
Infected with Trojan.Dns.changer


  • This topic is locked
13 replies to this topic

#1 urbrefstinx

urbrefstinx

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:00 PM

Posted 26 April 2009 - 09:18 PM

Hello:
After running MBAM, I found out that I have this trojan.dns.changer virus. Please help with removing this terrible thing....
Below is my hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:23 PM, on 4/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\M3PLUGIN.DLL,UPF
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Vegas%20Heist/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinner.com/games/v47/skillgam/skillgam.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/activex/Ligh...loadControl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169686528031
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196293649531
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41/hangman/hangman.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Slingo%20Deluxe/Images/armhelper.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/famil.../familyfeud.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://l.yimg.com/jh/games/web_games/gameh...outLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab64162.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 15292 bytes

==============


The following is the log from MBAM:


Malwarebytes' Anti-Malware 1.36
Database version: 2040
Windows 5.1.2600 Service Pack 3

4/26/2009 9:31:53 PM
mbam-log-2009-04-26 (21-31-53).txt

Scan type: Quick Scan
Objects scanned: 90258
Time elapsed: 24 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.
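The HijackThis log above is raw text, and the first thing a responder does with one is group it by section and pick out the entries worth a second look. The following Python script is an added example for this thread, not part of HijackThis, MBAM or DDS: it parses the `Rn`/`On` entry lines into structured records and reports the O4 autoruns, the O23 services whose owner HijackThis could not resolve ("Unknown owner"), and the O16 ActiveX (DPF) controls registered from somewhere other than an http(s) URL. The sample input is a handful of lines copied from the log above; the regular expressions are my own assumptions about the line shapes, not an official format description.

```python
"""Structured triage of a HijackThis v2.0.2 log.

Added example for this thread: it is not part of HijackThis, MBAM or DDS,
and the line patterns below are assumptions drawn from the log shapes in
the post, not an official format description.
"""
import re
from collections import defaultdict

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# O4 body: "<hive>: [<name>] <command>".
RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>.*?)\] (?P<cmd>.*)$")
# O23 body: "Service: <display name> - <owner> - <path>".
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O16 body: "DPF: {CLSID} (<name>) - <url>"; the parenthesised name is optional.
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) (?:\((?P<name>.*?)\) )?- (?P<url>\S+)$")

# Constructed sample: a handful of lines copied from the HijackThis log in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\M3PLUGIN.DLL,UPF
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Vegas%20Heist/Images/stg_drm.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
--
End of file - 15292 bytes
"""


def parse_hjt(text):
    """Return [(section, body)] for every HijackThis entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Group entries by section and pull out what a responder reads first."""
    by_section = defaultdict(list)
    for section, body in parse_hjt(text):
        by_section[section].append(body)

    report = {
        "counts": {s: len(v) for s, v in by_section.items()},
        "autoruns": [],                 # (name, command) from O4 entries
        "unknown_owner_services": [],   # (name, path) from O23 entries
        "non_http_dpf": [],             # (clsid, url) from O16 entries not fetched over http(s)
    }
    for body in by_section.get("O4", []):
        m = RUN_RE.match(body)
        # Startup-folder entries ("Global Startup: x.lnk = path") carry no [name]; keep them whole.
        report["autoruns"].append((m.group("name"), m.group("cmd")) if m else (body, ""))
    for body in by_section.get("O23", []):
        m = SERVICE_RE.match(body)
        if m and m.group("owner").lower() == "unknown owner":
            report["unknown_owner_services"].append((m.group("name"), m.group("path")))
    for body in by_section.get("O16", []):
        m = DPF_RE.match(body)
        if m and not m.group("url").lower().startswith(("http://", "https://")):
            report["non_http_dpf"].append((m.group("clsid"), m.group("url")))
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("entries per section:", r["counts"])
    for name, cmd in r["autoruns"]:
        print("autorun:", name, "->", cmd)
    for name, path in r["unknown_owner_services"]:
        print("service with unresolved owner:", name, "->", path)
    for clsid, url in r["non_http_dpf"]:
        print("DPF not loaded over http(s):", clsid, "->", url)
```

Run it against a full log by replacing `SAMPLE_LOG` with the file contents. The report does not decide what is malicious; it only narrows a 190-line log down to the handful of entries (autoruns, unresolved service owners, locally sourced ActiveX controls) that a helper would cross-check by hand, which is the same reading the MBAM result above had to be reconciled with.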

#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:00 PM

Posted 03 May 2009 - 03:52 AM

Hi Urbrefstinx,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please give me a little time to go through your log. I will also let you know that I am a trainee, so each stage of the fix will need to be checked by an expert coach before I post, so there may be a slight delay. Don't worry, I won't abandon you.
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 2 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:00 PM

Posted 03 May 2009 - 08:44 AM

Hi Urbrefstinx,

Let's see what we can do then.

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker and then double click dds.scr to run the tool.

When done, DDS will open two logs:
  • DDS.txt
  • Attach.txt
Save both reports to your desktop first and then copy & paste them into your next reply.


Download and Run OTViewit
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Thanks. :thumbup2:
m0le is a proud member of UNITE

#4 urbrefstinx

urbrefstinx
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:00 PM

Posted 03 May 2009 - 08:51 PM

Thank you M0le,
Here are the 2 logs from DDS:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/20/2007 4:06:49 PM
System Uptime: 5/2/2009 12:16:22 PM (33 hours ago)

Motherboard: Dell Computer Corp. | | 0F4491
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2792/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 87.644 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description:
Device ID: ROOT\LEGACY_LIVEUPDATE_NOTICE\$%&'(
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_LIVEUPDATE_NOTICE\$%&'(
Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

32 Bit HP CIO Components Installer
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1
Adobe Shockwave Player
AIO_Scan
BitTorrent
BlackBerry Desktop Software 4.3
BufferChm
CardRd81
CCleaner (remove only)
CCScore
Compatibility Pack for the 2007 Office system
Conexant SmartHSFi V.9x 56K DF PCI Modem
Copy
CR2
Critical Update for Windows Media Player 11 (KB959772)
Crossword Weaver 8.0
CustomerResearchQFolder
Dell Digital Jukebox Driver
Dell ResourceCD
Destination Component
DeviceDiscovery
DeviceManagementQFolder
Disney Pix 2.2
Disney Pix Micro Downloader
Disneys Digital Coloring Book Featuring Little Mermaid
DJ_AIO_ProductContext
DJ_AIO_Software
DJ_AIO_Software_min
DNA
Dr. Seuss Kindergarten
Drivers Install For Linksys Easylink Advisor
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
eSupportQFolder
F4100
F4100_doccd
F4100_Help
FrostWire 4.17.0
GameTap
GEAR driver installer for x86 and x64
GearDrvs
getPlus® for Adobe
HijackThis 2.0.2
HLPIndex
HLPPDOCK
HLPRFO
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 9.0
HP Deskjet All-In-One Software 9.0
HP Imaging Device Functions 9.0
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Smart Web Printing
HP Solution Center 9.0
HP Update
HPProductAssistant
HPSSupply
Intel® PRO Network Connections Drivers
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java™ 6 Update 11
Java™ 6 Update 2
Java™ 6 Update 4
Java™ 6 Update 5
Java™ 6 Update 6
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
JumpStart Advanced Kindergarten
JumpStart Animal Adventures
JumpStart Animal Field Trip
JumpStart Artist
JumpStart Arts and Crafts
kgcbaby
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
KSU
Linksys EasyLink Advisor 1.6 (0032)
Little Mermaid Coloring Book
Malwarebytes' Anti-Malware
MarketResearch
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Picture It! Photo Premium 9
Microsoft Silverlight
Microsoft Streets and Trips 2004
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works
Microsoft Works 2004 Setup Launcher
Monopoly Here & Now Edition (remove only)
mp3-2-wav converter 1.14
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch® Jukebox
Norton 360
Notifier
NVIDIA Drivers
OpenOffice.org 2.4
OTtBP
OTtBPSDK
Personalized Learning Center
Phonics 4 Kids Advanced Flash Cards
Phonics 4 Kids Flash Cards
Phonics 4 Kids Video
PhonicsWorks
PSSWCORE
QuickTime
Reader Rabbit 1st Grade
Reader Rabbit Personalized 1st Grade
Reading Blaster Ages 4-6
RealArcade
Road Runner Install
Road Runner Medic 6.1
Roxio Media Manager
Sansa Updater
Scan
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SFR
SHASTA
Shockwave
SKIN0001
SKINXSDK
SolutionCenter
Sound Blaster Live!
SpongeBob SquarePants - Battle for Bikini Bottom DEMO
Spybot - Search & Destroy
Status
SUPERAntiSpyware Free Edition
Supple (remove only)
Symantec Technical Support Web Controls
System Requirements Lab
Talking Flash Cards
Toolbox
TrayApp
UnloadSupport
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoToolkit01
VPRINTOL
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinZip 12.0
WIRELESS
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

5/2/2009 10:47:45 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 ccHP eeCtrl Fips IDSxpx86 intelppm OMCI SASDIFSV SASKUTIL SRTSP SRTSPX SYMTDI
5/2/2009 10:46:41 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/29/2009 10:04:11 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SYMTDI
4/29/2009 10:04:11 PM, error: Service Control Manager [7000] - The SYMTDI service failed to start due to the following error: A device attached to the system is not functioning.
4/28/2009 6:06:31 PM, error: Service Control Manager [7023] - The HP CUE DeviceDiscovery Service service terminated with the following error: Unspecified error
4/26/2009 9:47:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
4/26/2009 9:30:54 PM, error: Service Control Manager [7001] - The Telephony service depends on the Plug and Play service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
4/26/2009 9:30:54 PM, error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The dependency service or group failed to start.

==== End Of File ===========================


DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 21:41:44.82 on Sun 05/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.114 [GMT -4:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\d446aa56-e9fd-4f0d-8716-9371535c667a.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.rr.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uWindow Title = Road Runner High Speed Online
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.0.0.135\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A057A204-BACC-4D26-D0DF-78A89CEC79C9} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [SansaDispatch] c:\documents and settings\owner\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\d446aa56-e9fd-4f0d-8716-9371535c667a.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB6930] command.com /c del "c:\windows\SchedLgU.Txt"
uRunOnce: [SpybotDeletingD2422] cmd.exe /c del "c:\windows\SchedLgU.Txt"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [medicsp2] c:\program files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunOnce: [SpybotDeletingA1714] command.com /c del "c:\windows\SchedLgU.Txt"
mRunOnce: [SpybotDeletingC2267] cmd.exe /c del "c:\windows\SchedLgU.Txt"
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: yahoo.com\games
Trusted Zone: musicmatch.com\online
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Vegas%20Heist/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} - hxxp://www.worldwinner.com/games/v47/skillgam/skillgam.cab
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} - hxxp://pictures.sprintpcs.com/activex/LightSurfUploadControl.cab
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169686528031
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196293649531
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - hxxps://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - hxxp://www.worldwinner.com/games/v41/hangman/hangman.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game12.zylom.com/activex/zylomgamesplayer.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Slingo%20Deluxe/Images/armhelper.ocx
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://l.yimg.com/jh/games/web_games/gamehouse/frenzy/SproutLauncher.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.0.0.135\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.087\SymEFA.sys [2009-4-29 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.087\BHDrvx86.sys [2009-4-29 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.087\cchpx86.sys [2009-4-29 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090501.001\IDSXpx86.sys [2009-5-1 276344]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.0.0.135\ccSvcHst.exe [2009-4-29 115560]
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [2008-7-28 202280]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-30 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090503.022\NAVENG.SYS [2009-5-3 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090503.022\NAVEX15.SYS [2009-5-3 876144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-10-2 33752]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-9-27 10664]

=============== Created Last 30 ================

2009-04-29 22:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-29 22:47 47,912 a------- c:\program files\RUNSAS.EXE
2009-04-29 22:23 <DIR> --d----- c:\program files\Norton Support
2009-04-29 22:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-04-29 22:10 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-29 22:10 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-04-29 22:10 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-29 22:10 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-04-29 22:10 <DIR> --d----- c:\program files\Symantec
2009-04-29 22:09 <DIR> --d----- c:\windows\system32\drivers\N360
2009-04-29 22:09 <DIR> --d----- c:\program files\Norton 360
2009-04-29 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2009-04-29 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-04-29 20:23 <DIR> --d----- c:\program files\NortonInstaller
2009-04-29 20:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-04-29 20:12 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-04-29 20:12 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-04-29 20:11 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-04-29 20:11 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-04-26 21:33 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-26 21:33 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-04-25 16:42 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-04-25 16:03 <DIR> --d----- c:\documents and settings\owner\.housecall6.6
2009-04-25 13:45 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-25 13:45 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-25 13:45 <DIR> --d----- c:\program files\Lovedontcost
2009-04-25 13:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-25 12:07 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-25 09:14 <DIR> --d----- c:\windows\LMI55.tmp
2009-04-25 09:07 <DIR> --d----- c:\windows\LMI54.tmp
2009-04-25 09:02 <DIR> --d----- c:\windows\LMI53.tmp
2009-04-24 18:49 2,967,800 a------- c:\program files\mbam-setup.exe
2009-04-22 21:47 0 a------- c:\windows\system32\commonpriv.log.lock
2009-04-21 20:26 141,197 -------- c:\windows\hpoins14.dat.temp
2009-04-21 20:26 2,000 -------- c:\windows\hpomdl14.dat.temp
2009-04-15 05:24 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 05:24 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 05:24 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 05:24 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 05:24 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 05:24 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 05:24 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-15 05:24 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 05:24 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-15 05:24 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 05:24 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 05:24 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-05-02 11:41 2,728 a------- c:\windows\system32\d3d9caps.dat
2009-04-29 22:48 16,409,960 a------- c:\program files\spybotsd162.exe
2009-04-22 07:13 12,376 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2009-03-17 22:27 14,648,672 a------- c:\program files\winzip120.exe
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-26 22:27 3,171,208 a------- c:\program files\ccsetup216.exe
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-16 11:22 355,136 a------- c:\program files\SansaUpdaterInstall.exe
2009-02-09 08:10 729,088 -------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 08:10 714,752 -------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 -------- c:\windows\system32\advapi32.dll
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-02-07 23:28 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 07:11 110,592 -------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 -------- c:\windows\system32\sc.exe
2009-02-04 22:16 442,304 a------- c:\program files\FixBrisvA.exe
2009-02-03 23:36 286,720 a------- c:\windows\iun506.exe
2009-02-03 23:35 997,692 a------- c:\program files\mp32wav.zip
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-01-25 19:29 19,030,672 a------- c:\program files\AVSAudioEditor.exe
2009-01-22 22:00 77,738,888 a------- c:\program files\ExcelViewer.exe
2008-12-22 09:47 98,816 a------- c:\program files\Shoe.xls
2008-12-17 00:51 71,656,960 a------- c:\program files\180.48_geforce_winxp_32bit_english_whql.exe
2008-12-16 22:30 26,617 a------- c:\program files\Jamie_Foxx_-_Intuition_2008_leak.torrent
2008-12-16 20:31 39,789 a------- c:\program files\Brandy_Human_2008.torrent
2008-12-16 20:30 32,770 a------- c:\program files\Jamie_Foxx_-_Intuition_-_(new)_-_2009.torrent
2008-12-16 20:19 1,754,496 a------- c:\program files\BitTorrent-6.1.2.exe
2008-08-20 19:00 4,891,216 a------- c:\program files\Silverlight.2.0.exe
2008-08-19 23:33 1,330 a------- c:\program files\desktoptab.reg
2008-08-19 23:20 1,180 a------- c:\program files\ScrnSvrTb.Show.reg
2008-08-18 20:14 2,400,784 a------- c:\program files\WLinstaller.exe
2008-08-14 21:46 871,544 a------- c:\program files\megayahtzee.exe
2008-08-07 21:56 133,227,519 a------- c:\program files\OOo_2.4.1_Win32Intel_install_wJRE_en-US.exe
2008-07-29 22:12 812,344 a------- c:\program files\HJTInstall.exe
2008-07-28 21:35 774,144 a------- c:\program files\RngInterstitial.dll
2008-07-27 21:08 14,946,782 a------- c:\program files\frostwire-4.17.0.windows.exe
2008-04-10 21:09 52,797,752 a------- c:\program files\yahoo_supple_tm6-3.exe
2008-02-27 20:34 62,712 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2007-12-20 21:00 763 a------- c:\program files\Install Norton Internet Security 2008.lnk
2007-12-20 20:12 1,394,568 a------- c:\program files\install_easyshare.exe
2007-12-20 20:10 827,024 a------- c:\program files\PhotoGreetingCards.exe
2007-12-15 16:00 16,434,976 a------- c:\program files\yahoo_monopolyherenow_tm6-2.exe
2007-11-09 12:52 28,868,320 a------- c:\program files\FileFormatConverters.exe
2007-10-16 21:49 7,069,640 a------- c:\program files\PurePlayPokerSetup.exe
2007-10-05 09:09 5,344,952 a------- c:\program files\EasyLink_Connect.exe
2007-07-09 19:38 27,024,112 a------- c:\program files\PowerPointViewer.exe
2007-03-14 22:11 18,921 a------- c:\program files\mackan.zip
2007-02-07 19:54 467 a------- c:\program files\NIS06910_2YR.exe.lnk
2007-02-07 19:39 849 a------- c:\program files\Install Norton Internet Security-2006.lnk
2007-02-05 00:14 25,755,448 a------- c:\program files\wmp11-windowsxp-x86-enu.exe
2007-02-05 00:03 15,505,200 a------- c:\program files\IE7-WindowsXP-x86-enu.exe
2008-09-01 01:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat

============= FINISH: 21:42:26.93 ===============

Here are the 2 logs from OTViewIt:

Error - 5/3/2009 11:03:43 AM | Computer Name = JAMILA | Source = Application Hang | ID = 1002
Description = Hanging application wow.bat, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/3/2009 9:37:14 PM | Computer Name = JAMILA | Source = Application Hang | ID = 1001
Description = Fault bucket 1259083446.

Error - 5/3/2009 9:37:15 PM | Computer Name = JAMILA | Source = Application Hang | ID = 1001
Description = Fault bucket 1259083446.

Error - 5/3/2009 9:37:15 PM | Computer Name = JAMILA | Source = Application Hang | ID = 1001
Description = Fault bucket 1259083446.

[ System Events ]
Error - 4/29/2009 10:04:40 PM | Computer Name = JAMILA | Source = Service Control Manager | ID = 7000
Description = The SYMTDI service failed to start due to the following error: %%31

Error - 4/29/2009 10:04:40 PM | Computer Name = JAMILA | Source = Service Control Manager | ID = 7000
Description = The SYMTDI service failed to start due to the following error: %%31

Error - 4/29/2009 10:04:40 PM | Computer Name = JAMILA | Source = Service Control Manager | ID = 7000
Description = The SYMTDI service failed to start due to the following error: %%31

Error - 4/29/2009 10:04:50 PM | Computer Name = JAMILA | Source = Service Control Manager | ID = 7000
Description = The SYMTDI service failed to start due to the following error: %%31

Error - 4/29/2009 10:04:50 PM | Computer Name = JAMILA | Source = Service Control Manager | ID = 7000
Description = The SYMTDI service failed to start due to the following error: %%31

Error - 4/29/2009 10:04:50 PM | Computer Name = JAMILA | Source = Service Control Manager | ID = 7000
Description = The SYMTDI service failed to start due to the following error: %%31

Error - 5/2/2009 10:46:41 AM | Computer Name = JAMILA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/2/2009 10:47:45 AM | Computer Name = JAMILA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
BHDrvx86 ccHP eeCtrl Fips IDSxpx86 intelppm OMCI SASDIFSV SASKUTIL SRTSP SRTSPX SYMTDI

Error - 5/2/2009 12:16:03 PM | Computer Name = JAMILA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/2/2009 7:07:00 PM | Computer Name = JAMILA | Source = DCOM | ID = 10010
Description = The server {204810B9-73B2-11D4-BF42-00B0D0118B56} did not register
with DCOM within the required timeout.
< End of report >

=======================================================================

OTViewIt logfile created on: 5/3/2009 9:44:32 PM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.98 Mb Total Physical Memory | 152.75 Mb Available Physical Memory | 29.89% Memory free
1.45 Gb Paging File | 0.85 Gb Available in Paging File | 58.86% Paging File free
Paging file location(s): C:\pagefile.sys 1000 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.75 Gb Total Space | 87.64 Gb Free Space | 78.43% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JAMILA
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2009/02/07 23:28:46 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
[2009/04/29 22:10:37 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
[2007/12/05 01:41:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2007/03/07 11:54:06 | 00,202,280 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
[2009/04/29 22:10:37 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
[2008/04/13 20:12:33 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe
[2003/06/07 07:32:32 | 00,050,688 | ---- | M] (Microsoft® Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
[2009/02/07 23:28:46 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
[2007/03/07 11:53:58 | 00,198,184 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[2008/12/16 20:19:44 | 00,342,848 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe
[2009/02/16 11:19:20 | 00,079,872 | ---- | M] (SanDisk Corporation) -- C:\Documents and Settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
[2009/03/23 14:07:24 | 01,830,128 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\d446aa56-e9fd-4f0d-8716-9371535c667a.exe
[2009/03/05 16:07:20 | 02,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[2007/03/11 21:26:24 | 00,210,520 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[2007/03/11 21:32:42 | 00,151,552 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
[2009/02/28 00:54:41 | 00,636,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
[2007/03/02 16:51:40 | 00,173,672 | R--- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
[2008/04/13 20:12:29 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\notepad.exe
[2008/04/13 20:12:29 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\notepad.exe
[2009/05/03 21:43:51 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/08/29 10:00:30 | 00,033,752 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper [On_Demand | Stopped])
[2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
File not found -- -- (iPod Service [Disabled | Stopped])
[2009/02/07 23:28:46 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
[2005/03/30 17:46:56 | 00,411,920 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\KodakCCS.exe -- (KodakCCS [Disabled | Stopped])
[2003/06/02 12:01:26 | 00,303,104 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS [Disabled | Stopped])
[2009/04/29 22:10:37 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe -- (N360 [Auto | Running])
[2007/12/05 01:41:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2007/07/24 05:14:08 | 00,088,560 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9 [On_Demand | Stopped])
[2007/07/24 05:14:06 | 00,358,896 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe -- (Roxio Upnp Server 9 [Auto | Stopped])
[2007/08/16 08:56:16 | 00,309,744 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9 [Disabled | Stopped])
[2007/08/16 08:56:10 | 01,092,080 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9 [On_Demand | Stopped])
[2007/08/16 08:56:14 | 00,166,384 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9 [Auto | Stopped])
[2007/03/07 11:54:06 | 00,202,280 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\twc\medicsp2\bin\sprtsvc.exe -- (sprtsvc_medicsp2 [Auto | Running])
[2008/01/29 16:09:02 | 00,394,704 | ---- | M] (Symantec, Inc.) -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist [On_Demand | Stopped])
[2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
[2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
[2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2009/04/29 22:10:39 | 00,258,608 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\N360\0300000.087\BHDrvx86.sys -- (BHDrvx86 [System | Running])
[2009/04/29 22:10:39 | 00,482,352 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\N360\0300000.087\cchpx86.sys -- (ccHP [System | Running])
[2003/09/22 09:48:06 | 00,130,192 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Running])
[2005/06/16 15:41:02 | 00,037,150 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\DcCam.sys -- (DcCam [System | Running])
[2005/03/31 08:47:42 | 00,061,564 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\DcFpoint.sys -- (DcFpoint [On_Demand | Stopped])
[2005/03/31 08:47:48 | 00,038,673 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\DCFS2k.sys -- (DCFS2K [Auto | Running])
[2005/03/31 08:47:50 | 00,008,022 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\DcLps.sys -- (DcLps [On_Demand | Stopped])
[2005/03/31 08:47:56 | 00,070,262 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\DcPtp.sys -- (DcPTP [On_Demand | Stopped])
[2005/06/13 12:58:04 | 00,162,816 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B [On_Demand | Running])
[2009/04/29 22:10:39 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
[2007/03/22 12:57:14 | 00,028,672 | --S- | M] (Gteko Ltd.) -- C:\WINDOWS\system32\drivers\elagopro.sys -- (elagopro [Auto | Running])
[2007/03/22 12:57:14 | 00,005,376 | --S- | M] (Gteko Ltd.) -- C:\WINDOWS\system32\drivers\elaunidr.sys -- (elaunidr [Auto | Running])
[2009/04/29 22:10:39 | 00,101,936 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
[2005/03/31 09:00:08 | 00,152,081 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\ExportIt.sys -- (Exportit [System | Stopped])
[2008/04/13 14:45:29 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum [On_Demand | Running])
[2009/01/15 12:19:36 | 00,023,848 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2006/10/19 12:11:40 | 00,010,664 | ---- | M] (Applied Networking Inc.) -- C:\WINDOWS\system32\drivers\gan_adapter.sys -- (hamachi_oem [On_Demand | Stopped])
[2007/03/08 00:20:48 | 00,049,920 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412 [On_Demand | Running])
[2007/03/08 00:20:49 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12 [On_Demand | Running])
[2007/03/08 00:20:50 | 00,021,568 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12 [On_Demand | Running])
[2003/07/02 11:26:20 | 00,202,368 | R--- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2 [On_Demand | Running])
[2003/07/02 11:24:16 | 01,063,936 | R--- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP [On_Demand | Running])
[2009/04/29 22:10:39 | 00,276,344 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090501.001\IDSXpx86.sys -- (IDSxpx86 [System | Running])
[2003/04/09 14:48:08 | 00,011,043 | R--- | M] (Conexant) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2009/04/29 22:10:39 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090503.022\NAVENG.SYS -- (NAVENG [On_Demand | Running])
[2009/04/29 22:10:40 | 00,876,144 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090503.022\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
[2007/12/05 01:41:00 | 07,435,392 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2001/08/22 09:42:58 | 00,013,632 | ---- | M] (Dell Computer Corporation) -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI [System | Running])
[2003/09/22 09:47:38 | 00,178,672 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
[2003/09/22 13:43:06 | 01,330,048 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\P16X.sys -- (P16X [On_Demand | Running])
[2003/03/05 13:19:28 | 00,015,840 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\PFMODNT.SYS -- (PfModNT [Auto | Running])
[2004/08/04 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/05/01 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2007/05/31 13:39:50 | 00,022,656 | ---- | M] (Research In Motion Limited) -- C:\WINDOWS\system32\drivers\RimUsb.sys -- (RimUsb [On_Demand | Stopped])
[2009/03/23 14:07:26 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV [System | Running])
[2009/03/23 14:07:28 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Running])
[2009/03/23 14:07:26 | 00,072,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [System | Running])
[2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2001/08/17 13:50:46 | 00,101,760 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\drivers\sis300ip.sys -- (SiS300i [On_Demand | Stopped])
[2007/05/18 12:41:30 | 00,037,760 | ---- | M] (Service & Quality Technology.) -- C:\WINDOWS\system32\drivers\Capt905c.sys -- (SQTECH905C [On_Demand | Stopped])
[2009/04/29 22:10:40 | 00,307,760 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\N360\0300000.087\srtsp.sys -- (SRTSP [System | Running])
[2009/04/29 22:10:40 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\N360\0300000.087\srtspx.sys -- (SRTSPX [System | Running])
[2009/04/29 22:10:40 | 00,310,320 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\N360\0300000.087\SymEFA.sys -- (SymEFA [Boot | Running])
[2009/04/29 22:10:53 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
[2009/04/29 22:10:40 | 00,089,776 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\N360\0300000.087\symfw.sys -- (SYMFW [On_Demand | Running])
[2009/04/29 22:10:40 | 00,034,736 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\N360\0300000.087\symids.sys -- (SYMIDS [On_Demand | Running])
[2007/02/07 20:32:46 | 00,010,344 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd [Auto | Running])
[2009/04/29 22:10:40 | 00,037,296 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\N360\0300000.087\symndis.sys -- (SYMNDIS [On_Demand | Running])
[2009/04/29 22:10:40 | 00,217,392 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\N360\0300000.087\symtdi.sys -- (SYMTDI [System | Running])
[2008/04/13 14:56:49 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS_XP [On_Demand | Stopped])
[2003/07/02 11:25:24 | 00,631,680 | R--- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf [On_Demand | Running])
[2004/08/04 08:00:00 | 00,012,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ws2ifsl.sys -- (WS2IFSL [System | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"CustomSearch"=http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
"Start Page"=http://www.rr.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\PE_C_ALL USERS\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
"Start Page"=http://www.rr.com/

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1003\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page"=http://home.disney.go.com/tv/index

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1004\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-500\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://red.clientapps.yahoo.com/customize/ie/defaults/sp/verizon/*http://www.yahoo.com
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-500\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomSearch"=http://red.clientapps.yahoo.com/customize/ie/defaults/cs/verizon/*http://www.yahoo.com/search/ie.html

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-500\Software\Microsoft\Internet Explorer\SearchURL]
"@"=http://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (305826 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
10529 more lines...

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
{0347C33E-8762-4905-BF09-768834316C61} (HKLM) -- C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
{053F9267-DC04-4294-A72C-58F732D338C0} (HKLM) -- C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
{53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} (HKLM) -- C:\Program Files\Norton 360\Engine\3.0.0.135\CoIEPlg.dll (Symantec Corporation)
{6D53EC84-6AAE-4787-AEEE-F4628F01010C} (HKLM) -- C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.dll (Symantec Corporation)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
{9030D464-4C02-4ABF-8ECC-5164760863C6} (HKLM) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
{DBC80044-A445-435b-BC74-9C25C1C588A9} (HKLM) -- C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (HKLM) -- C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" (HKLM) -- C:\Program Files\Norton 360\Engine\3.0.0.135\CoIEPlg.dll (Symantec Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{C4069E3A-68F1-403E-B40E-20066696354B}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" (HKLM) -- C:\Program Files\Norton 360\Engine\3.0.0.135\CoIEPlg.dll (Symantec Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-D0DF-78A89CEC79C9}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{C4069E3A-68F1-403E-B40E-20066696354B}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" (HKLM) -- C:\Program Files\Norton 360\Engine\3.0.0.135\CoIEPlg.dll (Symantec Corporation)

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-D0DF-78A89CEC79C9}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{C4069E3A-68F1-403E-B40E-20066696354B}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" (HKLM) -- C:\Program Files\Norton 360\Engine\3.0.0.135\CoIEPlg.dll (Symantec Corporation)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
""= File not found
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"medicsp2"=C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2 (SupportSoft, Inc.)
"Microsoft Works Update Detection"=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft® Corporation)
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" (Sonic Solutions)
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
"UpdReg"=C:\WINDOWS\UpdReg.EXE (Creative Technology Ltd.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" (BitTorrent, Inc.)
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (Microsoft Corporation)
"SansaDispatch"=C:\Documents and Settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\d446aa56-e9fd-4f0d-8716-9371535c667a.exe (SUPERAntiSpyware.com)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe File not found
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe File not found

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe File not found
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe File not found

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" (BitTorrent, Inc.)
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (Microsoft Corporation)
"SansaDispatch"=C:\Documents and Settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\d446aa56-e9fd-4f0d-8716-9371535c667a.exe (SUPERAntiSpyware.com)

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" (Microsoft Corp.)
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe File not found

========== (O4) RunOnce Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA1714"=command.com /c del "C:\WINDOWS\SchedLgU.Txt" ()
"SpybotDeletingC2267"=cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt" (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB6930"=command.com /c del "C:\WINDOWS\SchedLgU.Txt" ()
"SpybotDeletingD2422"=cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt" (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB6930"=command.com /c del "C:\WINDOWS\SchedLgU.Txt" ()
"SpybotDeletingD2422"=cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt" (Microsoft Corporation)

========== (O4) RunOnceEx Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
""= File not found

========== (O4) Startup Folders ==========

[2007/03/11 21:26:24 | 00,210,520 | ---- | M] (Hewlett-Packard Co.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[2001/02/13 02:01:04 | 00,083,360 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"NoDispScrSavPage"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"ClassicShell"=0
"NoActiveDesktopChanges"=0
"NoActiveDesktop"=0
"NoSaveSettings"=0
"NoThemesTab"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=0
"NoDispBackgroundPage"=0
"NoDispScrSavPage"=0
"NoDispAppearancePage"=0
"NoColorChoice"=0
"NoSizeChoice"=0
"NoDispCPL"=0
"NoVisualStyleChoice"=0
"NoDispSettingsPage"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"ClassicShell"=0
"NoActiveDesktopChanges"=0
"NoActiveDesktop"=0
"NoSaveSettings"=0
"NoThemesTab"=0

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=0
"NoDispBackgroundPage"=0
"NoDispScrSavPage"=0
"NoDispAppearancePage"=0
"NoColorChoice"=0
"NoSizeChoice"=0
"NoDispCPL"=0
"NoVisualStyleChoice"=0
"NoDispSettingsPage"=0

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1004\Software\Microsoft\Internet Explorer\MenuExt\]
&Search: File not found

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-500\Software\Microsoft\Internet Explorer\MenuExt\]
&Search: Reg Error: Key does not exist or could not be opened. File not found

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{58ECB495-38F0-49cb-A538-10282ABF65E7}: Button: HP Clipbook -- %ProgramFiles%\HP\Smart Web Printing\hpswp_extensions.dll [2007/03/02 16:53:20 | 00,153,192 | R--- | M] (Hewlett-Packard Co.)
{700259D7-1666-479a-93B1-3250410481E8}: Button: HP Smart Select -- %ProgramFiles%\HP\Smart Web Printing\hpswp_extensions.dll [2007/03/02 16:53:20 | 00,153,192 | R--- | M] (Hewlett-Packard Co.)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search & Destroy Configuration -- %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
musicmatch.com\online: https in Computer
51 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
yahoo.com\games: http in My Computer
50 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
49 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
49 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
yahoo.com\games: http in My Computer
50 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
49 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1960408961-2147086089-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
48 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{01113300-3E00-11D2-8470-0060089874ED}: http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab -- Support.com Configuration Class
{02BCC737-B171-4746-94C9-0D8A0B2C0089}: http://office.microsoft.com/templates/ieawsdc.cab -- Microsoft Office Template and Media Control
{05D44720-58E3-49E6-BDF6-D00330E511D3}: http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab -- StagingUI Object
{0CCA191D-13A6-4E29-B746-314DEE697D83}: http://upload.facebook.com/controls/2008.1...toUploader5.cab -- Facebook Photo Uploader 5 Control
{149E45D8-163E-4189-86FC-45022AB2B6C9}: file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Vegas%20Heist/Images/stg_drm.ocx -- SpinTop DRM Control
{166B1BCA-3F9C-11CF-8075-444553540000}: http://download.macromedia.com/pub/shockwa...director/sw.cab -- Shockwave ActiveX Control
{17492023-C23A-453E-A040-C7C580BBF700}: http://go.microsoft.com/fwlink/?linkid=39204 -- Windows Genuine Advantage Validation Tool
{18C3FD15-74F6-4280-9C98-3590C966B7B8}: http://www.worldwinner.com/games/v47/skillgam/skillgam.cab -- SkillGam Control
{1A1F56AA-3401-46F9-B277-D57F3421F821}: http://www.worldwinner.com/games/v47/share...GamesLoader.cab -- FunGamesLoader Object
{1D082E71-DF20-4AAF-863B-596428C49874}: http://www.worldwinner.com/games/v50/tpir/tpir.cab -- TPIR Control
{1E54D648-B804-468d-BC78-4AFFED8E262E}: http://www.srtest.com/srl_bin/sysreqlab_srl.cab -- System Requirements Lab Class
{215B8138-A3CF-44C5-803F-8226143CFC0A}: http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab -- Trend Micro ActiveX Scan Agent 6.6
{3BB54395-5982-4788-8AF4-B5388FFDD0D8}: http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab -- MSN Games – Buddy Invite
{48DD0448-9209-4F81-9F6D-D83562940134}: http://lads.myspace.com/upload/MySpaceUploader1006.cab -- MySpace Uploader Control
{528C14CD-CF9E-489C-A365-5999F17B69B9}: http://pictures.sprintpcs.com/activex/Ligh...loadControl.cab -- LightSurfUploadCtl Class
{55027008-315F-4F45-BBC3-8BE119764741}: http://www.slide.com/uploader/SlideImageUploader.cab -- Slide Image Uploader Control
{5736C456-EA94-4AAC-BB08-917ABDD035B3}: http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab -- ZonePAChat Object
{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}: http://upload.facebook.com/controls/Facebo...toUploader3.cab -- Facebook Photo Uploader 4 Control
{5D6F45B3-9043-443D-A792-115447494D24}: http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab -- UnoCtrl Class
{6414512B-B978-451D-A0D8-FCFDF33E833C}: http://update.microsoft.com/windowsupdate/...b?1169686528031 -- WUWebControl Class
{67A5F8DC-1A4B-4D66-9F24-A704AD929EEE}: http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab -- Reg Error: Key does not exist or could not be opened.
{6A344D34-5231-452A-8A57-D064AC9B7862}: https://webdl.symantec.com/activex/symdlmgr.cab -- Symantec Download Manager
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}: http://www.update.microsoft.com/microsoftu...b?1196293649531 -- MUWebControl Class
{8A94C905-FF9D-43B6-8708-F0F22D22B1CB}: http://www.worldwinner.com/games/shared/wwlaunch.cab -- Wwlaunch Control
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{94299420-321F-4FF9-A247-62A23EBB640B}: http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab -- WordMojo Control
{A4110378-789B-455F-AE86-3A1BFC402853}: http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab -- ZPA_SHVL Object
{B020B534-4AA2-4B99-BD6D-5F6EE286DF5C}: https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab -- Reg Error: Key does not exist or could not be opened.
{B06CE1BC-5D9D-4676-BD28-1752DBF394E0}: http://www.worldwinner.com/games/v41/hangman/hangman.cab -- Hangman Control
{B8BE5E93-A60C-4D26-A2DC-220313175592}: http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab -- MSN Games - Installer
{BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B}: http://game12.zylom.com/activex/zylomgamesplayer.cab -- Zylom Games Player
{C3F79A2B-B9B4-4A66-B012-3EE46475B072}: http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab -- MessengerStatsClient Class
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_01
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_02
{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_04
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_05
{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_06
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{CC450D71-CC90-424C-8638-1F2DBAC87A54}: file:///C:/Program%20Files/Slingo%20Deluxe/Images/armhelper.ocx -- Reg Error: Key does not exist or could not be opened.
{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}: http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab -- get_atlcom Class
{CF969D51-F764-4FBF-9E90-475248601C8A}: http://www.worldwinner.com/games/v47/famil.../familyfeud.cab -- FamilyFeud Control
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://download.macromedia.com/pub/shockwa...ash/swflash.cab -- Shockwave Flash Object
{D54160C3-DB7B-4534-9B65-190EE4A9C7F7}: http://l.yimg.com/jh/games/web_games/gameh...outLauncher.cab -- SproutLauncherCtrl Class
{DA2AA6CF-5C7A-4B71-BC3B-C771BB369937}: http://zone.msn.com/binframework/v10/StProxy.cab55579.cab -- MSN Games – Game Communicator
{FF3C5A9F-5A99-4930-80E8-4709194C2AD3}: http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab64162.cab -- MSN Games – Backgammon

========== (O17) DNS Name Servers ==========

{2D015606-35A0-43B4-B961-998108115441} (Servers: | Description: Intel® PRO/100 VE Network Connection)
{9F03FD8E-6C4F-413D-96F7-C1674E9D9C9C} (Servers: | Description: Westell WireSpeed Dual Connect Modem)
{EE77C7B4-14B0-48C5-A3E6-2FEB056606CA} (Servers: | Description: )

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
!SASWinLogon: "DllName" = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll -- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2007/01/20 17:04:57 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[10 C:\WINDOWS\*.tmp files]
[2009/05/03 21:43:45 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe
[2009/05/03 21:40:41 | 00,360,021 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/05/02 12:16:54 | 53,587,5584 | -HS- | C] () -- C:\hiberfil.sys
[2009/04/29 22:50:24 | 00,001,824 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2009/04/29 22:47:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/04/29 22:47:15 | 00,047,912 | ---- | C] () -- C:\Program Files\RUNSAS.EXE
[2009/04/29 22:39:37 | 42,154,848 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\20090429-023-v5i32.exe
[2009/04/29 22:23:52 | 00,000,000 | ---D | C] -- C:\Program Files\Norton Support
[2009/04/29 22:12:58 | 00,635,996 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\Cat.DB
[2009/04/29 22:12:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
[2009/04/29 22:12:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Downloaded Installations
[2009/04/29 22:10:53 | 00,124,464 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/04/29 22:10:53 | 00,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/04/29 22:10:53 | 00,007,386 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/04/29 22:10:53 | 00,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/04/29 22:10:53 | 00,000,000 | ---D | C] -- C:\Program Files\Symantec
[2009/04/29 22:10:42 | 00,001,909 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton 360.LNK
[2009/04/29 22:10:40 | 00,310,320 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.sys
[2009/04/29 22:10:40 | 00,307,760 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.sys
[2009/04/29 22:10:40 | 00,217,392 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symtdi.sys
[2009/04/29 22:10:40 | 00,089,776 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symfw.sys
[2009/04/29 22:10:40 | 00,043,696 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.sys
[2009/04/29 22:10:40 | 00,039,984 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symndisv.sys
[2009/04/29 22:10:40 | 00,037,296 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symndis.sys
[2009/04/29 22:10:40 | 00,034,736 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symids.sys
[2009/04/29 22:10:39 | 00,258,608 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.sys
[2009/04/29 22:10:16 | 00,003,373 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.inf
[2009/04/29 22:10:16 | 00,001,528 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymNet.inf
[2009/04/29 22:10:16 | 00,001,389 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.inf
[2009/04/29 22:10:16 | 00,001,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.inf
[2009/04/29 22:10:16 | 00,000,640 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.inf
[2009/04/29 22:10:16 | 00,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\isolate.ini
[2009/04/29 22:09:56 | 00,009,423 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymNet.cat
[2009/04/29 22:09:56 | 00,007,410 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.cat
[2009/04/29 22:09:56 | 00,007,372 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.cat
[2009/04/29 22:09:56 | 00,007,364 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.CAT
[2009/04/29 22:09:56 | 00,007,355 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.cat
[2009/04/29 22:09:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360\0300000.087
[2009/04/29 22:09:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360
[2009/04/29 22:09:48 | 00,000,000 | ---D | C] -- C:\Program Files\Norton 360
[2009/04/29 20:29:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2009/04/29 20:29:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2009/04/29 20:23:46 | 00,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2009/04/29 20:23:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2009/04/29 20:12:05 | 00,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mouhid.sys
[2009/04/29 20:12:05 | 00,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mouhid.sys
[2009/04/29 20:11:59 | 00,010,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\hidusb.sys
[2009/04/29 20:11:59 | 00,010,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidusb.sys
[2009/04/29 19:01:40 | 00,027,648 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Granddad's bday 2009.doc
[2009/04/27 22:02:21 | 00,001,503 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/26 21:34:25 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/04/26 21:33:57 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/04/26 21:33:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2009/04/25 17:27:35 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/04/25 16:42:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2009/04/25 13:45:46 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/25 13:45:44 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/25 13:45:43 | 00,000,000 | ---D | C] -- C:\Program Files\Lovedontcost
[2009/04/25 13:45:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/25 13:33:37 | 00,000,082 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\cc_20090425_133303.reg
[2009/04/25 12:07:42 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/04/25 09:14:16 | 00,000,000 | ---D | C] -- C:\WINDOWS\LMI55.tmp
[2009/04/25 09:07:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\LMI54.tmp
[2009/04/25 09:02:27 | 00,000,000 | ---D | C] -- C:\WINDOWS\LMI53.tmp
[2009/04/25 08:46:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Symantec
[2009/04/24 19:21:27 | 63,752,952 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\avg_free_stf_en_85_287a1483.exe
[2009/04/24 18:49:59 | 02,967,800 | ---- | C] (Malwarebytes Corporation ) -- C:\Program Files\mbam-setup.exe
[2009/04/23 22:31:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2009/04/22 19:30:06 | 00,025,088 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Wedding-Reception Expenses.doc
[2009/04/22 19:30:06 | 00,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner\My Documents\~$dding-Reception Expenses.doc
[2009/04/16 19:59:04 | 00,026,233 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\CrosswordWeaverLive.zip
[2009/04/16 19:59:04 | 00,026,233 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\CrosswordWeaverLive.jar
[2009/04/16 19:59:04 | 00,000,949 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\InteractivePuzzleTemporaryFile1.html
[2009/04/15 05:24:42 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/15 05:24:42 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/15 05:24:41 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/15 05:24:41 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/15 05:24:41 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/15 05:24:40 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/15 05:24:40 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/15 05:24:40 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/15 05:24:39 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/15 05:24:05 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/15 05:24:04 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/15 05:24:04 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/14 18:35:44 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Missing Letter.doc
[2009/04/14 18:24:43 | 00,049,152 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Jaliya's word search.doc
[2009/04/07 20:12:32 | 00,028,160 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Write each word 3 times.doc

========== Files - Modified Within 30 Days ==========

[25 C:\WINDOWS\System32\*.tmp files]
[10 C:\WINDOWS\*.tmp files]
[2009/05/03 21:43:51 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe
[2009/05/03 21:40:53 | 00,360,021 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/05/03 02:00:04 | 00,000,314 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
[2009/05/02 22:00:00 | 00,000,330 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2009/05/02 18:36:03 | 00,000,306 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/05/02 12:20:33 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/02 12:17:14 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/02 12:17:01 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/02 12:16:54 | 53,587,5584 | -HS- | M] () -- C:\hiberfil.sys
[2009/05/02 11:41:52 | 00,002,728 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/05/01 18:12:29 | 00,000,580 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\My Sharing Folders.lnk
[2009/04/30 20:00:08 | 00,001,824 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2009/04/30 19:53:04 | 00,305,826 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2009/04/30 19:52:30 | 00,305,826 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090430-195304.backup
[2009/04/30 07:24:33 | 00,002,483 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Word.lnk
[2009/04/30 07:21:00 | 00,635,996 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\Cat.DB
[2009/04/29 22:40:00 | 42,154,848 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\20090429-023-v5i32.exe
[2009/04/29 22:10:53 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/04/29 22:10:53 | 00,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/04/29 22:10:53 | 00,007,386 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/04/29 22:10:53 | 00,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/04/29 22:10:42 | 00,001,909 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton 360.LNK
[2009/04/29 22:10:40 | 00,310,320 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.sys
[2009/04/29 22:10:40 | 00,307,760 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.sys
[2009/04/29 22:10:40 | 00,217,392 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symtdi.sys
[2009/04/29 22:10:40 | 00,089,776 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symfw.sys
[2009/04/29 22:10:40 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.sys
[2009/04/29 22:10:40 | 00,039,984 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symndisv.sys
[2009/04/29 22:10:40 | 00,037,296 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symndis.sys
[2009/04/29 22:10:40 | 00,034,736 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symids.sys
[2009/04/29 22:10:39 | 00,258,608 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.sys
[2009/04/29 22:10:16 | 00,003,373 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.inf
[2009/04/29 22:10:16 | 00,001,528 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymNet.inf
[2009/04/29 22:10:16 | 00,001,389 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.inf
[2009/04/29 22:10:16 | 00,001,383 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.inf
[2009/04/29 22:10:16 | 00,000,640 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.inf
[2009/04/29 22:10:16 | 00,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\isolate.ini
[2009/04/29 22:09:56 | 00,009,423 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymNet.cat
[2009/04/29 22:09:56 | 00,007,410 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.cat
[2009/04/29 22:09:56 | 00,007,372 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.cat
[2009/04/29 22:09:56 | 00,007,364 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.CAT
[2009/04/29 22:09:56 | 00,007,355 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.cat
[2009/04/29 19:29:28 | 00,027,648 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Granddad's bday 2009.doc
[2009/04/27 22:04:23 | 00,001,503 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/27 20:00:00 | 00,000,622 | ---- | M] () -- C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Owner.job
[2009/04/26 21:34:25 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/04/25 21:38:04 | 00,310,784 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/25 13:33:37 | 00,000,082 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\cc_20090425_133303.reg
[2009/04/24 19:21:34 | 63,752,952 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\avg_free_stf_en_85_287a1483.exe
[2009/04/23 23:53:58 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
[2009/04/22 19:30:06 | 00,025,088 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Wedding-Reception Expenses.doc
[2009/04/22 19:30:06 | 00,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\~$dding-Reception Expenses.doc
[2009/04/22 07:13:55 | 00,012,376 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2009/04/21 21:43:26 | 00,013,824 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Wedding Guest List.wdb
[2009/04/21 21:23:04 | 00,083,696 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/04/16 19:59:04 | 00,000,949 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\InteractivePuzzleTemporaryFile1.html
[2009/04/16 18:04:53 | 00,312,946 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/16 18:04:53 | 00,040,664 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/16 18:04:52 | 00,358,370 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/14 18:35:44 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Missing Letter.doc
[2009/04/14 18:24:43 | 00,049,152 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Jaliya's word search.doc
[2009/04/07 20:12:32 | 00,028,160 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Write each word 3 times.doc
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/06 10:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
< End of report >

#5 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 May 2009 - 03:50 AM

Hi Urbrefstinx,

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a pop-up window. If you do, click No.
  • Click on the Scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push the Save button and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

m0le is a proud member of UNITE

#6 urbrefstinx
  • Topic Starter
  • Members
  • 7 posts

Posted 04 May 2009 - 07:11 PM

I performed the GMER scan as requested, the log is as follows:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-04 20:09:25
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 82ED04E0 ZwAlertResumeThread
SSDT 82EE0BC8 ZwAlertThread
SSDT 82EC3DA8 ZwAllocateVirtualMemory
SSDT 82E959A0 ZwAssignProcessToJobObject
SSDT 82BB59E0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF4BFE040]
SSDT 82B650E8 ZwCreateMutant
SSDT 82C5E910 ZwCreateSymbolicLinkObject
SSDT 82DADDE8 ZwCreateThread
SSDT 82EC46A8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF4BFE2C0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF4BFE820]
SSDT 82D78EB8 ZwDuplicateObject
SSDT 82CB0588 ZwFreeVirtualMemory
SSDT 82E9C6C8 ZwImpersonateAnonymousToken
SSDT 82EC4CC8 ZwImpersonateThread
SSDT 82C6C6A8 ZwLoadDriver
SSDT 82CB1138 ZwMapViewOfSection
SSDT 82ED64B0 ZwOpenEvent
SSDT 82EE2608 ZwOpenProcess
SSDT 82C49240 ZwOpenProcessToken
SSDT 82EE2AD8 ZwOpenSection
SSDT 82E97EA8 ZwOpenThread
SSDT 82E5E008 ZwProtectVirtualMemory
SSDT 82F811A0 ZwResumeThread
SSDT 82C41318 ZwSetContextThread
SSDT 82B5D108 ZwSetInformationProcess
SSDT 82EE2F60 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF4BFEA70]
SSDT 82E9C2B0 ZwSuspendProcess
SSDT 82EA6238 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF4AFEDF0]
SSDT 82EB2E00 ZwTerminateThread
SSDT 82D54B28 ZwUnmapViewOfSection
SSDT 82EDB9B0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + F8 804E2754 4 Bytes CALL CBD0DDA9
.text ntoskrnl.exe!_abnormal_termination + 11C 804E2778 8 Bytes JMP 5E36AA42
.text ntoskrnl.exe!_abnormal_termination + 150 804E27AC 4 Bytes CALL 70081C70
.text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 8 Bytes JMP 6AB06323
? SYMEFA.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1628] kernel32.dll!VirtualProtect + 1C 7C801AF0 7 Bytes JMP 04660034
.text C:\Program Files\Internet Explorer\iexplore.exe[1628] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1628] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 40A51777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1628] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 40A516F8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1628] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 40A5173C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1628] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 40A51684 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1628] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 40A516BE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1628] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 40A517B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1628] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1628] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 046600B8
.text C:\Program Files\Internet Explorer\iexplore.exe[1628] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 0466013F
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3424] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Windows Live Messenger/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Services - GMER 1.0.15 ----

Service system32\drivers\gxvxceutubkltfmqxdorgomykmpulqjbixelq.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxceutubkltfmqxdorgomykmpulqjbixelq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxceutubkltfmqxdorgomykmpulqjbixelq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcrqjewqvpktartlobqpmuvlchhleynsxm.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxceutubkltfmqxdorgomykmpulqjbixelq.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxceutubkltfmqxdorgomykmpulqjbixelq.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcrqjewqvpktartlobqpmuvlchhleynsxm.dll

---- EOF - GMER 1.0.15 ----

#7 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 May 2009 - 01:11 PM

Hi Urbrefstinx,

Now I've found something nasty. Please read the next bit carefully as it will explain how this malware got into your PC.

Your logs show that you have an online poker program installed on your computer. I know that you may use this game on a regular basis, but I think it's important to note that these kinds of programs are often installed with other unwanted software, namely spyware or adware. Due to this I strongly suggest that you uninstall these programmes if you do not use them anymore or did not install them yourself on purpose. There are so many online poker games out there these days that it is close to impossible to keep track of whether a program is infected or not. Should you have installed this online poker game on purpose and wish to continue using it, you may ignore this. Should you decide to uninstall the program, then you can do so by following the steps below:

Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs, search for the poker game and remove it.

If you are unsure of anything, please don't hesitate to ask.

The log shows that you have been using so-called peer-to-peer or file-sharing programmes (in your case BitTorrent). These programmes allow users to share files between each other, as the name suggests. In today's world cyber crime has come a long way, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Okay, on with the cleaning.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

m0le is a proud member of UNITE

#8 urbrefstinx
  • Topic Starter
  • Members
  • 7 posts

Posted 05 May 2009 - 06:05 PM

My ComboFix Log is attached, however, I didn't know what "online poker" game you were speaking of. I did see GameTap, but I've had that for over a year now. Can you tell me specifically what program I need to delete? Thanks.
Attached File: combofixlog.txt (19.56KB)

#9 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 May 2009 - 06:48 AM

Hey Urbrefstinx,

Use Windows Explorer to find and delete this file:

c:\program files\PurePlayPokerSetup.exe

As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop, or press the Windows key + E.
Double click on Local Disk (C:\)
Double click on the Windows folder.
Right click on badfile.dll and then, from the menu that appears, click on Delete.



We need to check for Rootkits again with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a pop-up window. If you do, click No.
  • Click on the Scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push the Save button and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


I see you have MBAM already.

Please start the program
  • MBAM will start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Post the log (do not attach it) in your next reply. :thumbup2:
m0le is a proud member of UNITE

#10 urbrefstinx (Topic Starter, Members, 7 posts)

Posted 07 May 2009 - 06:17 AM

I did find the pureplay application and deleted it, thank you! Here is my GMER log:


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-06 19:31:00
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 82C26710 ZwAlertResumeThread
SSDT 82C28438 ZwAlertThread
SSDT 82DE6878 ZwAllocateVirtualMemory
SSDT 82C1F998 ZwAssignProcessToJobObject
SSDT 82C421A8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF406E040]
SSDT 82B6CA18 ZwCreateMutant
SSDT 82B55828 ZwCreateSymbolicLinkObject
SSDT 82E3FF88 ZwCreateThread
SSDT 82C1FA70 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF406E2C0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF406E820]
SSDT 82C60B28 ZwDuplicateObject
SSDT 82CB9CF0 ZwFreeVirtualMemory
SSDT 82C24FD0 ZwImpersonateAnonymousToken
SSDT 82C25EC8 ZwImpersonateThread
SSDT 82931340 ZwLoadDriver
SSDT 82E00F20 ZwMapViewOfSection
SSDT 82C24180 ZwOpenEvent
SSDT 82C2CDE0 ZwOpenProcess
SSDT 82E260F0 ZwOpenProcessToken
SSDT 82C1E860 ZwOpenSection
SSDT 82BA5A40 ZwOpenThread
SSDT 82E58B18 ZwProtectVirtualMemory
SSDT 82E0DC90 ZwResumeThread
SSDT 82C2D520 ZwSetContextThread
SSDT 82BB70C8 ZwSetInformationProcess
SSDT 82C1FB48 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF406EA70]
SSDT 82C1EF30 ZwSuspendProcess
SSDT 82C29838 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF3F46DF0]
SSDT 82C2D0C0 ZwTerminateThread
SSDT 82C2F510 ZwUnmapViewOfSection
SSDT 82D60C90 ZwWriteVirtualMemory

Code \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 150 804E27AC 4 Bytes CALL 70081BB7
.text ntoskrnl.exe!_abnormal_termination + 240 804E289C 4 Bytes CALL 7023AB62
? SYMEFA.SYS The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
? C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[3052] kernel32.dll!VirtualProtect + 1C 7C801AF0 7 Bytes JMP 04920034
.text C:\Program Files\internet explorer\iexplore.exe[3052] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3052] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 40A51777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3052] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 40A516F8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3052] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 40A5173C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3052] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 40A51684 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3052] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 40A516BE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3052] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 40A517B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3052] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3052] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 049200B8
.text C:\Program Files\internet explorer\iexplore.exe[3052] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 0492013F
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3464] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Windows Live Messenger/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----


The following is my MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 2085
Windows 5.1.2600 Service Pack 3

5/7/2009 7:01:09 AM
mbam-log-2009-05-07 (07-01-09).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 181885
Time elapsed: 1 hour(s), 32 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
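As an added example that is not part of the thread, here is a small Python triage script for the SSDT section of a GMER log like the one posted above. It separates hooks GMER resolved to a driver on disk (which can be vetted by the vendor named in the description) from hooks reported only as a bare kernel address, and measures how tightly the bare addresses cluster. The sample lines are copied from the GMER log in this post; the line-format regular expressions are assumptions based on GMER 1.0.15 output, and the script makes no verdict about whether any hook is malicious.

```python
"""Triage the SSDT section of a GMER rootkit-scan log.

Added example: this is not part of the forum thread. GMER prints one line per
hooked System Service Descriptor Table entry in one of two shapes:

    SSDT <8-hex-digit address> <Zw* service>                         (bare)
    SSDT <driver path> (<description>/<vendor>) <Zw* service> [0x..] (resolved)

A resolved hook can be vetted by the vendor named in the description; a bare
address means GMER could not map the hook target to any loaded module, which
is how a kernel rootkit looks, but also how some security products look.
The line-format regexes below are assumptions based on GMER 1.0.15 output.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Resolved form: path (ending in .sys) + parenthesised description + service + [0xADDR]
SSDT_RESOLVED = re.compile(
    r"^SSDT\s+(?P<path>\\\?\?\\.*?\.(?:sys|SYS))\s+"
    r"\((?P<desc>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$"
)
# Bare form: an 8-digit kernel address GMER could not attribute to a module
SSDT_BARE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)$")


@dataclass
class Hook:
    func: str              # hooked native service, e.g. ZwOpenProcess
    addr: int              # hook target address
    module: Optional[str]  # driver path, or None for a bare hook
    vendor: Optional[str]  # text after the last '/' in GMER's description


def parse_ssdt(log_text: str) -> list[Hook]:
    """Return every SSDT hook in a GMER log; other sections are ignored."""
    hooks: list[Hook] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SSDT_RESOLVED.match(line)
        if m:
            desc = m.group("desc")
            vendor = desc.rsplit("/", 1)[-1].strip()
            hooks.append(Hook(m.group("func"), int(m.group("addr"), 16),
                              m.group("path"), vendor))
            continue
        m = SSDT_BARE.match(line)
        if m:
            hooks.append(Hook(m.group("func"), int(m.group("addr"), 16), None, None))
    return hooks


def summarize(hooks: list[Hook]) -> dict:
    """Split hooks into vendor-attributed and bare, and measure the bare cluster."""
    by_vendor: dict[str, list[str]] = defaultdict(list)
    bare = [h for h in hooks if h.module is None]
    for h in hooks:
        if h.module is not None:
            by_vendor[h.vendor].append(h.func)
    addrs = [h.addr for h in bare]
    return {
        "resolved": {v: sorted(f) for v, f in by_vendor.items()},
        "bare": sorted(h.func for h in bare),
        # lowest and highest bare target: a tight span suggests one driver image
        "bare_span": (min(addrs), max(addrs)) if addrs else None,
    }


# Constructed sample: a subset of SSDT lines copied from the GMER log posted above.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 82C26710 ZwAlertResumeThread
SSDT 82DE6878 ZwAllocateVirtualMemory
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF406E040]
SSDT 82931340 ZwLoadDriver
SSDT 82C2CDE0 ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF406EA70]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF3F46DF0]
SSDT 82D60C90 ZwWriteVirtualMemory

Code \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys pIofCallDriver
"""

if __name__ == "__main__":
    report = summarize(parse_ssdt(SAMPLE_LOG))
    for vendor, funcs in report["resolved"].items():
        print(f"{vendor}: {', '.join(funcs)}")
    lo, hi = report["bare_span"]
    print(f"bare hooks ({len(report['bare'])}): {', '.join(report['bare'])}")
    print(f"bare targets span 0x{lo:08X}-0x{hi:08X} ({hi - lo} bytes)")
```

Run against the full log above, the two resolved vendors are both security products already installed on the machine (Symantec and SUPERAntiSpyware), and the bare hooks all fall inside one window of roughly 5 MB in the 0x82xxxxxx kernel range. That span is the thing to compare against the load addresses of the security drivers present before treating the bare entries as rootkit hooks; the MBAM log that follows shows the one item it did remove, a leftover service key.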

#11 m0le ("Can U Dig It?", Malware Response Team, 34,527 posts, London, UK)

Posted 09 May 2009 - 04:51 AM

Hi Urbrefstinx,

Looks like MBAM has shifted the rootkit and that means...

Your log is clean. Good stuff! :thumbup2:

Let's firstly do some housekeeping.

Delete ComboFix and Clean Up
Click Start > Run and type combofix /u, then click OK (note the space between combofix and /u).
Please advise if this step is missed for any reason, as it performs some important actions.

Please download OTCleanIt and save it to Desktop.
Make sure you have an internet connection.
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Here's a list of ways you can avoid problems in the future:

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it, happy surfing!

Cheers,


m0le

#12 urbrefstinx (Topic Starter, Members, 7 posts)

Posted 10 May 2009 - 11:37 PM

M0le, your help was soooo appreciated! Thank you for taking the time to help me. You and the rest of the HJT Team are true philanthropists, and people like me who get junk on their CPUs are forever grateful.
I ran a MBAM full scan and nothing showed up. I followed your instructions above, and so far so good!
Take Care,
Urb

:) :thumbup2:


#13 m0le ("Can U Dig It?", Malware Response Team, 34,527 posts, London, UK)

Posted 11 May 2009 - 02:52 AM

You're welcome Urbrefstinx :thumbup2:

#14 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 14 May 2009 - 06:59 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.



