkup"=Norton PC Checkup
"Pacific Poker"=Pacific Poker
"PROSet"=Intel® PRO Network Adapters and Drivers
"QuickTime"=QuickTime
"RealPlayer 6.0"=RealOne Player
"Shanghai Street Racer"=Shanghai Street Racer 1.0
"Shockwave"=Shockwave
"ShockwaveFlash"=Adobe Flash Player 9 ActiveX
"StreetPlugin"=Learn2 Player (Uninstall Only)
"Tech Deck BKG"=Tech Deck BKG (remove only)
"U.B. Funkeys"=U.B. Funkeys
"ViewpointMediaPlayer"=Viewpoint Media Player
"WebSTAR DPC2100 Uninstall"=Scientific-Atlanta WebSTAR 2000 series Cable Modem
"Westgate Documentation"=Westgate Documentation
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 3
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/12/2008 1:01:36 PM | Computer Name = DANJOHN | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Initialization of the COM subsystem failed.
Error code: 0x8007041D

Error - 12/14/2008 12:41:07 PM | Computer Name = DANJOHN | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16735, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/26/2008 4:29:07 PM | Computer Name = DANJOHN | Source = Application Hang | ID = 1002
Description = Hanging application poker.exe, version 2.1.0.16, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/26/2008 4:36:05 PM | Computer Name = DANJOHN | Source = Application Hang | ID = 1002
Description = Hanging application pspa.exe, version 4.0.0.3, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/2/2009 8:55:58 PM | Computer Name = DANJOHN | Source = Application Error | ID = 1000
Description = Faulting application ccSvcHst.exe, version 106.2.0.21, faulting module
SetEvtHp.dll, version 0.0.0.0, fault address 0x00003008.

Error - 1/2/2009 8:56:34 PM | Computer Name = DANJOHN | Source = Application Error | ID = 1001
Description = Fault bucket 392485481.

Error - 1/3/2009 2:18:27 AM | Computer Name = DANJOHN | Source = Spiralfrog | ID = 0
Description = General Information ********************************************* Additional
Info: ExceptionManager.MachineName: DANJOHN ExceptionManager.TimeStamp: 1/3/2009
1:18:22 AM ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=null ExceptionManager.AppDomainName:
Spiralfrog.exe ExceptionManager.ThreadIdentity: ExceptionManager.WindowsIdentity:
DANJOHN\miguel 1) Exception Information *********************************************
Exception
Type: System.Exception Message: The metadata file (the Server Manifest) can't be
downloaded for the application 'SpiralfrogClient'. Either the manifest is unavailable
(check download URL in Updater config file), the downloader failed, or the Manifest
failed validation. TargetSite: NULL HelpLink: NULL Source: NULL 2) Exception Information
*********************************************
Exception
Type: System.Runtime.InteropServices.COMException ErrorCode: -2145386481 Message:
Exception from HRESULT: 0x8020000F. TargetSite: Void GetError(Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.IBackgroundCopyError
ByRef) HelpLink: NULL Source: Microsoft.ApplicationBlocks.ApplicationUpdater StackTrace
Information ********************************************* at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.IBackgroundCopyJob.GetError(IBackgroundCopyError&
ppError) at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.BITSDownloader.HandleDownloadErrorCancelJob(IBackgroundCopyJob
copyJob, String& errMessage) at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.BITSDownloader.Microsoft.ApplicationBlocks.ApplicationUpdater.Interfaces.IDownloader.Download(String
sourceFile, String destFile, TimeSpan maxTimeWait) at Microsoft.ApplicationBlocks.ApplicationUpdater.DownloaderManager.IsServerManifestDownloaded()

Error - 1/4/2009 7:44:10 PM | Computer Name = DANJOHN | Source = Application Hang | ID = 1002
Description = Hanging application ccSvcHst.exe, version 108.0.2.4, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/14/2009 12:49:43 PM | Computer Name = DANJOHN | Source = Application Hang | ID = 1002
Description = Hanging application msmsgs.exe, version 4.7.0.3001, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/19/2009 6:15:33 PM | Computer Name = DANJOHN | Source = Userenv | ID = 1512
Description = Windows cannot unload your registry file. The memory used by the registry
has not been freed. This is often caused by services running as a user account,
try configuring the services to run in either the LocalService or NetworkService
account. If this problem persists, contact your administrator. DETAIL - Insufficient
system resources exist to complete the requested service.

[ System Events ]
Error - 1/14/2009 7:13:55 PM | Computer Name = DANJOHN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 1/14/2009 7:33:07 PM | Computer Name = DANJOHN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/14/2009 7:47:38 PM | Computer Name = DANJOHN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 1/14/2009 7:47:46 PM | Computer Name = DANJOHN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 1/14/2009 7:47:47 PM | Computer Name = DANJOHN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/14/2009 7:48:40 PM | Computer Name = DANJOHN | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 1/14/2009 7:48:40 PM | Computer Name = DANJOHN | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 1/14/2009 7:48:40 PM | Computer Name = DANJOHN | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD Networking Support
Environment service which failed to start because of the following error: %%31

Error - 1/14/2009 7:48:40 PM | Computer Name = DANJOHN | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 1/14/2009 7:48:40 PM | Computer Name = DANJOHN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip


< End of report >



ComboFix.txt


ComboFix 09-01-21.04 - susana 2009-01-29 17:14:34.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.60 [GMT -5:00]
Running from: c:\documents and settings\susana\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\RKHit.sys

----- BITS: Possible infected sites -----

hxxp://www.spiralfrog.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RKHIT


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.

2009-01-15 12:53 . 2009-01-15 13:23 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-01-14 18:49 . 2009-01-14 18:49 578,560 --a------ c:\windows\SYSTEM32\DLLCACHE\user32.dll
2009-01-14 18:48 . 2009-01-14 18:48 <DIR> d-------- c:\windows\ERUNT
2009-01-14 18:48 . 2001-08-18 12:00 1,688 --a------ c:\windows\SYSTEM32\AUTOEXEC.NT
2009-01-14 18:45 . 2009-01-14 18:59 <DIR> d-------- C:\SDFix
2009-01-14 18:04 . 2004-04-01 23:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-01-14 18:04 . 2004-04-01 23:50 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-01-14 18:04 . 2004-04-01 23:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-01-14 18:04 . 2009-01-14 18:04 <DIR> d-------- c:\documents and settings\Administrator
2009-01-14 12:25 . 2009-01-14 13:50 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-14 12:25 . 2009-01-14 13:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-14 12:08 . 2009-01-14 12:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 12:08 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-14 12:08 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-13 18:43 . 2009-01-13 18:43 <DIR> d-------- c:\documents and settings\susana\Application Data\Malwarebytes
2009-01-13 18:43 . 2009-01-13 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-13 18:31 . 2008-04-13 13:39 14,592 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2009-01-13 18:31 . 2008-04-13 13:39 14,592 --a------ c:\windows\SYSTEM32\DLLCACHE\kbdhid.sys
2009-01-04 22:35 . 2009-01-04 22:35 42 --a------ c:\windows\SYSTEM32\AK083E209605E394C.lie
2009-01-04 18:25 . 2009-01-04 18:25 <DIR> d-------- c:\program files\Norton Support
2009-01-04 17:42 . 2009-01-04 18:11 <DIR> d-------- c:\program files\Norton PC Checkup
2009-01-04 17:38 . 2009-01-04 20:15 <DIR> d-------- c:\windows\LMI209.tmp
2009-01-04 16:34 . 2009-01-04 16:34 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-01-04 16:34 . 2009-01-04 16:34 <DIR> d-------- c:\windows\SYSTEM32\en
2009-01-04 16:34 . 2009-01-04 16:34 <DIR> d-------- c:\windows\l2schemas
2009-01-03 09:59 . 2008-04-13 19:12 712,704 --------- c:\windows\SYSTEM32\windowscodecs.dll
2009-01-03 09:59 . 2008-04-13 19:12 346,112 --------- c:\windows\SYSTEM32\windowscodecsext.dll
2009-01-03 09:59 . 2008-04-13 19:12 276,992 --------- c:\windows\SYSTEM32\wmphoto.dll
2009-01-03 09:59 . 2008-04-13 19:12 69,120 --------- c:\windows\SYSTEM32\wlanapi.dll
2009-01-03 09:58 . 2008-04-13 19:12 412,160 --------- c:\windows\SYSTEM32\photometadatahandler.dll
2009-01-03 09:58 . 2008-04-13 19:12 291,328 --------- c:\windows\SYSTEM32\qagentrt.dll
2009-01-03 09:58 . 2008-04-13 19:12 290,304 --------- c:\windows\SYSTEM32\rhttpaa.dll
2009-01-03 09:58 . 2008-04-13 19:12 150,528 --------- c:\windows\SYSTEM32\qagent.dll
2009-01-03 09:58 . 2008-04-13 19:12 144,384 --------- c:\windows\SYSTEM32\onex.dll
2009-01-03 09:58 . 2008-04-13 19:12 76,800 --------- c:\windows\SYSTEM32\qutil.dll
2009-01-03 09:58 . 2008-04-13 19:12 62,464 --------- c:\windows\SYSTEM32\qcliprov.dll
2009-01-03 09:58 . 2008-04-13 19:12 61,952 --------- c:\windows\SYSTEM32\rasqec.dll
2009-01-03 09:58 . 2008-04-13 19:12 53,248 --------- c:\windows\SYSTEM32\tsgqec.dll
2009-01-03 09:58 . 2008-04-13 19:12 50,688 --------- c:\windows\SYSTEM32\tspkg.dll
2009-01-03 09:58 . 2008-04-13 19:12 32,768 --------- c:\windows\SYSTEM32\setupn.exe
2009-01-03 09:58 . 2008-04-13 13:40 10,240 --------- c:\windows\SYSTEM32\DRIVERS\sffp_mmc.sys
2009-01-03 09:56 . 2008-04-13 19:11 233,472 --------- c:\windows\SYSTEM32\azroles.dll
2009-01-03 09:56 . 2008-04-13 19:11 136,192 --------- c:\windows\SYSTEM32\aaclient.dll
2009-01-03 09:56 . 2008-04-13 19:11 12,800 --------- c:\windows\SYSTEM32\credssp.dll
2009-01-03 09:56 . 2008-04-13 19:11 7,168 --------- c:\windows\SYSTEM32\bitsprx4.dll
2009-01-02 19:45 . 2009-01-02 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCSettings
2009-01-02 19:43 . 2009-01-07 22:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-01-02 19:34 . 2009-01-07 22:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-01 18:12 . 2009-01-08 20:37 <DIR> d-------- c:\documents and settings\miguel\Application Data\LimeWire
2009-01-01 18:07 . 2009-01-01 18:07 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2009-01-01 18:07 . 2009-01-01 18:07 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
2009-01-01 17:52 . 2009-01-01 17:53 <DIR> d-------- c:\program files\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 22:03 --------- d-----w c:\program files\SpiralFrog
2009-01-09 03:56 --------- d-----w c:\program files\TrueSwitchComcast
2009-01-09 03:55 --------- d-----w c:\documents and settings\miguel\Application Data\MSN6
2009-01-08 03:26 --------- d-----w c:\program files\Symantec
2009-01-08 03:26 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-04 00:32 --------- d-----w c:\documents and settings\susana\Application Data\MSN6
2009-01-03 01:06 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-03 00:57 0 ----a-w c:\documents and settings\miguel\iphist.dat
2009-01-01 23:07 --------- d-----w c:\program files\Java
2008-12-26 21:25 0 ----a-w c:\documents and settings\jonathan\iphist.dat
2008-12-26 21:19 --------- d-----w c:\documents and settings\jonathan\Application Data\GTek
2008-12-26 21:19 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2008-12-26 20:36 0 ----a-w c:\documents and settings\susana\iphist.dat
2008-12-23 00:23 --------- d-----w c:\documents and settings\All Users\Application Data\RoboForm
2008-12-20 21:39 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-20 21:32 --------- d-----w c:\program files\Microsoft AntiSpyware
2008-12-13 06:40 3,593,216 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-09-28 20:01 0 ----a-w c:\documents and settings\danny\iphist.dat
2006-10-20 02:00 194,376 ----a-w c:\documents and settings\miguel\Application Data\shb.dat
2003-08-27 18:19 36,963 ----a-r c:\program files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-14_19.11.11.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2007-07-27 19:49:02 196,683 ----a-w c:\windows\SYSTEM32\lnod32apiA.dll
+ 2007-07-27 19:49:02 225,355 ----a-w c:\windows\SYSTEM32\lnod32apiW.dll
+ 2005-12-06 00:25:22 139,264 ----a-w c:\windows\SYSTEM32\lnod32umc.dll
+ 2005-12-05 17:37:10 106,496 ----a-w c:\windows\SYSTEM32\lnod32upd.dll
+ 2008-02-11 14:39:26 253,952 ----a-w c:\windows\SYSTEM32\OnlineScannerDLLA.dll
+ 2008-02-11 14:39:18 237,568 ----a-w c:\windows\SYSTEM32\OnlineScannerDLLW.dll
+ 2008-02-08 18:53:46 110,592 ----a-w c:\windows\SYSTEM32\OnlineScannerLang.dll
+ 2008-02-05 13:48:04 77,824 ----a-w c:\windows\SYSTEM32\OnlineScannerUninstaller.exe
+ 2004-12-07 15:11:34 258,352 ----a-w c:\windows\SYSTEM32\unicows.dll
+ 2009-01-29 22:18:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-26 204800]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-04-01 77824]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-04-01 151597]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 53248]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 118784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SpiralFrog"="c:\program files\SpiralFrog\Spiralfrog.exe" [2008-03-12 163128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]

c:\documents and settings\miguel\Start Menu\Programs\Startup\
TrueAssistant.lnk - c:\program files\TrueSwitchComcast\TrueWizard.exe [2007-09-28 1028096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=


--- Other Services/Drivers In Memory ---

*Deregistered* - v_qi
.
Contents of the 'Scheduled Tasks' folder

2004-04-07 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 19:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://results.searchscout.com/content/429/16145-12/content16145-6.html?b=21355&m=Mzc2OTEyMzE2&t=1000154486&d=1000154486&k=valueline%2ecom&c=16145&s=wave2_1
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: Display All Images with Full Quality - c:\program files\NetZero\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\program files\NetZero\qsacc\appres.dll/227
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 17:26:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\v_qi]
"ImagePath"="\??\c:\program files\Common Files\System\v_qi32.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-723244549-3433649260-1904190958-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-01-29 17:29:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-29 22:28:59
ComboFix2.txt 2009-01-15 00:35:19
ComboFix3.txt 2009-01-15 00:12:01

Pre-Run: 101,923,995,648 bytes free
Post-Run: 101,849,083,904 bytes free

200 --- E O F --- 2009-01-14 08:02:19
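The ComboFix log above lists a service `v_qi` whose ImagePath is a DLL under Common Files\System (and which ComboFix marks as *Deregistered* under "Other Services/Drivers In Memory"), plus two Security Center `DisableMonitoring` keys. Whether `v_qi` is malicious is not established in the thread, but a service whose ImagePath is a DLL rather than an .exe or .sys is exactly the kind of entry a responder checks first. The script below is an added worked example, not part of the thread and not ComboFix code: it parses REGEDIT4-style lines of the kind ComboFix prints and applies a few triage rules (DLL service ImagePath, service binary outside the Windows directory, Run entry launched from a Temp/Recycler folder, disabled Security Center alerting). The first four sample entries are copied from the log; the `Updater` Run entry is constructed to exercise the Temp rule and does not come from this machine. `DisableMonitoring` is reported only for review, since it is expected when the product (here Norton) is actually installed. The Windows directory is assumed to be `c:\windows`, as in the log.

```python
"""Triage heuristics for ComboFix-style 'Reg Loading Points' output.

Added example for this thread; not ComboFix code and not the helper's
procedure. The first four SAMPLE_LOG entries are copied from the log posted
above; the 'Updater' Run entry is CONSTRUCTED to exercise the Temp-folder rule.
The rules and severities are this example's own triage assumptions.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpiralFrog"="c:\program files\SpiralFrog\Spiralfrog.exe" [2008-03-12 163128]
"Updater"="c:\documents and settings\susana\Local Settings\Temp\upd.exe" [2009-01-04 12288]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\v_qi]
"ImagePath"="\??\c:\program files\Common Files\System\v_qi32.dll"
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# ComboFix appends " [YYYY-MM-DD size]" to Run entries; it is not registry data.
ANNOT_RE = re.compile(r'\s+\[\d{4}-\d{2}-\d{2} \d+\]$')
NT_PREFIX = '\\??\\'           # object-manager path form, normal for driver ImagePaths
WINDOWS_DIR = 'c:\\windows\\'  # assumption: matches the posted log


def parse_reg_lines(text):
    """Yield (key, value_name, data) triples from REGEDIT4-style text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            data = ANNOT_RE.sub('', m.group(2).strip())
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]
            yield key, m.group(1), data


def triage(entries):
    """Return (severity, subject, reason) findings; entries with no hit produce nothing."""
    findings = []
    for key, name, data in entries:
        k, n, path = key.lower(), name.lower(), data.lower()
        if '\\services\\' in k and n == 'imagepath':
            svc = key.rsplit('\\', 1)[-1]
            if path.startswith(NT_PREFIX):
                path = path[len(NT_PREFIX):]
            if path.endswith('.dll'):
                # A service ImagePath is an .exe (svchost hosts DLLs via ServiceDll) or a .sys driver.
                findings.append(('high', svc, 'service ImagePath is a DLL: ' + path))
            elif not path.startswith(WINDOWS_DIR):
                findings.append(('medium', svc, 'service binary outside the Windows directory: ' + path))
        elif k.endswith('\\currentversion\\run'):
            if '\\temp\\' in path or '\\recycler\\' in path:
                findings.append(('high', name, 'autostart from a Temp/Recycler folder: ' + path))
            elif not (path.startswith(WINDOWS_DIR) or path.startswith('c:\\program files\\')):
                findings.append(('medium', name, 'autostart outside Windows/Program Files: ' + path))
        elif ('\\security center\\monitoring\\' in k and n == 'disablemonitoring'
              and path == 'dword:00000001'):
            product = key.rsplit('\\', 1)[-1]
            findings.append(('review', product,
                             'Security Center alerting disabled; expected only if the product is installed'))
    return findings


def triage_text(text):
    """Convenience wrapper: parse and triage a whole log fragment."""
    return triage(parse_reg_lines(text))


if __name__ == '__main__':
    for severity, subject, reason in triage_text(SAMPLE_LOG):
        print(f'[{severity:6}] {subject}: {reason}')
```

Run against the sample, the script reports `v_qi` (DLL ImagePath) and the constructed `Updater` entry as high, `SymantecAntiVirus` for review, and nothing for `ctfmon.exe` or `SpiralFrog`. The rules are deliberately coarse: they tell you where to look, not what is malicious, and a Run entry under Program Files can still be unwanted software.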

#4 Yourhighness, The BSG Malware Fighter (Malware Response Team, Hamburg)

Posted 30 January 2009 - 05:28 PM

Hi there,

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case LimeWire). These programmes allow files to be shared between users, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, via the included links: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Your logs show that you have online poker programme(s) installed on your computer. I know that you may use these games on a regular basis, but I think it's important to note that these kinds of programmes are often installed with other unwanted software, namely spyware or adware. Due to this I strongly suggest that you uninstall these programmes if you do not use them anymore or did not install them yourself on purpose. There are so many online poker games out there these days that it is close to impossible to keep track of whether a programme is infected or not. Should you have installed this online poker game on purpose and wish to continue using it, you may ignore this. Should you decide to uninstall the programme, you can do so by following the steps below:

Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs, search for the poker game and remove it.

If you are unsure of anything, please don't hesitate to ask.

* Clean your Cache and Cookies in Internet Explorer:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Please go to Eset Onlinescan (NOD32)
(You need to use Internet Explorer or enable IEView in Firefox)
  • You will then see the Terms of Use; tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
    • Click into the text area, right-click and choose "select all" (or use ctrl+a)
    • Right-click again and choose "copy" (or ctrl+c)
    • Close Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note for Vista Users: Eset is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Thanks Johannes.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#5 JSeiler (Topic Starter)

Posted 02 February 2009 - 07:11 PM

Sorry for the delay, here's the Eset Online Scanner log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3813 (20090130)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=49194e9e1f37f846b144189d44cb9f0b
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-30 11:47:35
# local_time=2009-01-30 06:47:35 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=197120
# found=0
# scan_time=1615

#6 Yourhighness, The BSG Malware Fighter (Malware Response Team, Hamburg)

Posted 03 February 2009 - 04:52 PM

Hi JSeiler,

How is your PC doing? Just checking before we continue :thumbsup:.


#7 JSeiler (Topic Starter)

Posted 04 February 2009 - 08:21 AM

I installed the user's Norton Anti-virus and it found more malware. After getting rid of it, the redirection stopped.

#8 Yourhighness, The BSG Malware Fighter (Malware Response Team, Hamburg)

Posted 04 February 2009 - 01:56 PM

Hi,

can you tell me what it found?

Please navigate to: Start >> Run... and type Combofix /u and hit Enter. Thanks.

Please download OTCleanIt by OldTimer.
  • Please double-click on "OTCleanIt.exe"
  • Navigate to the following icon and click it: (image not reproduced)
  • OTCleanIt might ask you to reboot. If it does so, please let it do so.
Note: after the reboot, OTCleanIt and the other helper tools downloaded while cleaning your PC will be removed, so it's okay if it is not there anymore ;)

Please also have a look at the following links, giving some advice and suggestions for preventing future infections:

I recommend you regularly visit the Windows Update Site!
  • Lots of hacks/Trojans use holes (plugged by the updates) that remain open because people have not updated.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but it can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one of them (I have MVPS Hosts as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      (image not reproduced)
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!


-edit- added some contents. Thanks!

Edited by Yourhighness, 04 February 2009 - 01:57 PM.
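The HostsMan advice above ends with a caveat worth taking seriously: a managed Hosts file (on Windows, `%SystemRoot%\system32\drivers\etc\hosts`) will replace any custom entries you had, and a blocklist can also carry its own `localhost` line or a name you deliberately map elsewhere. The script below is an added example, not HostsMan's code and not something the helper posted: it merges a `0.0.0.0 <host>` style blocklist into an existing hosts file between marker comments, keeps every line outside the markers verbatim so the merge can be re-run, lets a custom mapping win over the blocklist (and reports it), drops duplicates and `localhost`, and rewrites every blocked name to a single sink address. Both inputs are constructed.

```python
"""Merge a hosts-file blocklist into an existing hosts file without losing
the machine's own entries.

Added example for the HostsMan advice above; it is not HostsMan's code. Both
inputs are CONSTRUCTED. The blocklist uses the common '0.0.0.0 <host>' form;
the existing file contains one custom mapping that a blind overwrite would lose.
"""

EXISTING_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    intranet.example    # constructed custom entry
"""

BLOCKLIST = """# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 ads.example
0.0.0.0 tracker.example ads.example
127.0.0.1 intranet.example
"""

BEGIN_MARK = '# BEGIN managed blocklist'
END_MARK = '# END managed blocklist'


def parse_hosts(text):
    """Return [(ip, [hostnames])] in file order; comments and blank lines dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def lookup(text, name):
    """IP the resolver would use for name (hosts files are first-match), or None."""
    name = name.lower()
    for ip, hosts in parse_hosts(text):
        if name in hosts:
            return ip
    return None


def merge_hosts(existing_text, blocklist_text, sink='0.0.0.0'):
    """Return (new_hosts_text, skipped_names).

    Everything outside a previous BEGIN/END block is kept verbatim, so the
    operation is idempotent. Blocklist names already mapped by a custom line
    are skipped (the custom mapping wins) and reported; duplicates and
    'localhost' are dropped; every kept name is pointed at `sink`
    (0.0.0.0 avoids a connection attempt to a local listener).
    """
    custom_lines, inside = [], False
    for line in existing_text.splitlines():
        if line.strip() == BEGIN_MARK:
            inside = True
        elif line.strip() == END_MARK:
            inside = False
        elif not inside:
            custom_lines.append(line)
    custom_names = {h for _, hosts in parse_hosts('\n'.join(custom_lines)) for h in hosts}

    block, skipped, seen = [], [], set()
    for _, hosts in parse_hosts(blocklist_text):
        for h in hosts:
            if h == 'localhost' or h in seen:
                continue
            seen.add(h)
            if h in custom_names:
                skipped.append(h)
                continue
            block.append(f'{sink} {h}')

    merged = '\n'.join(custom_lines).rstrip('\n') + '\n' + BEGIN_MARK + '\n'
    merged += '\n'.join(block) + ('\n' if block else '') + END_MARK + '\n'
    return merged, skipped


if __name__ == '__main__':
    text, skipped = merge_hosts(EXISTING_HOSTS, BLOCKLIST)
    print(text)
    print('kept custom mappings for:', skipped)
```

On the constructed input, `ads.example` and `tracker.example` end up pointed at 0.0.0.0, `intranet.example` keeps its custom address and is reported as skipped, and running the merge a second time over its own output changes nothing. Writing the result to the real hosts file on Windows needs administrative rights and CRLF line endings, and `ipconfig /flushdns` afterwards makes the change take effect for already-cached names.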




