HijackThis Log: Please help Diagnose


  • This topic is locked
44 replies to this topic

#1 adaml
Posted 18 April 2009 - 06:14 PM

My computer is infected with some worm, virus, malware, etc. Please assist in removing it. Symptoms are:

-Cannot access security websites like Mcafee.com or even Bleepingcomputer.com
-Cannot perform Run: CMD
-When clicking on web-links, get connected to unintended websites.

Have tried Mcafee stinger, adaware, f-secure, k killer, malwarebytes, superantispyware, Spybot...and have cleaned up some of my issues but the problems mentioned above still persist.

Please see below HijackThis log details. Would very much appreciate your assistance!

Thank you,
AL


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:31:47 PM, on 4/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\a-squared Free\a2free.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Filter hijack: text/html - {0d74c0b0-5e4a-4295-a413-5994ed266ca1} - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 6746 bytes
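The HijackThis log above is what the helper reads by eye. As an added example (editor's code, not part of the original thread and not a HijackThis or BleepingComputer tool), the Python below parses lines in that log format and surfaces the entries a first-pass triage would look at: components whose backing file is "(no file)", O18 MIME filter registrations, O15 Trusted Zone additions, and O4 autostarts under the SYSTEM or Default User profile. The sample lines are copied from the log in the first post; the triage rules are my own heuristics, and a flagged line means "review this", not "this is malicious" (Spybot's SDHelper.dll and the McAfee Trusted Zone entry are legitimate examples of what the rules will and will not flag).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the HijackThis v2.0.2 log posted above (a subset of the real log).
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O15 - Trusted Zone: http://*.mcafee.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Filter hijack: text/html - {0d74c0b0-5e4a-4295-a413-5994ed266ca1} - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
"""

# A HijackThis entry is "<section> - <body>", where section is R0-R3, F0-F3, N1-N4 or O1-O24.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
# COM class IDs appear in braces; HijackThis prints them as they are in the registry (any case).
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    section: str
    clsid: Optional[str]
    reasons: List[str]
    line: str


def _rules(section: str, body: str) -> List[str]:
    """Editor's triage heuristics (assumptions, not HijackThis logic). Returns why a line is worth a look."""
    reasons = []
    if body.rstrip().endswith("(no file)"):
        reasons.append("registered component whose backing file is missing")
    if section == "O18" and body.startswith("Filter hijack:"):
        reasons.append("MIME filter registered for a content type (sits in the path of page data)")
    if section == "O15":
        reasons.append("host added to the IE Trusted Zone (runs with relaxed security settings)")
    if section == "O4" and ("S-1-5-18" in body or ".DEFAULT" in body):
        reasons.append("autostart entry under the SYSTEM or Default User profile")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse HijackThis-format lines and return the ones that match at least one triage rule, in log order."""
    findings = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, or blank line: not an R/F/N/O entry
        section, body = m.group("section"), m.group("body")
        reasons = _rules(section, body)
        if reasons:
            c = CLSID_RE.search(body)
            findings.append(Finding(section, c.group(0) if c else None, reasons, line))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count flagged entries per section, e.g. {'O2': 1, 'O18': 2}."""
    counts: dict = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.clsid or '-':<40} {'; '.join(f.reasons)}")
        print(f"     {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a full log by reading the file into `triage()` instead of `SAMPLE_LOG`. The "(no file)" rule is the one that does most of the work on logs like this one: an orphaned BHO, protocol handler or filter is either leftover from an uninstall or a component something else has already removed, and either way it is a registration the helper will usually want cleared.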


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:33 AM

Posted 19 April 2009 - 11:53 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 adaml

adaml
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 19 April 2009 - 10:37 PM

Sam,
Appreciate your help. Please let me know of your findings and solution for my problems.

Thanks, AL



Here are my OTListIT results:



OTListIt logfile created on: 4/19/2009 3:45:21 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = I:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 1.04 Gb Available Physical Memory | 69.51% Memory free
2.11 Gb Paging File | 1.73 Gb Available in Paging File | 81.95% Paging File free
Paging file location(s): c:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.86 Gb Total Space | 38.62 Gb Free Space | 55.28% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 14.92 Gb Total Space | 14.85 Gb Free Space | 99.57% Space Free | Partition Type: FAT32

Computer Name: THOMAS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/03/09 12:06:55 | 00,951,632 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/02/25 19:18:14 | 00,425,080 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2009/03/09 12:06:55 | 00,515,416 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2001/08/17 22:37:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2007/02/12 21:01:37 | 00,067,128 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
PRC - [2008/11/03 15:45:50 | 03,522,296 | ---- | M] (Veoh Networks) -- C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
PRC - [2009/03/23 14:07:24 | 01,830,128 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/02/06 03:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2008/04/13 17:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2006/06/22 14:15:48 | 00,462,848 | ---- | M] (Southwest Airlines) -- C:\Program Files\Southwest Airlines\Ding\Ding.exe
PRC - [2009/04/19 15:41:38 | 00,501,248 | ---- | M] (OldTimer Tools) -- I:\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/02/25 19:18:14 | 00,425,080 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe -- (a2free [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService [Auto | Stopped])
SRV - [2009/03/09 12:06:55 | 00,951,632 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Running])
SRV - [2003/07/28 13:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2008/04/13 11:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp [Boot | Running])
DRV - [2001/08/17 05:12:10 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2001/10/15 12:05:50 | 00,044,544 | ---- | M] (Zero-Knowledge Systems Inc.) -- C:\WINDOWS\System32\DRIVERS\FREEDOM.SYS -- (Freedom [On_Demand | Running])
DRV - [2008/04/13 11:45:29 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys -- (gameenum [On_Demand | Running])
DRV - [2001/08/08 07:13:36 | 00,158,140 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\i81xnt5.sys -- (i81x [On_Demand | Stopped])
DRV - [2001/08/08 07:13:30 | 00,012,479 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wADV01nt.sys -- (iAimFP0 [On_Demand | Stopped])
DRV - [2001/08/08 07:13:30 | 00,012,031 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wADV02NT.sys -- (iAimFP1 [On_Demand | Stopped])
DRV - [2001/08/08 07:13:30 | 00,011,679 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wADV05NT.sys -- (iAimFP2 [On_Demand | Stopped])
DRV - [2001/08/08 07:13:28 | 00,011,999 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys -- (iAimFP3 [On_Demand | Stopped])
DRV - [2001/08/08 07:13:28 | 00,019,359 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys -- (iAimFP4 [On_Demand | Stopped])
DRV - [2001/08/08 07:13:24 | 00,029,215 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wATV01nt.sys -- (iAimTV0 [On_Demand | Stopped])
DRV - [2001/08/08 07:13:24 | 00,019,199 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wATV02NT.sys -- (iAimTV1 [On_Demand | Stopped])
DRV - [2001/08/08 07:13:26 | 00,033,503 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wATV04nt.sys -- (iAimTV3 [On_Demand | Stopped])
DRV - [2001/08/08 07:13:24 | 00,023,519 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys -- (iAimTV4 [On_Demand | Stopped])
DRV - [2008/02/29 03:12:48 | 00,020,240 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\Drivers\L8042Kbd.sys -- (L8042Kbd [On_Demand | Stopped])
DRV - [2006/07/19 12:27:46 | 00,055,936 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\System32\Drivers\L8042mou.sys -- (L8042mou [On_Demand | Stopped])
DRV - [2009/03/09 12:06:56 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
DRV - [2008/02/29 03:13:16 | 00,035,344 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys -- (LHidFilt [On_Demand | Stopped])
DRV - [2006/07/19 12:29:08 | 00,027,136 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\DRIVERS\LHidKE.Sys -- (LHidKe [On_Demand | Stopped])
DRV - [2006/07/19 12:28:04 | 00,036,736 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\System32\Drivers\LHidUsbK.Sys -- (LHidUsbK [On_Demand | Stopped])
DRV - [2008/02/29 03:13:24 | 00,036,880 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys -- (LMouFilt [On_Demand | Stopped])
DRV - [2006/07/19 12:28:56 | 00,071,936 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\System32\Drivers\LMouKE.sys -- (LMouKE [On_Demand | Stopped])
DRV - [2003/03/31 14:29:00 | 00,625,537 | ---- | M] (LT) -- C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys -- (ltmodem5 [On_Demand | Running])
DRV - [2007/01/23 15:45:00 | 00,028,176 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\Drivers\LUsbFilt.Sys -- (LUsbFilt [On_Demand | Stopped])
DRV - [2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Stopped])
DRV - [2006/02/26 20:24:16 | 00,008,413 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\drivers\mcstrm.sys -- (MCSTRM [Auto | Running])
DRV - [2001/08/17 15:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401 [On_Demand | Running])
DRV - [2001/11/06 19:15:08 | 00,026,996 | ---- | M] (MusicMatch, Inc.) -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k [Auto | Running])
DRV - [2007/08/31 12:15:45 | 00,018,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\NuidFltr.sys -- (NuidFltr [On_Demand | Stopped])
DRV - [2004/08/03 23:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2001/08/17 05:50:26 | 00,731,648 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4.sys -- (nv4 [On_Demand | Stopped])
DRV - [2001/09/16 11:45:04 | 00,013,716 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
DRV - [2001/06/04 08:00:00 | 00,014,112 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\DRIVERS\PS2.sys -- (Ps2 [On_Demand | Running])
DRV - [2004/08/04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2001/07/30 03:02:00 | 00,015,680 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2001/10/12 12:44:12 | 00,114,816 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\System32\DRIVERS\s3gnbm.sys -- (S3SavageNB [On_Demand | Stopped])
DRV - [2009/03/23 14:07:26 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/03/23 14:07:28 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Running])
DRV - [2009/03/23 14:07:26 | 00,072,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/09/24 08:27:18 | 00,463,848 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2008/04/13 11:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://news.yahoo.com;
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
IE - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\S-1-5-21-163748893-2587936551-2969962186-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\S-1-5-21-163748893-2587936551-2969962186-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost



O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Key error. File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKLM\..\Toolbar: (Veoh Web Player Video Finder) - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll (Veoh Networks Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (&Zero-Knowledge Freedom) - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll (Zero-Knowledge Systems Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - Reg Error: Key error. File not found
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKU\S-1-5-21-163748893-2587936551-2969962186-1003..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Logitech Inc.)
O4 - HKU\S-1-5-21-163748893-2587936551-2969962186-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-163748893-2587936551-2969962186-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-163748893-2587936551-2969962186-1003..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" (Veoh Networks)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe (Southwest Airlines)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceClassicControlPanel = 1
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll (Sun Microsystems, Inc.)
O9 - Extra Button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy ()
O9 - Extra 'Tools' menuitem : MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\WINDOWS\System32\ZKLSPR.DLL (Zero-Knowledge Systems Inc.)
O15 - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\..Trusted Sites: ameritrade.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\..Trusted Domains: ameritrade.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\..Trusted Domains: ameritrade.com ([wwws] https in Trusted sites)
O15 - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\..Trusted Domains: ameritrade.com ([wwws.*] https in Trusted sites)
O15 - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\..Trusted Sites: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\..Trusted Sites: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\..Trusted Sites: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\..Trusted Sites: tdameritrade.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\..Trusted Domains: tdameritrade.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-163748893-2587936551-2969962186-1003\..Trusted Sites: turbotax.com ([]https in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msansspc.dll) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/10/24 14:33:02 | 00,000,619 | ---- | M] () - C:\autoAlbum.log -- [ NTFS ]
O32 - AutoRun File - [2001/11/06 14:36:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/04/17 10:34:37 | 00,000,309 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{a7a1dd34-2baa-11de-abfe-00e0185cd44f}\Shell - "" = AutoRun
O33 - MountPoints2\{a7a1dd34-2baa-11de-abfe-00e0185cd44f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a7a1dd34-2baa-11de-abfe-00e0185cd44f}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- [2007/10/23 00:45:39 | 01,336,632 | R--- | M] ()
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- [2007/10/23 00:45:39 | 01,336,632 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\System32\*.tmp files]
[150 C:\WINDOWS\*.tmp files]
[2009/04/18 14:56:57 | 00,000,659 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2009/04/18 14:56:35 | 00,000,000 | ---D | C] -- C:\Program Files\a-squared Free
[2009/04/18 14:56:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\a-squared Free
[2009/04/18 13:41:36 | 16,101,90848 | -HS- | C] () -- C:\hiberfil.sys
[2009/04/18 13:35:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2009/04/18 10:38:46 | 00,000,944 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2009/04/18 10:38:37 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/04/18 10:38:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/04/18 09:59:51 | 00,001,745 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2009/04/17 23:32:58 | 00,000,000 | ---D | C] -- C:\Program Files\Network Associates
[2009/04/17 21:19:10 | 00,000,314 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\MyTaxes.sbr
[2009/04/17 21:19:09 | 00,003,798 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\MyTaxes.T03
[2009/04/16 23:40:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2009/04/16 23:40:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/04/16 23:39:39 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/04/16 22:34:05 | 00,000,258 | ---- | C] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/04/16 22:34:05 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\KB905474
[2009/04/16 22:14:10 | 00,000,000 | ---D | C] -- C:\c98a27cc626e5755939f
[2009/04/16 22:13:46 | 00,000,000 | ---D | C] -- C:\14b4f42bcc12269dcaf6042103
[2009/04/16 22:12:40 | 00,000,000 | ---D | C] -- C:\1f8ab51d7bc8f4eb8a8a1ae4f2651a92
[2009/04/16 22:12:13 | 00,000,000 | ---D | C] -- C:\5f6cb440dd52d4ea8f0bc16cd1e9ae98
[2009/04/16 21:56:41 | 00,000,000 | ---D | C] -- C:\592e4c0a76b06ce80a42
[2009/04/16 21:56:16 | 00,000,000 | ---D | C] -- C:\eff80ef544169593b38c855a98daac64
[2009/04/16 20:34:45 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/04/16 20:15:50 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/04/16 20:15:46 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/04/16 20:15:45 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/04/16 08:27:36 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/16 08:27:35 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/16 08:27:34 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/16 08:27:31 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/16 08:27:31 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/16 08:27:30 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/16 08:27:30 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/16 08:27:29 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/16 08:27:28 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/16 08:27:26 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/16 08:27:26 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/16 08:27:25 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/15 20:29:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2009/04/15 20:29:53 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/15 20:29:53 | 00,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/15 20:29:50 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/15 20:29:49 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/15 20:29:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/15 20:20:25 | 00,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2009/04/15 20:20:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Uniblue
[2009/04/15 20:20:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DriverScanner
[2009/04/15 20:19:21 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
[2009/04/15 19:25:25 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/04/14 20:14:33 | 00,000,000 | ---D | C] -- C:\93fc3d6d92f50d2a58694fa5
[2009/04/14 12:59:51 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/04/14 12:57:44 | 00,000,000 | ---D | C] -- C:\Program Files\AVG8
[2009/04/14 12:57:15 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/04/14 12:55:52 | 00,000,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/04/14 12:55:21 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/04/14 12:54:54 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
[2009/04/14 12:47:16 | 37,452,296 | ---- | C] (Lavasoft ) -- C:\Program Files\Ad-AwareAE.exe
[2009/04/14 09:12:08 | 00,648,560 | ---- | C] (Microsoft Corporation) -- C:\Program Files\WindowsXP-KB958644-x86-ENU.exe
[2009/04/14 08:52:02 | 00,000,017 | ---- | C] () -- C:\Program Files\s.t.i.n.g.e.r.opt
[2009/04/14 00:16:05 | 00,162,816 | ---- | C] (McAfee, Inc.) -- C:\Program Files\ConTest.exe
[2009/04/13 23:58:28 | 01,502,215 | ---- | C] (McAfee Inc.) -- C:\Program Files\S.T.I.N.G.E.R.exe
[2009/04/13 20:39:42 | 02,348,928 | ---- | C] () -- C:\Program Files\FixDwndp.exe
[2009/04/13 08:53:23 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/04/13 08:02:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/04/13 00:22:59 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/04/12 21:32:00 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee
[2009/04/12 16:15:18 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2009/04/12 15:51:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/04/12 15:46:19 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/04/12 15:43:09 | 00,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/04/08 20:52:31 | 00,001,777 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TurboTax Deluxe 2007.lnk
[2009/04/08 20:37:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Downloaded Installations
[2009/04/06 20:09:14 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2009/04/06 18:20:52 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2009/04/06 18:20:52 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2009/04/06 18:20:52 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2009/04/06 18:20:51 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2009/04/06 18:20:51 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2009/04/06 18:20:51 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsshhdr.dll
[2009/04/06 18:20:51 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2009/04/06 18:20:50 | 00,000,000 | ---D | C] -- C:\60c52a26f2c18a5416
[2009/03/21 07:06:58 | 00,989,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll
[2008/06/02 19:52:37 | 00,000,853 | ---- | C] () -- C:\WINDOWS\Reswiz.ini
[2007/03/27 19:48:30 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\user_32.dll
[2007/01/25 20:57:22 | 00,027,136 | ---- | C] () -- C:\WINDOWS\toFront.dll
[2007/01/25 20:57:22 | 00,026,624 | ---- | C] () -- C:\WINDOWS\GetIe.dll
[2007/01/14 16:23:33 | 00,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2006/10/18 18:01:45 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\intr32.dll
[2006/03/19 16:12:44 | 00,003,677 | R--- | C] () -- C:\WINDOWS\PlaySnd.INI
[2006/03/19 16:12:43 | 00,007,207 | R--- | C] () -- C:\WINDOWS\Disktool.INI
[2006/03/19 16:12:43 | 00,006,399 | R--- | C] () -- C:\WINDOWS\fwupgrade.ini
[2005/04/30 20:50:01 | 00,299,454 | ---- | C] () -- C:\WINDOWS\ALLSIM.INI
[2005/04/30 20:50:01 | 00,061,268 | ---- | C] () -- C:\WINDOWS\BIUTILSM.INI
[2005/04/30 20:50:01 | 00,057,969 | ---- | C] () -- C:\WINDOWS\SIMSIM.INI
[2005/04/30 20:50:01 | 00,000,580 | ---- | C] () -- C:\WINDOWS\Common.ini
[2005/04/30 20:50:00 | 00,051,712 | ---- | C] () -- C:\WINDOWS\System32\ngprtserv.dll
[2005/04/30 20:49:58 | 00,000,645 | ---- | C] () -- C:\WINDOWS\Setupwizard.ini
[2005/03/07 21:16:27 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/03/06 20:25:25 | 00,000,024 | ---- | C] () -- C:\WINDOWS\atid.ini
[2004/09/16 14:26:40 | 00,012,634 | ---- | C] () -- C:\WINDOWS\System32\drivers\ADFUUD.SYS
[2004/09/16 14:26:40 | 00,012,634 | ---- | C] () -- C:\WINDOWS\ADFUUD.SYS
[2004/09/16 10:40:02 | 00,000,004 | ---- | C] () -- C:\WINDOWS\uccspecb.sys
[2003/09/17 20:46:44 | 00,000,073 | ---- | C] () -- C:\WINDOWS\webica.ini
[2003/07/15 21:36:57 | 00,000,050 | ---- | C] () -- C:\WINDOWS\Winamp.ini
[2003/07/15 21:36:14 | 00,000,041 | ---- | C] () -- C:\WINDOWS\winampa.ini
[2003/02/03 06:26:18 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2003/01/07 16:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/11/19 23:11:45 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2002/11/04 16:55:39 | 00,050,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2002/07/28 11:55:24 | 00,007,930 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2002/05/06 19:49:56 | 01,991,716 | ---- | C] () -- C:\WINDOWS\xobglu32.dll
[2002/05/06 19:49:56 | 00,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll
[2002/05/01 11:27:01 | 00,003,234 | ---- | C] () -- C:\WINDOWS\System32\eefblfh.drv
[2002/05/01 11:27:01 | 00,003,202 | ---- | C] () -- C:\WINDOWS\mec.drv
[2002/05/01 11:27:01 | 00,001,586 | ---- | C] () -- C:\WINDOWS\System32\nenfh.drv
[2002/05/01 11:27:01 | 00,000,482 | ---- | C] () -- C:\WINDOWS\jagh.drv
[2002/05/01 11:27:01 | 00,000,450 | ---- | C] () -- C:\WINDOWS\System32\nlec.drv
[2002/05/01 11:27:01 | 00,000,132 | ---- | C] () -- C:\WINDOWS\System32\aagago.sys
[2002/05/01 11:27:01 | 00,000,082 | ---- | C] () -- C:\WINDOWS\System32\hnhhfg.drv
[2002/04/13 14:43:40 | 00,001,495 | ---- | C] () -- C:\WINDOWS\MPCWIN01.INI
[2002/04/13 14:41:50 | 00,000,071 | ---- | C] () -- C:\WINDOWS\MPCWIN00.INI
[2002/04/11 00:17:55 | 00,004,133 | ---- | C] () -- C:\WINDOWS\entrust.ini
[2002/04/11 00:17:53 | 00,102,479 | ---- | C] () -- C:\WINDOWS\System32\fwnetcfg.dll
[2002/03/17 18:29:57 | 00,000,447 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2002/03/15 17:01:11 | 00,000,454 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2001/11/09 11:41:10 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2001/11/08 20:43:04 | 00,000,562 | ---- | C] () -- C:\WINDOWS\System32\Px.ini
[2001/11/06 19:50:46 | 00,377,600 | ---- | C] () -- C:\WINDOWS\System32\BOCOLE.DLL
[2001/11/06 19:50:46 | 00,167,456 | ---- | C] () -- C:\WINDOWS\System32\Bocof.dll
[2001/11/06 19:45:01 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\hpREG.DLL
[2001/11/06 19:45:01 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll
[2001/11/06 19:37:54 | 00,009,876 | ---- | C] () -- C:\WINDOWS\System32\usbbc.sys
[2001/11/06 19:29:04 | 00,000,786 | ---- | C] () -- C:\WINDOWS\Studio7.ini
[2001/11/06 19:28:49 | 00,196,096 | ---- | C] () -- C:\WINDOWS\System32\MACD32.DLL
[2001/11/06 19:28:49 | 00,138,752 | ---- | C] () -- C:\WINDOWS\System32\MASE32.DLL
[2001/11/06 19:28:49 | 00,136,192 | ---- | C] () -- C:\WINDOWS\System32\MAMC32.DLL
[2001/11/06 19:28:49 | 00,057,856 | ---- | C] () -- C:\WINDOWS\System32\MASD32.DLL
[2001/11/06 19:28:49 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\MA32.DLL
[2001/11/06 19:21:26 | 00,000,507 | ---- | C] () -- C:\WINDOWS\fantasy2.ini
[2001/11/06 19:21:26 | 00,000,317 | ---- | C] () -- C:\WINDOWS\pstudio.ini
[2001/11/06 19:21:26 | 00,000,028 | ---- | C] () -- C:\WINDOWS\album.ini
[2001/11/06 18:50:13 | 00,249,921 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM15.dll
[2001/11/06 18:50:13 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes15.dll
[2001/11/06 18:49:47 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2001/11/06 14:40:54 | 00,000,778 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2001/11/06 14:31:15 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2001/11/06 06:21:55 | 00,000,537 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2001/11/06 06:21:36 | 00,000,780 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/11/06 06:21:33 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2001/10/15 11:44:16 | 00,659,456 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2001/10/15 11:44:16 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2001/08/08 07:13:22 | 00,012,351 | ---- | C] () -- C:\WINDOWS\System32\i81xcoin.dll
[2001/08/07 18:07:02 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\igfxdgps.dll
[2001/05/22 18:37:50 | 00,425,984 | ---- | C] () -- C:\WINDOWS\System32\VxDMDcDlg.dll
[2000/12/29 10:34:01 | 00,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[1999/01/22 11:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Files - Modified Within 30 Days ==========

[4 C:\WINDOWS\System32\*.tmp files]
[150 C:\WINDOWS\*.tmp files]
[2009/04/19 15:33:44 | 00,000,258 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/04/19 15:33:13 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/19 15:33:08 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/19 15:33:03 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/19 15:33:01 | 16,101,90848 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/18 20:06:05 | 00,001,632 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/04/18 14:56:57 | 00,000,659 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2009/04/18 10:38:46 | 00,000,944 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2009/04/18 09:59:51 | 00,001,745 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2009/04/17 21:19:18 | 00,003,798 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\MyTaxes.T03
[2009/04/17 21:19:18 | 00,000,314 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\MyTaxes.sbr
[2009/04/16 22:41:29 | 00,470,058 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/16 22:41:29 | 00,403,240 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/16 22:41:29 | 00,062,136 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/16 21:34:00 | 00,055,952 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/04/16 21:33:26 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/04/16 21:26:20 | 00,000,780 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/04/16 21:01:56 | 00,001,559 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
[2009/04/16 20:33:57 | 00,210,488 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/16 20:07:10 | 00,250,048 | RHS- | M] () -- C:\ntldr
[2009/04/15 20:29:53 | 00,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/14 12:59:52 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/04/14 12:55:52 | 00,000,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/04/14 09:30:52 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/04/14 09:30:52 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/04/13 22:54:21 | 04,280,874 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2009/04/13 00:14:28 | 00,002,393 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2008.lnk
[2009/04/12 15:56:47 | 00,000,076 | -HS- | M] () -- C:\Documents and Settings\Owner\My Documents\desktop.ini
[2009/04/08 20:52:31 | 00,001,777 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax Deluxe 2007.lnk
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/06 07:57:26 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/29 12:30:59 | 00,000,028 | ---- | M] () -- C:\WINDOWS\album.ini
[2009/03/26 23:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/03/21 07:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\kernel32.dll
[2009/03/21 07:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll
[2009/03/21 07:06:58 | 00,023,040 | ---- | M] () -- C:\WINDOWS\kumlvj.dcl
[2009/03/21 07:06:58 | 00,001,323 | ---- | M] () -- C:\WINDOWS\System32\sqlsodbc.chm
< End of report >

AND HERE ARE MY GMER RESULTS:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-19 20:07:15
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7647C10]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB60B4DF0]

---- User code sections - GMER 1.0.15 ----

.text I:\OTListIt2.exe[660] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text I:\OTListIt2.exe[660] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text I:\OTListIt2.exe[660] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text I:\OTListIt2.exe[660] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text I:\OTListIt2.exe[660] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text I:\OTListIt2.exe[660] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\winlogon.exe[944] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\winlogon.exe[944] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\winlogon.exe[944] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\winlogon.exe[944] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\winlogon.exe[944] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\winlogon.exe[944] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\lsass.exe[1004] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\lsass.exe[1004] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\lsass.exe[1004] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\lsass.exe[1004] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\lsass.exe[1004] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\System32\alg.exe[1112] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\System32\alg.exe[1112] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\System32\alg.exe[1112] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\System32\alg.exe[1112] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\System32\alg.exe[1112] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\System32\alg.exe[1112] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\svchost.exe[1160] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\svchost.exe[1160] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\svchost.exe[1160] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\svchost.exe[1160] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\svchost.exe[1160] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\svchost.exe[1248] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\svchost.exe[1248] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\svchost.exe[1248] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\svchost.exe[1248] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\svchost.exe[1248] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\System32\svchost.exe[1316] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\System32\svchost.exe[1316] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\System32\svchost.exe[1316] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\System32\svchost.exe[1316] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\System32\svchost.exe[1316] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\svchost.exe[1368] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\svchost.exe[1368] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\svchost.exe[1368] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\svchost.exe[1368] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\svchost.exe[1368] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\svchost.exe[1472] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\svchost.exe[1472] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\svchost.exe[1472] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\svchost.exe[1472] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\svchost.exe[1472] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1692] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1692] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1692] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1692] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1692] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1692] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe[1724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10043658
.text C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe[1724] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100435A0
.text C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe[1724] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10042E84
.text C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe[1724] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100426A0
.text C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe[1724] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10042624
.text C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe[1724] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10043554
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\Explorer.EXE[1824] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\Explorer.EXE[1824] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\Explorer.EXE[1824] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\Explorer.EXE[1824] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\Explorer.EXE[1824] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\spoolsv.exe[1884] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\spoolsv.exe[1884] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\spoolsv.exe[1884] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\spoolsv.exe[1884] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\spoolsv.exe[1884] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\spoolsv.exe[1884] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\ctfmon.exe[1944] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\ctfmon.exe[1944] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\ctfmon.exe[1944] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\ctfmon.exe[1944] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\ctfmon.exe[1944] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\ctfmon.exe[1944] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\svchost.exe[1980] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\svchost.exe[1980] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\svchost.exe[1980] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\svchost.exe[1980] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\svchost.exe[1980] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe[2068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10043658
.text C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe[2068] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe[2068] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100435A0
.text C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe[2068] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10042E84
.text C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe[2068] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100426A0
.text C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe[2068] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10042624
.text C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe[2068] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10043554
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10063658
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2116] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100635A0
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2116] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10062E84
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2116] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100626A0
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2116] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10062624
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2116] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10063554
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2160] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2160] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2160] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2160] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2160] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\Program Files\Southwest Airlines\Ding\Ding.exe[2244] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10043658
.text C:\Program Files\Southwest Airlines\Ding\Ding.exe[2244] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100435A0
.text C:\Program Files\Southwest Airlines\Ding\Ding.exe[2244] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10042E84
.text C:\Program Files\Southwest Airlines\Ding\Ding.exe[2244] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100426A0
.text C:\Program Files\Southwest Airlines\Ding\Ding.exe[2244] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10042624
.text C:\Program Files\Southwest Airlines\Ding\Ding.exe[2244] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10043554

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
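The GMER lines above all have the same shape (image[pid] module!function address N Bytes JMP target, or replaced bytes with a disassembly), and the useful questions are which APIs are hooked in every process, where the jumps land, and what was patched. The following triage script is an added example, not part of the thread or of GMER; its sample lines are copied from the log above, and grouping JMP targets by 64 KiB region (REGION_MASK) is an assumption used to guess "one injected module per process".

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a handful of lines copied from the GMER log in the post above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\Explorer.EXE[1824] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\Explorer.EXE[1824] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\spoolsv.exe[1884] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\spoolsv.exe[1884] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe[2068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10043658
.text C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe[2068] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe[2068] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100435A0
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
"""

# One GMER ".text" line: image[pid] module!function address N Bytes <JMP target | [bytes] {disasm}>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+(?P<rest>.*)$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]+)$")
PATCH_RE = re.compile(r"^\[(?P<bytes>[^\]]+)\]\s*(?:\{(?P<asm>[^}]*)\})?$")

NETWORK_APIS = {"connect", "send", "recv", "wsasend", "wsarecv"}
REGION_MASK = 0xFFFF0000  # assumption: group JMP targets by 64 KiB-aligned region


@dataclass
class Hook:
    image: str
    pid: int
    module: str            # lower-cased (GMER prints both WS2_32.dll and ws2_32.dll)
    func: str
    addr: int
    size: int
    kind: str              # "JMP" for an inline jump, "PATCH" for replaced bytes
    target: Optional[int]  # JMP destination, None for a PATCH
    patch: bytes = b""
    asm: str = ""


def parse_gmer_hooks(text):
    """Return the user-mode hooks listed in a GMER log as Hook records."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # headers, device lines and blanks are skipped
        rest = m["rest"].strip()
        j = JMP_RE.match(rest)
        if j:
            kind, target, patch, asm = "JMP", int(j["target"], 16), b"", ""
        else:
            p = PATCH_RE.match(rest)
            if not p:
                continue
            kind, target = "PATCH", None
            patch = bytes(int(b.strip(), 16) for b in p["bytes"].split(","))
            asm = (p["asm"] or "").strip()
        hooks.append(Hook(m["image"], int(m["pid"]), m["module"].lower(), m["func"],
                          int(m["addr"], 16), int(m["size"]), kind, target, patch, asm))
    return hooks


def triage(hooks):
    """Summarise what the hooks have in common; a reading aid, not a verdict."""
    pids = {h.pid for h in hooks}
    coverage = defaultdict(set)   # "module!func" -> pids in which it is hooked
    regions = defaultdict(set)    # pid -> 64 KiB regions its JMPs land in
    findings = []
    for h in hooks:
        coverage[f"{h.module}!{h.func}"].add(h.pid)
        if h.kind == "JMP":
            regions[h.pid].add(h.target & REGION_MASK)
        elif h.func == "SetUnhandledExceptionFilter" and h.patch.startswith(b"\x33\xc0\xc2"):
            # xor eax,eax ; ret 4 turns the API into a no-op: the process can no
            # longer install a top-level crash handler. Worth asking who did that.
            findings.append(f"pid {h.pid} ({h.image}): SetUnhandledExceptionFilter "
                            f"replaced with '{h.asm}'")
    everywhere = sorted(api for api, p in coverage.items() if p == pids)
    if len(pids) > 1 and everywhere:
        findings.append(f"hooked in all {len(pids)} scanned processes: " + ", ".join(everywhere))
    net = sorted(api for api in coverage if api.split("!", 1)[1].lower() in NETWORK_APIS)
    if net:
        findings.append("winsock APIs hooked, so traffic can be seen or changed in-process: "
                        + ", ".join(net))
    if regions and all(len(r) == 1 for r in regions.values()):
        # Every JMP in a process lands in one region: typically one injected DLL.
        # Identify that module (security suite or not) before drawing conclusions.
        bases = ", ".join(f"{pid}:0x{next(iter(r)):08X}" for pid, r in sorted(regions.items()))
        findings.append("one JMP target region per process (pid:base): " + bases)
    return {"processes": len(pids), "hooked_everywhere": everywhere, "findings": findings}


if __name__ == "__main__":
    print("\n".join(triage(parse_gmer_hooks(SAMPLE_LOG))["findings"]))
```

Run against the full log, the same script lists which APIs are hooked in every process and which module base the hooks share, which is the first thing to identify (most often a security product's own user-mode hooking) before treating the hooks as hostile.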

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 20 April 2009 - 10:32 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 adaml

adaml
  • Topic Starter

  • Members
  • 30 posts

Posted 20 April 2009 - 10:32 PM

Hi Sam,

Please see my Combofix log below.

As I am trying to get some education on this, would you mind briefly describing what each of the downloaded apps you suggested did on my computer?

So far, downloaded:

OTListIt2
GMER
ComboFix

Thanks much!
Tom.

Here's the ComboFix Log:

ComboFix 09-04-21.07 - Owner 04/20/2009 19:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1536.1084 [GMT -7:00]
Running from: c:\program files\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\My Documents\ASEMBL~1
c:\documents and settings\Owner\My Documents\ASEMBL~1\a?sembly\ctxad-582.0001
c:\documents and settings\Owner\My Documents\ASEMBL~1\a?sembly\ctxad-582.0002
c:\documents and settings\Owner\My Documents\ASEMBL~1\a?sembly\ctxad-582.0003
c:\documents and settings\Owner\My Documents\ASEMBL~1\a?sembly\ctxad-582.0004
c:\documents and settings\Owner\My Documents\ASEMBL~1\a?sembly\ctxad-582.0005
c:\documents and settings\Owner\My Documents\ASEMBL~1\a?sembly\ctxad-582.0006
c:\program files\INSTALL.LOG
c:\windows\Downloaded Program Files\Temp
c:\windows\system\oeminfo.ini
c:\windows\system32\intr32.dll
c:\windows\system32\msdtc_32.exe
c:\windows\system32\msmapi32.exe
c:\windows\system32\smartdrv.exe
c:\windows\system32\sumsw32.exe
c:\windows\system32\usb.exe
c:\windows\system32\user_32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Ias
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-04-20 05:44 . 2009-04-20 05:44 -------- d-----w C:\4c8bfdb957487a4638aa047f1e
2009-04-20 05:44 . 2009-04-20 05:54 -------- d-----w C:\5fa71df0cf37e43f93d9edda6a7c0092
2009-04-20 05:18 . 2009-04-21 03:06 8051 ----a-w c:\windows\system32\Config.MPF
2009-04-20 05:17 . 2006-03-03 15:07 143360 ----a-w c:\windows\system32\dunzip32.dll
2009-04-20 05:11 . 2007-11-22 13:44 33832 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-20 05:11 . 2007-12-02 19:51 40488 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-20 05:11 . 2007-11-22 13:44 79304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-20 05:11 . 2007-11-22 13:44 35240 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-20 05:11 . 2007-11-22 13:44 201320 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-04-20 05:11 . 2007-07-13 13:20 113952 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-04-19 23:57 . 2009-04-21 01:42 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-18 17:38 . 2009-04-21 01:43 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-17 06:40 . 2009-04-17 06:40 -------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-04-17 06:40 . 2009-04-17 06:40 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-17 05:34 . 2009-04-17 05:34 -------- d-----w c:\windows\system32\KB905474
2009-04-17 05:34 . 2009-03-11 05:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-17 05:34 . 2009-03-11 05:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-17 05:34 . 2009-02-10 01:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-17 05:14 . 2009-04-17 05:14 -------- d-----w C:\c98a27cc626e5755939f
2009-04-17 05:13 . 2009-04-17 05:14 -------- d-----w C:\14b4f42bcc12269dcaf6042103
2009-04-17 05:12 . 2009-04-17 05:12 -------- d-----w C:\1f8ab51d7bc8f4eb8a8a1ae4f2651a92
2009-04-17 05:12 . 2009-04-17 05:13 -------- d-----w C:\5f6cb440dd52d4ea8f0bc16cd1e9ae98
2009-04-17 04:56 . 2009-04-17 04:56 -------- d-----w C:\592e4c0a76b06ce80a42
2009-04-17 04:56 . 2009-04-17 04:59 -------- d-----w C:\eff80ef544169593b38c855a98daac64
2009-04-17 03:15 . 2009-04-17 03:15 -------- d-----w c:\windows\system32\scripting
2009-04-17 03:15 . 2009-04-17 03:15 -------- d-----w c:\windows\l2schemas
2009-04-17 03:15 . 2009-04-17 03:15 -------- d-----w c:\windows\system32\en
2009-04-16 15:27 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 15:27 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 15:27 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 15:27 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 15:27 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 15:27 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 15:27 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 15:27 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 15:27 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 15:27 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 15:27 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 15:27 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 03:29 . 2009-04-16 03:29 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-04-16 03:29 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-16 03:29 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 03:29 . 2009-04-16 03:29 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 03:20 . 2009-04-16 03:22 -------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2009-04-16 03:20 . 2009-04-16 03:20 -------- d-----w c:\documents and settings\Owner\Application Data\Uniblue
2009-04-16 03:19 . 2009-04-16 03:20 -------- dc-h--w c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-04-16 02:25 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-15 03:14 . 2009-04-15 03:14 -------- d-----w C:\93fc3d6d92f50d2a58694fa5
2009-04-14 19:57 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-14 19:54 . 2009-04-14 19:56 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-14 06:31 . 2009-04-14 06:31 -------- d-sh--w c:\documents and settings\Administrator\PrivacIE
2009-04-13 15:53 . 2009-04-15 20:36 -------- d--h--w C:\$AVG8.VAULT$
2009-04-13 15:02 . 2009-04-17 16:11 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-13 05:08 . 2009-04-13 05:08 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-12 23:29 . 2009-04-12 23:29 -------- d-sh--w c:\documents and settings\Owner\IECompatCache
2009-04-12 23:01 . 2009-04-12 23:01 -------- d-sh--w c:\documents and settings\Owner\PrivacIE
2009-04-12 22:59 . 2009-04-12 22:59 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-12 22:53 . 2009-04-12 22:53 -------- d-sh--w c:\documents and settings\Owner\IETldCache
2009-04-12 22:51 . 2009-04-12 22:51 -------- d-----w c:\windows\ie8updates
2009-04-12 22:46 . 2009-04-12 22:48 -------- dc-h--w c:\windows\ie8
2009-04-12 22:43 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-04-09 03:37 . 2009-04-09 03:37 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2009-04-07 04:18 . 2009-04-07 04:18 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Intuit
2009-04-07 04:18 . 2009-04-07 04:18 55176 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-07 04:17 . 2009-04-07 04:17 -------- d-----w c:\documents and settings\Administrator\Application Data\Intuit
2009-04-07 03:09 . 2009-04-09 04:07 -------- d-----w c:\windows\SxsCaPendDel
2009-04-07 01:20 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-07 01:20 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-07 01:20 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-07 01:20 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-07 01:20 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-07 01:20 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-07 01:20 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-07 01:20 . 2009-04-07 01:21 -------- d-----w C:\60c52a26f2c18a5416

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 03:04 . 2009-03-01 17:53 7418 ----a-w C:\aaw7boot.log
2009-04-21 02:37 . 2009-04-21 02:52 2997971 ----a-r c:\program files\ComboFix.exe
2009-04-21 02:03 . 2002-03-28 00:09 1632 ----a-w c:\windows\SYSTEM32\d3d8caps.dat
2009-04-21 01:20 . 2009-04-20 05:10 -------- d-----w c:\program files\McAfee
2009-04-21 01:08 . 2009-04-18 21:56 -------- d-----w c:\program files\a-squared Free
2009-04-20 05:18 . 2006-01-08 23:40 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-20 05:11 . 2005-04-17 22:14 -------- d-----w c:\program files\Common Files\McAfee
2009-04-20 05:10 . 2009-04-20 05:10 -------- d-----w c:\program files\McAfee.com
2009-04-20 00:06 . 2009-04-19 23:56 -------- d-----w c:\program files\SpywareBlaster
2009-04-19 22:43 . 2006-11-11 21:09 -------- d-----w c:\documents and settings\Owner\Application Data\U3
2009-04-18 19:04 . 2009-04-18 17:38 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-18 16:46 . 2009-04-14 15:52 17 ----a-w c:\program files\s.t.i.n.g.e.r.opt
2009-04-18 06:38 . 2009-04-18 06:32 -------- d-----w c:\program files\Network Associates
2009-04-18 03:18 . 2009-03-01 01:40 -------- d-----w c:\program files\DivX
2009-04-18 03:17 . 2004-04-06 05:22 -------- d-----w c:\program files\CursonZone
2009-04-18 03:11 . 2006-03-20 00:04 -------- d-----w c:\program files\ItsDeductible2005
2009-04-17 06:40 . 2009-04-17 06:39 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-17 04:34 . 2002-06-17 02:46 55952 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 03:20 . 2006-01-20 05:07 87345 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-04-17 03:18 . 2009-04-17 03:18 49152 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHI18N.dll
2009-04-17 03:18 . 2009-04-17 03:18 77824 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\WinVerifyTrust.dll
2009-04-17 03:18 . 2009-04-17 03:18 126976 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\ContentUpdater.exe
2009-04-17 03:18 . 2009-04-17 03:18 122880 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\SearchCtrl.dll
2009-04-17 03:18 . 2009-04-17 03:18 420432 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\pchplugin.zip
2009-04-17 03:18 . 2009-04-17 03:18 155648 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHButton.exe
2009-04-17 03:18 . 2009-04-17 03:18 731136 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\motdeusr.zip
2009-04-17 03:18 . 2009-04-17 03:18 106496 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PluginCtrl.dll
2009-04-17 03:07 . 2004-08-04 12:00 250048 --sha-r C:\ntldr
2009-04-17 02:25 . 2002-10-17 05:17 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-16 15:11 . 2009-04-16 03:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-16 03:20 . 2009-04-16 03:20 -------- d-----w c:\program files\Uniblue
2009-04-14 19:58 . 2009-04-14 19:57 -------- d-----w c:\program files\AVG8
2009-04-14 19:55 . 2009-04-14 19:55 -------- d-----w c:\program files\Lavasoft
2009-04-14 19:11 . 2009-04-14 19:47 37452296 ----a-w c:\program files\Ad-AwareAE.exe
2009-04-14 15:50 . 2009-04-14 15:50 297 ----a-w c:\program files\s.t.i.n.g.e.r.txt
2009-04-14 07:27 . 2009-04-14 16:12 648560 ----a-w c:\program files\WindowsXP-KB958644-x86-ENU.exe
2009-04-14 07:07 . 2009-04-14 07:16 162816 ----a-w c:\program files\ConTest.exe
2009-04-14 06:40 . 2009-04-14 03:39 386 ----a-w c:\program files\FixDwndp.log
2009-04-14 06:08 . 2009-04-14 06:58 1502215 ----a-w c:\program files\S.T.I.N.G.E.R.exe
2009-04-13 23:47 . 2009-04-14 03:39 2348928 ----a-w c:\program files\FixDwndp.exe
2009-04-13 07:22 . 2009-04-13 07:22 -------- d-----w c:\program files\AVG
2009-04-09 04:07 . 2006-07-13 02:06 -------- d-----w c:\program files\Common Files\Logitech
2009-04-09 04:04 . 2008-02-12 03:35 -------- d-----w c:\program files\Common Files\Logishrd
2009-03-08 11:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-03-08 11:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\SYSTEM32\licmgr10.dll
2009-03-08 11:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\SYSTEM32\corpol.dll
2009-03-08 11:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\SYSTEM32\vbscript.dll
2009-03-08 11:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\SYSTEM32\admparse.dll
2009-03-08 11:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\SYSTEM32\iesetup.dll
2009-03-08 11:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\SYSTEM32\imgutil.dll
2009-03-08 11:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\SYSTEM32\mshtmler.dll
2009-03-08 11:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\SYSTEM32\mshta.exe
2009-03-08 11:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\SYSTEM32\msls31.dll
2009-03-07 23:47 . 2008-09-14 21:07 1744 ----a-w c:\windows\SYSTEM32\d3d9caps.dat
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-02-26 16:38 . 2008-08-20 03:51 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 06:50 . 2005-02-05 16:15 122 ----a-w C:\ss_udp2.dat
2009-02-26 06:50 . 2005-02-05 16:13 122 ----a-w C:\ss_nb.dat
2009-02-26 06:50 . 2005-02-05 16:15 122 ----a-w C:\ss_udp.dat
2009-02-22 20:19 . 2005-02-05 16:14 -------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-08 02:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2006-05-15 21:47 . 2007-03-04 16:55 21254280 ----a-w c:\program files\AdbeRdr707_en_US.exe
2005-02-27 19:06 . 2002-06-21 16:58 60456 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-10-24 19:22 . 2004-10-24 19:22 128 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2002-10-17 05:17 . 2002-10-17 05:17 7441920 ----a-w c:\documents and settings\Owner\bchoice4.exe
2002-10-10 16:34 . 2002-10-10 16:34 5334110 ----a-w c:\documents and settings\Owner\qtsetup.exe
2002-09-23 00:05 . 2002-09-23 00:05 4742396 ----a-w c:\documents and settings\Owner\HotSyncUpdater_ENG.exe
2002-09-22 23:46 . 2002-03-18 02:08 94 ----a-w c:\program files\users.dat
2002-07-18 18:58 . 2002-07-18 18:58 299008 ----a-w c:\program files\HOTSYNC.EXE
2002-05-07 02:46 . 2002-05-07 02:45 385 ----a-w c:\program files\trace.txt
2000-12-12 19:17 . 2000-12-14 02:22 100432 ----a-w c:\program files\Win2000PPAHotfix.exe
1999-08-16 22:01 . 2002-05-06 20:57 1316 ----a-w c:\program files\MAIL.INF
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-13 67128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2008-11-03 3522296]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-27 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^AutoPlay.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe
backup=c:\windows\pss\AutoPlay.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^$McRebootA5E6DEAA56$.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
backup=c:\windows\pss\$McRebootA5E6DEAA56$.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=c:\windows\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-04-20 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-20 20:32]

2009-04-20 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-20 20:32]

2009-04-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-04-21 c:\windows\Tasks\User_Feed_Synchronization-{64F3470F-906F-4B10-8BBE-BB0911FA6A0B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

2009-04-21 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-17 05:18]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://finance.yahoo.com/
uInternet Settings,ProxyOverride = localhost
IE: {{17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
LSP: c:\windows\System32\ZKLSPR.DLL
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\www
Trusted Zone: ameritrade.com\wwws
Trusted Zone: ameritrade.com\wwws.*
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: tdameritrade.com
Trusted Zone: tdameritrade.com\www
Trusted Zone: turbotax.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 20:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1004)
c:\windows\System32\ZKLSPR.DLL
c:\windows\system32\sxlrt232.dll

- - - - - - - > 'explorer.exe'(2980)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\a-squared Free\a2service.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\SYSTEM32\wbem\unsecapp.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\progra~1\McAfee\MSC\mcshell.exe
.
**************************************************************************
.
Completion time: 2009-04-21 20:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-21 03:18

Pre-Run: 40,893,140,992 bytes free
Post-Run: 41,002,590,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

345 --- E O F --- 2009-04-17 15:38
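The "Reg Loading Points" section of the log above uses a REGEDIT4-style layout, and several of its values (AntiVirusDisableNotify, DisableMonitoring, EnableFirewall=0) describe a host whose own defences are silenced or off. The check below is an added example, not from the thread or from ComboFix: it parses that layout and flags those settings; the sample is copied from the log, and the WEAK_SETTINGS list is this example's own.

```python
import re

# Constructed sample: loading-point lines copied from the ComboFix log in the post above.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-13 67128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')

# Settings that weaken or silence the host's own defences. This list is the
# example's own; key patterns are matched against the lower-cased key path.
# Note that a third-party suite may legitimately set DisableMonitoring for its
# own product entries, so each finding is confirmed against what is installed.
WEAK_SETTINGS = [
    (r"\\security center$", "antivirusdisablenotify", 1,
     "Security Center antivirus alerts are suppressed"),
    (r"\\security center\\monitoring\\", "disablemonitoring", 1,
     "Security Center no longer monitors this product"),
    (r"\\firewallpolicy\\standardprofile$", "enablefirewall", 0,
     "Windows Firewall is off for the standard profile"),
]


def parse_loading_points(text):
    """Map each [key] block to {value name (lower-cased): raw value string}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            current = k["key"].lower()
            keys.setdefault(current, {})
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            keys[current][v["name"].lower()] = v["value"].strip()
    return keys


def as_int(raw):
    """Decode ComboFix's 'dword:XXXXXXXX' and 'N (0xN)' value renderings."""
    m = re.match(r"^dword:([0-9A-Fa-f]{1,8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9A-Fa-f]+\)$", raw)
    if m:
        return int(m.group(1))
    return None  # string values such as Run entries


def check_weak_settings(keys):
    """Return (key, value name, message) for every weak setting present."""
    findings = []
    for key, values in keys.items():
        for key_pat, name, bad_value, message in WEAK_SETTINGS:
            if name in values and re.search(key_pat, key) and as_int(values[name]) == bad_value:
                findings.append((key, name, message))
    return findings


if __name__ == "__main__":
    for key, name, message in check_weak_settings(parse_loading_points(SAMPLE_REG)):
        print(f"{message}: [{key}] {name}")
```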

#6 adaml
  • Topic Starter
  • Members
  • 30 posts

Posted 21 April 2009 - 01:18 PM

Hi Sam,
I was also wondering if you could tell me what form of virus I have/had on my computer based on your findings. I was wondering if it was Conficker...


Thank you,
AL

#7 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 21 April 2009 - 04:22 PM

As I am trying to get some education on this, would you mind briefly describing what each of the downloaded apps you suggested did on my computer?

So far, downloaded:

OTListIt2
GMER
ComboFix



Sure thing. OTListIt2 creates a log that shows common places that malware is found in your registry and recently created/accessed files that may be malicious. Gmer scans for hidden files, or rootkits. Combofix scans your computer searching for specific files and services that are known to be malicious. It also creates a log that gives us more information about what's on your computer.


I was also wondering if you could tell me what form of virus I have/had on my computer based on your findings. I was wondering if it was Conficker...


It doesn't appear to be Conficker. There are so many different variants that I couldn't tell you exactly what you've got. It doesn't appear to be anything too bad so far.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
Please post the contents of the log from DrWeb in your next reply.
How is your computer behaving?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 adaml
  • Topic Starter
  • Members
  • 30 posts

Posted 22 April 2009 - 12:16 AM

Thanks.

On my initial attempt at using Dr.Web CureIt, it caught a couple of infections, but midstream it appears to have shut down. I stepped away from my computer and when I returned to it, the app was no longer running.

I am running it again now, but I'm not sure how to retrieve the Log for the scan that was cut short (if there is one)...

I can now reach the Mcafee.com website and my Run: cmd prompt is working...but I haven't spent much time on the computer to tell if there are still any issues.

AL

#9 adaml
  • Topic Starter
  • Members
  • 30 posts

Posted 22 April 2009 - 11:36 AM

Sam,
I ran Dr.Web CureIt overnight, and realized this morning that the app shut down again (on its own) at some point while it was running. This is the second time it's happened (see prior posting)...Do you recommend anything?

Thanks,
AL

#10 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 April 2009 - 11:51 AM

Let's try this. Instead of a complete scan, select Custom scan.
Then select only the C:\Windows\System32 folder to be scanned.

That should be able to run in 10-20 minutes and hopefully you can get a log.


Did you happen to notice on any of the previous scans if malware had been detected?

#11 adaml
  • Topic Starter
  • Members
  • 30 posts

Posted 22 April 2009 - 02:03 PM

Actually, that is what I did (hit Custom and selected only the C drive, as I could not select the other drives)....I did get a few infections and hit Cure All each time as per instructions...

Note that when I tried to do this (twice), each time the app shut down (while I was away from the computer)...not sure exactly when...

Also, note that it was taking way longer than 10-20 min for the scan to run on the C drive only.....I think I had it running for at least 2 hours, including the brief time it paused to do the Cure All...after 2 hours the status bar indicated it was only at about 1/10th completion....

Thanks

#12 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 April 2009 - 06:22 PM

Don't do the whole drive, just scan C:\Windows\System32.

#13 adaml
  • Topic Starter
  • Members
  • 30 posts

Posted 22 April 2009 - 10:37 PM

Sorry, didn't read your earlier email thoroughly...I've just run the scan on C:\Windows\System32. It completed with no viruses found. Took only 10-20 minutes, as you originally mentioned.

However, the File/Save Report List option was greyed out, so I could not save the report.

Also, note that I tried to run the scan on the entire C drive 5 times since yesterday, and each time the scan shut off midway after over 1-2 hours of scanning...is this an indication of another infection?

Thanks.

#14 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 23 April 2009 - 05:02 PM

That's a good sign!

There are a few things that could cause the scan to shut down before completing. Your PC may be getting hot. Or you may have a conflict with your current antivirus that shuts it down.

How is your computer behaving overall now?

#15 adaml
  • Topic Starter
  • Members
  • 30 posts

Posted 23 April 2009 - 07:09 PM

Computer seems to be running better now...I can now access the McAfee website. However, I'm still concerned that there are infections lingering on my computer. Each time I've run a program you've suggested, I see more infections in the results. The first scan with Dr.Web CureIt revealed a few infections that were removed before the app shut off (during the scan) by itself. The last scan I ran showed no infections, but this was only after I removed them during the first scan...

Is there anything else you would recommend to determine whether other infections are still on my computer?

Thanks
