
Need help with IE issues as well as missing Antivirus


  • This topic is locked
19 replies to this topic

#1 ChrisH15


Posted 21 March 2009 - 10:40 AM

Please reference post from other forum for details of my issues: http://www.bleepingcomputer.com/forums/t/212700/ntdll64exe-infection-i-think/

The dds.txt file looks like this, and the Attach.txt file is below.

Any help would be greatly appreciated.

Thanks.

Chris


DDS (Ver_09-03-16.01) - NTFSx86
Run by Chris at 11:21:49.20 on Sat 03/21/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1483 [GMT -4:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://broadband.zoomtown.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: turbotax.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} - hxxp://www.kodakgallery.com/downloads/hmpr/HMPR_WIN_IE_1/axhomepr.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187266400796
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187453388343
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file://r:\cdviewer\CdViewer.cab
TCP: {9B229D30-45B8-4637-995A-B6E187AA8993} = 216.68.4.10,216.68.5.10
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
AppInit_DLLs: nmqleb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\symantec\winfax\WfxSeh32.Dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\whfe2mjn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wrestlezone.com/
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npsharedview.dll

============= SERVICES / DRIVERS ===============

R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2007-12-17 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2007-12-17 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2007-12-17 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2007-12-17 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2007-12-17 32240]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2007-12-17 144696]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-1-16 814728]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2007-12-17 255216]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2007-12-17 108368]
S2 gearsec;gearsec;c:\windows\system32\gearsec.exe [2001-9-12 61440]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-10-1 33752]
S3 MarkFun_NT;MarkFun_NT;c:\program files\gigabyte\et5\MARKFUN.W32 [2008-9-10 17912]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [2006-9-5 217600]
S3 suscom;Susteen Serial port driver;c:\windows\system32\drivers\suscom.sys [2002-4-16 39680]
S3 XMUNIVERSAL;xmuni.sys driver;c:\windows\system32\drivers\xmuni.sys [2006-12-2 49408]

=============== Created Last 30 ================

2009-03-21 10:58 a-dshr-- C:\cmdcons
2009-03-21 10:57 161,792 a------- c:\windows\SWREG.exe
2009-03-21 10:57 98,816 a------- c:\windows\sed.exe
2009-03-21 00:37 --d----- c:\docume~1\chris\applic~1\VundoFixTool
2009-03-21 00:33 626,688 a------- c:\windows\system32\msvcr80.dll
2009-03-21 00:32 --d----- c:\program files\InterMute
2009-03-21 00:17 --d----- c:\program files\Lavasoft
2009-03-20 23:54 --d----- C:\VundoFix Backups
2009-03-20 23:01 --d-h--- c:\windows\system32\GroupPolicy
2009-03-20 22:58 74,752 a------- c:\windows\system32\drivers\ovfsth.sys
2009-03-20 22:48 40,448 a------- c:\windows\system32\KuzSmall.exe
2009-03-20 22:47 117,228 a------- c:\windows\system32\drivers\44bd9c70.sys
2009-03-20 22:47 124,416 a------- C:\elfd.exe
2009-03-20 22:46 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-03-20 22:46 2 a------- C:\206950031
2009-03-20 22:46 19,968 a------- C:\jvmtiw.exe
2009-03-20 22:46 7,321,032 a------- c:\documents and settings\chris\biDLhwa.exe
2009-03-20 22:46 28,672 a------- c:\documents and settings\chris\DiLhBizX.exe
2009-03-20 22:45 43 a------- c:\windows\system32\ovfsthgphllfveubedcukwkrqyihqxwrqxclgs.dat
2009-03-20 22:44 266 a------- c:\documents and settings\chris\rQzPpWGlncu.bat
2009-03-20 22:44 5,183 a------- c:\windows\system32\ovfsthlmfpdiirhrjnwnpjansumpjpddwtiijd.dat
2009-03-20 22:44 38,400 a------- c:\documents and settings\chris\IDEzhKSW.exe
2009-03-20 22:44 7,321,032 a------- c:\documents and settings\chris\bwDZGd.exe
2009-03-12 21:22 --d----- c:\program files\common files\DirectX
2009-02-24 18:05 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat

==================== Find3M ====================

2009-03-20 23:50 14,336 a------- c:\windows\system32\svchost.exe
2009-03-20 22:46 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-02-16 19:17 89,784 a------- c:\docume~1\chris\applic~1\GDIPFONTCACHEV1.DAT
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-07 16:23 6 a------- c:\windows\fonts\wfonts.key
2007-08-17 17:35 87,608 a------- c:\docume~1\chris\applic~1\ezpinst.exe
2007-08-17 17:35 47,360 a------- c:\docume~1\chris\applic~1\pcouffin.sys

============= FINISH: 11:22:06.17 ===============


Edited by ChrisH15, 21 March 2009 - 10:48 AM.
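As an added example (not code from DDS, from OldTimer, or from anyone in this thread), the following Python script parses the "Created Last 30" section of a DDS log like the one pasted above and flags the entries a helper would look at first: executable, driver, script or .dat files dropped into system32, the drivers directory, a drive root or a user profile root, plus names that look machine-generated. It then clusters the flagged files by creation time, because a tight burst of drops usually marks one infection event. The sample lines are constructed to match entries in the log above; the location list, the extension list and the name heuristic are assumptions chosen for this example, not anything DDS itself computes.

```python
# Triage helper for the "Created Last 30" section of a DDS log. Added example, not
# part of DDS or of this thread; the location/name heuristics are assumptions.
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample, shaped like the "Created Last 30" entries in the log above.
SAMPLE_LINES = r"""
2009-03-21 10:58 a-dshr-- C:\cmdcons
2009-03-21 10:57 161,792 a------- c:\windows\SWREG.exe
2009-03-20 22:58 74,752 a------- c:\windows\system32\drivers\ovfsth.sys
2009-03-20 22:48 40,448 a------- c:\windows\system32\KuzSmall.exe
2009-03-20 22:47 117,228 a------- c:\windows\system32\drivers\44bd9c70.sys
2009-03-20 22:47 124,416 a------- C:\elfd.exe
2009-03-20 22:46 2 a------- C:\206950031
2009-03-20 22:45 43 a------- c:\windows\system32\ovfsthgphllfveubedcukwkrqyihqxwrqxclgs.dat
2009-03-20 22:44 266 a------- c:\documents and settings\chris\rQzPpWGlncu.bat
2009-02-24 18:05 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
"""
# <date> <time> [size] <8-column attrs> <path>; the size is absent for directories
LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
                     r"(?:(?P<size>[\d,]+) )?(?P<attrs>[a-z-]{8}) (?P<path>.+)$")
# Extensions that execute, or are typical side files of droppers and rootkits (assumed list).
PAYLOAD_EXTS = {"exe", "sys", "dll", "dat", "bat", "scr", "com", "cmd", "pif"}


@dataclass
class Entry:
    created: datetime
    size: Optional[int]
    attrs: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_created_lines(text: str) -> List[Entry]:
    """Parse well-formed entries; headers, blanks and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size = int(m["size"].replace(",", "")) if m["size"] else None
            created = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
            entries.append(Entry(created, size, m["attrs"], m["path"]))
    return entries


def in_sensitive_location(path: str) -> bool:
    """Drive root, system32, system32\\drivers or a user profile root (assumed list)."""
    parent = path.lower().split("\\")[1:-1]
    return (parent in ([], ["windows", "system32"], ["windows", "system32", "drivers"])
            or (len(parent) == 2 and parent[0] == "documents and settings"))


def looks_random(stem: str) -> bool:
    """Machine-generated-looking: hex/digits only, very long, or an unpronounceable run."""
    s = stem.lower()
    if len(s) < 6:
        return False
    if re.fullmatch(r"[0-9a-f]{8,}", s) or len(s) > 20:
        return True
    runs = re.findall(r"[bcdfghjklmnpqrstvwxz]+", s)   # consonant runs, y counted as a vowel
    return max((len(r) for r in runs), default=0) >= 5


def triage(text: str) -> List[Entry]:
    """Return the non-directory entries that have at least one reason to be inspected."""
    flagged = []
    for e in parse_created_lines(text):
        if e.attrs[2] == "d":            # third attribute column is the directory flag
            continue
        name = e.path.rsplit("\\", 1)[-1]
        stem, sep, ext = name.rpartition(".")
        if not sep:                      # no extension: the whole name is the stem
            stem, ext = name, ""
        if ext.lower() in PAYLOAD_EXTS and in_sensitive_location(e.path):
            e.reasons.append(f".{ext.lower()} dropped in a sensitive location")
        if looks_random(stem):
            e.reasons.append("machine-generated-looking name")
        if e.reasons:
            flagged.append(e)
    return flagged


def creation_bursts(entries, window=timedelta(minutes=15), min_files=3):
    """Cluster entries created within `window` of the previous one; a tight
    cluster of drops usually marks a single infection event."""
    bursts = []
    for e in sorted(entries, key=lambda x: x.created):
        if bursts and e.created - bursts[-1][-1].created <= window:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    return [b for b in bursts if len(b) >= min_files]


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(e.created.strftime("%Y-%m-%d %H:%M"), e.path, "|", "; ".join(e.reasons))
```

On the sample, the script leaves C:\cmdcons (a directory), SWREG.exe (under \windows, not a watched location) and ntprint.cat alone, and groups the seven flagged drops of 20 March between 22:44 and 22:58 into one burst. A heuristic like this only orders the reading of a log; it is not a verdict, and anything it flags still has to be checked against the vendor of the file, its signer and the other sections of the report.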



#2 ChrisH15


Posted 21 March 2009 - 10:56 AM

Ok, I have found the problem with IE not showing the pictures (evidently the virus unchecked that entry in the options of IE, so I re-checked it). However, my CA Antivirus Shield tray icon is still not down by the clock, and I'm not sure why.

#3 Buckeye_Sam

    Malware Expert



Posted 21 March 2009 - 11:00 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 ChrisH15


Posted 21 March 2009 - 11:31 AM

Ok, I have the logs you requested:

OTLISTIT.TXT

OTListIt logfile created on: 3/21/2009 12:02:36 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.7.0 Folder = C:\Documents and Settings\Chris\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.42 Gb Available Physical Memory | 71.01% Memory free
3.85 Gb Paging File | 3.35 Gb Available in Paging File | 87.06% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.47 Gb Total Space | 15.99 Gb Free Space | 46.40% Space Free | Partition Type: NTFS
Drive D: | 186.30 Gb Total Space | 52.94 Gb Free Space | 28.42% Space Free | Partition Type: NTFS
Drive E: | 931.51 Gb Total Space | 931.34 Gb Free Space | 99.98% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HANSEN
Current User Name: Chris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2006/11/30 18:49:06 | 00,397,312 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2008/02/18 11:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/01/31 17:08:00 | 00,144,696 | ---- | M] (Computer Associates International, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
PRC - [2008/05/19 18:25:49 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2007/04/19 01:26:00 | 00,159,810 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2008/01/16 16:57:26 | 00,814,728 | ---- | M] (ExtendMedia Inc.) -- C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
PRC - [2008/09/08 23:37:20 | 00,255,216 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
PRC - [2000/02/14 17:36:22 | 00,129,536 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\WFXSVC.EXE
PRC - [2000/02/14 17:36:22 | 00,541,184 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/02/08 11:40:51 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/12/19 01:25:25 | 00,634,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\internet explorer\iexplore.exe
PRC - [2009/01/23 11:39:59 | 00,214,256 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
PRC - [2009/03/21 12:01:38 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2006/11/30 18:49:06 | 00,397,312 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc [Auto | Running])
SRV - [2008/07/10 22:10:06 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
SRV - [2008/02/18 11:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/07/25 12:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/01/23 11:39:59 | 00,214,256 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe -- (CaCCProvSP [On_Demand | Running])
SRV - [2008/01/31 17:08:00 | 00,144,696 | ---- | M] (Computer Associates International, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe -- (CAISafe [Auto | Running])
SRV - [2008/07/25 12:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 22:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2001/09/12 08:59:00 | 00,061,440 | ---- | M] (GEAR Software) -- C:\WINDOWS\system32\gearsec.exe -- (gearsec [Auto | Stopped])
SRV - [2008/08/29 10:00:30 | 00,033,752 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper [On_Demand | Stopped])
SRV - [2009/03/20 23:44:38 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 20:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService [Auto | Running])
SRV - [2008/02/19 13:10:24 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2008/07/29 20:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - File not found -- -- (NMIndexingService [On_Demand | Stopped])
SRV - [2007/04/19 01:26:00 | 00,159,810 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2008/01/16 16:57:26 | 00,814,728 | ---- | M] (ExtendMedia Inc.) -- C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe -- (OpenCASE Media Agent [Auto | Running])
SRV - [2008/09/08 23:37:20 | 00,255,216 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe -- (VETMSGNT [Auto | Running])
SRV - [2000/02/14 17:36:22 | 00,129,536 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\WFXSVC.EXE -- (wfxsvc [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2003/03/06 14:48:08 | 00,003,840 | ---- | M] () -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt [System | Running])
DRV - [2006/11/24 14:47:50 | 00,040,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\Drivers\ET5Drv.sys -- (ET5Drv [On_Demand | Stopped])
DRV - [2007/09/05 22:12:24 | 00,015,600 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\gdrv.sys -- (gdrv [On_Demand | Stopped])
DRV - [2006/09/19 14:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2005/01/07 17:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2007/04/23 06:12:28 | 04,402,176 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2004/08/04 01:41:35 | 00,606,684 | ---- | M] (LT) -- C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys -- (ltmodem5 [On_Demand | Running])
DRV - [2007/08/21 11:49:28 | 00,017,912 | ---- | M] (Windows ® 2000 DDK provider) -- C:\Program Files\Gigabyte\ET5\markfun.w32 -- (MarkFun_NT [On_Demand | Stopped])
DRV - [2000/03/29 17:11:20 | 00,008,096 | ---- | M] (MicroStaff Co.,Ltd.) -- C:\WINDOWS\System32\drivers\MASPINT.SYS -- (MASPINT [Auto | Running])
DRV - [2007/04/19 01:26:00 | 03,988,384 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2007/08/17 17:35:51 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\System32\Drivers\pcouffin.sys -- (pcouffin [On_Demand | Running])
DRV - [2007/08/16 18:54:44 | 00,009,856 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
DRV - [2003/03/31 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/03/07 19:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2004/12/02 04:36:08 | 00,070,912 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys -- (RTL8023xp [On_Demand | Stopped])
DRV - [2007/03/01 04:05:38 | 00,090,496 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\Rtenicxp.sys -- (RTLE8023xp [On_Demand | Running])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2006/09/05 03:16:04 | 00,217,600 | ---- | M] (Silicon Integrated Systems Corp.) -- C:\WINDOWS\system32\DRIVERS\sis163u.sys -- (SIS163u [On_Demand | Stopped])
DRV - [2005/05/02 21:15:50 | 00,036,484 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\SMBios.sys -- (SMBios [On_Demand | Running])
DRV - [2007/08/16 20:24:40 | 00,099,776 | ---- | M] (Acronis) -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman [Boot | Running])
DRV - [2002/04/16 10:17:38 | 00,039,680 | ---- | M] (Susteen Inc.) -- C:\WINDOWS\system32\DRIVERS\suscom.sys -- (suscom [On_Demand | Stopped])
DRV - [2007/09/04 19:03:47 | 00,032,768 | ---- | M] (Acronis) -- C:\WINDOWS\system32\DRIVERS\tifsfilt.sys -- (tifsfilter [Auto | Running])
DRV - [2007/09/04 19:03:47 | 00,392,320 | ---- | M] (Acronis) -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter [Boot | Running])
DRV - [2008/09/08 23:37:21 | 00,026,352 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vet-filt.sys -- (VET-FILT [System | Running])
DRV - [2008/09/08 23:37:21 | 00,021,104 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vet-rec.sys -- (VET-REC [System | Running])
DRV - [2008/06/04 14:13:40 | 00,108,368 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\veteboot.sys -- (VETEBOOT [On_Demand | Running])
DRV - [2008/06/04 14:13:40 | 00,880,560 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vetefile.sys -- (VETEFILE [System | Running])
DRV - [2008/09/08 23:37:21 | 00,021,488 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vetfddnt.sys -- (VETFDDNT [System | Running])
DRV - [2008/09/08 23:37:21 | 00,032,240 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vetmonnt.sys -- (VETMONNT [System | Running])
DRV - [2006/12/02 20:58:02 | 00,049,408 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\System32\Drivers\xmuni.sys -- (XMUNIVERSAL [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.default\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.default\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.default\.default\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\s-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\s-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\s-1-5-18\s-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\s-1-5-19\s-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\s-1-5-20\s-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoomtown.com/
IE - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\s-1-5-21-2025429265-2052111302-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.wrestlezone.com/"
FF - prefs.js..extensions.enabledItems: {2DADEA15-6355-418E-A06D-E7140FCD19F5}:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.6

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/02/08 12:59:52 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/02/08 11:40:55 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/02/08 11:40:55 | 00,000,000 | ---D | M]

[2009/01/24 20:08:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\mozilla\Extensions
[2009/01/24 20:08:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/02/07 20:12:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\mozilla\Firefox\Profiles\whfe2mjn.default\extensions
[2009/01/24 20:08:10 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/03/20 22:44:54 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{2DADEA15-6355-418E-A06D-E7140FCD19F5}
[2009/02/08 11:40:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/02/08 11:40:50 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/02/08 11:40:50 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/12/02 04:04:40 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/12/02 04:04:40 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/12/02 04:04:40 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/12/02 04:04:40 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/12/02 04:04:40 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/12/02 04:04:40 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/12/02 04:04:40 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O3 - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O3 - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key error. File not found
O3 - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKU\s-1-5-21-2025429265-2052111302-839522115-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.default\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.default\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.default\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\s-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\s-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\s-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\s-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-19_classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\s-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\s-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-20_classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\s-1-5-21-2025429265-2052111302-839522115-1003_classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\s-1-5-21-2025429265-2052111302-839522115-1003\..Trusted Sites: turbotax.com ([]https in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmart.com/WalmartActivia.cab (Snapfish Activia)
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} http://www.kodakgallery.com/downloads/hmpr..._1/axhomepr.cab (HomePrintingCtrl Class)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1187266400796 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1187453388343 (MUWebControl Class)
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} http://mediaplayer.walmart.com/installer/install.cab (Reg Error: Key error.)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} http://web1.shutterfly.com/downloads/Uploader.cab (Shutterfly Picture Upload Plugin)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe (Virtools WebPlayer Class)
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx (CRLDownloadWrapper Class)
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} file://R:\CDVIEWER\CdViewer.cab (AMI DicomDir TreeView Control 2.1)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{9B229D30-45B8-4637-995A-B6E187AA8993}\\NameServer = 216.68.4.10,216.68.5.10
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (nmqleb.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {A213B520-C6C2-11d0-AF9D-008029E1027E} - C:\Program Files\Symantec\WinFax\WfxSeh32.Dll (Symantec Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/16 07:53:55 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{701ad5c7-f2ed-11dc-92ce-001a4d9415ea}\Shell - "" = AutoRun
O33 - MountPoints2\{701ad5c7-f2ed-11dc-92ce-001a4d9415ea}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{701ad5c7-f2ed-11dc-92ce-001a4d9415ea}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/03/21 12:01:37 | 00,499,200 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTListIt2.exe
[2009/03/21 11:50:45 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/03/21 11:20:29 | 00,360,002 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\dds.scr
[2009/03/21 11:12:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/03/21 10:58:29 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/03/21 10:58:27 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/03/21 10:58:25 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/03/21 10:57:13 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/03/21 10:57:13 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/03/21 10:57:13 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/03/21 10:57:13 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/03/21 10:57:13 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2009/03/21 10:57:13 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/03/21 10:57:13 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/03/21 10:57:13 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2009/03/21 10:57:13 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/03/21 10:56:59 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/03/21 10:56:03 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/03/21 10:55:47 | 02,934,169 | R--- | C] () -- C:\Documents and Settings\Chris\Desktop\ComboFix.exe
[2009/03/21 00:37:31 | 00,000,504 | ---- | C] () -- C:\WINDOWS\tasks\VundoFixTool Scheduled Scan.job
[2009/03/21 00:37:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Application Data\VundoFixTool
[2009/03/21 00:33:10 | 00,626,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr80.dll
[2009/03/21 00:32:28 | 00,000,000 | ---D | C] -- C:\Program Files\InterMute
[2009/03/21 00:17:49 | 00,000,738 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Ad-aware 6.0.lnk
[2009/03/21 00:17:48 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/03/20 23:54:37 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2009/03/20 23:44:43 | 00,000,868 | ---- | C] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/03/20 23:27:22 | 00,163,503 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\RRT.zip
[2009/03/20 23:01:01 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2009/03/20 22:58:14 | 00,074,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ovfsth.sys
[2009/03/20 22:48:50 | 00,040,448 | ---- | C] (Johnson-Grace Company) -- C:\WINDOWS\System32\KuzSmall.exe
[2009/03/20 22:47:05 | 00,117,228 | ---- | C] () -- C:\WINDOWS\System32\drivers\44bd9c70.sys
[2009/03/20 22:47:04 | 00,124,416 | ---- | C] () -- C:\elfd.exe
[2009/03/20 22:46:59 | 00,182,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndis.sys
[2009/03/20 22:46:59 | 00,000,002 | ---- | C] () -- C:\206950031
[2009/03/20 22:46:57 | 00,019,968 | ---- | C] () -- C:\jvmtiw.exe
[2009/03/20 22:45:54 | 00,000,043 | ---- | C] () -- C:\WINDOWS\System32\ovfsthgphllfveubedcukwkrqyihqxwrqxclgs.dat
[2009/03/20 22:45:40 | 00,045,568 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Top of the Mountain.doc
[2009/03/20 22:45:30 | 00,045,056 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Table Top Bridge.doc
[2009/03/20 22:44:53 | 00,005,183 | ---- | C] () -- C:\WINDOWS\System32\ovfsthlmfpdiirhrjnwnpjansumpjpddwtiijd.dat
[2009/03/20 21:56:04 | 00,000,601 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Dreamcast.lnk
[2009/03/19 17:40:19 | 00,040,448 | -HS- | C] () -- C:\Documents and Settings\Chris\Desktop\Thumbs.db
[2009/03/12 21:22:01 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\DirectX
[2009/02/26 19:59:45 | 00,404,866 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\lukedit.jpg
[2009/02/26 19:54:43 | 00,106,701 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\kyleedit.jpg
[2009/02/26 17:07:15 | 00,154,376 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\keriedit.jpg
[2009/02/26 16:57:14 | 00,340,904 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\bubbaedit.jpg
[2009/02/26 16:56:26 | 00,047,983 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\jacobedit.jpg
[2009/02/26 16:55:31 | 00,321,211 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\joeyeditnew.jpg
[2009/02/26 15:36:17 | 01,071,230 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\scoutfriends.bmp
[2009/02/26 15:04:14 | 00,010,730 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\scoutbridge.gif
[2009/02/24 18:16:49 | 00,015,360 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\KeriWorkingOn.xls
[2009/02/24 18:05:47 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/02/22 23:39:48 | 00,032,768 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Foods to Avoid.doc

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/03/21 12:05:05 | 00,117,228 | ---- | M] () -- C:\WINDOWS\System32\drivers\44bd9c70.sys
[2009/03/21 12:01:38 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTListIt2.exe
[2009/03/21 11:20:29 | 00,360,002 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\dds.scr
[2009/03/21 11:10:06 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/03/21 11:10:02 | 00,013,696 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/21 11:09:53 | 00,001,116 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/03/21 11:09:47 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/03/21 11:09:37 | 00,088,723 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/03/21 11:09:33 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/03/21 11:09:27 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/21 11:09:25 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/21 10:58:29 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/03/21 10:52:24 | 02,934,169 | R--- | M] () -- C:\Documents and Settings\Chris\Desktop\ComboFix.exe
[2009/03/21 00:37:31 | 00,000,504 | ---- | M] () -- C:\WINDOWS\tasks\VundoFixTool Scheduled Scan.job
[2009/03/21 00:17:49 | 00,000,738 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Ad-aware 6.0.lnk
[2009/03/20 23:56:37 | 00,089,784 | ---- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/20 23:50:34 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\svchost.exe
[2009/03/20 23:50:34 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\svchost.exe
[2009/03/20 23:27:23 | 00,163,503 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\RRT.zip
[2009/03/20 22:58:14 | 00,074,752 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ovfsth.sys
[2009/03/20 22:57:55 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/03/20 22:57:39 | 00,005,183 | ---- | M] () -- C:\WINDOWS\System32\ovfsthlmfpdiirhrjnwnpjansumpjpddwtiijd.dat
[2009/03/20 22:49:13 | 00,000,043 | ---- | M] () -- C:\WINDOWS\System32\ovfsthgphllfveubedcukwkrqyihqxwrqxclgs.dat
[2009/03/20 22:48:51 | 00,040,448 | ---- | M] (Johnson-Grace Company) -- C:\WINDOWS\System32\KuzSmall.exe
[2009/03/20 22:48:37 | 00,019,968 | ---- | M] () -- C:\jvmtiw.exe
[2009/03/20 22:47:05 | 00,124,416 | ---- | M] () -- C:\elfd.exe
[2009/03/20 22:47:00 | 00,000,002 | ---- | M] () -- C:\206950031
[2009/03/20 22:46:59 | 00,182,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ndis.sys
[2009/03/20 22:46:59 | 00,182,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndis.sys
[2009/03/20 22:45:40 | 00,045,568 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Top of the Mountain.doc
[2009/03/20 22:45:30 | 00,045,056 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Table Top Bridge.doc
[2009/03/20 21:56:04 | 00,000,601 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Dreamcast.lnk
[2009/03/20 09:47:02 | 00,002,481 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Microsoft Excel.lnk
[2009/03/19 21:29:34 | 00,000,670 | ---- | M] () -- C:\WINDOWS\PSTUDIO.INI
[2009/03/19 17:43:36 | 00,002,483 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Microsoft Word.lnk
[2009/03/19 17:40:20 | 00,040,448 | -HS- | M] () -- C:\Documents and Settings\Chris\Desktop\Thumbs.db
[2009/03/18 19:32:32 | 00,002,527 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ACDSee 6.0.lnk
[2009/03/17 11:21:27 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/03/13 22:47:57 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/03/12 21:45:22 | 00,000,229 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/03/12 03:08:54 | 00,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/12 03:08:54 | 00,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/12 03:08:54 | 00,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/12 03:07:08 | 00,325,112 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/12 03:00:52 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/02/26 19:59:45 | 00,404,866 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\lukedit.jpg
[2009/02/26 19:54:43 | 00,106,701 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\kyleedit.jpg
[2009/02/26 17:07:15 | 00,154,376 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\keriedit.jpg
[2009/02/26 17:02:36 | 00,340,904 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\bubbaedit.jpg
[2009/02/26 16:56:26 | 00,047,983 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\jacobedit.jpg
[2009/02/26 16:55:31 | 00,321,211 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\joeyeditnew.jpg
[2009/02/26 16:19:24 | 01,071,230 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\scoutfriends.bmp
[2009/02/26 14:49:53 | 00,010,730 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\scoutbridge.gif
[2009/02/24 18:16:49 | 00,015,360 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\KeriWorkingOn.xls
[2009/02/22 23:56:48 | 00,015,360 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Book1.xls
[2009/02/22 23:53:56 | 00,032,768 | ---- | M] () -- C:\Documents and Settings\Chris\My Documents\outlook.pst
[2009/02/22 23:39:48 | 00,032,768 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Foods to Avoid.doc
[2009/02/20 13:17:31 | 00,000,150 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Walmart MP3 Music Downloads.url
< End of report >

Extras:

OTListIt Extras logfile created on: 3/21/2009 12:02:36 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.7.0 Folder = C:\Documents and Settings\Chris\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.42 Gb Available Physical Memory | 71.01% Memory free
3.85 Gb Paging File | 3.35 Gb Available in Paging File | 87.06% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.47 Gb Total Space | 15.99 Gb Free Space | 46.40% Space Free | Partition Type: NTFS
Drive D: | 186.30 Gb Total Space | 52.94 Gb Free Space | 28.42% Space Free | Partition Type: NTFS
Drive E: | 931.51 Gb Total Space | 931.34 Gb Free Space | 99.98% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HANSEN
Current User Name: Chris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.js [@ = JSFile] -- C:\Program Files\Macromedia\Dreamweaver 4\Dreamweaver.exe (Macromedia, Inc.)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"4899:TCP" = 4899:TCP:*:Enabled:RAdmin
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"1214:TCP" = 1214:TCP:*:Enabled:Kazaa Port
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2002/12/10 23:44:30 | 01,253,888 | ---- | M] () -- C:\Filetopia3\Filetopia.exe:*:Enabled:Filetopia
[2002/12/10 13:03:00 | 00,122,880 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE:*:Enabled:SAgent4
[2008/01/11 16:58:03 | 10,331,424 | ---- | M] (Intuit, Inc.) -- C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax
[2007/10/22 19:56:52 | 03,597,600 | ---- | M] (Intuit, Inc.) -- C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager
[2009/03/20 22:12:14 | 00,270,128 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent
[2008/02/19 13:10:26 | 19,897,640 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[2001/10/02 17:48:26 | 00,428,032 | ---- | M] (Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA) -- C:\Program Files\WS_FTP\WS_FTP95.exe:*:Enabled:WS_FTP 95
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008/11/25 15:08:18 | 06,602,752 | ---- | M] () -- C:\Program Files\Encore\Hoyle Card Games 2009\Hoyle Card Games.exe:*:Enabled:Hoyle Card Games
[2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server
[2002/11/13 20:50:20 | 00,061,440 | ---- | M] (America Online, Inc.) -- C:\Program Files\AIM95\aim.exe:*:Enabled:AOL Instant Messenger

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0100A64F-7650-4580-9717-12F26CFF23CB}" = PrimoPDF
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{0AFC9710-5DD6-4C6A-BA52-91AE992B2C9D}" = Safari
"{0E0131B2-CF18-40D9-A331-60A3746C1204}" = EPSON Scan
"{109D28C7-FB38-483A-9C91-001CB59E2699}" = EPSON CardMonitor
"{1771FDC8-D846-4B77-996A-C80DAD42C03F}" = OpenCASE Media Agent
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.4.2
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B906230-3015-41DA-9E8A-6E9033CF25E4}" = FormatFactory
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{4F02C4F5-0FE6-42E0-B440-0E5D3F939790}" = DataPilot USB Driver Pack
"{5490882C-6961-11D5-BAE5-00E0188E010B}" = FUJIFILM USB Driver
"{55D08777-EFAA-41AD-942A-5A2CD4B580F3}" = MixMeister Pro 4
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5983C895-DDA4-45D9-A8D1-877D5DE7693E}" = EPSON PhotoStarter3.0
"{5AFF9A56-B7EB-486D-912C-FB89C857DFAB}" = Radmin Viewer 3.2
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{80FD852F-5AAC-4129-B931-06AAFFA43138}" = iTunes
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{88B68BA6-1CA9-4EB6-8BB7-892D609567FA}" = TurboTax 2008 wkyiper
"{8A08C9CB-4C84-4FA5-9A4B-6994A93481F6}" = USB Converter Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C5766F2-81D9-4B5A-8AD5-A8BD6361EF0A}" = Hoyle Card Games
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{934E9442-D305-4ACF-AD87-A6C11D677CB9}" = ImageMixer VCD2 for FinePix
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{ABDA9912-5D00-11D4-BAE7-9367CA097955}" = Macromedia Dreamweaver 4
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B1914265-0D07-48E0-A937-F20A76D0032D}" = Acronis True Image Home
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}" = Adobe Illustrator CS2
"{B58436F5-EEC6-4005-A1B7-26597CD4B644}" = DataPilot
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{BB406CEB-6207-4512-9BB2-89950DC9D6B6}_is1" = ConvertXtoDVD 2.1.18.242
"{BFD96B89-B769-4CD6-B11E-E79FFD46F067}" = QuickTime
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C8C8387B-A98B-44E8-807A-1A9B7F51FFDA}" = Blaze Media Pro
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D680C913-5955-469D-9D88-C1940F7506D6}" = RAW FILE CONVERTER LE
"{DAC0B889-5359-4FDC-893A-2B8EF6B71B6F}" = SIM MAX
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{E6DE9A54-8514-446E-9D11-530DC599C355}" = Microsoft SharedView
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}" = PL-2303 USB-to-Serial
"{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}" = Adobe Stock Photos 1.0
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FD88D501-1F0A-4DA4-A13A-6437411EE0C3}" = ACDSee 6.0 Standard
"1000 Best Fonts" = 1000 Best Fonts
"7-Zip" = 7-Zip 4.57
"ad-aware 6 personal" = Ad-aware 6 Personal
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Illustrator CS2" = Adobe Illustrator CS2
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.3
"AOL Instant Messenger" = AOL Instant Messenger
"ArcSoft Camera Studio" = ArcSoft Camera Studio
"Bejeweled 2 Deluxe 1.1" = Bejeweled 2 Deluxe 1.1
"Belarc Advisor 2.0" = Belarc Advisor 6.1
"Blaze Media Pro" = Blaze Media Pro
"cciss_av" = CA Anti-Virus
"CDex" = CDex extraction audio
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"DVDFab Platinum_is1" = DVDFab Platinum 4.0.5.5 by Dr.Pc Putte - Team RES
"EA8_is1" = Express Assist 8.0
"EasyTune5" = EasyTune5
"EPSON Printer and Utilities" = EPSON Printer Software
"ffdshow_is1" = ffdshow [rev 2073] [2008-08-11]
"Filetopia Client v3.04d" = Filetopia Client v3.04d
"Google Updater" = Google Updater
"hijackthis" = HijackThis 1.99.1
"Hoyle Card Games" = Hoyle Card Games
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{4F02C4F5-0FE6-42E0-B440-0E5D3F939790}" = DataPilot USB Driver Pack
"InstallShield_{8A08C9CB-4C84-4FA5-9A4B-6994A93481F6}" = USB Converter Driver
"InstallShield_{B58436F5-EEC6-4005-A1B7-26597CD4B644}" = DataPilot
"InterActual Player" = InterActual Player
"LiveAdvisor" = LiveAdvisor (Symantec Corporation)
"LiveUpdate" = LiveUpdate
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.6)" = Mozilla Firefox (3.0.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MWASPI" = MicroStaff WINASPI
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"NeroVision!UninstallKey" = NeroVision Express 3
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"OfotoPrint@Home" = Ofoto Print@Home ActiveX Control
"PrimoPDF4.1.0.9" = PrimoPDF
"Remote Administrator v2.1" = Remote Administrator v2.1
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Silent Package Run-Time Sample" = EPSON RX500 Reference Guide
"SiS163u" = 802.11 USB Wireless LAN Adapter
"SSC Service Utility_is1" = SSC Service Utility v4.20
"TurboTax 2008" = TurboTax 2008
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"VETWIN32Vp5" = CA Anti-Virus
"ViewpointMediaPlayer" = Viewpoint Media Player (Remove Only)
"Virtools3DLifePlayer" = Virtools 3D Life Player
"Walmart MP3 Music Downloads" = Walmart MP3 Music Downloads
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinFax" = Symantec WinFax PRO 10.0
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\s-1-5-21-2025429265-2052111302-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/14/2008 4:07:47 AM | Computer Name = HANSEN | Source = ThreadLib | ID = 0
Description =

Error - 12/14/2008 5:50:04 PM | Computer Name = HANSEN | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/14/2008 8:12:12 PM | Computer Name = HANSEN | Source = Application Hang | ID = 1002
Description = Hanging application iPlayer.exe, version 2.2.7.713, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/9/2009 1:14:56 AM | Computer Name = HANSEN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 1/14/2009 2:41:51 AM | Computer Name = HANSEN | Source = Application Error | ID = 1000
Description = Faulting application acdsee6.exe, version 6.0.0.64, faulting module
acdsee6.exe, version 6.0.0.64, fault address 0x001015c0.

Error - 1/15/2009 8:01:51 PM | Computer Name = HANSEN | Source = Application Hang | ID = 1002
Description = Hanging application DVDDecrypter.exe, version 3.5.4.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/15/2009 8:40:38 PM | Computer Name = HANSEN | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/17/2009 8:09:49 PM | Computer Name = HANSEN | Source = Microsoft Office 10 | ID = 1000
Description = Faulting application winword.exe, version 10.0.6850.0, faulting module
mstores.dll, version 10.0.6313.0, fault address 0x0003f66f.

Error - 1/17/2009 8:11:27 PM | Computer Name = HANSEN | Source = Microsoft Office 10 | ID = 1000
Description = Faulting application winword.exe, version 10.0.6850.0, faulting module
mso.dll, version 10.0.6845.0, fault address 0x00003006.

Error - 1/18/2009 11:22:52 AM | Computer Name = HANSEN | Source = Application Hang | ID = 1002
Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 3/20/2009 11:51:01 PM | Computer Name = HANSEN | Source = Service Control Manager | ID = 7028
Description = The wuauserv Registry key denied access to SYSTEM account programs
so the Service Control Manager took ownership of the Registry key.

Error - 3/20/2009 11:53:52 PM | Computer Name = HANSEN | Source = Service Control Manager | ID = 7000
Description = The Automatic Updates service failed to start due to the following
error: %%2

Error - 3/21/2009 12:13:56 AM | Computer Name = HANSEN | Source = Service Control Manager | ID = 7000
Description = The Automatic Updates service failed to start due to the following
error: %%2

Error - 3/21/2009 12:42:21 AM | Computer Name = HANSEN | Source = DCOM | ID = 10005
Description = DCOM got error "%2" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 3/21/2009 12:42:21 AM | Computer Name = HANSEN | Source = Service Control Manager | ID = 7000
Description = The Automatic Updates service failed to start due to the following
error: %%2

Error - 3/21/2009 10:56:37 AM | Computer Name = HANSEN | Source = Service Control Manager | ID = 7000
Description = The Automatic Updates service failed to start due to the following
error: %%2

Error - 3/21/2009 10:56:37 AM | Computer Name = HANSEN | Source = Service Control Manager | ID = 7031
Description = The CAISafe service terminated unexpectedly. It has done this 1 time(s).
The following corrective action will be taken in 60000 milliseconds: Restart the
service.

Error - 3/21/2009 10:59:45 AM | Computer Name = HANSEN | Source = Service Control Manager | ID = 7016
Description = The gearsec service has reported an invalid current state 0.

Error - 3/21/2009 11:09:59 AM | Computer Name = HANSEN | Source = Service Control Manager | ID = 7000
Description = The Automatic Updates service failed to start due to the following
error: %%2

Error - 3/21/2009 11:11:35 AM | Computer Name = HANSEN | Source = Service Control Manager | ID = 7016
Description = The gearsec service has reported an invalid current state 0.


< End of report >

GMER.TXT

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-03-21 12:25:56
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\drivers\44bd9c70.sys ZwCreateEvent
SSDT \SystemRoot\System32\drivers\44bd9c70.sys ZwCreateKey
SSDT \SystemRoot\System32\drivers\44bd9c70.sys ZwOpenKey

Code 8A4B14D0 pIofCallDriver

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [B67CCD35] 44bd9c70.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B67CDB87] 44bd9c70.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B67CDB87] 44bd9c70.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [B67CDB87] 44bd9c70.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [B67CDB87] 44bd9c70.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [B67CDB87] 44bd9c70.sys

---- Registry - GMER 1.0.12 ----

Reg \Registry\USER\s-1-5-21-2025429265-2052111302-839522115-1003\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0xBD 0x19 0x08 0x9E ...
Reg \Registry\USER\s-1-5-21-2025429265-2052111302-839522115-1003\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0x12 0x8D 0xF9 0xC9 ...

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Chris\Favorites\Arrow Of Light Awards - Providing Quality Arrow Of Light Awards To Cub Scouts Everywhere.url:favicon
ADS C:\Documents and Settings\Chris\Favorites\Check My Tag Help Download Center.url:favicon
ADS C:\Documents and Settings\Chris\Favorites\Computers and Internet\isoHunt - the BitTorrent and P2P search engine.url:favicon
ADS C:\Documents and Settings\Chris\Favorites\Country\www.myspace.com-littletexasband.url:favicon
ADS C:\Documents and Settings\Chris\Favorites\Craft Sticks and Woodsies.url:favicon
ADS C:\Documents and Settings\Chris\Favorites\Crossover Cub and Boy Scout Friends Decorations - Kaboose.com.url:favicon
ADS C:\Documents and Settings\Chris\Favorites\eBay Auctions\eBay - Want It Now.url:favicon
ADS C:\Documents and Settings\Chris\Favorites\eBay.url:favicon
ADS C:\Documents and Settings\Chris\Favorites\Entertainment and Leisure\ComingSoon.net - Movie Trailers - Upcoming Movies - Movies Coming Soon - Films - Release Dates - TV - DVDs - Videos - Clips.url:favicon
ADS C:\Documents and Settings\Chris\Favorites\JBL PRO III SPEAKERS W ADJUSTABLE SPEAKER STANDS - eBay (item 230322168756 end time Feb-01-09 180000 PST).url:favicon
ADS C:\Documents and Settings\Chris\Favorites\Keri's Stuff\cub scout stuff\Ice Cream In A Bag.url:favicon
ADS ...

---- EOF - GMER 1.0.12 ----
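The GMER report above names the same driver module on every SSDT and Device hook line. As an added example (not GMER's code and not tooling from this thread), the Python below parses those two sections of a GMER text report, groups hooks by the module GMER names, and lists the modules an analyst should look at first. The sample lines are constructed to match the report's format, and the three flagging heuristics are assumptions of this example, not GMER's own verdicts.

```python
"""Group the SSDT and Device hooks in a GMER text log by hooking module."""
import re
from collections import defaultdict

# Constructed sample in the shape of the GMER 1.0.12 report posted in the thread.
SAMPLE_GMER = r"""
---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\drivers\44bd9c70.sys ZwCreateEvent
SSDT \SystemRoot\System32\drivers\44bd9c70.sys ZwCreateKey
SSDT \SystemRoot\System32\drivers\44bd9c70.sys ZwOpenKey

Code 8A4B14D0 pIofCallDriver

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [B67CCD35] 44bd9c70.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B67CDB87] 44bd9c70.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B67CDB87] 44bd9c70.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [B67CDB87] 44bd9c70.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [B67CDB87] 44bd9c70.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [B67CDB87] 44bd9c70.sys

---- Files - GMER 1.0.12 ----
"""

# "SSDT <driver path> <hooked syscall>"
SSDT_RE = re.compile(r"^SSDT\s+(?P<path>\S+)\s+(?P<func>\w+)\s*$")
# "Device <driver object> <device object> <IRP major> [<address>] <module>"
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<irp>IRP_MJ_\w+)"
    r"\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)\s*$"
)


def _basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def summarize_gmer(text):
    """Return {module: {"ssdt", "irp", "devices", "drivers"}} for every hooking module.

    Modules with no hooks never appear, so a clean report yields an empty dict.
    """
    per_module = defaultdict(
        lambda: {"ssdt": set(), "irp": set(), "devices": set(), "drivers": set()}
    )
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            per_module[_basename(m.group("path"))]["ssdt"].add(m.group("func"))
            continue
        m = DEVICE_RE.match(line)
        if m:
            info = per_module[_basename(m.group("module"))]
            info["irp"].add(m.group("irp"))
            info["devices"].add(m.group("device"))
            info["drivers"].add(m.group("driver"))
    return dict(per_module)


def flag_modules(summary):
    """Return {module: [reasons]} using three heuristics assumed for this example:
    the same module hooks both SSDT syscalls and device IRP dispatch; the module
    hooks IRPs on the Tcpip driver object (it sits in the network path); and the
    filename is only eight hex digits, the naming seen in this thread's report.
    """
    flagged = {}
    for module, info in summary.items():
        reasons = []
        if info["ssdt"] and info["irp"]:
            reasons.append("hooks both SSDT syscalls and device IRP dispatch")
        if any(d.lower() == "\\driver\\tcpip" for d in info["drivers"]):
            reasons.append("intercepts IRPs on the Tcpip driver object (network stack)")
        stem = module.rsplit(".", 1)[0]
        if re.fullmatch(r"[0-9a-f]{8}", stem):
            reasons.append("eight-hex-digit driver name")
        if reasons:
            flagged[module] = reasons
    return flagged


if __name__ == "__main__":
    summary = summarize_gmer(SAMPLE_GMER)
    for module, reasons in flag_modules(summary).items():
        info = summary[module]
        print(f"{module}: SSDT={sorted(info['ssdt'])} IRP={sorted(info['irp'])}")
        for reason in reasons:
            print("  -", reason)
```

Run against a saved GMER report, the summary shows at a glance which module owns every hook; in the report above that is a single driver hooking three registry/event syscalls, NTFS file creation, and every Tcpip device object, which is what made it the first file to remove. The heuristics are a triage aid only: a legitimate security product can also hook the SSDT, so the flagged module still needs its on-disk file and service key (as listed in the ComboFix output later in the thread) checked before it is judged.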

#5 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:27 AM

Posted 21 March 2009 - 11:45 AM

Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - AppInit_DLLs: (nmqleb.dll) - File not found
    
    :Files
    C:\WINDOWS\System32\drivers\ovfsth.sys
    C:\WINDOWS\System32\KuzSmall.exe
    C:\WINDOWS\System32\drivers\44bd9c70.sys
    C:\elfd.exe
    C:\206950031
    C:\jvmtiw.exe
    C:\WINDOWS\System32\ovfsthgphllfveubedcukwkrqyihqxwrqxclgs.dat
    C:\WINDOWS\System32\ovfsthlmfpdiirhrjnwnpjansumpjpddwtiijd.dat
    
    :Commands
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log

Also I see you have Combofix already on your computer. Please run Combofix and post that log in your next post as well.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 ChrisH15

  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:27 AM

Posted 21 March 2009 - 12:01 PM

Here is the new log:

========== OTLISTIT ==========
Process explorer.exe killed successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:nmqleb.dll deleted successfully.
========== FILES ==========
C:\WINDOWS\System32\drivers\ovfsth.sys moved successfully.
C:\WINDOWS\System32\KuzSmall.exe moved successfully.
File move failed. C:\WINDOWS\System32\drivers\44bd9c70.sys scheduled to be moved on reboot.
C:\elfd.exe moved successfully.
C:\206950031 moved successfully.
C:\jvmtiw.exe moved successfully.
C:\WINDOWS\System32\ovfsthgphllfveubedcukwkrqyihqxwrqxclgs.dat moved successfully.
C:\WINDOWS\System32\ovfsthlmfpdiirhrjnwnpjansumpjpddwtiijd.dat moved successfully.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\Chris\Local Settings\temp\etilqs_ynLABQf7TbuSNdzgGclM scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Chris\Local Settings\temp\~DF67E7.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\whfe2mjn.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\whfe2mjn.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\whfe2mjn.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\whfe2mjn.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\whfe2mjn.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\whfe2mjn.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.7.0 log created on 03212009_125629

Files moved on Reboot...
File C:\WINDOWS\System32\drivers\44bd9c70.sys not found!
File C:\Documents and Settings\Chris\Local Settings\temp\etilqs_ynLABQf7TbuSNdzgGclM not found!
C:\Documents and Settings\Chris\Local Settings\temp\~DF67E7.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\whfe2mjn.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\whfe2mjn.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\whfe2mjn.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\whfe2mjn.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\whfe2mjn.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\whfe2mjn.default\XUL.mfl moved successfully.

Registry entries deleted on Reboot...


And then the ComboFix log from this morning is as follows:

ComboFix 09-03-19.02 - Chris 2009-03-21 10:59:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1593 [GMT -4:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Chris\LOCALS~1\Temp\ntdll64.dll
c:\docume~1\Chris\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\Chris\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Chris\Application Data\rhcp98j0ea67
c:\documents and settings\Chris\reader_s.exe
c:\windows\system32\drivers\ntndis.sys
c:\windows\system32\fccaBspp.dll
c:\windows\system32\Memman.vxd
c:\windows\system32\mswmmafy.dll
c:\windows\system32\nmqleb.dll
c:\windows\system32\ntdll64.exe
c:\windows\system32\ovfsthjoeoxllkxedohttfjindotkaopyxortx.dll
c:\windows\system32\ovfsthrkfqhnqryabvoeegmmblmelxyibedhgt.dll
c:\windows\system32\ovfsthvtpqocgupxmnkdtplvaujrlpjndxinsi.dll
c:\windows\system32\ppsBaccf.ini
c:\windows\system32\reader_s.exe
c:\windows\system32\skinboxer43.dll
c:\windows\system32\uajkcbxr.dll
c:\windows\system32\uniq.tll
c:\windows\system32\yfammwsm.ini
c:\windows\Tasks\qoarrnie.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_R_SERVER
-------\Service_r_server


((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.

2009-03-21 00:37 . 2009-03-21 00:37 <DIR> d-------- c:\documents and settings\Chris\Application Data\VundoFixTool
2009-03-21 00:33 . 2005-09-23 07:29 626,688 --a------ c:\windows\system32\msvcr80.dll
2009-03-21 00:32 . 2009-03-21 00:32 <DIR> d-------- c:\program files\InterMute
2009-03-21 00:17 . 2009-03-21 00:17 <DIR> d-------- c:\program files\Lavasoft
2009-03-20 23:54 . 2009-03-20 23:54 <DIR> d-------- C:\VundoFix Backups
2009-03-20 23:01 . 2009-03-20 23:01 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-03-20 22:58 . 2009-03-20 22:58 74,752 --a------ c:\windows\system32\drivers\ovfsth.sys
2009-03-20 22:48 . 2009-03-20 22:48 40,448 --a------ c:\windows\system32\KuzSmall.exe
2009-03-20 22:47 . 2009-03-20 22:47 124,416 --a------ C:\elfd.exe
2009-03-20 22:47 . 117,228 c:\windows\system32\drivers\44bd9c70.sys
2009-03-20 22:46 . 2009-03-20 22:46 7,321,032 --a------ c:\documents and settings\Chris\biDLhwa.exe
2009-03-20 22:46 . 2009-03-20 22:46 182,656 --a--c--- c:\windows\system32\dllcache\ndis.sys
2009-03-20 22:46 . 2009-03-20 22:46 28,672 --a------ c:\documents and settings\Chris\DiLhBizX.exe
2009-03-20 22:46 . 2009-03-20 22:48 19,968 --a------ C:\jvmtiw.exe
2009-03-20 22:46 . 2009-03-20 22:47 2 --a------ C:\206950031
2009-03-20 22:45 . 2009-03-20 22:49 43 --a------ c:\windows\system32\ovfsthgphllfveubedcukwkrqyihqxwrqxclgs.dat
2009-03-20 22:44 . 2009-03-20 22:44 7,321,032 --a------ c:\documents and settings\Chris\bwDZGd.exe
2009-03-20 22:44 . 2009-03-20 22:44 38,400 --a------ c:\documents and settings\Chris\IDEzhKSW.exe
2009-03-20 22:44 . 2009-03-20 22:57 5,183 --a------ c:\windows\system32\ovfsthlmfpdiirhrjnwnpjansumpjpddwtiijd.dat
2009-03-20 22:44 . 2009-03-20 22:44 266 --a------ c:\documents and settings\Chris\rQzPpWGlncu.bat
2009-03-12 21:22 . 2009-03-12 21:22 <DIR> d-------- c:\program files\Common Files\DirectX
2009-02-24 18:05 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 04:45 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-21 02:46 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-21 02:44 --------- d-----w c:\documents and settings\Chris\Application Data\uTorrent
2009-03-13 00:56 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-08 19:27 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-03-06 20:52 --------- d-----w c:\documents and settings\Chris\Application Data\Vso
2009-03-03 22:47 --------- d-----w c:\documents and settings\Chris\Application Data\Hoyle
2009-02-16 23:17 89,784 ----a-w c:\documents and settings\Chris\Application Data\GDIPFONTCACHEV1.DAT
2009-02-11 21:59 --------- d-----w c:\program files\Coupons
2009-02-08 16:59 --------- d-----w c:\program files\MSBuild
2009-02-08 16:58 --------- d-----w c:\program files\Reference Assemblies
2009-02-03 22:41 --------- d-----w c:\program files\Common Files\Adobe
2009-02-03 22:31 --------- d-----w c:\documents and settings\Chris\Application Data\Apple Computer
2009-01-27 18:47 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-01-23 05:30 --------- d-----w c:\documents and settings\Chris\Application Data\Hoyle Card Games
2009-01-21 03:07 --------- d-----w c:\documents and settings\Chris\Application Data\Hoyle FaceCreator
2009-01-21 02:19 --------- d-----w c:\program files\Encore
2009-01-07 20:23 6 ----a-w c:\windows\Fonts\wfonts.key
2007-08-17 21:35 87,608 ----a-w c:\documents and settings\Chris\Application Data\ezpinst.exe
2007-08-17 21:35 47,360 ----a-w c:\documents and settings\Chris\Application Data\pcouffin.sys
.

------- Sigcheck -------

2004-08-04 02:14 182912 1df7f42665c94b825322fae71721130d c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 15:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2009-03-20 22:46 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
2009-03-20 22:46 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-19 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\Symantec\WinFax\WfxSeh32.Dll" [1998-07-27 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=nmqleb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\365]
--a------ 2009-03-20 22:48 19968 C:\jvmtiw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 19:02 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Filetopia3\\Filetopia.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Encore\\Hoyle Card Games 2009\\Hoyle Card Games.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:RAdmin
"1214:TCP"= 1214:TCP:Kazaa Port

R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [2001-09-12 61440]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [2008-01-16 814728]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-01 33752]
S3 MarkFun_NT;MarkFun_NT;c:\program files\Gigabyte\ET5\MARKFUN.W32 [2008-09-10 17912]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [2006-09-05 217600]
S3 suscom;Susteen Serial port driver;c:\windows\system32\drivers\suscom.sys [2002-04-16 39680]
S3 XMUNIVERSAL;xmuni.sys driver;c:\windows\system32\drivers\xmuni.sys [2006-12-02 49408]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jgeruent

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{701ad5c7-f2ed-11dc-92ce-001a4d9415ea}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-20 23:44]

2009-03-21 c:\windows\Tasks\VundoFixTool Scheduled Scan.job
- c:\program files\VundoFixTool\VundoFixTool.exe []

2009-03-21 c:\windows\Tasks\VundoFixTool Scheduled Scan.job
- c:\program files\VundoFixTool []
.
- - - - ORPHANS REMOVED - - - -

BHO-{32f6d196-ec38-4b9b-8b10-a5a10c669267} - c:\windows\system32\nmqleb.dll
HKCU-Run-VundoFixTool - c:\program files\VundoFixTool\VundoFixTool.exe
MSConfigStartUp-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
MSConfigStartUp-lphct98j0ea67 - c:\windows\system32\lphct98j0ea67.exe
MSConfigStartUp-SMrhcp98j0ea67 - c:\program files\rhcp98j0ea67\rhcp98j0ea67.exe
MSConfigStartUp-SNM - c:\program files\SpyNoMore\SNM.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://broadband.zoomtown.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: turbotax.com
TCP: {9B229D30-45B8-4637-995A-B6E187AA8993} = 216.68.4.10,216.68.5.10
DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file://r:\cdviewer\CdViewer.cab
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\whfe2mjn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wrestlezone.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsharedview.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 11:10:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
"ImagePath"="\??\c:\program files\Gigabyte\ET5\markfun.w32"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\44bd9c70]
"ImagePath"="\SystemRoot\System32\drivers\44bd9c70.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-2025429265-2052111302-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:bd,19,08,9e,87,f7,43,75,73,0b,c6,63,98,ac,d2,76,cf,4d,ad,f1,37,3d,8e,
08,e4,91,45,96,bb,35,24,dd,ae,0f,90,ad,4d,4a,db,e4,92,73,33,4c,76,88,45,c0,\
"??"=hex:12,8d,f9,c9,10,48,e9,dd,6f,9f,cd,b7,89,8f,7d,62
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1508)
c:\windows\system32\COMRes.dll

- - - - - - - > 'lsass.exe'(1756)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\windows\system32\WFXSVC.EXE
c:\program files\Symantec\WinFax\WFXMOD32.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-21 11:12:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-21 15:12:17

Pre-Run: 16,174,448,640 bytes free
Post-Run: 17,156,866,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

222 --- E O F --- 2009-03-12 07:00:59

#7 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:27 AM

Posted 21 March 2009 - 12:31 PM

...the problem I am experiencing now is that nothing is really showing up in my task bar next to the clock. My CA Antivirus Shield has to be manually started, my speaker icon is gone, my Epson Printer Status icon is gone, etc.


Before we start to troubleshoot these other issues, we really need to make sure that the malware is eliminated. The ComboFix log that you posted, I'm guessing, is from before the steps we just took with OTListIt2. I need to see a fresh log from ComboFix to see any files that may still be present that would need to be dealt with.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 ChrisH15
Topic Starter

Posted 21 March 2009 - 02:49 PM

My mistake. Here is the one I just ran:

ComboFix 09-03-19.02 - Chris 2009-03-21 15:36:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1543 [GMT -4:00]
Running from: c:\documents and settings\Chris\Desktop\Virus Help\ComboFix.exe
AV: CA Anti-Virus *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ntndis.sys

.
((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.

2009-03-21 12:56 . 2009-03-21 12:56 <DIR> d-------- C:\_OTListIt
2009-03-21 12:18 . 2009-03-21 12:20 250 --a------ c:\windows\gmer.ini
2009-03-21 12:11 . 2009-03-21 12:11 <DIR> d-------- C:\gmer
2009-03-21 00:37 . 2009-03-21 00:37 <DIR> d-------- c:\documents and settings\Chris\Application Data\VundoFixTool
2009-03-21 00:33 . 2005-09-23 07:29 626,688 --a------ c:\windows\system32\msvcr80.dll
2009-03-21 00:32 . 2009-03-21 00:32 <DIR> d-------- c:\program files\InterMute
2009-03-21 00:17 . 2009-03-21 00:17 <DIR> d-------- c:\program files\Lavasoft
2009-03-20 23:01 . 2009-03-20 23:01 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-03-20 22:47 . 117,228 c:\windows\system32\drivers\44bd9c70.sys
2009-03-20 22:46 . 2009-03-20 22:46 7,321,032 --a------ c:\documents and settings\Chris\biDLhwa.exe
2009-03-20 22:46 . 2009-03-20 22:46 182,656 --a--c--- c:\windows\system32\dllcache\ndis.sys
2009-03-20 22:46 . 2009-03-20 22:46 28,672 --a------ c:\documents and settings\Chris\DiLhBizX.exe
2009-03-20 22:44 . 2009-03-20 22:44 7,321,032 --a------ c:\documents and settings\Chris\bwDZGd.exe
2009-03-20 22:44 . 2009-03-20 22:44 38,400 --a------ c:\documents and settings\Chris\IDEzhKSW.exe
2009-03-20 22:44 . 2009-03-20 22:44 266 --a------ c:\documents and settings\Chris\rQzPpWGlncu.bat
2009-03-12 21:22 . 2009-03-12 21:22 <DIR> d-------- c:\program files\Common Files\DirectX
2009-02-24 18:05 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 04:45 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-21 03:50 14,336 ----a-w c:\windows\system32\svchost.exe
2009-03-21 02:46 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-21 02:44 --------- d-----w c:\documents and settings\Chris\Application Data\uTorrent
2009-03-13 00:56 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-08 19:27 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-03-06 20:52 --------- d-----w c:\documents and settings\Chris\Application Data\Vso
2009-03-03 22:47 --------- d-----w c:\documents and settings\Chris\Application Data\Hoyle
2009-02-16 23:17 89,784 ----a-w c:\documents and settings\Chris\Application Data\GDIPFONTCACHEV1.DAT
2009-02-11 21:59 --------- d-----w c:\program files\Coupons
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 16:59 --------- d-----w c:\program files\MSBuild
2009-02-08 16:58 --------- d-----w c:\program files\Reference Assemblies
2009-02-03 22:41 --------- d-----w c:\program files\Common Files\Adobe
2009-02-03 22:31 --------- d-----w c:\documents and settings\Chris\Application Data\Apple Computer
2009-01-27 18:47 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-01-23 05:30 --------- d-----w c:\documents and settings\Chris\Application Data\Hoyle Card Games
2009-01-21 03:07 --------- d-----w c:\documents and settings\Chris\Application Data\Hoyle FaceCreator
2009-01-21 02:19 --------- d-----w c:\program files\Encore
2009-01-07 20:23 6 ----a-w c:\windows\Fonts\wfonts.key
2007-08-17 21:35 87,608 ----a-w c:\documents and settings\Chris\Application Data\ezpinst.exe
2007-08-17 21:35 47,360 ----a-w c:\documents and settings\Chris\Application Data\pcouffin.sys
.

------- Sigcheck -------

2004-08-04 02:14 182912 1df7f42665c94b825322fae71721130d c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 15:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2009-03-20 22:46 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
2009-03-20 22:46 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-03-21_11.11.33.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-21 16:18:50 565,311 ----a-w c:\windows\gmer.dll
+ 2006-11-28 19:23:32 573,440 ----a-w c:\windows\gmer.exe
+ 2009-03-21 16:18:50 68,961 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-19 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\Symantec\WinFax\WfxSeh32.Dll" [1998-07-27 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 19:02 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Filetopia3\\Filetopia.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Encore\\Hoyle Card Games 2009\\Hoyle Card Games.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:RAdmin
"1214:TCP"= 1214:TCP:Kazaa Port

R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [2001-09-12 61440]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [2008-01-16 814728]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-01 33752]
S3 MarkFun_NT;MarkFun_NT;c:\program files\Gigabyte\ET5\MARKFUN.W32 [2008-09-10 17912]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [2006-09-05 217600]
S3 suscom;Susteen Serial port driver;c:\windows\system32\drivers\suscom.sys [2002-04-16 39680]
S3 XMUNIVERSAL;xmuni.sys driver;c:\windows\system32\drivers\xmuni.sys [2006-12-02 49408]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jgeruent

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{701ad5c7-f2ed-11dc-92ce-001a4d9415ea}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-20 23:44]

2009-03-21 c:\windows\Tasks\VundoFixTool Scheduled Scan.job
- c:\program files\VundoFixTool\VundoFixTool.exe []

2009-03-21 c:\windows\Tasks\VundoFixTool Scheduled Scan.job
- c:\program files\VundoFixTool []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-365 - C:\jvmtiw.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://broadband.zoomtown.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: turbotax.com
TCP: {9B229D30-45B8-4637-995A-B6E187AA8993} = 216.68.4.10,216.68.5.10
DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file://r:\cdviewer\CdViewer.cab
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\whfe2mjn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wrestlezone.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsharedview.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 15:45:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
"ImagePath"="\??\c:\program files\Gigabyte\ET5\markfun.w32"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\44bd9c70]
"ImagePath"="\SystemRoot\System32\drivers\44bd9c70.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-2025429265-2052111302-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:bd,19,08,9e,87,f7,43,75,73,0b,c6,63,98,ac,d2,76,cf,4d,ad,f1,37,3d,8e,
08,e4,91,45,96,bb,35,24,dd,ae,0f,90,ad,4d,4a,db,e4,92,73,33,4c,76,88,45,c0,\
"??"=hex:12,8d,f9,c9,10,48,e9,dd,6f,9f,cd,b7,89,8f,7d,62
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1792)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\windows\system32\WFXSVC.EXE
c:\program files\Symantec\WinFax\WFXMOD32.EXE
.
**************************************************************************
.
Completion time: 2009-03-21 15:47:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-21 19:47:38
ComboFix2.txt 2009-03-21 15:12:27

Pre-Run: 17,158,639,616 bytes free
Post-Run: 17,145,356,288 bytes free

180 --- E O F --- 2009-03-12 07:00:59

#9 Buckeye_Sam
Malware Expert

Posted 21 March 2009 - 04:08 PM

Not clean yet I'm afraid.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Driver::
44bd9c70
jgeruent

Rootkit::
c:\windows\system32\drivers\44bd9c70.sys

NetSvc::
jgeruent

File::
c:\documents and settings\Chris\biDLhwa.exe
c:\documents and settings\Chris\DiLhBizX.exe
c:\documents and settings\Chris\bwDZGd.exe
c:\documents and settings\Chris\IDEzhKSW.exe
c:\documents and settings\Chris\rQzPpWGlncu.bat

Prior to running ComboFix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


=================



Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web Cureit.
Please post the contents of the log from DrWeb and the new ComboFix log in your next reply.


========================================================

#10 ChrisH15
Topic Starter

Posted 21 March 2009 - 06:46 PM

DrWeb.csv is attached.

Log.txt is as follows:

ComboFix 09-03-19.02 - Chris 2009-03-21 17:20:54.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1462 [GMT -4:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris\Desktop\CFScript.txt
AV: CA Anti-Virus *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\Chris\biDLhwa.exe
c:\documents and settings\Chris\bwDZGd.exe
c:\documents and settings\Chris\DiLhBizX.exe
c:\documents and settings\Chris\IDEzhKSW.exe
c:\documents and settings\Chris\rQzPpWGlncu.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chris\biDLhwa.exe
c:\documents and settings\Chris\bwDZGd.exe
c:\documents and settings\Chris\DiLhBizX.exe
c:\documents and settings\Chris\IDEzhKSW.exe
c:\documents and settings\Chris\rQzPpWGlncu.bat
c:\windows\system32\drivers\44bd9c70.sys
c:\windows\system32\drivers\ntndis.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_44bd9c70


((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.

2009-03-21 12:56 . 2009-03-21 12:56 <DIR> d-------- C:\_OTListIt
2009-03-21 12:18 . 2009-03-21 12:20 250 --a------ c:\windows\gmer.ini
2009-03-21 12:11 . 2009-03-21 12:11 <DIR> d-------- C:\gmer
2009-03-21 00:37 . 2009-03-21 00:37 <DIR> d-------- c:\documents and settings\Chris\Application Data\VundoFixTool
2009-03-21 00:33 . 2005-09-23 07:29 626,688 --a------ c:\windows\system32\msvcr80.dll
2009-03-21 00:32 . 2009-03-21 00:32 <DIR> d-------- c:\program files\InterMute
2009-03-21 00:17 . 2009-03-21 00:17 <DIR> d-------- c:\program files\Lavasoft
2009-03-20 23:01 . 2009-03-20 23:01 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-03-20 22:46 . 2009-03-20 22:46 182,656 --a--c--- c:\windows\system32\dllcache\ndis.sys
2009-03-12 21:22 . 2009-03-12 21:22 <DIR> d-------- c:\program files\Common Files\DirectX
2009-02-24 18:05 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 04:45 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-21 02:46 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-21 02:44 --------- d-----w c:\documents and settings\Chris\Application Data\uTorrent
2009-03-13 00:56 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-08 19:27 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-03-06 20:52 --------- d-----w c:\documents and settings\Chris\Application Data\Vso
2009-03-03 22:47 --------- d-----w c:\documents and settings\Chris\Application Data\Hoyle
2009-02-16 23:17 89,784 ----a-w c:\documents and settings\Chris\Application Data\GDIPFONTCACHEV1.DAT
2009-02-11 21:59 --------- d-----w c:\program files\Coupons
2009-02-08 16:59 --------- d-----w c:\program files\MSBuild
2009-02-08 16:58 --------- d-----w c:\program files\Reference Assemblies
2009-02-03 22:41 --------- d-----w c:\program files\Common Files\Adobe
2009-02-03 22:31 --------- d-----w c:\documents and settings\Chris\Application Data\Apple Computer
2009-01-27 18:47 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-01-23 05:30 --------- d-----w c:\documents and settings\Chris\Application Data\Hoyle Card Games
2009-01-21 03:07 --------- d-----w c:\documents and settings\Chris\Application Data\Hoyle FaceCreator
2009-01-21 02:19 --------- d-----w c:\program files\Encore
2009-01-07 20:23 6 ----a-w c:\windows\Fonts\wfonts.key
2007-08-17 21:35 87,608 ----a-w c:\documents and settings\Chris\Application Data\ezpinst.exe
2007-08-17 21:35 47,360 ----a-w c:\documents and settings\Chris\Application Data\pcouffin.sys
.

------- Sigcheck -------

2004-08-04 02:14 182912 1df7f42665c94b825322fae71721130d c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 15:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2009-03-20 22:46 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
2009-03-20 22:46 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-03-21_11.11.33.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-21 16:18:50 565,311 ----a-w c:\windows\gmer.dll
+ 2006-11-28 19:23:32 573,440 ----a-w c:\windows\gmer.exe
+ 2009-03-21 16:18:50 68,961 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-19 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\Symantec\WinFax\WfxSeh32.Dll" [1998-07-27 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 19:02 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Filetopia3\\Filetopia.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Encore\\Hoyle Card Games 2009\\Hoyle Card Games.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:RAdmin
"1214:TCP"= 1214:TCP:Kazaa Port

R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [2001-09-12 61440]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [2008-01-16 814728]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-01 33752]
S3 MarkFun_NT;MarkFun_NT;c:\program files\Gigabyte\ET5\MARKFUN.W32 [2008-09-10 17912]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [2006-09-05 217600]
S3 suscom;Susteen Serial port driver;c:\windows\system32\drivers\suscom.sys [2002-04-16 39680]
S3 XMUNIVERSAL;xmuni.sys driver;c:\windows\system32\drivers\xmuni.sys [2006-12-02 49408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{701ad5c7-f2ed-11dc-92ce-001a4d9415ea}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-20 23:44]

2009-03-21 c:\windows\Tasks\VundoFixTool Scheduled Scan.job
- c:\program files\VundoFixTool\VundoFixTool.exe []

2009-03-21 c:\windows\Tasks\VundoFixTool Scheduled Scan.job
- c:\program files\VundoFixTool []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://broadband.zoomtown.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: turbotax.com
TCP: {9B229D30-45B8-4637-995A-B6E187AA8993} = 216.68.4.10,216.68.5.10
DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file://r:\cdviewer\CdViewer.cab
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\whfe2mjn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wrestlezone.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsharedview.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 17:29:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
"ImagePath"="\??\c:\program files\Gigabyte\ET5\markfun.w32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2025429265-2052111302-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:bd,19,08,9e,87,f7,43,75,73,0b,c6,63,98,ac,d2,76,cf,4d,ad,f1,37,3d,8e,
08,e4,91,45,96,bb,35,24,dd,ae,0f,90,ad,4d,4a,db,e4,92,73,33,4c,76,88,45,c0,\
"??"=hex:12,8d,f9,c9,10,48,e9,dd,6f,9f,cd,b7,89,8f,7d,62
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1932)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\windows\system32\WFXSVC.EXE
c:\program files\Symantec\WinFax\WFXMOD32.EXE
.
**************************************************************************
.
Completion time: 2009-03-21 17:31:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-21 21:31:29
ComboFix2.txt 2009-03-21 19:47:52
ComboFix3.txt 2009-03-21 15:12:27

Pre-Run: 17,128,120,320 bytes free
Post-Run: 17,099,587,584 bytes free

184 --- E O F --- 2009-03-12 07:00:59

#11 Buckeye_Sam
Malware Expert

Posted 22 March 2009 - 09:06 AM

Looks like that attachment didn't take. You should be able to just copy and paste it here.


========================================================

#12 ChrisH15
Topic Starter

Posted 22 March 2009 - 12:10 PM

admdll.dll;C:\WINDOWS\system32;Program.RemoteAdmin.21;;
raddrv.dll;C:\WINDOWS\system32;Program.RemoteAdmin;;
r_server.exe;C:\WINDOWS\system32;Program.RemoteAdmin;;
setup_blazemp.res\mMSIExec.dll;C:\Documents and Settings\All Users\Application Data\{56759C22-EA1E-4BE5-A903-72F67D450F43}\setup_blazemp.res;Win32.HLLW.Autoruner.6456;;
setup_blazemp.res;C:\Documents and Settings\All Users\Application Data\{56759C22-EA1E-4BE5-A903-72F67D450F43};Archive contains infected objects;Moved.;
ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Chris\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Chris\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Chris\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Chris\Desktop;Container contains infected objects;;
AdmDll.dll;C:\Program Files\Radmin;Program.RemoteAdmin.21;;
raddrv.dll;C:\Program Files\Radmin;Program.RemoteAdmin;;
radmin.exe;C:\Program Files\Radmin;Program.RemoteAdmin;;
r_server.exe;C:\Program Files\Radmin;Program.RemoteAdmin;;
reader_s.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\Chris;Trojan.DownLoad.32229;Deleted.;
reader_s.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.DownLoad.32229;Deleted.;
A0054954.dll;C:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP741;Adware.Coupons.34;;
A0054955.ocx;C:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP741;Adware.Coupons.34;;
A0057412.exe;C:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP781;Trojan.DownLoad.32229;Deleted.;
A0057416.exe;C:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP781;Trojan.DownLoad.32229;Deleted.;
A0057436.bat;C:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP781;Probably BATCH.Virus;;
A0057453.EXE;C:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP781;Program.PsExec.170;;
A0057455.exe;C:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP781;BackDoor.IRC.Itan;Deleted.;
A0057582.bat;C:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP781;Probably BATCH.Virus;;
A0057599.EXE;C:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP781;Program.PsExec.170;;
A0057683.bat;C:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP782;Probably BATCH.Virus;;
A0057700.EXE;C:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP782;Program.PsExec.170;;
admdll.dll;C:\WINDOWS\system32;Program.RemoteAdmin.21;;
raddrv.dll;C:\WINDOWS\system32;Program.RemoteAdmin;;
r_server.exe;C:\WINDOWS\system32;Program.RemoteAdmin;;
KuzSmall.exe;C:\_OTListIt\MovedFiles\03212009_125629\WINDOWS\System32;Trojan.DownLoad.28462;Deleted.;
ymsgrie.exe\data161;D:\InstallFiles\ymsgrie.exe;Probably DLOADER.Trojan;;
ymsgrie.exe;D:\InstallFiles;Archive contains infected objects;Moved.;
RADMIN21.EXE\#setuppath#\AdmDll.dll;D:\Keri\cubscouts\cdpics\Chris\RADMIN21.EXE;Program.RemoteAdmin.21;;
RADMIN21.EXE\#setuppath#\raddrv.dll;D:\Keri\cubscouts\cdpics\Chris\RADMIN21.EXE;Program.RemoteAdmin;;
RADMIN21.EXE\#setuppath#\radmin.exe;D:\Keri\cubscouts\cdpics\Chris\RADMIN21.EXE;Program.RemoteAdmin;;
RADMIN21.EXE\#setuppath#\r_server.exe;D:\Keri\cubscouts\cdpics\Chris\RADMIN21.EXE;Program.RemoteAdmin;;
RADMIN21.EXE;D:\Keri\cubscouts\cdpics\Chris;Container contains infected objects;Moved.;
AdmDll.dll;D:\Radmin;Program.RemoteAdmin.21;;
raddrv.dll;D:\Radmin;Program.RemoteAdmin;;
radmin.exe;D:\Radmin;Program.RemoteAdmin;;
r_server.exe;D:\Radmin;Program.RemoteAdmin;;
A0057753.exe\data161;D:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP782\A0057753.exe;Probably DLOADER.Trojan;;
A0057753.exe;D:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP782;Archive contains infected objects;Moved.;
A0057754.EXE\#setuppath#\AdmDll.dll;D:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP782\A0057754.EXE;Program.RemoteAdmin.21;;
A0057754.EXE\#setuppath#\raddrv.dll;D:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP782\A0057754.EXE;Program.RemoteAdmin;;
A0057754.EXE\#setuppath#\radmin.exe;D:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP782\A0057754.EXE;Program.RemoteAdmin;;
A0057754.EXE\#setuppath#\r_server.exe;D:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP782\A0057754.EXE;Program.RemoteAdmin;;
A0057754.EXE;D:\System Volume Information\_restore{11AB23FE-3F9A-400F-ADF8-F265BCE7CCAE}\RP782;Container contains infected objects;Moved.;

#13 ChrisH15
Topic Starter

Posted 22 March 2009 - 12:12 PM

If you don't see a smoking gun fix, I think I'm prepared to just scrub the drive and start from scratch. This is the big reason why I keep the data on a separate drive than my programs.

Again, thanks for all your help. Let's hope this last post shows you something.

Chris

#14 Buckeye_Sam
Malware Expert

Posted 22 March 2009 - 07:21 PM

Here's where we're at. Your log is looking pretty good but I'm still suspicious of a couple files that show up in your log. The next step will be to have these files scanned to see if they are infected or clean, which I will post below. Then we proceed from there. And of course, if your problems still persist once we've eliminated the malware, it may take some time to troubleshoot them.

Your call how you want to proceed.

Please visit the online Jotti Virus Scanner
  • Click on the Browse button.
  • Navigate to the following file and upload it.

    c:\windows\system32\dllcache\ndis.sys

    also this file:

    c:\windows\system32\drivers\ndis.sys

  • Click on the button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 ChrisH15

ChrisH15
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 23 March 2009 - 07:48 PM

File: ndis.sys
Status:
OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 1df7f42665c94b825322fae71721130d
Packers detected:
-

Scan taken on 23 Mar 2009 22:00:26 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Quick Heal
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
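Result blocks like the one above are read by eye in the thread. As an added example that is not part of the thread (and not Jotti's or VirusTotal's code), here is a parser for that result layout together with the local check that belongs next to it: compute the file's MD5 yourself and confirm it matches the MD5 the scanner reports, since a clean verdict only speaks for the copy that was actually uploaded. The result text is copied from the post above; the sample bytes are constructed and deliberately do not match its hash.

```python
"""Interpret a Jotti-style multi-engine result block and tie it back to the
local file by hash. JOTTI_RESULT is copied verbatim from the thread; the
parser, the hash helpers and the sample bytes are this example's own.
"""
import hashlib
import re

JOTTI_RESULT = """\
File: ndis.sys
Status:
OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 1df7f42665c94b825322fae71721130d
Packers detected:
-

Scan taken on 23 Mar 2009 22:00:26 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Quick Heal
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
"""

HEADER_RE = re.compile(r"^([A-Za-z0-9 ]+):\s*(.*)$")   # "File: ndis.sys", "MD5: ...", "Status:"
CLEAN_VERDICT = "Found nothing"


def parse_jotti(text: str) -> dict:
    """Return metadata plus {engine: verdict} and the subset of engines that flagged the file."""
    lines = [ln.strip() for ln in text.splitlines()]
    # Metadata sits above the "Scan taken on" line; engine/verdict pairs sit below it.
    split = next(i for i, ln in enumerate(lines) if ln.startswith("Scan taken on"))
    meta, body = lines[:split], [ln for ln in lines[split + 1:] if ln]
    result = {"scan_time": lines[split][len("Scan taken on"):].strip()}
    i = 0
    while i < len(meta):
        m = HEADER_RE.match(meta[i])
        i += 1
        if not m:
            continue
        key, value = m.group(1).lower().replace(" ", "_"), m.group(2)
        if not value and i < len(meta):       # "Status:" carries its value on the next line
            value = meta[i]
            i += 1
        result[key] = value
    if len(body) % 2:
        raise ValueError("engine/verdict lines do not pair up")
    engines = dict(zip(body[0::2], body[1::2]))
    result["engines"] = engines
    result["detections"] = {e: v for e, v in engines.items() if v != CLEAN_VERDICT}
    return result


def file_hashes(data: bytes) -> dict:
    """MD5 to compare with the scanner's report, SHA-256 for your own records."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def assess(result: dict, local_md5: str) -> str:
    """Turn a parsed result plus the locally computed MD5 into a one-line conclusion."""
    if local_md5.lower() != result["md5"].lower():
        return "hash mismatch: the scanned copy is not the file on disk"
    if result["detections"]:
        names = ", ".join(f"{e}: {v}" for e, v in sorted(result["detections"].items()))
        return f"flagged by {len(result['detections'])}/{len(result['engines'])} engines ({names})"
    return f"clean by all {len(result['engines'])} engines"


if __name__ == "__main__":
    parsed = parse_jotti(JOTTI_RESULT)
    sample = b"constructed stand-in bytes, not the real ndis.sys"   # constructed, so the hash differs
    print(assess(parsed, file_hashes(sample)["md5"]))   # reports the mismatch
    print(assess(parsed, parsed["md5"]))                # the thread's verdict: clean by all 20 engines
```

The mismatch branch is the one to act on in practice: if the MD5 you compute over `c:\windows\system32\drivers\ndis.sys` differs from the one in the result block, the clean verdict applies to some other file and the upload needs repeating.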
