Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect virus


  • This topic is locked This topic is locked
10 replies to this topic

#1 doomalyas

doomalyas

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 27 January 2009 - 02:17 PM

Hello,

I've got some sort of google redirect virus; my computer is running more slowly than usual, google searches take quite a long time and say that they are transferring data from 7.7.7.0, and search results have the correct snippet text and title, but link to commercial sites like antivirus-removal. DDS won't run on my computer (I'm running Windows XP Pro 64 bit), so I'm posting a HijackThis log below. Any help would be much appreciated!

Thanks,
Nicholson

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:08 PM, on 1/27/2009
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe
C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1155844470109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CRYSTAL.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CRYSTAL.LOCAL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CRYSTAL.LOCAL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder 64\ImapiHelper.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 8158 bytes

BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:03 AM

Posted 08 February 2009 - 04:14 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



Download and Run OTViewit
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created to ensure we have backup so encase anything goes wrong we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt


How to Restore from the ERUNT Backup
Only restore from the backups if instructed to, or you need to do so. You need it if after doing something, your computer will only boot in Safe Mode and you are unable to contact us (or anyone else) for help by other means, or if your computer will not boot into Windows at all.

To restore if you can boot, navigate to C:\WINDOWS\erdnt, choose the folder with the most recent date, and double click ERDNT.EXE. Check all boxes in the restoration options.

To restore from the Recovery Console using the Windows CD:
  • Turn on your machine with the disk in the drive.
  • Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • Type without quotes "cd erdnt" followed by Enter.
  • Type without quotes "dir" followed by Enter. This will list out the available folders, whose names are the date on which the backup was taken in (M)M-DD-YYYY format. Try the most recent dates first.
  • Type without quotes "cd **name of the folder**" followed by Enter.
  • Type without quotes "batch erdnt.con" followed by Enter.
  • Type without quotes "exit" followed by Enter.
  • Remove your CD from the drive and reboot your computer into the restored registry. If you still cannot boot, try again with an earlier restore date.

Create and Run batch script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".

    @Echo off

    If exist "C:\looking.txt" Del /q /s "C:\looking.txt"
    reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32" >> C:\looking.txt
    Notepad C:\looking.txt

    Exit

    Del %0

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input peek.bat.
  • Hit OK.
When done properly, the icon should look like Posted Image for the .bat file.

Double click on peek.bat, and Black DOS window shall appear and then notepad will soon open. This is normal please do not panic. Once it's complete copy and paste the contents of notepad in your next reply.

Note: If you closed notepad accidentally, it can also be found at C:\looking.txt

Run Kaspersky Online Scanner
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

In your next reply please include the following:
  • OTViewIt.txt
  • Extra.txt
  • Looking.txt log
  • Kaspersky's Log
  • Description of Problems you still have

Important Note: For other users who are reading this topic,the instructions provided in this topic are for the original topic starter ONLY. Even if you have similar problems or even log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic and feel free to link to any relevant topics as needed.Please Do NOT follow the instructions provided for this topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 doomalyas

doomalyas
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 09 February 2009 - 10:42 AM

Hi - thanks for the help!

I'm pasting below the OTView Logs:

OTViewIt logfile created on: 2/9/2009 10:36:58 AM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Service Pack 1 (Version = 5.2.3790) - Type = NTWorkstation
Internet Explorer (Version = 6.0.3790.1830)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.37 Mb Total Physical Memory | 218.04 Mb Available Physical Memory | 22.75% Memory free
2.83 Gb Paging File | 2.00 Gb Available in Paging File | 70.62% Paging File free
Paging file location(s): c:\pagefile.sys 2000 2000;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 48.83 Gb Total Space | 1.83 Gb Free Space | 3.74% Space Free | Partition Type: NTFS
Drive D: | 100.21 Gb Total Space | 57.94 Gb Free Space | 57.82% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SLICKNIC-A7T4AD
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2005/04/08 14:54:52 | 00,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSetMgr.exe
[2005/04/08 14:52:32 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccEvtMgr.exe
[2005/04/17 11:30:32 | 00,019,648 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe
[2005/04/17 11:30:40 | 01,706,176 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe
[2005/08/17 17:39:58 | 00,090,112 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe
[2007/07/27 08:31:11 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[2005/07/15 16:48:33 | 00,479,232 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe
[2006/05/16 21:12:59 | 00,075,376 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
[2008/12/18 10:59:28 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
[2009/02/09 10:35:39 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/07/25 09:13:44 | 00,046,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2005/04/08 14:52:32 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
[2005/04/08 14:54:50 | 00,083,568 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
[2005/04/08 14:54:52 | 00,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
[2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2008/07/25 09:13:48 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64 [On_Demand | Stopped])
[2005/04/17 11:30:32 | 00,019,648 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
File not found -- -- (dmadmin [On_Demand | Stopped])
File not found -- -- (Eventlog [Auto | Running])
[2008/07/29 20:18:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2009/01/21 11:26:52 | 00,137,200 | ---- | M] (Google) -- C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
File not found -- -- (HTTPFilter [On_Demand | Stopped])
[2006/03/29 07:00:00 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\svchost.exe -- (IASJet [On_Demand | Stopped])
[2008/07/29 18:28:38 | 00,859,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2006/01/05 00:29:32 | 00,245,760 | ---- | M] (Alex Feinman) -- C:\Program Files\Alex Feinman\ISO Recorder 64\ImapiHelper.exe -- (Imapi Helper [On_Demand | Stopped])
File not found -- -- (ImapiService [On_Demand | Stopped])
File not found -- -- (MSDTC [On_Demand | Stopped])
[2006/03/29 07:00:00 | 00,419,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\netlogon.dll -- (Netlogon [Auto | Running])
[2008/07/29 18:20:34 | 00,119,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
File not found -- -- (NtLmSsp [On_Demand | Stopped])
File not found -- -- (NVSvc [Auto | Running])
[2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
File not found -- -- (PlugPlay [Auto | Running])
File not found -- -- (PolicyAgent [Auto | Running])
File not found -- -- (ProtectedStorage [Auto | Running])
File not found -- -- (RDSessMgr [On_Demand | Stopped])
File not found -- -- (SamSs [Auto | Running])
[2005/04/17 11:30:40 | 01,706,176 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
File not found -- -- (TlntSvr [Disabled | Stopped])
[2006/03/29 07:00:00 | 00,039,424 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [On_Demand | Stopped])
File not found -- -- (vds [On_Demand | Stopped])
File not found -- -- (VSS [On_Demand | Stopped])
[2006/04/03 19:02:16 | 00,014,032 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Disabled | Stopped])
File not found -- -- (WmiApSrv [On_Demand | Stopped])

========== Driver Services ==========

File not found -- -- (ACPI [Boot | Running])
File not found -- -- (AFD [System | Running])
File not found -- -- (ALCXWDM [On_Demand | Running])
File not found -- -- (atapi [Boot | Running])
File not found -- -- (audstub [On_Demand | Running])
File not found -- -- (Beep [System | Running])
[2003/06/07 04:12:02 | 00,007,168 | R--- | M] (BIOSTAR Group) -- C:\WINDOWS\system32\Drivers\BIOS64.sys -- (BIOS [System | Running])
File not found -- -- (CdaC15BA [Auto | Running])
File not found -- -- (CdaD10BA [Auto | Running])
File not found -- -- (Cdfs [Disabled | Running])
File not found -- -- (Cdrom [System | Running])
File not found -- -- (crcdisk [Boot | Running])
File not found -- -- (Disk [Boot | Running])
File not found -- -- (dmio [Boot | Running])
File not found -- -- (dmload [Boot | Running])
[2008/09/05 03:00:00 | 00,475,696 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl [System | Running])
[2005/04/21 11:40:38 | 00,010,624 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\system32\Drivers\ElbyCDIO.sys -- (ElbyCDIO [System | Stopped])
File not found -- -- (Fastfat [Disabled | Running])
File not found -- -- (Fdc [On_Demand | Running])
File not found -- -- (Fips [System | Running])
File not found -- -- (Flpydisk [On_Demand | Running])
File not found -- -- (FltMgr [Boot | Running])
File not found -- -- (Ftdisk [Boot | Running])
File not found -- -- (Gpc [On_Demand | Running])
File not found -- -- (hidusb [On_Demand | Running])
File not found -- -- (HTTP [On_Demand | Running])
File not found -- -- (i8042prt [System | Running])
File not found -- -- (imapi [System | Running])
File not found -- -- (IpNat [On_Demand | Running])
File not found -- -- (IPSec [System | Running])
File not found -- -- (isapnp [Boot | Running])
File not found -- -- (Kbdclass [System | Running])
File not found -- -- (KSecDD [Boot | Running])
File not found -- -- (ksthunk [On_Demand | Running])
[2006/03/29 07:00:00 | 00,033,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mnmdd.dll -- (mnmdd [System | Running])
File not found -- -- (Mouclass [System | Running])
File not found -- -- (mouhid [On_Demand | Running])
File not found -- -- (MountMgr [Boot | Running])
File not found -- -- (MRxDAV [On_Demand | Running])
File not found -- -- (MRxSmb [System | Running])
File not found -- -- (Msfs [System | Running])
File not found -- -- (mssmbios [On_Demand | Running])
File not found -- -- (Mup [Boot | Running])
[2008/11/20 04:00:00 | 00,136,752 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\VirusDefs\20090206.007\ENG64.SYS -- (NAVENG [On_Demand | Running])
[2008/11/20 04:00:00 | 01,461,808 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\VirusDefs\20090206.007\EX64.SYS -- (NAVEX15 [On_Demand | Running])
File not found -- -- (NDIS [Boot | Running])
File not found -- -- (NdisTapi [On_Demand | Running])
File not found -- -- (Ndisuio [On_Demand | Running])
File not found -- -- (NdisWan [On_Demand | Running])
File not found -- -- (NDProxy [On_Demand | Running])
File not found -- -- (NetBIOS [System | Running])
File not found -- -- (NetBT [System | Running])
File not found -- -- (Npfs [System | Running])
File not found -- -- (Ntfs [Disabled | Running])
File not found -- -- (Null [System | Running])
File not found -- -- (nv [On_Demand | Running])
File not found -- -- (nvatax64 [Boot | Running])
File not found -- -- (NVENETFD [On_Demand | Running])
File not found -- -- (nvnetbus [On_Demand | Running])
File not found -- -- (nvrdx64 [Boot | Running])
File not found -- -- (Parport [On_Demand | Running])
File not found -- -- (PartMgr [Boot | Running])
File not found -- -- (PCI [Boot | Running])
File not found -- -- (PCIIde [Boot | Running])
File not found -- -- (PptpMiniport [On_Demand | Running])
File not found -- -- (Processor [On_Demand | Running])
File not found -- -- (PSched [On_Demand | Running])
File not found -- -- (Ptilink [On_Demand | Running])
File not found -- -- (PxHlpa64 [Boot | Running])
File not found -- -- (RasAcd [System | Running])
File not found -- -- (Rasl2tp [On_Demand | Running])
File not found -- -- (RasPppoe [On_Demand | Running])
File not found -- -- (Raspti [On_Demand | Running])
File not found -- -- (Rdbss [System | Running])
File not found -- -- (RDPCDD [System | Running])
File not found -- -- (rdpdr [On_Demand | Running])
File not found -- -- (redbook [System | Running])
[2005/02/04 19:07:08 | 00,441,344 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec AntiVirus\Savrt64x86.sys -- (SAVRT [System | Running])
[2005/02/04 19:06:26 | 00,056,320 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec AntiVirus\Savrtpel64x86.sys -- (SAVRTPEL [System | Running])
File not found -- -- (Secdrv [Auto | Running])
File not found -- -- (serenum [On_Demand | Running])
File not found -- -- (Serial [System | Running])
File not found -- -- (sptd [Boot | Running])
File not found -- -- (sr [Boot | Running])
File not found -- -- (Srv [On_Demand | Running])
File not found -- -- (swenum [On_Demand | Running])
[2005/04/01 19:35:36 | 00,175,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT64x86.SYS -- (SymEvent [On_Demand | Running])
File not found -- -- (sysaudio [On_Demand | Running])
File not found -- -- (Tcpip [System | Running])
File not found -- -- (TermDD [System | Running])
[2009/01/27 12:19:07 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\Drivers\tmcomm.sys -- (tmcomm [Auto | Stopped])
File not found -- -- (Udfs [Disabled | Running])
File not found -- -- (Update [On_Demand | Running])
File not found -- -- (usbehci [On_Demand | Running])
File not found -- -- (usbhub [On_Demand | Running])
File not found -- -- (usbohci [On_Demand | Running])
File not found -- -- (VgaSave [System | Running])
File not found -- -- (VolSnap [Boot | Running])
File not found -- -- (Wanarp [On_Demand | Running])
[2006/03/29 07:00:00 | 00,023,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdmaud.drv -- (wdmaud [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
"Default_Search_URL"=http://www.google.com/ie
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Search_URL"=http://www.google.com/ie
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.google.com
"Start Page"=http://www.google.com/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/search?q=%s
"provider"=gogl

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\SysWOW64\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
{AA58ED58-01DD-4d91-8333-CF10577473F7} (HKLM) -- C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll ()
{AE7CD045-E861-484f-8273-0445EE161910} (HKLM) -- C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (HKLM) -- C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll (Google Inc.)
{C84D72FE-E17D-4195-BB24-76C02E2E7C4E} (HKLM) -- C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" (HKLM) -- C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" (HKLM) -- C:\WINDOWS\SysWOW64\browseui.dll (Microsoft Corporation)
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" (HKLM) -- C:\WINDOWS\SysWOW64\browseui.dll (Microsoft Corporation)
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}" (HKLM) -- C:\WINDOWS\SysWOW64\shell32.dll (Microsoft Corporation)
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll ()
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" (HKLM) -- C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe" (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
"updateMgr"="C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1 (Adobe Systems Incorporated)

========== (O4) RunOnce Keys ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (Adobe Systems, Inc.)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoActiveDesktop"=1
"ForceActiveDesktopOn"=0
"NoActiveDesktopChanges"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"scforceoption"=0
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
Convert link target to Adobe PDF: C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
Convert link target to existing PDF: C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
Convert selected links to Adobe PDF: C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
Convert selected links to existing PDF: C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
Convert selection to Adobe PDF: C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
Convert selection to existing PDF: C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
Convert to Adobe PDF: C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
Convert to existing PDF: C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
E&xport to Microsoft Excel: C:\Program Files (x86)\Microsoft Office\OFFICE11\EXCEL.EXE [2006/06/23 11:38:20 | 10,196,752 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.5.0_06\bin\NPJPI150_06.dll [2005/11/10 12:22:12 | 00,069,746 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %SystemDrive%\Program Files\Messenger\msmsgs.exe [2006/03/29 07:00:00 | 01,681,920 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %SystemDrive%\Program Files\Messenger\msmsgs.exe [2006/03/29 07:00:00 | 01,681,920 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_06\bin\NPJPI150_06.dll [Sun Java Console] -> [2005/11/10 12:22:12 | 00,069,746 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %SystemDrive%\Program Files\Messenger\msmsgs.exe [Messenger] -> [2006/03/29 07:00:00 | 01,681,920 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8}: http://go.microsoft.com/fwlink/?linkid=58813 -- Office Genuine Advantage Validation Tool
{17492023-C23A-453E-A040-C7C580BBF700}: http://go.microsoft.com/fwlink/?linkid=39204 -- Windows Genuine Advantage Validation Tool
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}: http://office.microsoft.com/officeupdate/content/opuc3.cab -- Office Update Installation Engine
{6414512B-B978-451D-A0D8-FCFDF33E833C}: http://update.microsoft.com/windowsupdate/...b?1155844470109 -- WUWebControl Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_06
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_06
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_06

========== (O17) DNS Name Servers ==========

{274189A9-FE8F-469F-A6FD-B7CAA8AD82C6} (Servers: | Description: NVIDIA nForce Networking Controller)

========== (O20) HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=Explorer.exe
>[2006/03/29 07:00:00 | 01,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\explorer.exe

"System"=lsass.exe
>File not found --


========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
NavLogon: "DllName" = C:\WINDOWS\SysWOW64\NavLogon.dll -- C:\WINDOWS\SysWOW64\NavLogon.dll (Symantec Corporation)
ScCertProp: "DllName" = wlnotify.dll -- File not found
Schedule: "DllName" = wlnotify.dll -- File not found
SensLogn: "DllName" = WlNotify.dll -- File not found
wlballoon: "DllName" = wlnotify.dll -- File not found

========== (O21) SSODL Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CDBurn"={fbeb8a05-beee-4442-804e-409d6c4515e9} (HKLM) -- C:\WINDOWS\SysWOW64\shell32.dll (Microsoft Corporation)
"PostBootReminder"={7849596a-48ea-486e-8937-a2a3009f31a9} (HKLM) -- C:\WINDOWS\SysWOW64\shell32.dll (Microsoft Corporation)
"SysTray"={35CEC8A3-2BE6-11D2-8773-92E220524153} (HKLM) -- C:\WINDOWS\SysWOW64\stobject.dll (Microsoft Corporation)
"WebCheck"={E6FB5E20-DE35-11CF-9C87-00AA005127ED} (HKLM) -- C:\WINDOWS\SysWOW64\webcheck.dll (Microsoft Corporation)

========== (O22) Shared Task Scheduler ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}" (HKLM) = Browseui preloader -- C:\WINDOWS\SysWOW64\browseui.dll (Microsoft Corporation)
"{8C7461EF-2B13-11d2-BE35-3078302C2030}" (HKLM) = Component Categories cache daemon -- C:\WINDOWS\SysWOW64\browseui.dll (Microsoft Corporation)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" (HKLM) -- C:\Program Files (x86)\Windows Defender\MpShHook.dll (Microsoft Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2006/08/16 15:17:34 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]


========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fce84611-9f24-11db-b73d-00e04ce78963}\Shell\AutoRun\command]
""=F:\Installer.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/02/09 10:35:52 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Administrator\Desktop\erunt-setup.exe
[2009/02/09 10:35:36 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTViewIt.exe
[2009/02/05 14:17:09 | 00,011,390 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\v=ap.88&hl=en&x=19300&s=&y=24648&z=16&s=Gali.png
[2009/02/05 10:12:27 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Property TA Session Week 4.doc
[2009/02/04 11:02:19 | 00,118,447 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\JWE on Wine Tasting.pdf
[2009/02/02 13:03:20 | 00,000,000 | ---D | C] -- C:\WALL_E
[2009/02/02 11:34:25 | 08,782,336 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Committee Meeting Feb 3 2009 0.3.ppt
[2009/02/02 11:19:15 | 00,074,752 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\WPrice - Informal Committee Report 090203.doc
[2009/02/02 10:26:15 | 00,075,264 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Committee Report 090203.doc
[2009/01/30 17:43:24 | 00,000,683 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\nypl_20_blu.png
[2009/01/28 14:22:14 | 08,090,112 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Committee Meeting Feb 3 2009 0.2.ppt
[2009/01/28 14:22:07 | 08,081,408 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Committee Meeting Feb 3 2009 0.1.ppt
[2009/01/27 13:59:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\gmer
[2009/01/27 13:57:52 | 00,747,873 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2009/01/27 13:57:16 | 00,368,971 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2009/01/27 13:56:56 | 00,368,922 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.com
[2009/01/27 13:51:22 | 00,001,788 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2009/01/27 13:51:22 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2009/01/27 13:51:10 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HJTInstall.exe
[2009/01/27 13:34:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2009/01/27 13:34:14 | 00,000,726 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/01/27 13:34:11 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/01/27 13:34:08 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/01/27 13:34:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/01/27 13:34:04 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2009/01/27 12:32:13 | 02,737,800 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2009/01/27 12:19:19 | 00,102,664 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/01/26 14:26:34 | 00,016,546 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\little HWI.jpg
[2009/01/26 14:01:07 | 08,080,896 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Committee Meeting Feb 3 2009.ppt
[2009/01/26 13:42:09 | 00,044,544 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\William Nicholson Price II Resume Jan 2008.doc
[2009/01/26 10:53:29 | 00,000,660 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\FreeRIP.lnk
[2009/01/26 10:53:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FreeRIP
[2009/01/26 10:53:27 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\FreeRIP3
[2009/01/26 10:52:44 | 01,892,336 | ---- | C] (MGShareware ) -- C:\Documents and Settings\Administrator\Desktop\freeripmp3.exe
[2009/01/20 10:04:03 | 04,521,953 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\nbt.1514-S2.zip
[2009/01/15 15:05:50 | 00,024,064 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\WNP2 Master Todo list 2009.doc
[2009/01/15 11:15:08 | 00,009,917 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\burce.faa

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2 C:\Documents and Settings\Administrator\My Documents\*.tmp files]
[2009/02/09 10:35:52 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Administrator\Desktop\erunt-setup.exe
[2009/02/09 10:35:39 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTViewIt.exe
[2009/02/09 02:00:00 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/02/05 14:17:12 | 00,011,390 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\v=ap.88&hl=en&x=19300&s=&y=24648&z=16&s=Gali.png
[2009/02/05 10:12:28 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Property TA Session Week 4.doc
[2009/02/04 11:02:19 | 00,118,447 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\JWE on Wine Tasting.pdf
[2009/02/03 15:06:37 | 00,010,185 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2009/02/02 15:02:53 | 08,782,336 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Committee Meeting Feb 3 2009 0.3.ppt
[2009/02/02 14:56:38 | 00,052,224 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/02 11:21:29 | 00,074,752 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\WPrice - Informal Committee Report 090203.doc
[2009/02/02 11:17:44 | 00,075,264 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Committee Report 090203.doc
[2009/01/30 17:43:27 | 00,000,683 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\nypl_20_blu.png
[2009/01/29 16:23:19 | 08,090,112 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Committee Meeting Feb 3 2009 0.2.ppt
[2009/01/28 14:22:09 | 08,081,408 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Committee Meeting Feb 3 2009 0.1.ppt
[2009/01/27 17:09:14 | 08,080,896 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Committee Meeting Feb 3 2009.ppt
[2009/01/27 14:17:27 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/01/27 13:58:11 | 00,747,873 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2009/01/27 13:57:16 | 00,368,971 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2009/01/27 13:56:58 | 00,368,922 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.com
[2009/01/27 13:51:23 | 00,001,788 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2009/01/27 13:51:13 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HJTInstall.exe
[2009/01/27 13:45:09 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/01/27 13:45:02 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/01/27 13:34:14 | 00,000,726 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/01/27 12:32:16 | 02,737,800 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2009/01/27 12:19:07 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/01/26 14:27:19 | 00,016,546 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\little HWI.jpg
[2009/01/26 13:43:40 | 00,044,544 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\William Nicholson Price II Resume Jan 2008.doc
[2009/01/26 10:53:29 | 00,000,660 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\FreeRIP.lnk
[2009/01/26 10:53:05 | 01,892,336 | ---- | M] (MGShareware ) -- C:\Documents and Settings\Administrator\Desktop\freeripmp3.exe
[2009/01/20 10:04:03 | 04,521,953 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\nbt.1514-S2.zip
[2009/01/15 15:05:50 | 00,024,064 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\WNP2 Master Todo list 2009.doc
[2009/01/15 11:15:09 | 00,009,917 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\burce.faa
[2009/01/14 16:11:32 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/01/14 16:11:28 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
< End of report >



OTViewIt Extras logfile created on: 2/9/2009 10:36:58 AM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Service Pack 1 (Version = 5.2.3790) - Type = NTWorkstation
Internet Explorer (Version = 6.0.3790.1830)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.37 Mb Total Physical Memory | 218.04 Mb Available Physical Memory | 22.75% Memory free
2.83 Gb Paging File | 2.00 Gb Available in Paging File | 70.62% Paging File free
Paging file location(s): c:\pagefile.sys 2000 2000;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 48.83 Gb Total Space | 1.83 Gb Free Space | 3.74% Space Free | Partition Type: NTFS
Drive D: | 100.21 Gb Total Space | 57.94 Gb Free Space | 57.82% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SLICKNIC-A7T4AD
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
File not found -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
File not found -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/03/29 07:00:00 | 01,681,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2008/07/25 10:35:09 | 00,219,952 | ---- | M] () -- C:\Program Files (x86)\uTorrent\uTorrent.exe:*:Enabled:uTorrent

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2008/12/13 15:03:34 | 03,159,040 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll (about:{3050F406-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML About Pluggable Protocol])
[2008/10/17 10:40:12 | 00,697,856 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll (cdl:{3dd53d40-7b8b-11D0-b013-00aa0059ce02} (HKLM) [CDL: Asychronous Pluggable Protocol Handler])
[2006/03/29 07:00:00 | 01,563,136 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\msvidctl.dll (dvd:{12D51199-0DB5-46FE-A120-47A3D7D937CC} (HKLM) [DVD: Pluggable Protocol])
[2008/10/17 10:40:12 | 00,697,856 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll (file:{79eac9e7-baf9-11ce-8c82-00aa004ba90b} (HKLM) [file:, local: Asychronous Pluggable Protocol Handler])
[2008/10/17 10:40:12 | 00,697,856 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll (ftp:{79eac9e3-baf9-11ce-8c82-00aa004ba90b} (HKLM) [ftp: Asychronous Pluggable Protocol Handler])
[2008/10/17 10:40:12 | 00,697,856 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll (gopher:{79eac9e4-baf9-11ce-8c82-00aa004ba90b} (HKLM) [gopher: Asychronous Pluggable Protocol Handler])
[2008/10/17 10:40:12 | 00,697,856 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll (http:{79eac9e2-baf9-11ce-8c82-00aa004ba90b} (HKLM) [http: Asychronous Pluggable Protocol Handler])
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL http\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL http\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]
[2008/10/17 10:40:12 | 00,697,856 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll (https:{79eac9e5-baf9-11ce-8c82-00aa004ba90b} (HKLM) [https: Asychronous Pluggable Protocol Handler])
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL https\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL https\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]
[2005/05/02 08:27:58 | 00,137,216 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\itss.dll (its:{9D148291-B9C8-11D0-A4CC-0000F80149F6} (HKLM) [Microsoft InfoTech Protocols for IE 4.0])
[2008/12/13 15:03:34 | 03,159,040 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll (java script:{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML Javascript Pluggable Protocol])
[2008/10/17 10:40:12 | 00,697,856 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll (local:{79eac9e7-baf9-11ce-8c82-00aa004ba90b} (HKLM) [file:, local: Asychronous Pluggable Protocol Handler])
[2008/12/13 15:03:34 | 03,159,040 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll (mailto:{3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML Mailto Pluggable Protocol])
[2008/07/03 12:35:48 | 00,686,592 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll (mhtml:{05300401-BCBC-11d0-85E3-00C04FD85AB4} (HKLM) [MHTML Asychronous Pluggable Protocol Handler])
[2008/10/17 10:40:12 | 00,697,856 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll (mk:{79eac9e6-baf9-11ce-8c82-00aa004ba90b} (HKLM) [mk: Asychronous Pluggable Protocol Handler])
msdaipp: [HKLM - No CLSID value]
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]
[2005/05/02 08:27:58 | 00,137,216 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\itss.dll (ms-its:{9D148291-B9C8-11D0-A4CC-0000F80149F6} (HKLM) [Microsoft InfoTech Protocols for IE 4.0])
[2005/06/03 02:36:20 | 07,252,672 | ---- | M] (Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])
[2005/04/25 15:29:55 | 08,071,360 | ---- | M] (Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])
[2008/12/13 15:03:34 | 03,159,040 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll (res:{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML Resource Pluggable Protocol])
[2008/12/13 15:03:34 | 03,159,040 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll (sysimage:{76E67A63-06E9-11D2-A840-006008059382} (HKLM) [Microsoft HTML Resource Pluggable Protocol])
[2006/03/29 07:00:00 | 01,563,136 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\msvidctl.dll (tv:{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} (HKLM) [TV: Pluggable Protocol])
[2008/12/13 15:03:34 | 03,159,040 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll (vbscript:{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML Javascript Pluggable Protocol])
[2006/03/29 07:00:00 | 00,074,240 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\wiascr.dll (wia:{13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} (HKLM) [WiaProtocol Class])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2008/10/17 10:40:12 | 00,697,856 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll Class Install Handler:{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} (HKLM) [AP Class Install Handler filter]
[2008/10/17 10:40:12 | 00,697,856 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll deflate:{8f6b0360-b80d-11d0-a9b3-006097942311} (HKLM) [AP lzdhtml encoding/decoding Filter]
[2008/10/17 10:40:12 | 00,697,856 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll gzip:{8f6b0360-b80d-11d0-a9b3-006097942311} (HKLM) [AP lzdhtml encoding/decoding Filter]
[2008/10/17 10:40:12 | 00,697,856 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll lzdhtml:{8f6b0360-b80d-11d0-a9b3-006097942311} (HKLM) [AP lzdhtml encoding/decoding Filter]
[2007/11/08 00:51:22 | 08,383,488 | ---- | M] (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll text/webviewhtml:{733AC4CB-F1A4-11d0-B951-00A0C90312E1} (HKLM) [WebView MIME Filter]
[2003/07/14 21:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"=Google Gmail Notifier
"{062BFFA1-0CCC-400B-B840-F162328D8C00}"=winLAME prerelease4
"{14B1F286-30B6-11D3-BEB3-00C04F688130}"=VBA (2720)
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"=Google Toolbar for Internet Explorer
"{3248F0A8-6813-11D6-A77B-00B0D0150060}"=J2SE Runtime Environment 5.0 Update 6
"{501451DE-5808-4599-B544-8BD0915B6B24}_is1"=FreeRIP v3.091
"{5320A701-E068-40FD-A7FB-413FAEAD02D5}"=Oligo Explorer 1.2
"{56582EEA-3AEF-4D84-8B9D-C87A3CD9250F}"=GetDataBack for NTFS
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{91A4AD99-69CE-4745-97B7-0E0DFBECFDE5}"=Adobe Illustrator CS
"{9D525FC5-5683-4B1A-96CB-3EB9F8A5DED1}"=WETLAB
"{AC76BA86-1033-0000-7760-100000000002}"=Adobe Acrobat 7.0 Professional
"{B8616FE6-C69E-4FBA-8349-893F5B073C89}"=S-PLUS 8.0
"{B8C2D98B-B94F-4D10-A8CA-5D3FDF606CA1}"=DJBCP DVD RIP PACK
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}"=Adobe Photoshop CS
"{FB08F381-6533-4108-B7DD-039E11FBC27E}"=Realtek AC'97 Audio
"{FE4BD9BD-4A26-4F39-B12C-19336204B102}"=EndNote X Volume License Edition
"Adobe Acrobat 7.0 Professional - V"=Adobe Acrobat 7.0.9 Professional
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player Plugin
"Adobe SVG Viewer"=Adobe SVG Viewer 3.0
"ALZip_is1"=ALZip
"Atomic Clock Sync"=Atomic Clock Sync
"ATRClient"=Advanced Time Reports (remove only)
"AudioCrusher_is1"=AudioCrusher
"AviSynth"=AviSynth 2.5
"CD Recovery Toolbox Free_is1"=CD Recovery Toolbox Free 1.1
"Data Explorer ™"=Data Explorer ™ 4.0.0.0
"Diagram Designer"=Diagram Designer
"DVDFab HD Decrypter_is1"=DVDFab HD Decrypter 3.1.1.6
"GraphPad Prism_is1"=GraphPad Prism 4
"Handbrake"=Handbrake 0.9.2
"HijackThis"=HijackThis 2.0.2
"IrfanView"=IrfanView (remove only)
"ISI ResearchSoft - Export Helper"=ISI ResearchSoft - Export Helper
"KaleidaGraph 4.0 Demo"=KaleidaGraph 4.0 Demo
"LiveUpdate"=LiveUpdate 2.6 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Mozilla Firefox (3.0.5)"=Mozilla Firefox (3.0.5)
"NeroMultiInstaller!UninstallKey"=Nero Suite
"PE Builder_is1"=PE Builder 3.1.10a
"PyMOL"=PyMOL
"ST6UNST #1"=ProjectTecan
"VIDA_is1"=VIDA 2.1.2
"Winamp"=Winamp (remove only)
"winscp3_is1"=WinSCP 3.7.4

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent"=µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/8/2009 5:03:13 PM | Computer Name = SLICKNIC-A7T4AD | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The specified
domain either does not exist or could not be contacted. ). Group Policy processing
aborted.

Error - 2/8/2009 6:46:17 PM | Computer Name = SLICKNIC-A7T4AD | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The specified
domain either does not exist or could not be contacted. ). Group Policy processing
aborted.

Error - 2/8/2009 8:16:21 PM | Computer Name = SLICKNIC-A7T4AD | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The specified
domain either does not exist or could not be contacted. ). Group Policy processing
aborted.

Error - 2/8/2009 10:02:24 PM | Computer Name = SLICKNIC-A7T4AD | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The specified
domain either does not exist or could not be contacted. ). Group Policy processing
aborted.

Error - 2/8/2009 11:50:26 PM | Computer Name = SLICKNIC-A7T4AD | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The specified
domain either does not exist or could not be contacted. ). Group Policy processing
aborted.

Error - 2/9/2009 1:23:30 AM | Computer Name = SLICKNIC-A7T4AD | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The specified
domain either does not exist or could not be contacted. ). Group Policy processing
aborted.

Error - 2/9/2009 3:13:34 AM | Computer Name = SLICKNIC-A7T4AD | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The specified
domain either does not exist or could not be contacted. ). Group Policy processing
aborted.

Error - 2/9/2009 4:50:37 AM | Computer Name = SLICKNIC-A7T4AD | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The specified
domain either does not exist or could not be contacted. ). Group Policy processing
aborted.

Error - 2/9/2009 6:44:41 AM | Computer Name = SLICKNIC-A7T4AD | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The specified
domain either does not exist or could not be contacted. ). Group Policy processing
aborted.

Error - 2/9/2009 8:39:45 AM | Computer Name = SLICKNIC-A7T4AD | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The specified
domain either does not exist or could not be contacted. ). Group Policy processing
aborted.

[ System Events ]
Error - 1/8/2009 7:19:13 AM | Computer Name = SLICKNIC-A7T4AD | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
in domain CRYSTAL due to the following: %%1311 This may lead to authentication problems.
Make sure that this computer is connected to the network. If the problem persists,
please
contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller
for the specified domain, it sets up the secure session to the primary domain controller
emulator in the specified domain. Otherwise, this computer sets up the secure session
to any domain controller in the specified domain.

Error - 1/8/2009 11:19:50 AM | Computer Name = SLICKNIC-A7T4AD | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
in domain CRYSTAL due to the following: %%1311 This may lead to authentication problems.
Make sure that this computer is connected to the network. If the problem persists,
please
contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller
for the specified domain, it sets up the secure session to the primary domain controller
emulator in the specified domain. Otherwise, this computer sets up the secure session
to any domain controller in the specified domain.

Error - 1/8/2009 3:20:22 PM | Computer Name = SLICKNIC-A7T4AD | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
in domain CRYSTAL due to the following: %%1311 This may lead to authentication problems.
Make sure that this computer is connected to the network. If the problem persists,
please
contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller
for the specified domain, it sets up the secure session to the primary domain controller
emulator in the specified domain. Otherwise, this computer sets up the secure session
to any domain controller in the specified domain.

Error - 1/8/2009 7:21:04 PM | Computer Name = SLICKNIC-A7T4AD | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
in domain CRYSTAL due to the following: %%1311 This may lead to authentication problems.
Make sure that this computer is connected to the network. If the problem persists,
please
contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller
for the specified domain, it sets up the secure session to the primary domain controller
emulator in the specified domain. Otherwise, this computer sets up the secure session
to any domain controller in the specified domain.

Error - 1/8/2009 11:21:40 PM | Computer Name = SLICKNIC-A7T4AD | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
in domain CRYSTAL due to the following: %%1311 This may lead to authentication problems.
Make sure that this computer is connected to the network. If the problem persists,
please
contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller
for the specified domain, it sets up the secure session to the primary domain controller
emulator in the specified domain. Otherwise, this computer sets up the secure session
to any domain controller in the specified domain.

Error - 1/9/2009 3:22:17 AM | Computer Name = SLICKNIC-A7T4AD | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
in domain CRYSTAL due to the following: %%1311 This may lead to authentication problems.
Make sure that this computer is connected to the network. If the problem persists,
please
contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller
for the specified domain, it sets up the secure session to the primary domain controller
emulator in the specified domain. Otherwise, this computer sets up the secure session
to any domain controller in the specified domain.

Error - 1/9/2009 7:22:51 AM | Computer Name = SLICKNIC-A7T4AD | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
in domain CRYSTAL due to the following: %%1311 This may lead to authentication problems.
Make sure that this computer is connected to the network. If the problem persists,
please
contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller
for the specified domain, it sets up the secure session to the primary domain controller
emulator in the specified domain. Otherwise, this computer sets up the secure session
to any domain controller in the specified domain.

Error - 1/9/2009 11:23:28 AM | Computer Name = SLICKNIC-A7T4AD | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
in domain CRYSTAL due to the following: %%1311 This may lead to authentication problems.
Make sure that this computer is connected to the network. If the problem persists,
please
contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller
for the specified domain, it sets up the secure session to the primary domain controller
emulator in the specified domain. Otherwise, this computer sets up the secure session
to any domain controller in the specified domain.

Error - 1/9/2009 3:24:04 PM | Computer Name = SLICKNIC-A7T4AD | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
in domain CRYSTAL due to the following: %%1311 This may lead to authentication problems.
Make sure that this computer is connected to the network. If the problem persists,
please
contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller
for the specified domain, it sets up the secure session to the primary domain controller
emulator in the specified domain. Otherwise, this computer sets up the secure session
to any domain controller in the specified domain.

Error - 1/9/2009 7:24:41 PM | Computer Name = SLICKNIC-A7T4AD | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
in domain CRYSTAL due to the following: %%1311 This may lead to authentication problems.
Make sure that this computer is connected to the network. If the problem persists,
please
contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller
for the specified domain, it sets up the secure session to the primary domain controller
emulator in the specified domain. Otherwise, this computer sets up the secure session
to any domain controller in the specified domain.


< End of report >

#4 doomalyas

doomalyas
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 09 February 2009 - 10:45 AM

Peek Log:


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32
midimapper REG_SZ midimap.dll
msacm.imaadpcm REG_SZ imaadp32.acm
msacm.msadpcm REG_SZ msadp32.acm
msacm.msg711 REG_SZ msg711.acm
msacm.msgsm610 REG_SZ msgsm32.acm
msacm.trspch REG_SZ tssoft32.acm
vidc.i420 REG_SZ msh263.drv
vidc.iv31 REG_SZ ir32_32.dll
vidc.iv32 REG_SZ ir32_32.dll
vidc.iv41 REG_SZ ir41_32.ax
vidc.iv50 REG_SZ ir50_32.dll
vidc.iyuv REG_SZ iyuv_32.dll
vidc.mrle REG_SZ msrle32.dll
vidc.msvc REG_SZ msvidc32.dll
vidc.uyvy REG_SZ msyuv.dll
vidc.yuy2 REG_SZ msyuv.dll
vidc.yvu9 REG_SZ tsbyuv.dll
vidc.yvyu REG_SZ msyuv.dll
wavemapper REG_SZ msacm32.drv
wave REG_SZ wdmaud.drv
midi REG_SZ wdmaud.drv
mixer REG_SZ wdmaud.drv

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32\Terminal Server

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:03 AM

Posted 09 February 2009 - 01:07 PM

Hello.

I need to leave soon so I didn't analyze the logs yet. I will, once I come back home though.

In the meantime please describe to me any problems you still have with your computer so we can deal with it afterwards. Do you still have the redirects with Google?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 doomalyas

doomalyas
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 09 February 2009 - 01:17 PM

I'm doing a Kaspersky Scan, but it's still ongoing - I'll post the results once it's done.

I have odd results - I'm not always redirected, but sometimes I am. Basically, I'd say that:

1) Google searches always take longer than they used to, sometimes much longer.
2) Frequently, I notice that the status is "waiting for 7.7.7.0" for some period of time when I do a google search.
3) Sometimes (not super-frequently, but sometimes) I get mislabeled Google results - i.e., the page titles and blurbs are the correct pages for the results I want, but the link is wrong. They're to commercial sites (like mainstreetdotcom or livedealsdotcom or security-antivirusdotcom) when it happens. Frequently I still have the 7770 wait, but the results are correct - my guess is that, basically, the program is screwing with me so I'll keep using google searches and click blindly because it usually works.

Thanks again for your help,
Doomalyas

#7 doomalyas

doomalyas
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 09 February 2009 - 02:55 PM

I'm attaching the html-ized Kaspersky report.

Thanks,
N

Attached Files



#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:03 AM

Posted 09 February 2009 - 04:04 PM

Hello.

The OTViewIT and Kaspersky log looks fine.

Regarding the Google problem, do the following:

Navigate and delete the following file:

c:\windows\system32\wdmaud.sys<- This file.

DO NOT delete the wdmaud.sys in the driver folder:
c:\windows\system32\drivers\wdmaud.sys

As an example to delete a file:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete


Reboot your computer afterwards.

Tell me how it goes and see if you still have the Google redirect problem.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 doomalyas

doomalyas
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 10 February 2009 - 11:41 AM

Great - it's working now.

I ended up deleting wdmaud.drv in system32 (there was no wdmaud.sys) and wdmaud.sys in sysWOW64 - not sure if I needed to get rid of both of them, but killing the second certainly fixed the problem.

Thanks for your help!

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:03 AM

Posted 10 February 2009 - 04:45 PM

Your welcome :step5:

Let's cleanup then.



Please follow/read the steps below to remove the tools we used, purge a system restore and for some more information. :)

Uninstall GMER
We will now remove GMER.
  • Go to Start ---> Run ----> In the Open Field type in: C:\WINDOWS\gmer_uninstall.cmd
  • Now Click Ok
  • This shall uninstall GMER and everything related to it.
Download and Run OTCleanIt

We will now remove the tools we used during this fix.
  • Download OTCleanIt by OldTimer to your desktop.
  • Double click OTCleanIt.exe to start the program.
  • Click the big CleanUp! button.
  • When asked if you want to proceed witht the cleanup process, click Yes. Restart your computer when prompted.
You may delete the tool after use.

Create a New System Restore Point<- Very Important

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.


Congratulations! You now appear clean! :step1: :) :thumbup2:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Vist the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache! Posted Image
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Additional Security Programs

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as you malware removal source.
Don't forget to tell your friends about us and Good luck :step4:


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:03 AM

Posted 12 February 2009 - 05:20 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users