Win32/heur, Win32/Polycrypt, Trojan Horse Pakes.DIE, and generics


This topic is locked
30 replies to this topic

#1 cdellert

Posted 18 April 2009 - 09:35 AM

AVG has reported the following infections:

Trojan Horse Generic11.AQFN - several instances
Trojan Horse Generic13.XWV
Trojan Horse Pakes.DIE
Win32/Heur
Win32/Polycrypt

Most applications close after a few minutes unexpectedly. Firefox, Word, AVG User Interface. The AVG User Interface closes but the scanner will keep running in the background. Zone Alarm disappears from the system tray a few minutes after opening.

Since my browser won't stay open for more than two minutes at a time, I'll be communicating from my other computer using the browser on the Active Disk CD. This computer is also infected, but we'll save that for another day.

Here is the HijackThis Log. Please let me know what other information you may need.

Thanks in advance,
Chris


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:49 AM, on 4/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdwcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
C:\Program Files\Lexmark 7600 Series\lxdwMsdMon.exe
C:\PROGRA~1\UTILIT~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Marge\Desktop\HiJackThis.exe
C:\PROGRA~1\UTILIT~1\MOZILL~1\FIREFOX.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: (no name) - {D7BF4552-94F1-42BD-F434-3604812C856D} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [lxdwmon.exe] "C:\Program Files\Lexmark 7600 Series\lxdwmon.exe"
O4 - HKLM\..\Run: [lxdwamon] "C:\Program Files\Lexmark 7600 Series\lxdwamon.exe"
O4 - HKLM\..\Run: [Lexmark 7600 Series Fax Server] "C:\Program Files\Lexmark 7600 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\UTILIT~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-21-725345543-484763869-1060284298-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-725345543-484763869-1060284298-500\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'Administrator')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.4.15.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.4.15.0\gears.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.com/plugin/awarewebplay...cab/awswaxf.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdwCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdwserv.exe
O23 - Service: lxdw_device - - C:\WINDOWS\system32\lxdwcoms.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6641 bytes


#2 Buckeye_Sam

Malware Expert

Posted 19 April 2009 - 11:30 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

You'll need to find a way to transfer these programs over to the infected computer to run them and then transfer the logs back so that you can post them here.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 cdellert (Topic Starter)

Posted 19 April 2009 - 01:57 PM

I forgot to mention that SUPERAntiSpyware, Spyware Doctor, and Malwarebytes can't connect to their servers for updates.

OTListIT created two logs. I'll include both just in case.


OTListIT.TXT:

OTListIt logfile created on: 4/19/2009 1:21:05 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Marge\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.53 Mb Total Physical Memory | 122.50 Mb Available Physical Memory | 23.95% Memory free
1.22 Gb Paging File | 0.93 Gb Available in Paging File | 76.42% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 5.36 Gb Free Space | 9.59% Space Free | Partition Type: NTFS
Drive D: | 27.95 Gb Total Space | 0.13 Gb Free Space | 0.45% Space Free | Partition Type: NTFS
Drive E: | 27.95 Gb Total Space | 0.51 Gb Free Space | 1.82% Space Free | Partition Type: NTFS
Drive F: | 66.90 Gb Total Space | 0.47 Gb Free Space | 0.71% Space Free | Partition Type: NTFS
Drive G: | 44.89 Gb Total Space | 1.01 Gb Free Space | 2.26% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL2
Current User Name: Marge
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2008/11/13 16:18:56 | 02,405,776 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/02/01 13:58:13 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/03/21 10:33:58 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/05/16 10:33:10 | 00,594,600 | ---- | M] ( ) -- C:\WINDOWS\system32\lxdwcoms.exe
PRC - [2008/01/11 17:54:42 | 00,061,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2009/02/01 13:58:20 | 00,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/02/01 13:58:29 | 00,484,120 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/02/01 13:58:28 | 00,687,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/02/01 13:58:01 | 01,601,304 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2008/09/10 05:15:24 | 00,676,520 | ---- | M] () -- C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
PRC - [2008/09/10 05:15:21 | 00,025,256 | ---- | M] () -- C:\Program Files\Lexmark 7600 Series\lxdwMsdMon.exe
PRC - [2005/12/12 23:18:16 | 00,222,784 | ---- | M] (BillP Studios) -- C:\Program Files\Utilities\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2001/08/17 17:36:42 | 00,024,064 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\devldr32.exe
PRC - [2009/02/01 13:58:26 | 00,592,128 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/02/01 09:56:16 | 01,032,984 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe
PRC - [2008/04/19 13:09:28 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Marge\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/02/01 13:58:20 | 00,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
SRV - [2009/02/01 13:58:13 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/09/08 11:42:43 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c911d1ff2591c0 [Disabled | Stopped])
SRV - [2007/01/03 20:40:21 | 00,136,120 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Disabled | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/03/21 10:33:58 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2008/05/16 10:32:56 | 00,098,984 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdwserv.exe -- (lxdwCATSCustConnectService [Auto | Stopped])
SRV - [2008/05/16 10:33:10 | 00,594,600 | ---- | M] ( ) -- C:\WINDOWS\system32\lxdwcoms.exe -- (lxdw_device [Auto | Running])
SRV - [2003/07/28 15:19:00 | 00,077,824 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Disabled | Stopped])
SRV - [2009/01/07 13:40:56 | 00,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService [On_Demand | Stopped])
SRV - [2009/01/21 14:08:06 | 01,095,560 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService [On_Demand | Stopped])
SRV - [2008/11/13 16:18:56 | 02,405,776 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- (vsmon [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2008/01/11 17:54:42 | 00,061,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum [Auto | Running])
SRV - [2008/01/11 17:55:38 | 02,138,528 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc [On_Demand | Stopped])
SRV - [2008/01/11 17:54:58 | 00,245,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2009/02/01 13:58:28 | 00,325,128 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/02/01 13:58:28 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/02/01 13:58:26 | 00,107,272 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2001/08/17 07:19:20 | 00,003,712 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\DRIVERS\ctljystk.sys -- (ctljystk [On_Demand | Running])
DRV - [2004/08/22 17:31:10 | 00,155,136 | ---- | M] ( ) -- C:\WINDOWS\system32\DRIVERS\d347bus.sys -- (d347bus [Boot | Running])
DRV - [2004/08/22 17:31:48 | 00,005,248 | ---- | M] ( ) -- C:\WINDOWS\System32\Drivers\d347prt.sys -- (d347prt [Boot | Running])
DRV - [2008/01/22 04:00:00 | 00,385,072 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2001/08/17 07:19:26 | 00,283,904 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k [On_Demand | Running])
DRV - [2001/08/17 07:19:28 | 00,006,912 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1 [On_Demand | Running])
DRV - [2008/04/13 13:45:29 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys -- (gameenum [On_Demand | Running])
DRV - [2001/08/17 08:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2003/07/28 15:19:00 | 01,341,339 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2001/08/17 07:50:26 | 00,731,648 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4.sys -- (nv4 [On_Demand | Stopped])
DRV - [2007/11/13 22:37:19 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\System32\Drivers\pcouffin.sys -- (pcouffin [On_Demand | Running])
DRV - [2009/03/06 16:45:06 | 00,130,424 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore [Boot | Running])
DRV - [2003/08/11 10:07:46 | 00,014,604 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
DRV - [2005/03/15 04:45:20 | 00,020,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\point32.sys -- (Point32 [On_Demand | Stopped])
DRV - [2004/05/05 21:48:40 | 00,004,228 | ---- | M] (PowerQuest Corporation) -- C:\WINDOWS\System32\drivers\PQNTDRV.sys -- (PQNTDrv [System | Running])
DRV - [2001/08/23 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/02/02 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2007/07/12 04:49:16 | 00,096,384 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys -- (RTL8023xp [On_Demand | Running])
DRV - [2004/08/03 23:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Stopped])
DRV - [2007/04/03 13:59:30 | 00,083,208 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\DRIVERS\s616bus.sys -- (s616bus [On_Demand | Stopped])
DRV - [2007/04/03 13:59:36 | 00,015,112 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\DRIVERS\s616mdfl.sys -- (s616mdfl [On_Demand | Stopped])
DRV - [2007/04/03 13:59:38 | 00,108,680 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\DRIVERS\s616mdm.sys -- (s616mdm [On_Demand | Stopped])
DRV - [2007/04/03 13:59:40 | 00,100,360 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\DRIVERS\s616mgmt.sys -- (s616mgmt [On_Demand | Stopped])
DRV - [2007/04/03 13:59:42 | 00,098,568 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\DRIVERS\s616obex.sys -- (s616obex [On_Demand | Stopped])
DRV - [2007/04/03 13:59:42 | 00,099,080 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\DRIVERS\s616unic.sys -- (s616unic [On_Demand | Stopped])
DRV - [2008/09/03 14:07:14 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2008/09/03 14:07:16 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Running])
DRV - [2008/09/03 14:07:12 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/08/17 07:19:34 | 00,036,480 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman [On_Demand | Running])
DRV - [2008/04/21 08:19:58 | 00,051,648 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan [Boot | Running])
DRV - [2001/08/23 07:00:00 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra [Boot | Running])
DRV - [2008/04/13 13:45:36 | 00,026,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\usbser.sys -- (usbser [On_Demand | Stopped])
DRV - [2008/01/25 21:59:34 | 00,022,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\usbsermpt.sys -- (usbsermpt [On_Demand | Stopped])
DRV - [2008/04/13 13:56:49 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\usb8023x.sys -- (usb_rndisx [On_Demand | Stopped])
DRV - [2008/11/13 16:19:00 | 00,353,680 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys -- (vsdatant [System | Running])
DRV - [2008/01/11 17:39:34 | 00,040,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\zumbus.sys -- (zumbus [Auto | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.default\.default\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\s-1-5-18\s-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\s-1-5-19\s-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\s-1-5-20\s-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
IE - HKU\s-1-5-21-725345543-484763869-1060284298-1004\s-1-5-21-725345543-484763869-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\s-1-5-21-725345543-484763869-1060284298-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
IE - HKU\s-1-5-21-725345543-484763869-1060284298-500\s-1-5-21-725345543-484763869-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"

FF - HKLM\software\mozilla\Firefox\Extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\PROGRAM FILES\GOOGLE\GOOGLE GEARS\FIREFOX\ [2008/09/08 11:43:57 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\PROGRAM FILES\AVG\AVG8\FIREFOX [2009/02/01 14:01:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/03/21 10:33:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Components: C:\PROGRAM FILES\UTILITIES\MOZILLA FIREFOX\COMPONENTS [2009/03/08 17:16:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Plugins: C:\PROGRAM FILES\UTILITIES\MOZILLA FIREFOX\PLUGINS [2009/03/18 18:51:25 | 00,000,000 | ---D | M]

[2009/03/18 18:54:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\mozilla\Extensions
[2009/03/18 18:54:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\mozilla\Extensions\mozswing@mozswing.org
[2009/05/07 19:28:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\mozilla\Firefox\Profiles\2fz0ve0c.default\extensions
[2008/04/19 16:12:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\mozilla\Firefox\Profiles\2fz0ve0c.default\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
[2006/04/03 12:16:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\mozilla\Firefox\Profiles\2fz0ve0c.default\extensions\{7f57cf46-4467-4c2d-adfa-0cba7c507e54}
[2007/10/22 19:00:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\mozilla\Firefox\Profiles\2fz0ve0c.default\extensions\{9b9d2aaa-ae26-4447-a7a1-633a32b19ddd}
[2008/03/02 21:22:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\mozilla\Firefox\Profiles\2fz0ve0c.default\extensions\{B2EA3FAB-912C-48a1-BABD-C5B00BB885BB}

O1 HOSTS File: (227676 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 7988 more lines...
O2 - BHO: (no name) - {D7BF4552-94F1-42BD-F434-3604812C856D} - Reg Error: Key error. File not found
O3 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
O3 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
O3 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
O3 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Reg Error: Key error. File not found
O3 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Lexmark 7600 Series Fax Server] "C:\Program Files\Lexmark 7600 Series\fm3032.exe" /s ()
O4 - HKLM..\Run: [lxdwamon] "C:\Program Files\Lexmark 7600 Series\lxdwamon.exe" ()
O4 - HKLM..\Run: [lxdwmon.exe] "C:\Program Files\Lexmark 7600 Series\lxdwmon.exe" ()
O4 - HKLM..\Run: [WinPatrol] C:\PROGRA~1\UTILIT~1\BILLPS~1\WINPAT~1\winpatrol.exe (BillP Studios)
O4 - HKLM..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Check Point Software Technologies LTD)
O4 - HKU\s-1-5-21-725345543-484763869-1060284298-1004..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (Microsoft Corporation)
O4 - HKU\s-1-5-21-725345543-484763869-1060284298-1004..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\s-1-5-21-725345543-484763869-1060284298-500..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (Microsoft Corporation)
O4 - HKLM..\RunOnceEx: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.default\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.default\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\s-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\s-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-19_classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\s-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\s-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-20_classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMorePrograms = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions =
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004_classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-500\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.4.15.0\gears.dll (Google Inc.)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc.)
O15 - HKLM\..Trusted Domains: 33 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.default\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\s-1-5-18\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..Trusted Sites: ([]msn in My Computer)
O15 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..Trusted Sites: turbotax.com ([]https in Trusted sites)
O15 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} http://www.phgenit.com/plugin/awarewebplay...cab/awswaxf.cab (Macromedia Authorware Web Player Control)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab (LSSupCtl Class)
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab (Symantec SmartIssue)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab (ActiveDataInfo Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE} - C:\Program Files\Utilities\GPSoftware\Directory Opus\dopuslib.dll (GP Software)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/04/01 16:49:35 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\*.tmp files]
[2009/04/19 13:20:04 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Marge\Desktop\OTListIt2.exe
[2009/04/19 13:20:04 | 00,286,208 | ---- | C] () -- C:\Documents and Settings\Marge\Desktop\ibgkiifx.exe
[2009/04/18 16:53:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Marge\Desktop\FIX
[2009/04/18 15:52:33 | 00,288,267 | ---- | C] () -- C:\Documents and Settings\Marge\Desktop\fix_download.exe
[2009/04/18 09:03:22 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Marge\Desktop\HiJackThis.exe
[2009/04/18 08:17:58 | 00,089,448 | ---- | C] () -- C:\WINDOWS\System32\drivers\67a49d28.sys
[2009/04/18 08:12:52 | 00,360,021 | ---- | C] () -- C:\Documents and Settings\Marge\Desktop\dds.scr
[2009/04/16 22:40:08 | 53,644,9024 | -HS- | C] () -- C:\hiberfil.sys
[2009/04/16 18:55:23 | 00,159,600 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2009/04/16 18:55:03 | 00,130,424 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2009/04/16 18:55:03 | 00,073,840 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2009/04/16 18:54:49 | 00,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2009/04/16 18:54:45 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2009/04/16 18:54:44 | 00,064,392 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2009/04/16 18:54:33 | 00,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2009/04/16 18:54:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2009/04/15 16:44:24 | 00,000,000 | ---D | C] -- C:\060d62d8d00142e9fb8399e544264a
[2009/04/15 10:28:00 | 00,074,240 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2009/04/14 15:48:18 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/14 15:48:17 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/14 15:48:17 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/14 15:48:16 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/14 15:48:15 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/14 15:48:15 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/14 15:48:14 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/14 15:48:14 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/14 15:48:13 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/14 15:47:36 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/14 15:47:34 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/14 15:47:33 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/13 19:37:05 | 00,000,782 | ---- | C] () -- C:\Documents and Settings\Marge\Desktop\FruityLoops 3.4.lnk
[2009/04/13 19:34:43 | 00,000,000 | ---D | C] -- C:\Program Files\FruityLoops 3.4
[2009/04/11 08:24:38 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/04/11 08:24:38 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/04/09 17:47:43 | 00,000,000 | ---D | C] -- C:\Program Files\AnalogX
[2009/04/07 17:24:29 | 00,032,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbccgp.sys
[2009/04/07 17:24:29 | 00,032,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbccgp.sys
[2009/04/04 13:47:19 | 00,000,000 | ---D | C] -- C:\Program Files\Sonic Foundry
[2009/03/28 16:57:14 | 00,000,048 | ---- | C] () -- C:\plug_in.ini
[2009/03/28 16:39:31 | 00,000,000 | ---D | C] -- C:\Program Files\VirtualDJ
[2009/03/28 14:54:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/03/24 22:58:59 | 00,244,258 | ---- | C] () -- C:\Documents and Settings\Marge\Desktop\RUSCO PACK FEBRUARY 2009 (PL1,PL5 & PL4)..pdf
[2009/03/24 18:46:42 | 00,000,000 | ---D | C] -- C:\Program Files\Project64 1.6
[2009/03/21 09:06:58 | 00,989,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll
[2009/03/10 23:05:25 | 00,175,104 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2009/03/10 23:01:34 | 04,762,112 | ---- | C] () -- C:\WINDOWS\System32\NCMedia.dll
[2009/03/10 23:01:34 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/03/10 23:01:34 | 00,383,238 | ---- | C] () -- C:\WINDOWS\System32\libmp3lame-0.dll
[2009/02/08 20:59:42 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdwvs.dll
[2009/02/08 20:59:25 | 00,360,448 | ---- | C] () -- C:\WINDOWS\System32\lxdwcoin.dll
[2009/02/08 20:58:05 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\lxdwcaps.dll
[2009/02/08 20:58:04 | 01,036,288 | ---- | C] () -- C:\WINDOWS\System32\lxdwdrs.dll
[2009/02/08 20:58:03 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdwcnv4.dll
[2009/02/08 20:57:35 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\LXDWPMON.DLL
[2009/02/08 20:57:35 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXDWFXPU.DLL
[2009/02/08 20:57:15 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\lxdwoem.dll
[2009/02/08 20:53:30 | 00,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxdwrwrd.ini
[2009/02/08 20:51:32 | 00,389,120 | ---- | C] () -- C:\WINDOWS\System32\LXDWinst.dll
[2009/02/08 20:51:31 | 00,438,272 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDWhcp.dll
[2009/02/08 20:51:31 | 00,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwinpa.dll
[2009/02/08 20:51:30 | 00,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwiesc.dll
[2009/02/08 20:51:29 | 00,851,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwusb1.dll
[2009/02/08 20:51:28 | 01,069,056 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwserv.dll
[2009/02/08 20:51:28 | 00,651,264 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwpmui.dll
[2009/02/08 20:51:27 | 00,577,536 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwlmpm.dll
[2009/02/08 20:51:25 | 00,679,936 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwhbn3.dll
[2009/02/08 20:51:25 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdwgrd.dll
[2009/02/08 20:51:22 | 00,376,832 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomm.dll
[2009/02/08 20:51:21 | 00,765,952 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomc.dll
[2009/01/23 22:24:36 | 00,006,592 | ---- | C] () -- C:\WINDOWS\gwpreset.ini
[2009/01/23 22:24:35 | 00,000,725 | ---- | C] () -- C:\WINDOWS\goldwave.ini
[2008/11/13 04:08:37 | 00,000,206 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/10/02 21:59:20 | 00,796,048 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll
[2008/01/25 18:45:24 | 00,000,076 | ---- | C] () -- C:\WINDOWS\System32\NemuVideo.ini
[2008/01/16 17:28:29 | 00,000,274 | ---- | C] () -- C:\WINDOWS\Clony2.ini
[2008/01/06 17:11:46 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/01/06 16:17:50 | 00,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[2008/01/06 16:17:50 | 00,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
[2007/12/10 20:40:32 | 00,000,071 | ---- | C] () -- C:\WINDOWS\pex.INI
[2007/12/10 20:31:42 | 00,000,142 | ---- | C] () -- C:\WINDOWS\Ulead32.ini
[2007/11/13 20:34:35 | 00,262,144 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2007/11/13 20:34:34 | 00,395,776 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2007/11/13 20:34:34 | 00,112,640 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2007/11/13 20:34:32 | 02,255,360 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2007/08/26 01:18:29 | 00,000,036 | ---- | C] () -- C:\WINDOWS\Tiny_Run.ini
[2006/12/23 18:33:13 | 00,000,311 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2006/06/09 19:35:26 | 00,000,056 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/04/13 16:27:25 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2006/04/13 13:52:44 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll
[2006/04/02 13:33:50 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/12/01 14:05:44 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/22 18:04:56 | 00,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll
[2001/08/23 07:00:00 | 00,001,133 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 07:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2001/08/23 06:59:05 | 01,614,848 | ---- | C] () -- C:\WINDOWS\System32\sfcfiles.dll
[1995/03/13 23:22:21 | 00,000,080 | --S- | C] () -- C:\WINDOWS\System32\argtmp39.dll
[1765/05/29 22:37:00 | 00,004,263 | -HS- | C] () -- C:\WINDOWS\windllreg1c.sys

========== Files - Modified Within 30 Days ==========

[3 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/04/19 13:23:14 | 00,089,448 | ---- | M] () -- C:\WINDOWS\System32\drivers\67a49d28.sys
[2009/04/18 16:32:07 | 00,348,370 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/04/18 16:16:32 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/18 16:16:25 | 00,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/18 16:16:17 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/18 16:16:16 | 53,644,9024 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/18 15:52:27 | 00,288,267 | ---- | M] () -- C:\Documents and Settings\Marge\Desktop\fix_download.exe
[2009/04/18 09:44:53 | 35,215,767 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/04/18 09:44:53 | 00,434,673 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/04/18 09:03:17 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Marge\Desktop\HiJackThis.exe
[2009/04/18 08:12:46 | 00,360,021 | ---- | M] () -- C:\Documents and Settings\Marge\Desktop\dds.scr
[2009/04/17 03:08:30 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/17 00:29:20 | 00,100,885 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/04/16 18:54:49 | 00,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2009/04/16 18:01:12 | 00,000,748 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/15 19:24:57 | 00,477,846 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/15 19:24:57 | 00,406,328 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/15 19:24:57 | 00,063,528 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/15 16:50:02 | 00,000,206 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/15 10:28:00 | 00,074,240 | ---- | M] () -- C:\WINDOWS\System32\zlib.dll
[2009/04/13 20:28:47 | 00,001,744 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/04/13 19:37:05 | 00,000,782 | ---- | M] () -- C:\Documents and Settings\Marge\Desktop\FruityLoops 3.4.lnk
[2009/04/11 08:24:38 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/04/11 08:24:38 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/04/07 20:41:32 | 00,040,960 | ---- | M] () -- C:\Documents and Settings\Marge\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/07 17:30:07 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/06 09:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/28 16:57:21 | 00,000,048 | ---- | M] () -- C:\plug_in.ini
[2009/03/27 01:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/03/24 22:59:01 | 00,244,258 | ---- | M] () -- C:\Documents and Settings\Marge\Desktop\RUSCO PACK FEBRUARY 2009 (PL1,PL5 & PL4)..pdf
[2009/03/24 18:49:59 | 00,001,632 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/03/23 18:31:37 | 00,023,040 | ---- | M] () -- D:\My Documents\Why I Want to Teach.doc
[2009/03/21 09:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\kernel32.dll
[2009/03/21 09:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> D:\My Documents\shakira70_44f826238ba5b.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\My Documents\shakira_007_pj.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\My Documents\mumsample.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\My Documents\dse.gif:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\My Documents\condom.gif:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\My Documents\bbyb.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\My Documents\06-29-07_1703.jpg:Roxio EMC Stream
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

EXTRAS.TXT:

OTListIt Extras logfile created on: 4/19/2009 1:21:05 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Marge\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.53 Mb Total Physical Memory | 122.50 Mb Available Physical Memory | 23.95% Memory free
1.22 Gb Paging File | 0.93 Gb Available in Paging File | 76.42% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 5.36 Gb Free Space | 9.59% Space Free | Partition Type: NTFS
Drive D: | 27.95 Gb Total Space | 0.13 Gb Free Space | 0.45% Space Free | Partition Type: NTFS
Drive E: | 27.95 Gb Total Space | 0.51 Gb Free Space | 1.82% Space Free | Partition Type: NTFS
Drive F: | 66.90 Gb Total Space | 0.47 Gb Free Space | 0.71% Space Free | Partition Type: NTFS
Drive G: | 44.89 Gb Total Space | 1.01 Gb Free Space | 2.26% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL2
Current User Name: Marge
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Utilities\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2006/11/13 14:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
[2006/11/13 14:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
[2006/11/13 14:39:54 | 04,270,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2009/02/01 13:58:20 | 00,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
[2009/02/01 09:56:16 | 01,032,984 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
[2009/03/10 15:10:51 | 00,139,776 | ---- | M] (Lime Wire, LLC) -- C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000
[2008/02/14 15:57:42 | 10,335,520 | ---- | M] (Intuit, Inc.) -- C:\Program Files\TurboTax\Basic 2007\32bit\ttax.exe:LocalSubNet:Disabled:TurboTax
[2007/10/22 19:56:52 | 03,597,600 | ---- | M] (Intuit, Inc.) -- C:\Program Files\TurboTax\Basic 2007\32bit\updatemgr.exe:LocalSubNet:Disabled:TurboTax Update Manager
[2008/11/18 20:18:46 | 01,805,552 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe:*:Enabled:SUPERAntiSpyware Free Edition
[2007/02/20 05:10:26 | 00,282,624 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare
[2007/11/15 19:14:56 | 00,588,080 | ---- | M] () -- C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\Utilities\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe:*:Enabled:Roxio Upnp Service
[2006/11/13 14:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
[2006/11/13 14:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
[2006/11/13 14:39:54 | 04,270,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
[2008/05/16 10:33:10 | 00,594,600 | ---- | M] ( ) -- C:\WINDOWS\system32\lxdwcoms.exe:*:Enabled:7600 Series Server

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}" = Notifier
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{03EDED24-8375-407D-A721-4643D9768BE1}" = kgchlwn
"{073F22CE-9A5B-4A40-A604-C7270AC6BF34}" = ESSSONIC
"{084709F7-38C5-4609-B55F-2417939315EB}" = Adobe Premiere Pro
"{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}" = HP USB Disk Storage Format Tool
"{11F3F858-4131-4FFA-A560-3FE282933B6E}" = kgchday
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{171818BA-E0AD-313D-B45A-1BC9D77ADA86}" = YouTube Uploader
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1EECBA68-8BE4-4076-94DF-E9ED206B1D21}" = Star Wars Jedi Knight Jedi Academy
"{21DBBDD6-93A5-4326-9A04-C9A5C9148502}" = Norton PartitionMagic
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 12
"{2A38B5AA-EA84-4F87-9937-2FB23982243A}" = Sonic Foundry ACID 4.0
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}" = Macromedia Flash MX
"{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}" = DAEMON Tools
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{4D826618-59C6-11D4-976E-00C04F8EEB39}" = Macromedia FreeHand 10
"{556DF27F-5B74-11D5-B876-004005E12EF1}" = GPSoftware Directory Opus
"{5B09BD67-4C99-46A1-8161-B7208CE18121}" = QuickTime
"{5B39603F-2A77-40E6-950D-ED7B8307933D}" = Microsoft IntelliPoint 5.3
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}" = fflink
"{62631D34-D839-3214-92A2-D2F13C235694}" = Google Gears
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{693C08A7-9E76-43FF-B11E-9A58175474C4}" = kgckids
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7583239A-D4BE-48CA-A253-396122B3D3E9}" = Zune
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{8681B1E6-CD96-46EF-9065-CE0D1085ED99}" = Star Wars JK II Jedi Outcast
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A8664E1-84C8-4936-891C-BC1F07797549}" = kgcvday
"{8B4AB829-DFD3-436D-B808-D9733D76C590}" = Macromedia Dreamweaver MX
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{90190409-6000-11D3-8CFE-0050048383C9}" = Microsoft Publisher 2002
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{930B2432-43D4-11D5-9871-00C04F8EEB39}" = Macromedia Fireworks MX
"{94824ADD-8F26-43D2-84DB-22E11F377E5E}" = Microsoft English TTS Engine
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{97D0C0A1-7E64-4B05-A2EE-61D2CE23F154}" = TTS Wrapper
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9BD54685-1496-46A5-AB62-357CD140ED8B}" = kgcinvt
"{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}" = ESScore
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime
"{A1588373-1D86-4D44-86C9-78ABD190F9CC}" = kgcmove
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{B772E270-02DF-4B70-9FA8-1383BBB81FDD}" = Intel® Processor Frequency ID Utility
"{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}" = KSU
"{C03E8D2E-3526-4C5D-9744-86FBBC098C43}" = Sudoku Puzzle Addict
"{C82185E8-C27B-4EF4-2007-4444BC2C2B6D}" = Microsoft Streets & Trips 2007
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{D271DAE0-8D68-4C97-8356-A126D48A1D8C}" = Ulead Photo Explorer 8.0
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}" = Lexmark Printable Web
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{E18B549C-5D15-45DA-8D8F-8FD2BD946344}" = kgcbaby
"{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}" = tooltips
"{E953623A-BCCB-474F-AB3D-E241651C4E0B}" = IDimager V4 Professional Desktop Edition | BETA R.5
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}" = kgcbase
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FDF9943A-3D5C-46B3-9679-586BD237DDEE}" = SKIN0001
"{FFFDEC7F-B24F-4C40-8639-7702671B8D67}_is1" = NS Virtual DJ 6.0 Full
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player
"AnalogX Vocoder" = AnalogX Vocoder
"AVG8Uninstall" = AVG Free 8.0
"Bink and Smacker" = Bink and Smacker
"bitRipper" = bitRipper
"Core FTP LE 2.0" = Core FTP LE 2.0
"DVDFab Platinum_is1" = DVDFab Platinum 4.0.0.8 Beta
"EPSON Printer and Utilities" = EPSON Printer Software
"ERUNT_is1" = ERUNT 1.1j
"ExtractNow_is1" = ExtractNow
"FastStone Image Viewer" = FastStone Image Viewer 2.4
"Free Video to iPod Converter_is1" = Free Video to iPod Converter version 2.4
"Free Video to Mp3 Converter_is1" = Free Video to Mp3 Converter version 3.1
"Free YouTube to iPod Converter_is1" = Free YouTube to iPod Converter version 3.1
"Free YouTube to Mp3 Converter_is1" = Free YouTube to Mp3 Converter version 2.4
"Freez FLV to MP3 Converter V1.2_is1" = Freez FLV to MP3 Converter
"FruityLoops v3.4" = FruityLoops v3.4
"GoldWave v4.26" = GoldWave v4.26
"GrabIt_is1" = GrabIt 1.6.2 Beta (build 940)
"hijackthis" = HijackThis 2.0.2
"IDimager V4 Professional Desktop Edition | BETA R.5" = IDimager V4 Professional Desktop Edition | BETA R.5
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{21DBBDD6-93A5-4326-9A04-C9A5C9148502}" = Norton PartitionMagic 8.0
"Lexmark 7600 Series" = Lexmark 7600 Series
"LimeWire" = LimeWire 5.1.2
"Magic ISO Maker v5.4 (build 0256)" = Magic ISO Maker v5.4 (build 0256)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Money2005b" = Microsoft Money 2005
"Mozilla Firefox (2.0.0.20)" = Mozilla Firefox (2.0.0.20)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"Nero PhotoShow Deluxe 4" = Nero PhotoShow Deluxe 4
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"Picasa2" = Picasa 2
"Prism" = Prism
"ProcessScanner_is1" = Uniblue ProcessScanner
"RealPlayer 6.0" = RealPlayer
"Riva FLV Encoder 2.0_is1" = Riva FLV Encoder 2.0
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Spyware Doctor" = Spyware Doctor 6.0
"TagScanner_is1" = TagScanner 5.0 build 525
"The Font Thing" = The Font Thing
"ToolBox" = NCH Toolbox
"TurboTax Basic 2007" = TurboTax Basic 2007
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows Mobile Device Handbook" = Windows Mobile® Device Handbook
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinPatrol" = WinPatrol
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XGames Pro Boarder" = ESPN Digital Games XGames Pro Boarder
"ZoneAlarm" = ZoneAlarm

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent 6.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent 6.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/16/2009 6:26:15 PM | Computer Name = DELL2 | Source = Application Error | ID = 1000
Description = Faulting application jqsnotify.exe, version 6.0.120.4, faulting module
, version 0.0.0.0, fault address 0x00000000.

Error - 4/16/2009 7:51:11 PM | Computer Name = DELL2 | Source = pctsSvc.exe | ID = 0
Description =

Error - 4/16/2009 7:55:44 PM | Computer Name = DELL2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 4/16/2009 8:48:45 PM | Computer Name = DELL2 | Source = Application Hang | ID = 1002
Description = Hanging application sdloader.exe, version 6.1.0.5, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/16/2009 9:03:18 PM | Computer Name = DELL2 | Source = Application Error | ID = 1000
Description = Faulting application wmiprvse.exe, version 5.1.2600.5755, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00002338.

Error - 4/16/2009 10:32:12 PM | Computer Name = DELL2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 4/16/2009 11:42:34 PM | Computer Name = DELL2 | Source = Application Error | ID = 1000
Description = Faulting application wmiprvse.exe, version 5.1.2600.5755, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00002338.

Error - 4/17/2009 11:01:58 PM | Computer Name = DELL2 | Source = Application Hang | ID = 1002
Description = Hanging application avgui.exe, version 8.0.0.223, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/18/2009 10:15:18 AM | Computer Name = DELL2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 4/18/2009 10:15:59 AM | Computer Name = DELL2 | Source = Application Error | ID = 1000
Description = Faulting application wmiprvse.exe, version 5.1.2600.5755, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00002338.

[ System Events ]
Error - 4/18/2009 5:02:06 PM | Computer Name = DELL2 | Source = Service Control Manager | ID = 7000
Description = The lxdwCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 4/18/2009 5:07:09 PM | Computer Name = DELL2 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxdwCATSCustConnectService
service to connect.

Error - 4/18/2009 5:07:09 PM | Computer Name = DELL2 | Source = Service Control Manager | ID = 7000
Description = The lxdwCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 4/18/2009 5:16:41 PM | Computer Name = DELL2 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxdwCATSCustConnectService
service to connect.

Error - 4/18/2009 5:16:41 PM | Computer Name = DELL2 | Source = Service Control Manager | ID = 7000
Description = The lxdwCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 4/18/2009 5:32:04 PM | Computer Name = DELL2 | Source = Service Control Manager | ID = 7022
Description = The Server service hung on starting.

Error - 4/18/2009 5:32:04 PM | Computer Name = DELL2 | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1070

Error - 4/18/2009 5:32:45 PM | Computer Name = DELL2 | Source = System Error | ID = 1003
Description = Error code 100000d1, parameter1 e1d6f000, parameter2 00000002, parameter3
00000000, parameter4 f1279cf1.

Error - 4/18/2009 5:33:33 PM | Computer Name = DELL2 | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 4/18/2009 5:36:36 PM | Computer Name = DELL2 | Source = Service Control Manager | ID = 7034
Description = The HTTP SSL service terminated unexpectedly. It has done this 1
time(s).


< End of report >


ibgkiifx.log:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-19 13:37:48
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.15 ----

? srescan.sys The system cannot find the file specified. !
? C:\WINDOWS\System32\drivers\67a49d28.sys The system cannot find the file specified. !
? System32\Drivers\sfc.SYS The system cannot find the path specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F24E5410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F24E5220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F24E5B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F24E3780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F24E3780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F24E5410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F24E5220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F24E5B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F24E5410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F24E3780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F24E5B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F24E5220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F24E5B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F24E5220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F24E5410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F24E3780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F24E5410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F24E5220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F24E5B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F24E5410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F24E3780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F24E5B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F24E5220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisRegisterProtocol] [F24E5410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisOpenAdapter] [F24E5220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisDeregisterProtocol] [F24E3780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisCloseAdapter] [F24E5B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1832] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5A8F0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1832] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [61A5A8F0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1832] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [61A528E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1832] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [61A62110] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1832] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [61A53F40] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1832] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!UnhandledExceptionFilter] [61A53DB0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1832] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!TerminateProcess] [61A53EB0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1832] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5A8F0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1832] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateThread] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1832] @ C:\WINDOWS\system32\Wininet.dll [KERNEL32.dll!CreateThread] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1832] @ C:\WINDOWS\system32\Wininet.dll [KERNEL32.dll!GetModuleHandleA] [7C8841EE] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1832] @ C:\WINDOWS\system32\Wininet.dll [KERNEL32.dll!GetModuleHandleW] [7C8841F3] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\AVG\AVG8\avgupd.exe[2404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00972650
IAT C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2732] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 003A3F58

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 67a49d28.sys
Device \FileSystem\Ntfs \Ntfs 82F9D330
Device \FileSystem\Fastfat \FatCdrom 82919148
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip 67a49d28.sys

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp 67a49d28.sys

Device \Driver\AvgTdiX \Device\AvgTdi 67a49d28.sys
Device \FileSystem\Rdbss \Device\FsWrap 82CEBAD0
Device \Driver\atapi \Device\Ide\IdePort0 82C0D1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 82C0D1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 82C0D1E8
Device \FileSystem\Srv \Device\LanmanServer 825931F0
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp 67a49d28.sys

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp 67a49d28.sys

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82C76240
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82C76240
Device \FileSystem\Npfs \Device\NamedPipe 82CC3EB0
Device \FileSystem\Msfs \Device\Mailslot 82E85440
Device \FileSystem\Fastfat \Fat 82919148

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 82EA0440
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 82EA0440
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 82EA0440
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 82EA0440
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 82EA0440
Device \FileSystem\Cdfs \Cdfs 82D01150

---- Modules - GMER 1.0.15 ----

Module _________ F8778000-F8790000 (98304 bytes)

---- EOF - GMER 1.0.15 ----


Let me know what's next. Thanks for your help and quick reply.

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 April 2009 - 06:02 PM

Download the HostsXpert 3.7 - Hosts File Manager.
  • Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

==================


Please visit the online Jotti Virus Scanner
  • Click on Browse button.
  • Navigate to the following file and upload it.


    C:\WINDOWS\System32\drivers\67a49d28.sys


  • Click the button to submit the file.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html


======================



Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    O2 - BHO: (no name) - {D7BF4552-94F1-42BD-F434-3604812C856D} - Reg Error: Key error. File not found
    O3 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
    O3 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
    O3 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
    O3 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
    O3 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
    O3 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Reg Error: Key error. File not found
    O3 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 cdellert
  • Topic Starter
  • Members
  • 23 posts

Posted 19 April 2009 - 06:46 PM

I got the Hosts file restored. I can't scan that file though as that computer will not connect to the internet anymore. I'm not sure what happened there. I can't even connect to my router through the browser. The other fix is running right now and I'll try the internet connection after it reboots to scan that file. I'll post the logs afterward.

#6 cdellert
  • Topic Starter
  • Members
  • 23 posts

Posted 19 April 2009 - 07:26 PM

After manually rebooting (OTListIT did NOT reboot after running that code), the following log came up on the screen. After rebooting, the internet connection is restored; however, I could not submit the file to either site. Both said 0 bytes received. One mentioned that either a firewall or malware was keeping it from being submitted. According to the properties, it was created yesterday morning.

I ran OTListIT again to create a new log, and a Zone Alarm notification popped up saying OTListIT was trying to access the internet. I think I clicked "ALLOW", although I did not choose to remember that setting. While I was saving the log file, another notification popped up for Notepad. I clicked "DENY" as I could not think of any reason it needed internet access. Then a few minutes later ALG.EXE requested access, which I denied, not sure what that program is. Then SUPERantiSpyware opened on its own and tried to update itself. I told it to try later and closed it so I could continue what I was doing.

Here are the logs.

========== OTLISTIT ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7BF4552-94F1-42BD-F434-3604812C856D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7BF4552-94F1-42BD-F434-3604812C856D}\ not found.
Registry value HKEY_USERS\s-1-5-21-725345543-484763869-1060284298-1004\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\s-1-5-21-725345543-484763869-1060284298-1004\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\s-1-5-21-725345543-484763869-1060284298-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\s-1-5-21-725345543-484763869-1060284298-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\s-1-5-21-725345543-484763869-1060284298-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\s-1-5-21-725345543-484763869-1060284298-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
Registry value HKEY_USERS\s-1-5-21-725345543-484763869-1060284298-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\Marge\Local Settings\Temp\lxdw\lxdwuser.pdf scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Marge\Local Settings\Temporary Internet Files\Content.IE5\PFWABG4A\Fwd__77Passthisontoyourdaughters... scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marge\Local Settings\Temporary Internet Files\Content.IE5\5CC6U1MA\Fw_ a message from Bill Gates...so true. scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marge\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_110.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT025c0.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTListIt2 by OldTimer - Version 2.0.14.0 log created on 04192009_184050

Files moved on Reboot...
C:\Documents and Settings\Marge\Local Settings\Temp\lxdw\lxdwuser.pdf moved successfully.
File C:\Documents and Settings\Marge\Local Settings\Temporary Internet Files\Content.IE5\PFWABG4A\Fwd__77Passthisontoyourdaughters... not found!
File C:\Documents and Settings\Marge\Local Settings\Temporary Internet Files\Content.IE5\5CC6U1MA\Fw_ a message from Bill Gates...so true. not found!
C:\WINDOWS\temp\Perflib_Perfdata_110.dat moved successfully.
File C:\WINDOWS\temp\ZLT025c0.TMP not found!

Registry entries deleted on Reboot...


Here is the OTListIT log:


OTListIt logfile created on: 4/19/2009 7:06:16 PM - Run 2
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Marge\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.53 Mb Total Physical Memory | 204.92 Mb Available Physical Memory | 40.06% Memory free
1.22 Gb Paging File | 0.95 Gb Available in Paging File | 78.29% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 7.53 Gb Free Space | 13.47% Space Free | Partition Type: NTFS
Drive D: | 27.95 Gb Total Space | 0.13 Gb Free Space | 0.45% Space Free | Partition Type: NTFS
Drive E: | 27.95 Gb Total Space | 0.51 Gb Free Space | 1.82% Space Free | Partition Type: NTFS
Drive F: | 66.90 Gb Total Space | 0.47 Gb Free Space | 0.71% Space Free | Partition Type: NTFS
Drive G: | 44.89 Gb Total Space | 1.01 Gb Free Space | 2.26% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL2
Current User Name: Marge
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2008/11/13 16:18:56 | 02,405,776 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/02/01 13:58:13 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/03/21 10:33:58 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/05/16 10:33:10 | 00,594,600 | ---- | M] ( ) -- C:\WINDOWS\system32\lxdwcoms.exe
PRC - [2008/01/11 17:54:42 | 00,061,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2009/02/01 13:58:01 | 01,601,304 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/02/01 13:58:20 | 00,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2008/11/13 16:18:56 | 00,981,904 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2009/02/01 13:58:29 | 00,484,120 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2008/09/10 05:15:24 | 00,676,520 | ---- | M] () -- C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
PRC - [2009/02/01 13:58:26 | 00,592,128 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2005/12/12 23:18:16 | 00,222,784 | ---- | M] (BillP Studios) -- C:\Program Files\Utilities\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2006/11/13 14:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2008/09/10 05:15:21 | 00,025,256 | ---- | M] () -- C:\Program Files\Lexmark 7600 Series\lxdwMsdMon.exe
PRC - [2008/11/18 20:18:46 | 01,805,552 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/02/01 13:58:28 | 00,687,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2006/11/13 14:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2001/08/17 17:36:42 | 00,024,064 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\devldr32.exe
PRC - [2008/04/19 13:09:28 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Marge\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/02/01 13:58:20 | 00,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
SRV - [2009/02/01 13:58:13 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/09/08 11:42:43 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c911d1ff2591c0 [Disabled | Stopped])
SRV - [2007/01/03 20:40:21 | 00,136,120 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Disabled | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/03/21 10:33:58 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2008/05/16 10:32:56 | 00,098,984 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdwserv.exe -- (lxdwCATSCustConnectService [Auto | Stopped])
SRV - [2008/05/16 10:33:10 | 00,594,600 | ---- | M] ( ) -- C:\WINDOWS\system32\lxdwcoms.exe -- (lxdw_device [Auto | Running])
SRV - [2003/07/28 15:19:00 | 00,077,824 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Disabled | Stopped])
SRV - [2009/01/07 13:40:56 | 00,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService [On_Demand | Stopped])
SRV - [2009/01/21 14:08:06 | 01,095,560 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService [On_Demand | Stopped])
SRV - [2008/11/13 16:18:56 | 02,405,776 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- (vsmon [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2008/01/11 17:54:42 | 00,061,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum [Auto | Running])
SRV - [2008/01/11 17:55:38 | 02,138,528 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc [On_Demand | Stopped])
SRV - [2008/01/11 17:54:58 | 00,245,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2009/02/01 13:58:28 | 00,325,128 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/02/01 13:58:28 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/02/01 13:58:26 | 00,107,272 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2001/08/17 07:19:20 | 00,003,712 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\DRIVERS\ctljystk.sys -- (ctljystk [On_Demand | Running])
DRV - [2004/08/22 17:31:10 | 00,155,136 | ---- | M] ( ) -- C:\WINDOWS\system32\DRIVERS\d347bus.sys -- (d347bus [Boot | Running])
DRV - [2004/08/22 17:31:48 | 00,005,248 | ---- | M] ( ) -- C:\WINDOWS\System32\Drivers\d347prt.sys -- (d347prt [Boot | Running])
DRV - [2008/01/22 04:00:00 | 00,385,072 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2001/08/17 07:19:26 | 00,283,904 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k [On_Demand | Running])
DRV - [2001/08/17 07:19:28 | 00,006,912 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1 [On_Demand | Running])
DRV - [2008/04/13 13:45:29 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys -- (gameenum [On_Demand | Running])
DRV - [2001/08/17 08:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2003/07/28 15:19:00 | 01,341,339 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2001/08/17 07:50:26 | 00,731,648 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4.sys -- (nv4 [On_Demand | Stopped])
DRV - [2007/11/13 22:37:19 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\System32\Drivers\pcouffin.sys -- (pcouffin [On_Demand | Running])
DRV - [2009/03/06 16:45:06 | 00,130,424 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore [Boot | Running])
DRV - [2003/08/11 10:07:46 | 00,014,604 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
DRV - [2005/03/15 04:45:20 | 00,020,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\point32.sys -- (Point32 [On_Demand | Stopped])
DRV - [2004/05/05 21:48:40 | 00,004,228 | ---- | M] (PowerQuest Corporation) -- C:\WINDOWS\System32\drivers\PQNTDRV.sys -- (PQNTDrv [System | Running])
DRV - [2001/08/23 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/02/02 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2007/07/12 04:49:16 | 00,096,384 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys -- (RTL8023xp [On_Demand | Running])
DRV - [2004/08/03 23:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Stopped])
DRV - [2007/04/03 13:59:30 | 00,083,208 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\DRIVERS\s616bus.sys -- (s616bus [On_Demand | Stopped])
DRV - [2007/04/03 13:59:36 | 00,015,112 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\DRIVERS\s616mdfl.sys -- (s616mdfl [On_Demand | Stopped])
DRV - [2007/04/03 13:59:38 | 00,108,680 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\DRIVERS\s616mdm.sys -- (s616mdm [On_Demand | Stopped])
DRV - [2007/04/03 13:59:40 | 00,100,360 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\DRIVERS\s616mgmt.sys -- (s616mgmt [On_Demand | Stopped])
DRV - [2007/04/03 13:59:42 | 00,098,568 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\DRIVERS\s616obex.sys -- (s616obex [On_Demand | Stopped])
DRV - [2007/04/03 13:59:42 | 00,099,080 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\DRIVERS\s616unic.sys -- (s616unic [On_Demand | Stopped])
DRV - [2008/09/03 14:07:14 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2008/09/03 14:07:16 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2008/09/03 14:07:12 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/08/17 07:19:34 | 00,036,480 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman [On_Demand | Running])
DRV - [2008/04/21 08:19:58 | 00,051,648 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan [Boot | Running])
DRV - [2001/08/23 07:00:00 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra [Boot | Running])
DRV - [2008/04/13 13:45:36 | 00,026,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\usbser.sys -- (usbser [On_Demand | Stopped])
DRV - [2008/01/25 21:59:34 | 00,022,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\usbsermpt.sys -- (usbsermpt [On_Demand | Stopped])
DRV - [2008/04/13 13:56:49 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\usb8023x.sys -- (usb_rndisx [On_Demand | Stopped])
DRV - [2008/11/13 16:19:00 | 00,353,680 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys -- (vsdatant [System | Running])
DRV - [2008/01/11 17:39:34 | 00,040,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\zumbus.sys -- (zumbus [Auto | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.default\.default\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\s-1-5-18\s-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\s-1-5-19\s-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\s-1-5-20\s-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
IE - HKU\s-1-5-21-725345543-484763869-1060284298-1004\s-1-5-21-725345543-484763869-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"

FF - HKLM\software\mozilla\Firefox\Extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\PROGRAM FILES\GOOGLE\GOOGLE GEARS\FIREFOX\ [2008/09/08 11:43:57 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\PROGRAM FILES\AVG\AVG8\FIREFOX [2009/02/01 14:01:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/03/21 10:33:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Components: C:\PROGRAM FILES\UTILITIES\MOZILLA FIREFOX\COMPONENTS [2009/03/08 17:16:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Plugins: C:\PROGRAM FILES\UTILITIES\MOZILLA FIREFOX\PLUGINS [2009/03/18 18:51:25 | 00,000,000 | ---D | M]

[2009/03/18 18:54:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\mozilla\Extensions
[2009/03/18 18:54:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\mozilla\Extensions\mozswing@mozswing.org
[2009/05/07 19:28:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\mozilla\Firefox\Profiles\2fz0ve0c.default\extensions
[2008/04/19 16:12:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\mozilla\Firefox\Profiles\2fz0ve0c.default\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
[2006/04/03 12:16:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\mozilla\Firefox\Profiles\2fz0ve0c.default\extensions\{7f57cf46-4467-4c2d-adfa-0cba7c507e54}
[2007/10/22 19:00:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\mozilla\Firefox\Profiles\2fz0ve0c.default\extensions\{9b9d2aaa-ae26-4447-a7a1-633a32b19ddd}
[2008/03/02 21:22:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Marge\Application Data\mozilla\Firefox\Profiles\2fz0ve0c.default\extensions\{B2EA3FAB-912C-48a1-BABD-C5B00BB885BB}

O1 HOSTS File: (698 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Lexmark 7600 Series Fax Server] "C:\Program Files\Lexmark 7600 Series\fm3032.exe" /s ()
O4 - HKLM..\Run: [lxdwamon] "C:\Program Files\Lexmark 7600 Series\lxdwamon.exe" ()
O4 - HKLM..\Run: [lxdwmon.exe] "C:\Program Files\Lexmark 7600 Series\lxdwmon.exe" ()
O4 - HKLM..\Run: [WinPatrol] C:\PROGRA~1\UTILIT~1\BILLPS~1\WINPAT~1\winpatrol.exe (BillP Studios)
O4 - HKLM..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Check Point Software Technologies LTD)
O4 - HKU\s-1-5-21-725345543-484763869-1060284298-1004..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (Microsoft Corporation)
O4 - HKU\s-1-5-21-725345543-484763869-1060284298-1004..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKLM..\RunOnceEx: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.default\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.default\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\s-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\s-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-19_classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\s-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\s-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-20_classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMorePrograms = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions =
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\s-1-5-21-725345543-484763869-1060284298-1004_classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.4.15.0\gears.dll (Google Inc.)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc.)
O15 - HKLM\..Trusted Domains: 33 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.default\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\s-1-5-18\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..Trusted Sites: ([]msn in My Computer)
O15 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..Trusted Sites: turbotax.com ([]https in Trusted sites)
O15 - HKU\s-1-5-21-725345543-484763869-1060284298-1004\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} http://www.phgenit.com/plugin/awarewebplay...cab/awswaxf.cab (Macromedia Authorware Web Player Control)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab (LSSupCtl Class)
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab (Symantec SmartIssue)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab (ActiveDataInfo Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE} - C:\Program Files\Utilities\GPSoftware\Directory Opus\dopuslib.dll (GP Software)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/04/01 16:49:35 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\*.tmp files]
[2009/04/19 18:40:50 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/04/19 18:26:48 | 00,000,000 | ---D | C] -- C:\HostsXpert
[2009/04/19 13:20:04 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Marge\Desktop\OTListIt2.exe
[2009/04/19 13:20:04 | 00,286,208 | ---- | C] () -- C:\Documents and Settings\Marge\Desktop\ibgkiifx.exe
[2009/04/18 16:53:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Marge\Desktop\FIX
[2009/04/18 15:52:33 | 00,288,267 | ---- | C] () -- C:\Documents and Settings\Marge\Desktop\fix_download.exe
[2009/04/18 09:03:22 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Marge\Desktop\HiJackThis.exe
[2009/04/18 08:17:58 | 00,089,448 | ---- | C] () -- C:\WINDOWS\System32\drivers\67a49d28.sys
[2009/04/18 08:12:52 | 00,360,021 | ---- | C] () -- C:\Documents and Settings\Marge\Desktop\dds.scr
[2009/04/16 22:40:08 | 53,644,9024 | -HS- | C] () -- C:\hiberfil.sys
[2009/04/16 18:55:23 | 00,159,600 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2009/04/16 18:55:03 | 00,130,424 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2009/04/16 18:55:03 | 00,073,840 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2009/04/16 18:54:49 | 00,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2009/04/16 18:54:45 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2009/04/16 18:54:44 | 00,064,392 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2009/04/16 18:54:33 | 00,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2009/04/16 18:54:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2009/04/15 16:44:24 | 00,000,000 | ---D | C] -- C:\060d62d8d00142e9fb8399e544264a
[2009/04/15 10:28:00 | 00,074,240 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2009/04/14 15:48:18 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/14 15:48:17 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/14 15:48:17 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/14 15:48:16 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/14 15:48:15 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/14 15:48:15 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/14 15:48:14 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/14 15:48:14 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/14 15:48:13 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/14 15:47:36 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/14 15:47:34 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/14 15:47:33 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/13 19:37:05 | 00,000,782 | ---- | C] () -- C:\Documents and Settings\Marge\Desktop\FruityLoops 3.4.lnk
[2009/04/13 19:34:43 | 00,000,000 | ---D | C] -- C:\Program Files\FruityLoops 3.4
[2009/04/11 08:24:38 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/04/11 08:24:38 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/04/09 17:47:43 | 00,000,000 | ---D | C] -- C:\Program Files\AnalogX
[2009/04/07 17:24:29 | 00,032,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbccgp.sys
[2009/04/07 17:24:29 | 00,032,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbccgp.sys
[2009/04/04 13:47:19 | 00,000,000 | ---D | C] -- C:\Program Files\Sonic Foundry
[2009/03/28 16:57:14 | 00,000,048 | ---- | C] () -- C:\plug_in.ini
[2009/03/28 16:39:31 | 00,000,000 | ---D | C] -- C:\Program Files\VirtualDJ
[2009/03/28 14:54:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/03/24 22:58:59 | 00,244,258 | ---- | C] () -- C:\Documents and Settings\Marge\Desktop\RUSCO PACK FEBRUARY 2009 (PL1,PL5 & PL4)..pdf
[2009/03/24 18:46:42 | 00,000,000 | ---D | C] -- C:\Program Files\Project64 1.6
[2009/03/21 09:06:58 | 00,989,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll
[2009/03/10 23:05:25 | 00,175,104 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2009/03/10 23:01:34 | 04,762,112 | ---- | C] () -- C:\WINDOWS\System32\NCMedia.dll
[2009/03/10 23:01:34 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/03/10 23:01:34 | 00,383,238 | ---- | C] () -- C:\WINDOWS\System32\libmp3lame-0.dll
[2009/02/08 20:59:42 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdwvs.dll
[2009/02/08 20:59:25 | 00,360,448 | ---- | C] () -- C:\WINDOWS\System32\lxdwcoin.dll
[2009/02/08 20:58:05 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\lxdwcaps.dll
[2009/02/08 20:58:04 | 01,036,288 | ---- | C] () -- C:\WINDOWS\System32\lxdwdrs.dll
[2009/02/08 20:58:03 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdwcnv4.dll
[2009/02/08 20:57:35 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\LXDWPMON.DLL
[2009/02/08 20:57:35 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXDWFXPU.DLL
[2009/02/08 20:57:15 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\lxdwoem.dll
[2009/02/08 20:53:30 | 00,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxdwrwrd.ini
[2009/02/08 20:51:32 | 00,389,120 | ---- | C] () -- C:\WINDOWS\System32\LXDWinst.dll
[2009/02/08 20:51:31 | 00,438,272 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDWhcp.dll
[2009/02/08 20:51:31 | 00,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwinpa.dll
[2009/02/08 20:51:30 | 00,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwiesc.dll
[2009/02/08 20:51:29 | 00,851,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwusb1.dll
[2009/02/08 20:51:28 | 01,069,056 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwserv.dll
[2009/02/08 20:51:28 | 00,651,264 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwpmui.dll
[2009/02/08 20:51:27 | 00,577,536 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwlmpm.dll
[2009/02/08 20:51:25 | 00,679,936 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwhbn3.dll
[2009/02/08 20:51:25 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdwgrd.dll
[2009/02/08 20:51:22 | 00,376,832 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomm.dll
[2009/02/08 20:51:21 | 00,765,952 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomc.dll
[2009/01/23 22:24:36 | 00,006,592 | ---- | C] () -- C:\WINDOWS\gwpreset.ini
[2009/01/23 22:24:35 | 00,000,725 | ---- | C] () -- C:\WINDOWS\goldwave.ini
[2008/11/13 04:08:37 | 00,000,206 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/10/02 21:59:20 | 00,796,048 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll
[2008/01/25 18:45:24 | 00,000,076 | ---- | C] () -- C:\WINDOWS\System32\NemuVideo.ini
[2008/01/16 17:28:29 | 00,000,274 | ---- | C] () -- C:\WINDOWS\Clony2.ini
[2008/01/06 17:11:46 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/01/06 16:17:50 | 00,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[2008/01/06 16:17:50 | 00,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
[2007/12/10 20:40:32 | 00,000,071 | ---- | C] () -- C:\WINDOWS\pex.INI
[2007/12/10 20:31:42 | 00,000,142 | ---- | C] () -- C:\WINDOWS\Ulead32.ini
[2007/11/13 20:34:35 | 00,262,144 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2007/11/13 20:34:34 | 00,395,776 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2007/11/13 20:34:34 | 00,112,640 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2007/11/13 20:34:32 | 02,255,360 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2007/08/26 01:18:29 | 00,000,036 | ---- | C] () -- C:\WINDOWS\Tiny_Run.ini
[2006/12/23 18:33:13 | 00,000,311 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2006/06/09 19:35:26 | 00,000,056 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/04/13 16:27:25 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2006/04/13 13:52:44 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll
[2006/04/02 13:33:50 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/12/01 14:05:44 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/22 18:04:56 | 00,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll
[2001/08/23 07:00:00 | 00,001,133 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 07:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2001/08/23 06:59:05 | 01,614,848 | ---- | C] () -- C:\WINDOWS\System32\sfcfiles.dll
[1995/03/13 23:22:21 | 00,000,080 | --S- | C] () -- C:\WINDOWS\System32\argtmp39.dll
[1765/05/29 22:37:00 | 00,004,263 | -HS- | C] () -- C:\WINDOWS\windllreg1c.sys

========== Files - Modified Within 30 Days ==========

[3 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/04/19 19:08:12 | 00,089,448 | ---- | M] () -- C:\WINDOWS\System32\drivers\67a49d28.sys
[2009/04/19 18:59:40 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/19 18:59:38 | 00,348,370 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/04/19 18:59:32 | 00,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/19 18:59:25 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/19 18:59:23 | 53,644,9024 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/18 15:52:27 | 00,288,267 | ---- | M] () -- C:\Documents and Settings\Marge\Desktop\fix_download.exe
[2009/04/18 09:44:53 | 35,215,767 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/04/18 09:44:53 | 00,434,673 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/04/18 09:03:17 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Marge\Desktop\HiJackThis.exe
[2009/04/18 08:12:46 | 00,360,021 | ---- | M] () -- C:\Documents and Settings\Marge\Desktop\dds.scr
[2009/04/17 03:08:30 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/17 00:29:20 | 00,100,885 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/04/16 18:54:49 | 00,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2009/04/16 18:01:12 | 00,000,748 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/15 19:24:57 | 00,477,846 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/15 19:24:57 | 00,406,328 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/15 19:24:57 | 00,063,528 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/15 16:50:02 | 00,000,206 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/15 10:28:00 | 00,074,240 | ---- | M] () -- C:\WINDOWS\System32\zlib.dll
[2009/04/13 20:28:47 | 00,001,744 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/04/13 19:37:05 | 00,000,782 | ---- | M] () -- C:\Documents and Settings\Marge\Desktop\FruityLoops 3.4.lnk
[2009/04/11 08:24:38 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/04/11 08:24:38 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/04/07 20:41:32 | 00,040,960 | ---- | M] () -- C:\Documents and Settings\Marge\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/07 17:30:07 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/06 09:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/28 16:57:21 | 00,000,048 | ---- | M] () -- C:\plug_in.ini
[2009/03/27 01:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/03/24 22:59:01 | 00,244,258 | ---- | M] () -- C:\Documents and Settings\Marge\Desktop\RUSCO PACK FEBRUARY 2009 (PL1,PL5 & PL4)..pdf
[2009/03/24 18:49:59 | 00,001,632 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/03/23 18:31:37 | 00,023,040 | ---- | M] () -- D:\My Documents\Why I Want to Teach.doc
[2009/03/21 09:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\kernel32.dll
[2009/03/21 09:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> D:\My Documents\shakira70_44f826238ba5b.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\My Documents\shakira_007_pj.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\My Documents\mumsample.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\My Documents\dse.gif:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\My Documents\condom.gif:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\My Documents\bbyb.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\My Documents\06-29-07_1703.jpg:Roxio EMC Stream
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

#7 Buckeye_Sam (Malware Expert)

Posted 20 April 2009 - 10:45 AM

Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 cdellert (Topic Starter)

Posted 20 April 2009 - 05:14 PM

The browser didn't stay open long enough for it to download the components. It got about 35 MB downloaded. Will it work in Safe Mode? I don't know if the browser will stay open long there either, but it's worth a shot I guess. Also, I searched for the scanner on msn.com and the link I clicked on got redirected somewhere else, then the browser closed. After a few redirects I got to the site and started the scanner, but the browser closed.

#9 Buckeye_Sam (Malware Expert)

Posted 20 April 2009 - 05:20 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot not captured]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot not captured]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
========================================================

#10 cdellert (Topic Starter)

Posted 20 April 2009 - 09:09 PM

I ran ComboFix and it was unsuccessful in downloading the Windows Recovery Console. I continued on with the malware scan, which took about 15 minutes or so, then it rebooted. On startup it said it was preparing the log file. After a few minutes I got a notification from WinPatrol (it ran on startup) that the Hosts file was being changed. I reviewed the old and new file and the only changes were that the comment lines at the beginning were deleted, so I accepted it. It still says it's preparing the log file and it's been about 20 minutes since the reboot. I'm not sure if it's still doing anything. Now Zone Alarm is alerting me to requested internet access from ALG.exe and some file I've never heard of, PEV.CFEXE, on port 10080. I'm going to deny access to both.

#11 cdellert (Topic Starter)

Posted 20 April 2009 - 09:17 PM

It finally finished shortly after that last reply. Here is the log from ComboFix:


ComboFix 09-04-21.06 - Marge 04/20/2009 20:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.153 [GMT -5:00]
Running from: c:\documents and settings\Marge\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Marge\Application Data\inst.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_sfc
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-04-20 23:16 . 2009-04-20 23:16 21504 ----a-w c:\windows\system32\ak1.exe
2009-04-20 22:03 . 2009-04-20 22:03 -------- d-----w C:\fsaua.data
2009-04-19 23:40 . 2009-04-19 23:40 -------- d-----w C:\_OTListIt
2009-04-19 23:26 . 2009-04-19 23:29 -------- d-----w C:\HostsXpert
2009-04-18 13:17 . 2009-04-21 02:05 89448 ----a-w c:\windows\system32\drivers\67a49d28.sys
2009-04-16 23:55 . 2008-12-11 13:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-04-16 23:55 . 2009-03-06 21:45 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-04-16 23:55 . 2008-12-18 17:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-16 23:54 . 2009-04-16 23:54 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-16 23:54 . 2008-12-10 17:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-04-16 23:54 . 2009-04-16 23:55 -------- d-----w c:\program files\Spyware Doctor
2009-04-16 23:54 . 2009-04-16 23:54 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-16 23:54 . 2009-04-16 23:54 -------- d-----w c:\documents and settings\Administrator.DELL2\Application Data\PC Tools
2009-04-16 22:52 . 2009-04-16 22:52 78448 ----a-w c:\documents and settings\Administrator.DELL2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 03:32 . 2009-04-16 03:32 -------- d-----w c:\documents and settings\Administrator.DELL2\Application Data\SUPERAntiSpyware.com
2009-04-16 02:38 . 2009-04-16 02:38 -------- d-----w c:\documents and settings\Administrator.DELL2\Application Data\Malwarebytes
2009-04-15 21:44 . 2009-04-15 21:44 -------- d-----w C:\060d62d8d00142e9fb8399e544264a
2009-04-15 15:28 . 2009-04-15 15:28 74240 ----a-w c:\windows\system32\zlib.dll
2009-04-14 20:48 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 20:48 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 20:48 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 20:48 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 20:48 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 20:48 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 20:48 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 20:48 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 20:48 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 20:47 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 20:47 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 20:47 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 00:34 . 2009-04-14 00:38 -------- d-----w c:\program files\FruityLoops 3.4
2009-04-11 13:24 . 2009-04-11 13:24 54156 ---ha-w c:\windows\QTFont.qfn
2009-04-11 13:24 . 2009-04-11 13:24 1409 ----a-w c:\windows\QTFont.for
2009-04-09 22:47 . 2009-04-09 22:47 -------- d-----w c:\program files\AnalogX
2009-04-07 22:24 . 2008-04-13 17:45 32128 -c--a-w c:\windows\system32\dllcache\usbccgp.sys
2009-04-07 22:24 . 2008-04-13 17:45 32128 ----a-w c:\windows\system32\drivers\usbccgp.sys
2009-04-04 18:47 . 2009-04-04 18:47 -------- d-----w c:\program files\Sonic Foundry
2009-03-28 21:57 . 2009-03-28 21:57 48 ----a-w C:\plug_in.ini
2009-03-28 21:39 . 2009-03-28 22:16 -------- d-----w c:\program files\VirtualDJ
2009-03-24 23:46 . 2009-03-24 23:47 -------- d-----w c:\program files\Project64 1.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 14:16 . 2008-04-15 01:55 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-17 08:16 . 2009-04-17 08:17 2483712 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-04-16 23:01 . 2008-10-01 22:25 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-16 00:34 . 2008-09-29 23:37 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-14 01:28 . 2006-06-10 00:32 1744 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-12 04:19 . 2008-01-02 03:21 -------- d-----w c:\documents and settings\Marge\Application Data\LimeWire
2009-04-08 01:10 . 2009-01-16 04:11 1434 ----a-w C:\ASLog.txt
2009-04-06 20:32 . 2008-10-01 22:25 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-10-01 22:25 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-30 03:34 . 2007-12-11 01:21 -------- d-----w c:\documents and settings\Marge\Application Data\BitTorrent
2009-03-24 23:49 . 2008-01-06 21:23 1632 ----a-w c:\windows\system32\d3d8caps.dat
2009-03-21 15:33 . 2009-03-18 23:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-21 15:33 . 2006-05-28 18:25 -------- d-----w c:\program files\Java
2009-03-18 23:52 . 2008-01-02 02:06 -------- d-----w c:\program files\LimeWire
2009-03-11 04:01 . 2009-03-11 04:01 -------- d-----w c:\program files\Smallvideosoft
2009-03-08 19:54 . 2009-03-08 19:54 66230 ----a-w c:\documents and settings\All Users\SPL42C.tmp
2009-03-06 14:22 . 2001-08-23 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2001-08-23 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 20:36 . 2006-04-01 22:25 78448 ----a-w c:\documents and settings\Marge\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 18:09 . 2006-04-01 22:15 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2001-08-23 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2001-08-23 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-23 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2001-08-23 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2001-08-23 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2001-08-17 13:48 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2001-08-23 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2001-08-23 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-23 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2001-08-23 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-01 18:58 . 2008-09-29 23:38 10520 ----a-w c:\windows\system32\avgrsstx.dll
2008-04-09 22:04 . 2006-05-06 19:54 78808 ----a-w c:\documents and settings\Marge\Application Data\GDIPFONTCACHEV1.DAT
2008-01-26 02:59 . 2008-01-26 02:59 24192 ----a-w c:\documents and settings\Marge\usbsermptxp.sys
2008-01-26 02:59 . 2008-01-26 02:59 22768 ----a-w c:\documents and settings\Marge\usbsermpt.sys
2007-11-14 03:37 . 2007-11-14 03:37 47360 ----a-w c:\documents and settings\Marge\Application Data\pcouffin.sys
1765-05-30 03:37 . 1765-05-30 03:37 4263 --sh--w c:\windows\windllreg1c.sys
2008-12-18 03:10 . 2008-12-18 03:10 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008121720081218\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-19 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-01 1601304]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-09-10 676520]
"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2008-09-10 16040]
"Lexmark 7600 Series Fax Server"="c:\program files\Lexmark 7600 Series\fm3032.exe" [2008-09-10 311976]
"WinPatrol"="c:\progra~1\UTILIT~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2005-12-13 222784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "c:\program files\Utilities\GPSoftware\Directory Opus\dopuslib.dll" [2006-01-30 479232]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-01 18:58 10520 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= ctwdm32.dll
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch"=2 (0x2)
"RoxUpnpServer"=2 (0x2)
"RoxUPnPRenderer"=3 (0x3)
"RoxMediaDB"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdwserv.exe [2008-05-16 98984]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R4 gupdate1c911d1ff2591c0;Google Update Service (gupdate1c911d1ff2591c0);c:\program files\Google\Update\GoogleUpdate.exe [2008-09-08 133104]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-06 130424]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-01 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-02-01 107272]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-09-03 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-09-03 55024]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-01 903960]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-01 298264]
S2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe [2008-05-16 594600]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - sfc
*Deregistered* - sfc
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\Marge\Application Data\Mozilla\Firefox\Profiles\2fz0ve0c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears_ff2.dll
FF - component: c:\program files\Utilities\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Utilities\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 21:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthxxuprpvvb.sys 84992 bytes executable
c:\windows\system32\ovfsthxdqdvofun.dll 19456 bytes executable
c:\windows\system32\ovfsthxkntkrqvv.dat 1090272 bytes
c:\windows\system32\ovfsthxnawfmixi.dll 61952 bytes executable
c:\windows\system32\ovfsthxplbisoht.dat 43 bytes
c:\windows\system32\ovfsthxpukayhqg.dll 19456 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxktwytqcf]
"imagepath"="\systemroot\system32\drivers\ovfsthxxuprpvvb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\67a49d28]
"ImagePath"="\SystemRoot\System32\drivers\67a49d28.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-725345543-484763869-1060284298-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2084)
c:\windows\system32\zlib.dll
c:\progra~1\UTILIT~1\BILLPS~1\WINPAT~1\PATROLPRO.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Lexmark 7600 Series\lxdwmsdmon.exe
c:\progra~1\MICROS~4\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-04-21 21:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-21 02:12

Pre-Run: 7,932,776,448 bytes free
Post-Run: 7,875,371,008 bytes free

236 --- E O F --- 2009-04-17 08:10

#12 Buckeye_Sam (Malware Expert)

Posted 21 April 2009 - 03:46 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, to your desktop.

Driver::
ovfsthxktwytqcf
67a49d28

File::
c:\windows\system32\drivers\ovfsthxxuprpvvb.sys 
c:\windows\system32\ovfsthxdqdvofun.dll 
c:\windows\system32\ovfsthxkntkrqvv.dat 
c:\windows\system32\ovfsthxnawfmixi.dll 
c:\windows\system32\ovfsthxplbisoht.dat 
c:\windows\system32\ovfsthxpukayhqg.dll 
c:\windows\system32\drivers\67a49d28.sys
c:\windows\system32\ak1.exe
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[screenshot not captured]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
========================================================

#13 cdellert

cdellert
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:24 AM

Posted 21 April 2009 - 07:25 PM

ComboFix has been running for about 20 minutes. I've got a blue box on the screen. There was a flashing cursor for a while but it stopped flashing about 5 minutes ago. I can't tell if it's still running although last time it took a while and looked like it was stuck so I'll leave it alone for now. How long should I give it on an 800 MHz machine?

#14 cdellert

cdellert
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:24 AM

Posted 21 April 2009 - 08:18 PM

Update: After about 30 minutes I got the "Terms" popup. I clicked yes, then it asked about Windows Recovery Console. I figured I'd try again and clicked "Yes." After about 15 minutes it said I wasn't connected to the internet, and asked me to connect before clicking YES. So I clicked YES since that was the only option. For about the past 20+ minutes it has said "Connecting to http://download.microsoft.com." If it couldn't find my connection before I don't think it will this time. I just don't know why it takes SO long. Regardless, I'll leave it running for now. It's going on 1.5 hours since I first started it. Now it's back to a blank blue box.

#15 cdellert

cdellert
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:24 AM

Posted 21 April 2009 - 09:04 PM

A notification popped up as it was trying to reboot:

Catchme.cfexe - DLL Initialization Failed

The application failed to initialize because the window station is shutting down.

My only option was "OK".

Once again it was unsuccessful in downloading Microsoft Recovery Console.
It finally finished. Took 2 hours. Here is the latest ComboFix log.


ComboFix 09-04-21.06 - Marge 04/21/2009 20:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.63 [GMT -5:00]
Running from: c:\documents and settings\Marge\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marge\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\ak1.exe
c:\windows\system32\drivers\67a49d28.sys
c:\windows\system32\drivers\ovfsthxxuprpvvb.sys
c:\windows\system32\ovfsthxdqdvofun.dll
c:\windows\system32\ovfsthxkntkrqvv.dat
c:\windows\system32\ovfsthxnawfmixi.dll
c:\windows\system32\ovfsthxplbisoht.dat
c:\windows\system32\ovfsthxpukayhqg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\67a49d28.sys
c:\windows\system32\drivers\ovfsthxxuprpvvb.sys
c:\windows\system32\ovfsthxdqdvofun.dll
c:\windows\system32\ovfsthxkntkrqvv.dat
c:\windows\system32\ovfsthxnawfmixi.dll
c:\windows\system32\ovfsthxplbisoht.dat
c:\windows\system32\ovfsthxpukayhqg.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_sfc
-------\Service_67a49d28


((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-20 22:03 . 2009-04-20 22:03 -------- d-----w C:\fsaua.data
2009-04-19 23:40 . 2009-04-19 23:40 -------- d-----w C:\_OTListIt
2009-04-19 23:26 . 2009-04-19 23:29 -------- d-----w C:\HostsXpert
2009-04-16 23:55 . 2008-12-11 13:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-04-16 23:55 . 2009-03-06 21:45 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-04-16 23:55 . 2008-12-18 17:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-16 23:54 . 2009-04-16 23:54 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-16 23:54 . 2008-12-10 17:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-04-16 23:54 . 2009-04-16 23:55 -------- d-----w c:\program files\Spyware Doctor
2009-04-16 23:54 . 2009-04-16 23:54 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-16 23:54 . 2009-04-16 23:54 -------- d-----w c:\documents and settings\Administrator.DELL2\Application Data\PC Tools
2009-04-16 22:52 . 2009-04-16 22:52 78448 ----a-w c:\documents and settings\Administrator.DELL2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 03:32 . 2009-04-16 03:32 -------- d-----w c:\documents and settings\Administrator.DELL2\Application Data\SUPERAntiSpyware.com
2009-04-16 02:38 . 2009-04-16 02:38 -------- d-----w c:\documents and settings\Administrator.DELL2\Application Data\Malwarebytes
2009-04-15 21:44 . 2009-04-15 21:44 -------- d-----w C:\060d62d8d00142e9fb8399e544264a
2009-04-15 15:28 . 2009-04-15 15:28 74240 ----a-w c:\windows\system32\zlib.dll
2009-04-14 20:48 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 20:48 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 20:48 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 20:48 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 20:48 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 20:48 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 20:48 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 20:48 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 20:48 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 20:47 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 20:47 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 20:47 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 00:34 . 2009-04-14 00:38 -------- d-----w c:\program files\FruityLoops 3.4
2009-04-11 13:24 . 2009-04-11 13:24 54156 ---ha-w c:\windows\QTFont.qfn
2009-04-11 13:24 . 2009-04-11 13:24 1409 ----a-w c:\windows\QTFont.for
2009-04-09 22:47 . 2009-04-09 22:47 -------- d-----w c:\program files\AnalogX
2009-04-07 22:24 . 2008-04-13 17:45 32128 -c--a-w c:\windows\system32\dllcache\usbccgp.sys
2009-04-07 22:24 . 2008-04-13 17:45 32128 ----a-w c:\windows\system32\drivers\usbccgp.sys
2009-04-04 18:47 . 2009-04-04 18:47 -------- d-----w c:\program files\Sonic Foundry
2009-03-28 21:57 . 2009-03-28 21:57 48 ----a-w C:\plug_in.ini
2009-03-28 21:39 . 2009-03-28 22:16 -------- d-----w c:\program files\VirtualDJ
2009-03-24 23:46 . 2009-03-24 23:47 -------- d-----w c:\program files\Project64 1.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 14:16 . 2008-04-15 01:55 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-17 08:16 . 2009-04-17 08:17 2483712 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-04-16 23:01 . 2008-10-01 22:25 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-16 00:34 . 2008-09-29 23:37 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-14 01:28 . 2006-06-10 00:32 1744 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-12 04:19 . 2008-01-02 03:21 -------- d-----w c:\documents and settings\Marge\Application Data\LimeWire
2009-04-08 01:10 . 2009-01-16 04:11 1434 ----a-w C:\ASLog.txt
2009-04-06 20:32 . 2008-10-01 22:25 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-10-01 22:25 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-30 03:34 . 2007-12-11 01:21 -------- d-----w c:\documents and settings\Marge\Application Data\BitTorrent
2009-03-24 23:49 . 2008-01-06 21:23 1632 ----a-w c:\windows\system32\d3d8caps.dat
2009-03-21 15:33 . 2009-03-18 23:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-21 15:33 . 2006-05-28 18:25 -------- d-----w c:\program files\Java
2009-03-18 23:52 . 2008-01-02 02:06 -------- d-----w c:\program files\LimeWire
2009-03-11 04:01 . 2009-03-11 04:01 -------- d-----w c:\program files\Smallvideosoft
2009-03-08 19:54 . 2009-03-08 19:54 66230 ----a-w c:\documents and settings\All Users\SPL42C.tmp
2009-03-06 14:22 . 2001-08-23 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2001-08-23 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 20:36 . 2006-04-01 22:25 78448 ----a-w c:\documents and settings\Marge\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 18:09 . 2006-04-01 22:15 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2001-08-23 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2001-08-23 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-23 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2001-08-23 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2001-08-23 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2001-08-17 13:48 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2001-08-23 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2001-08-23 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-23 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2001-08-23 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-01 18:58 . 2008-09-29 23:38 10520 ----a-w c:\windows\system32\avgrsstx.dll
2008-04-09 22:04 . 2006-05-06 19:54 78808 ----a-w c:\documents and settings\Marge\Application Data\GDIPFONTCACHEV1.DAT
2008-01-26 02:59 . 2008-01-26 02:59 24192 ----a-w c:\documents and settings\Marge\usbsermptxp.sys
2008-01-26 02:59 . 2008-01-26 02:59 22768 ----a-w c:\documents and settings\Marge\usbsermpt.sys
2007-11-14 03:37 . 2007-11-14 03:37 47360 ----a-w c:\documents and settings\Marge\Application Data\pcouffin.sys
1765-05-30 03:37 . 1765-05-30 03:37 4263 --sh--w c:\windows\windllreg1c.sys
2008-12-18 03:10 . 2008-12-18 03:10 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008121720081218\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-21_02.05.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-22 01:51 . 2009-04-22 01:51 16384 c:\windows\Temp\Perflib_Perfdata_110.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-19 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-01 1601304]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-09-10 676520]
"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2008-09-10 16040]
"Lexmark 7600 Series Fax Server"="c:\program files\Lexmark 7600 Series\fm3032.exe" [2008-09-10 311976]
"WinPatrol"="c:\progra~1\UTILIT~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2005-12-13 222784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "c:\program files\Utilities\GPSoftware\Directory Opus\dopuslib.dll" [2006-01-30 479232]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-01 18:58 10520 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= ctwdm32.dll
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch"=2 (0x2)
"RoxUpnpServer"=2 (0x2)
"RoxUPnPRenderer"=3 (0x3)
"RoxMediaDB"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SFC
*Deregistered* - sfc
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\Marge\Application Data\Mozilla\Firefox\Profiles\2fz0ve0c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears_ff2.dll
FF - component: c:\program files\Utilities\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Utilities\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 20:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-484763869-1060284298-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2988)
c:\windows\system32\zlib.dll
c:\progra~1\UTILIT~1\BILLPS~1\WINPAT~1\PATROLPRO.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\progra~1\AVG\AVG8\avgwdsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdwcoms.exe
c:\windows\system32\ZuneBusEnum.exe
c:\progra~1\AVG\AVG8\avgemc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Lexmark 7600 Series\lxdwmsdmon.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-04-22 20:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-22 01:58
ComboFix2.txt 2009-04-21 02:12

Pre-Run: 7,823,360,000 bytes free
Post-Run: 7,805,485,056 bytes free

237 --- E O F --- 2009-04-17 08:10

Edited by cdellert, 21 April 2009 - 09:05 PM.
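Added here as an editor's example, not code from the thread or from ComboFix: a small Python triage helper that parses the REGEDIT4-style "Reg Loading Points" section of a ComboFix log like the one above and flags the Security Center and Windows Firewall values that silence or disable built-in protection. The sample log is constructed to mirror the entries posted; third-party suites such as AVG or ZoneAlarm can legitimately set DisableMonitoring themselves, so each flag is a prompt to verify against the installed software, not a verdict.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example (not ComboFix's own code). It parses the REGEDIT4-style
key/value dump and flags values that weaken Windows XP's built-in
protection so an analyst can verify each one against the security
suite actually installed.
"""
import re

# Values that, when set as shown, silence or disable built-in protection.
# Keys are lower-cased registry paths; each maps to (value name, flagged data).
WEAKENING = {
    r"hkey_local_machine\software\microsoft\security center": [
        ("AntiVirusDisableNotify", "dword:00000001"),
        ("FirewallDisableNotify", "dword:00000001"),
        ("UpdatesDisableNotify", "dword:00000001"),
    ],
    r"hkey_local_machine\software\microsoft\security center\monitoring": [
        ("DisableMonitoring", "dword:00000001"),
    ],
    r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile": [
        ("EnableFirewall", "0 (0x0)"),
    ],
}

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')

def parse_reg_points(text):
    """Return {key: {name: data}} for each key block in the dump.
    ComboFix prints most keys as [bracketed] headers, but some (e.g. the
    drivers32 block) appear bare, so both header styles are accepted."""
    keys, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        m = SECTION_RE.match(stripped)
        if m or stripped.lower().startswith(("hkey_", "hklm\\")):
            current = (m.group(1) if m else stripped).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(stripped)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys

def find_weakened(text):
    """List (key, name, data) triples matching the WEAKENING table.
    Per-product sub-keys under 'security center\\monitoring' are matched
    by prefix, since ComboFix prints one block per registered product."""
    hits = []
    for key, values in parse_reg_points(text).items():
        for base, checks in WEAKENING.items():
            if key == base or key.startswith(base + "\\"):
                for name, bad in checks:
                    if values.get(name) == bad:
                        hits.append((key, name, bad))
    return hits

# Constructed sample mirroring the entries in the log above (not a real capture).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-01 1601304]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for key, name, data in find_weakened(SAMPLE_LOG):
        print(f"verify: [{key}] {name}={data}")
```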

