
BSOD, Google redirect, USB ports dead, and more...


23 replies to this topic

#1 snowdude

snowdude

  • Members
  • 21 posts
  • OFFLINE
  • Local time:01:41 PM

Posted 11 May 2009 - 04:23 PM

I am somewhat of a novice around computers, but I'll try to give you the best info I can; if you need more, just ask. I have a 2004 Dell Dimension E310, 512 MB RAM, Windows XP Media Center Edition.

My computer over the past few days has been reduced to a very slow internet-surfing slug. I can't sync my iPod, can't use my printer, can't upload pictures and videos off my camera, and can't save anything to flash drives.

It also has a Google redirect virus, only on Internet Explorer and Firefox (I'm using Safari with no problems other than it's slow). A Freecorder toolbar was installed on those two browsers; it has since been deleted, but I still have problems.

When I plug in an iPod it just shows "Safely remove USB mass storage device". My printer does not respond when I try to print.

I have had several BSODs, all saying the driver that crashed was "DRIVER_IRQL_NOT_LESS_OR_EQUAL".

I run Windows Defender, Microsoft automatic updates, Trend Micro PC-cillin Internet Security 12, and use Malwarebytes Anti-Malware for scanning also.

After scanning in safe mode, each comes up with a few viruses and I delete them.

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:44 PM, on 5/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Icecast2 Win32\icecastService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\iTunes\iTunes.exe
\?\globalroot\C:\WINDOWS\system32\rundll32.exe
C:\Program Files\mIRC\mirc.exe
C:\Documents and Settings\Ben Gorecki\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runescape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2903424687-413595299-928397023-1005\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (User 'Scott Gorecki')
O4 - HKUS\S-1-5-21-2903424687-413595299-928397023-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Scott Gorecki')
O4 - HKUS\S-1-5-21-2903424687-413595299-928397023-1005\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (User 'Scott Gorecki')
O4 - HKUS\S-1-5-21-2903424687-413595299-928397023-1005\..\Run: [Diagnostic Manager] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\3093983762.exe (User 'Scott Gorecki')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - S-1-5-18 Startup: ChkDisk.dll (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.dll (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?USB
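An added triage example, not code from the thread and not HijackThis' own logic: a small Python parser that reads the "Running processes" list and the O4 autorun lines from a log like the one above and flags the patterns a malware helper checks first (binaries started from a Temp folder, rundll32 loading a DLL from outside the Windows directory, a process path that HijackThis could not resolve, DLLs and unresolved shortcuts in Startup folders, and one export name served by differently named DLLs). The sample log is constructed from a few lines of the log above; the rules are heuristics and every hit is a "look closer", not an automatic verdict.

```python
"""Triage helper for HijackThis-style logs (added example, heuristic rules)."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
\?\globalroot\C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKUS\S-1-5-21-2903424687-413595299-928397023-1005\..\Run: [Diagnostic Manager] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\3093983762.exe (User 'Scott Gorecki')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - S-1-5-18 Startup: ChkDisk.dll (User 'SYSTEM')
O4 - Startup: ChkDisk.lnk = ?USB
"""

WINDOWS_DIR = r"c:\windows"

# O4 line: location, optional [name], command, optional trailing (User '...').
O4_RE = re.compile(
    r"^O4 - (?P<loc>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)


def parse_log(text):
    """Return (process paths, O4 entries as dicts) from a HijackThis log."""
    processes, autoruns = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            autoruns.append(m.groupdict())
    return processes, autoruns


def split_rundll32(cmd):
    """Return (dll path, export name) if cmd runs a DLL via rundll32, else None."""
    parts = cmd.replace('"', "").split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in ("rundll32", "rundll32.exe"):
        return None
    dll, _, export = parts[1].partition(",")
    return dll.strip(), export.strip()


def triage(text):
    """Return (entry, reason) pairs for the lines that merit a closer look."""
    processes, autoruns = parse_log(text)
    findings = []
    for proc in processes:
        # HijackThis prints this prefix when it cannot resolve the file on disk.
        if proc.lower().lstrip("\\").startswith("?\\globalroot"):
            findings.append((proc, "process path via \\?\\globalroot; file not resolvable"))
    export_users = defaultdict(set)   # export name -> DLL paths that use it
    for entry in autoruns:
        cmd = entry["cmd"]
        low = cmd.lower()
        if "\\temp\\" in low:
            findings.append((cmd, "autorun launched from a Temp folder"))
        rd = split_rundll32(cmd)
        if rd:
            dll, export = rd
            if not dll.lower().startswith(WINDOWS_DIR):
                findings.append((cmd, "rundll32 loads a DLL from outside the Windows directory"))
            if export:
                export_users[export.lower()].add(dll.lower())
        if entry["loc"].lower().endswith("startup"):
            if low.endswith(".dll"):
                findings.append((cmd, "DLL in a Startup folder; it needs a loader, look for one"))
            if "= ?" in cmd:
                findings.append((cmd, "Startup shortcut whose target could not be resolved"))
    # One export served by differently named DLLs is usually one loader under aliases.
    for export, dlls in export_users.items():
        if len(dlls) > 1:
            for entry in autoruns:
                rd = split_rundll32(entry["cmd"])
                if rd and rd[1].lower() == export:
                    findings.append((entry["cmd"], f"export {rd[1]} shared by {len(dlls)} DLLs"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

Run against the full log above it leaves the vendor-signed Run entries alone and surfaces the Temp executable, the `protect.dll`/`autochk.dll` pair sharing `_IWMPEvents@16`, the `ChkDisk` Startup items, and the `\?\globalroot` rundll32 process.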


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:41 PM

Posted 12 May 2009 - 05:50 PM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 snowdude

snowdude
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:01:41 PM

Posted 17 May 2009 - 10:19 PM

OTListIt logfile created on: 5/17/2009 10:13:26 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\DOCUME~1\BENGOR~1\LOCALS~1\Temp\Saf10.tmp
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.07 Mb Total Physical Memory | 145.23 Mb Available Physical Memory | 28.93% Memory free
1.20 Gb Paging File | 0.72 Gb Available in Paging File | 60.31% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.82 Gb Total Space | 29.10 Gb Free Space | 41.68% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DD21PZ81
Current User Name: Ben
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2006/11/03 19:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2009/04/27 20:12:15 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2005/08/30 17:30:26 | 00,823,362 | ---- | M] (Trend Micro Incorporated.) -- C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
PRC - [2009/04/02 16:11:02 | 00,342,312 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2005/06/10 11:44:02 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2003/09/03 21:12:44 | 00,221,184 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
PRC - [2008/08/13 18:32:40 | 00,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2006/04/11 19:39:22 | 00,176,201 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
PRC - [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2005/10/11 09:40:32 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe
PRC - [2005/08/05 14:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe
PRC - [2005/11/30 11:38:10 | 00,393,216 | ---- | M] () -- C:\Program Files\Icecast2 Win32\icecastService.exe
PRC - [2009/04/27 20:12:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2006/09/04 20:54:44 | 00,880,722 | ---- | M] (Trend Micro Incorporated.) -- C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
PRC - [2008/08/13 18:32:40 | 00,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2005/08/30 17:30:32 | 00,290,889 | ---- | M] (Trend Micro Incorporated.) -- C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
PRC - [2005/08/30 17:30:34 | 00,262,215 | ---- | M] (Trend Micro Inc.) -- C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
PRC - [2005/08/05 14:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe
PRC - [2005/08/30 17:30:34 | 00,585,792 | ---- | M] (Trend Micro Inc.) -- C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
PRC - [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/04/02 16:10:58 | 13,646,632 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe
PRC - [2007/11/01 14:57:24 | 02,756,096 | ---- | M] (mIRC Co. Ltd.) -- C:\Program Files\mIRC\mirc.exe
PRC - File not found -- \?\globalroot\C:\WINDOWS\system32\rundll32.exe
PRC - [2009/01/29 14:08:38 | 03,583,272 | ---- | M] (Apple Inc.) -- C:\Program Files\Safari\Safari.exe
PRC - [2009/05/17 22:13:20 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\DOCUME~1\BENGOR~1\LOCALS~1\Temp\Saf10.tmp\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2005/06/21 09:19:38 | 00,491,520 | ---- | M] () -- C:\WINDOWS\system32\dlcccoms.exe -- (dlcc_device [Disabled | Stopped])
SRV - [2007/03/07 15:47:46 | 00,076,848 | ---- | M] () -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService [On_Demand | Stopped])
SRV - [2005/10/11 09:40:32 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe -- (ehRecvr [Auto | Running])
SRV - [2005/08/05 14:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe -- (ehSched [Auto | Running])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/11/30 11:38:10 | 00,393,216 | ---- | M] () -- C:\Program Files\Icecast2 Win32\icecastService.exe -- (Icecast [Auto | Running])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/04/27 20:12:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2005/08/05 14:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe -- (McrdSvc [Auto | Running])
SRV - [2004/08/10 05:11:50 | 00,085,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mhn.dll -- (MHN [On_Demand | Stopped])
SRV - [2004/11/19 12:26:40 | 00,147,456 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- (NetSvc [On_Demand | Stopped])
SRV - [2006/09/04 20:54:44 | 00,880,722 | ---- | M] (Trend Micro Incorporated.) -- C:\Program Files\Trend Micro\Internet Security 12\PcCtlCom.exe -- (PcCtlCom [Auto | Running])
SRV - [2008/08/13 18:32:40 | 00,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter [Auto | Running])
SRV - [2005/08/30 17:30:32 | 00,290,889 | ---- | M] (Trend Micro Incorporated.) -- C:\Program Files\Trend Micro\Internet Security 12\Tmntsrv.exe -- (Tmntsrv [Auto | Running])
SRV - [2005/08/30 17:30:34 | 00,585,792 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 12\TmPfw.exe -- (TmPfw [Auto | Running])
SRV - [2005/08/30 17:30:34 | 00,262,215 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 12\tmproxy.exe -- (tmproxy [Auto | Running])
SRV - [2005/08/03 20:05:55 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [On_Demand | Stopped])
SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])
SRV - [2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2001/08/17 14:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Disabled | Stopped])
DRV - [2008/04/13 13:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])
DRV - [2001/08/17 14:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Disabled | Stopped])
DRV - [2001/08/17 14:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Disabled | Stopped])
DRV - [2001/08/17 14:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Disabled | Stopped])
DRV - [2001/08/17 14:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
DRV - [2004/12/01 04:22:00 | 00,087,488 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb [Boot | Running])
DRV - [2004/11/23 03:56:00 | 00,040,480 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm [Auto | Running])
DRV - [2006/10/05 16:07:28 | 00,004,736 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct [On_Demand | Stopped])
DRV - [2007/02/25 12:10:48 | 00,005,376 | --S- | M] (Gteko Ltd.) -- C:\WINDOWS\system32\DRIVERS\dsunidrv.sys -- (dsunidrv [Auto | Running])
DRV - [2004/10/14 09:30:46 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2008/04/13 11:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005/07/20 00:34:22 | 01,049,180 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2004/03/06 05:14:42 | 01,233,525 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\IntelC51.sys -- (IntelC51 [On_Demand | Running])
DRV - [2004/03/06 05:15:34 | 00,647,929 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\IntelC52.sys -- (IntelC52 [On_Demand | Running])
DRV - [2004/06/16 04:52:40 | 00,061,157 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\IntelC53.sys -- (IntelC53 [On_Demand | Running])
DRV - [2001/08/17 14:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2004/03/06 05:13:38 | 00,037,048 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\mohfilt.sys -- (mohfilt [On_Demand | Running])
DRV - [2001/08/17 14:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Disabled | Stopped])
DRV - [2004/08/03 23:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Stopped])
DRV - [2004/08/10 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2006/10/29 15:32:15 | 00,036,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2001/08/17 14:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Disabled | Stopped])
DRV - [2001/08/17 14:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Disabled | Stopped])
DRV - [2001/08/17 14:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Disabled | Stopped])
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [Auto | Running])
DRV - [2008/04/13 13:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])
DRV - [2001/08/17 15:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Disabled | Stopped])
DRV - [2007/08/24 11:30:34 | 00,038,656 | ---- | M] (Service & Quality Technology.) -- C:\WINDOWS\System32\Drivers\Capt905c.sys -- (SQTECH905C [On_Demand | Stopped])
DRV - [2004/07/14 12:29:04 | 00,005,627 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5 [System | Running])
DRV - [2004/07/14 12:28:50 | 00,023,545 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln [System | Running])
DRV - [2005/08/17 07:41:08 | 01,022,040 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA [On_Demand | Running])
DRV - [2001/08/17 15:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Disabled | Stopped])
DRV - [2001/08/17 15:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Disabled | Stopped])
DRV - [2001/08/17 15:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Disabled | Stopped])
DRV - [2001/08/17 15:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
DRV - [2004/12/06 02:05:00 | 00,025,883 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio [Auto | Running])
DRV - [2004/12/06 02:05:00 | 00,034,843 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs [Auto | Running])
DRV - [2004/12/06 02:05:00 | 00,004,123 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct [Auto | Running])
DRV - [2004/12/06 02:05:00 | 00,002,239 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres [Auto | Running])
DRV - [2004/12/06 02:05:00 | 00,086,586 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs [Auto | Running])
DRV - [2004/12/06 02:05:00 | 00,015,227 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio [Auto | Running])
DRV - [2004/12/06 02:05:00 | 00,006,363 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool [Auto | Running])
DRV - [2004/12/06 02:05:00 | 00,098,714 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf [Auto | Running])
DRV - [2004/12/06 02:05:00 | 00,100,603 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa [Auto | Running])
DRV - [2007/07/26 15:48:30 | 00,076,560 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm [Auto | Running])
DRV - [2008/11/26 18:42:42 | 00,205,328 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\TmXPFlt.sys -- (Tmfilter [Auto | Running])
DRV - [2008/11/26 18:42:40 | 00,036,368 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\Tmpreflt.sys -- (Tmpreflt [Auto | Running])
DRV - [2005/08/30 17:30:38 | 00,038,528 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\Drivers\tmtdi.sys -- (tmtdi [System | Running])
DRV - [2005/08/30 17:30:38 | 01,884,585 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\Drivers\tm_cfw.sys -- (tm_cfw [Auto | Running])
DRV - [2001/08/17 14:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Disabled | Stopped])
DRV - [2009/03/26 15:23:46 | 00,036,864 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2008/11/26 18:39:56 | 01,195,384 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\Vsapint.sys -- (Vsapint [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2903424687-413595299-928397023-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2903424687-413595299-928397023-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-2903424687-413595299-928397023-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
IE - HKU\S-1-5-21-2903424687-413595299-928397023-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-2903424687-413595299-928397023-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-2903424687-413595299-928397023-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.runescape.com/
IE - HKU\S-1-5-21-2903424687-413595299-928397023-1006\SOFTWARE\Microsoft\Internet Explorer\Search,AutoSearch = http://ie.search.msn.com/{SUB_RFC1766}/src...autosearch.aspx
IE - HKU\S-1-5-21-2903424687-413595299-928397023-1006\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKU\S-1-5-21-2903424687-413595299-928397023-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKU\S-1-5-21-2903424687-413595299-928397023-1006\S-1-5-21-2903424687-413595299-928397023-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2903424687-413595299-928397023-1006\S-1-5-21-2903424687-413595299-928397023-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig?hl=en&btnG=Google+Search&source=iglk"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {3E3D2A56-D722-44D3-A6EE-BD127472B416}:1.0
FF - prefs.js..extensions.enabledItems: {24342D20-5E1D-485B-BB4E-8E1BC0DDA562}:1.0
FF - prefs.js..extensions.enabledItems: {31CFD498-3354-49F1-9A33-000F9DF16519}:1.0
FF - prefs.js..extensions.enabledItems: {D2436355-8404-4064-A5C5-E38A7A6D10E2}:1.0
FF - prefs.js..extensions.enabledItems: {8E06E784-982E-4745-BB58-F4E4FC87E1E9}:1.0
FF - prefs.js..extensions.enabledItems: {2BAE87D6-E067-405E-A7F9-4F048213AF26}:1.0
FF - prefs.js..extensions.enabledItems: {646978B9-817A-4D43-A24D-BF4A171D0F7C}:1.0
FF - prefs.js..extensions.enabledItems: {61B0AD53-E63D-40DE-853F-7A1E682E85C3}:1.0
FF - prefs.js..extensions.enabledItems: {BDE62BBD-8B56-4161-9259-3F29893299A0}:1.0
FF - prefs.js..extensions.enabledItems: {32770CC6-E49D-4050-A3DC-6CE06E0971EA}:1.0
FF - prefs.js..extensions.enabledItems: {027C3794-D375-460D-8999-BF2B926EFD21}:1.0
FF - prefs.js..extensions.enabledItems: {2A6C8E43-9311-4CC3-B332-08C76AC82701}:1.0
FF - prefs.js..extensions.enabledItems: {7DC041A9-D903-4CCC-B2DB-04523AF0A019}:1.0
FF - prefs.js..extensions.enabledItems: {BCB5D61B-DB33-4232-9E3C-73F8F3B9E30C}:1.0
FF - prefs.js..extensions.enabledItems: {BE756790-69B5-40A2-AAB8-8D7F23C6BD9B}:1.0
FF - prefs.js..extensions.enabledItems: {A3C2AB93-C900-4BF5-B736-4BCEEB934492}:1.0
FF - prefs.js..extensions.enabledItems: {95BCC7BC-0561-42AC-A54C-0F0D218B7F25}:1.0
FF - prefs.js..extensions.enabledItems: {1BAA9CC8-A9E3-485D-B902-2B6E4722C4D0}:1.0
FF - prefs.js..extensions.enabledItems: {1E05EA4B-D012-48BF-876B-48DD0E164F20}:1.0
FF - prefs.js..extensions.enabledItems: {4B855F9A-1905-4EB7-9802-DD2CB0D4EE46}:1.0
FF - prefs.js..extensions.enabledItems: {E2F693E9-2D47-461D-96FD-D216065733A7}:1.0
FF - prefs.js..extensions.enabledItems: {FC37D187-8E58-497E-8365-E032A625FB4A}:1.0
FF - prefs.js..extensions.enabledItems: {285C151F-5E13-4971-9722-AC35702BAEBC}:1.0
FF - prefs.js..extensions.enabledItems: {2CB43BB8-D3B2-41AD-B887-C8B657FE3AA3}:1.0
FF - prefs.js..extensions.enabledItems: {2D0FC415-463A-400B-8484-ACFDD4BAA668}:1.0
FF - prefs.js..extensions.enabledItems: {4A6B546F-8812-485E-B72F-918ED601C6ED}:1.0
FF - prefs.js..extensions.enabledItems: {951037DB-334A-4133-A49E-457B7FC816D2}:1.0
FF - prefs.js..extensions.enabledItems: {36C5AA66-9396-4FC6-832C-65C6250A63E2}:1.0
FF - prefs.js..extensions.enabledItems: {E9A1DEE0-C623-4439-8932-001E7D17607D}:2.1.0.7
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/05/17 11:58:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/05/10 18:59:39 | 00,000,000 | ---D | M]

[2008/08/30 23:16:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben Gorecki\Application Data\mozilla\Extensions
[2008/08/30 23:16:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben Gorecki\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/17 22:05:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben Gorecki\Application Data\mozilla\Firefox\Profiles\g2zemlti.default\extensions
[2009/05/17 22:03:18 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/05/08 11:51:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{027C3794-D375-460D-8999-BF2B926EFD21}
[2009/05/11 22:27:47 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{1BAA9CC8-A9E3-485D-B902-2B6E4722C4D0}
[2009/05/11 19:18:53 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{1E05EA4B-D012-48BF-876B-48DD0E164F20}
[2009/04/28 22:28:37 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{24342D20-5E1D-485B-BB4E-8E1BC0DDA562}
[2009/05/15 18:49:59 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{285C151F-5E13-4971-9722-AC35702BAEBC}
[2009/05/08 12:23:52 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{2A6C8E43-9311-4CC3-B332-08C76AC82701}
[2009/05/02 21:05:17 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{2BAE87D6-E067-405E-A7F9-4F048213AF26}
[2009/05/15 07:33:38 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{2CB43BB8-D3B2-41AD-B887-C8B657FE3AA3}
[2009/05/14 15:50:10 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{2D0FC415-463A-400B-8484-ACFDD4BAA668}
[2009/04/29 13:47:44 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{31CFD498-3354-49F1-9A33-000F9DF16519}
[2009/05/05 23:19:47 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{32770CC6-E49D-4050-A3DC-6CE06E0971EA}
[2009/05/15 23:25:10 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{36C5AA66-9396-4FC6-832C-65C6250A63E2}
[2009/04/26 19:43:08 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{3E3D2A56-D722-44D3-A6EE-BD127472B416}
[2009/05/14 11:59:49 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{4A6B546F-8812-485E-B72F-918ED601C6ED}
[2009/05/13 13:52:34 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{4B855F9A-1905-4EB7-9802-DD2CB0D4EE46}
[2008/03/12 20:55:25 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{4f8c2ab4-ec14-446f-aa39-24ed99cd1bdf}
[2009/05/04 14:19:40 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{61B0AD53-E63D-40DE-853F-7A1E682E85C3}
[2009/05/01 21:26:28 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{646978B9-817A-4D43-A24D-BF4A171D0F7C}
[2009/05/08 12:40:13 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{7DC041A9-D903-4CCC-B2DB-04523AF0A019}
[2009/04/30 18:28:05 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{8E06E784-982E-4745-BB58-F4E4FC87E1E9}
[2009/05/14 22:51:26 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{951037DB-334A-4133-A49E-457B7FC816D2}
[2009/05/11 14:17:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{95BCC7BC-0561-42AC-A54C-0F0D218B7F25}
[2008/03/12 20:55:26 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{9623a6ff-1210-4d2b-952b-24c2e9d568d7}
[2009/04/29 21:44:23 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/05/09 12:01:46 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{A3C2AB93-C900-4BF5-B736-4BCEEB934492}
[2009/05/08 13:05:38 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{BCB5D61B-DB33-4232-9E3C-73F8F3B9E30C}
[2009/05/04 07:13:07 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{BDE62BBD-8B56-4161-9259-3F29893299A0}
[2009/05/08 12:18:18 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{BE756790-69B5-40A2-AAB8-8D7F23C6BD9B}
[2008/03/24 10:43:42 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2008/07/25 13:22:58 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/04/27 20:12:40 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/04/29 17:50:09 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{D2436355-8404-4064-A5C5-E38A7A6D10E2}
[2009/05/13 09:43:30 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{E2F693E9-2D47-461D-96FD-D216065733A7}
[2009/05/12 22:46:31 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{FC37D187-8E58-497E-8365-E032A625FB4A}
[2009/04/29 21:44:18 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/29 21:44:18 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/07/02 11:31:38 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/07/02 11:31:38 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/07/02 11:31:38 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/11/13 19:11:26 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/07/02 11:31:38 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/07/02 11:31:38 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml

O1 HOSTS File: (0 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O3 - HKU\S-1-5-21-2903424687-413595299-928397023-1006\..\Toolbar\WebBrowser: (no name) - {3E9D340B-D614-4854-AE06-4218201F6AAE} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-21-2903424687-413595299-928397023-1006\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-21-2903424687-413595299-928397023-1006\..\Toolbar\WebBrowser: (no name) - {F4D76F09-7896-458A-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL File not found
O4 - HKLM..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16 ( )
O4 - HKLM..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter (SupportSoft, Inc.)
O4 - HKLM..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" (Trend Micro Incorporated.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [] C:\WINDOWS\TEMP\ycdxg0qamh.exe ()
O4 - HKU\.DEFAULT..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 ( )
O4 - HKU\.DEFAULT..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\232353616.exe ()
O4 - HKU\.DEFAULT..\Run: [SYS32DLL] SYS32DLL File not found
O4 - HKU\.DEFAULT..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\ycdxg0qamh.exe ()
O4 - HKU\S-1-5-18..\Run: [] C:\WINDOWS\TEMP\ycdxg0qamh.exe ()
O4 - HKU\S-1-5-18..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 ( )
O4 - HKU\S-1-5-18..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\232353616.exe ()
O4 - HKU\S-1-5-18..\Run: [SYS32DLL] SYS32DLL File not found
O4 - HKU\S-1-5-18..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\ycdxg0qamh.exe ()
O4 - HKU\S-1-5-21-2903424687-413595299-928397023-1006..\Run: [autochk] rundll32.exe C:\DOCUME~1\BENGOR~1\protect.dll,_IWMPEvents@16 ( )
O4 - HKU\S-1-5-21-2903424687-413595299-928397023-1006..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (Trend Micro Inc.)
O4 - Startup: C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.dll ( )
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2903424687-413595299-928397023-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2903424687-413595299-928397023-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O7 - HKU\S-1-5-21-2903424687-413595299-928397023-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O7 - HKU\S-1-5-21-2903424687-413595299-928397023-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoUpdate = 1
O7 - HKU\S-1-5-21-2903424687-413595299-928397023-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\S-1-5-21-2903424687-413595299-928397023-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\S-1-5-21-2903424687-413595299-928397023-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: &Search - Reg Error: Value error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O15 - HKLM\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-2903424687-413595299-928397023-1006\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/pub/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} http://simcity.ea.com/update/EARTPX.cab (EARTPatchX Class)
O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} http://simcity3000unlimited.ea.com/telepor...mCity3TeleX.cab (MaxisSimCity3TeleX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} http://thesims.ea.com/teleport/families/Ma...FamilyTeleX.cab (MaxisSimsFamilyTeleX Control)
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} http://simcity.ea.com/play/classic/SimCityX.cab (SimCityX Control)
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab (MaxisSimCity4PatcherX Control)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.4.2/jinstall-...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 05:43:04 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O33 - MountPoints2\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\Shell\AutoRun\command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\Shell\Shell00\Command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\Shell\Shell01\Command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\Shell\Shell02\Command - "" = F:\Autorun.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/05/17 18:37:11 | 00,023,552 | -HS- | C] ( ) -- C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.dll
[2009/05/17 18:37:11 | 00,000,655 | -HS- | C] () -- C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.lnk
[2009/05/17 18:37:10 | 00,028,672 | ---- | C] ( ) -- C:\WINDOWS\System32\lmn_setup.exe
[2009/05/17 18:37:10 | 00,023,552 | -HS- | C] ( ) -- C:\WINDOWS\System32\autochk.dll
[2009/05/17 11:57:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\Ask & Record Toolbar
[2009/05/12 18:52:43 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/05/12 18:51:32 | 24,699,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/07 22:24:13 | 00,162,336 | ---- | C] () -- C:\Documents and Settings\Ben Gorecki\My Documents\Newest021.jpg
[2009/05/03 21:24:40 | 00,000,104 | ---- | C] () -- C:\Documents and Settings\Ben Gorecki\My Documents\Shortcut to Recycle Bin.lnk
[2009/04/28 22:22:50 | 00,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\userinit.exe
[2009/04/27 23:27:41 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2009/04/27 19:08:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2009/04/27 09:56:15 | 00,000,001 | ---- | C] () -- C:\WINDOWS\System32\uniq.tll
[2009/04/19 15:14:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ben Gorecki\Application Data\acccore
[2009/04/19 15:14:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\acccore
[2009/04/09 09:14:05 | 01,408,048 | -HS- | C] () -- C:\WINDOWS\System32\ubebogub.ini
[2009/04/08 21:14:00 | 01,406,156 | -HS- | C] () -- C:\WINDOWS\System32\anerawaj.ini
[2008/06/22 12:59:59 | 00,000,020 | ---- | C] () -- C:\WINDOWS\AllLakeSaver.ini
[2008/04/30 22:28:49 | 00,000,171 | ---- | C] () -- C:\WINDOWS\icecast2.ini
[2008/01/05 17:52:30 | 00,000,399 | ---- | C] () -- C:\WINDOWS\asr.INI
[2007/11/28 19:49:00 | 00,000,168 | ---- | C] () -- C:\WINDOWS\psr.INI
[2006/08/31 20:57:44 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/01/11 17:57:12 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Textart.INI
[2005/12/25 16:18:01 | 00,004,184 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2005/12/25 16:18:01 | 00,000,104 | RHS- | C] () -- C:\WINDOWS\System32\1490F3F7DA.sys
[2005/12/10 14:28:50 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/12/10 14:19:59 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/12/10 13:51:02 | 01,183,744 | ---- | C] () -- C:\WINDOWS\System32\dlccserv.dll
[2005/12/10 13:51:02 | 01,134,592 | ---- | C] () -- C:\WINDOWS\System32\dlccusb1.dll
[2005/12/10 13:51:02 | 00,638,976 | ---- | C] () -- C:\WINDOWS\System32\dlccpmui.dll
[2005/12/10 13:51:02 | 00,430,080 | ---- | C] () -- C:\WINDOWS\System32\dlccutil.dll
[2005/12/10 13:51:02 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\dlccprox.dll
[2005/12/10 13:51:02 | 00,131,072 | ---- | C] () -- C:\WINDOWS\System32\dlccjswr.dll
[2005/12/10 13:51:02 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\dlccpplc.dll
[2005/12/10 13:51:02 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlccinsr.dll
[2005/12/10 13:51:02 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlccvs.dll
[2005/12/10 13:51:02 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcccur.dll
[2005/12/10 13:51:00 | 00,770,048 | ---- | C] () -- C:\WINDOWS\System32\dlcchbn3.dll
[2005/12/10 13:51:00 | 00,704,512 | ---- | C] () -- C:\WINDOWS\System32\dlcccomc.dll
[2005/12/10 13:51:00 | 00,483,328 | ---- | C] () -- C:\WINDOWS\System32\dlcclmpm.dll
[2005/12/10 13:51:00 | 00,413,696 | ---- | C] () -- C:\WINDOWS\System32\dlcccomm.dll
[2005/12/10 13:51:00 | 00,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlccinsb.dll
[2005/12/10 13:51:00 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\dlccins.dll
[2005/12/10 13:51:00 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcccub.dll
[2005/12/10 13:51:00 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcccu.dll
[2005/12/10 13:50:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\dlcccfg.dll
[2005/12/10 13:50:00 | 00,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/08/16 05:37:24 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 05:18:43 | 00,000,550 | ---- | C] () -- C:\WINDOWS\win.ini
[2005/08/16 05:18:41 | 00,000,256 | ---- | C] () -- C:\WINDOWS\system.ini
[2005/08/05 15:01:54 | 00,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/08/02 15:00:16 | 00,000,611 | ---- | C] () -- C:\WINDOWS\System32\dlccplc.ini
[2005/04/09 18:04:54 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2002/02/27 17:50:00 | 00,197,120 | ---- | C] () -- C:\WINDOWS\System32\patchw32.dll
[2000/01/28 01:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/05/17 22:15:00 | 00,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{461DEAF6-0A8F-4BD1-902F-084F1C17583B}.job
[2009/05/17 22:04:12 | 00,028,672 | ---- | M] ( ) -- C:\WINDOWS\System32\lmn_setup.exe
[2009/05/17 21:52:23 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/05/17 21:51:38 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/17 21:49:17 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/17 21:49:16 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Ben Gorecki\Local Settings\desktop.ini
[2009/05/17 21:49:10 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/17 21:40:35 | 00,000,950 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2903424687-413595299-928397023-1006.job
[2009/05/17 21:39:47 | 00,023,552 | -HS- | M] ( ) -- C:\WINDOWS\System32\autochk.dll
[2009/05/17 18:37:12 | 00,000,655 | -HS- | M] () -- C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.lnk
[2009/05/17 18:37:11 | 00,023,552 | -HS- | M] ( ) -- C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.dll
[2009/05/16 23:52:17 | 00,004,184 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/05/16 23:52:08 | 00,000,104 | RHS- | M] () -- C:\WINDOWS\System32\1490F3F7DA.sys
[2009/05/16 23:08:49 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\null
[2009/05/16 20:35:49 | 00,000,550 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/05/16 20:35:49 | 00,000,256 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/05/16 20:35:49 | 00,000,209 | RHS- | M] () -- C:\boot.ini
[2009/05/12 18:52:43 | 00,000,118 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/05/09 08:17:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/05/07 22:24:13 | 00,162,336 | ---- | M] () -- C:\Documents and Settings\Ben Gorecki\My Documents\Newest021.jpg
[2009/05/07 00:16:30 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/03 21:22:53 | 00,000,104 | ---- | M] () -- C:\Documents and Settings\Ben Gorecki\My Documents\Shortcut to Recycle Bin.lnk
[2009/04/27 09:56:15 | 00,000,001 | ---- | M] () -- C:\WINDOWS\System32\uniq.tll
[2009/04/26 22:44:56 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\winadase
[2009/04/19 15:14:31 | 00,001,903 | -H-- | M] () -- C:\IPH.PH

========== Alternate Data Streams ==========

@Alternate Data Stream - 456 bytes -> C:\WINDOWS\System32\drivers\zehvhatf.sys:changelist
@Alternate Data Stream - 356 bytes -> C:\WINDOWS\System32\drivers\okhfehgu.sys:changelist
@Alternate Data Stream - 356 bytes -> C:\WINDOWS\System32\drivers\cqkmrsoj.sys:changelist
< End of report >

------------------------------------------------------------------------

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-17 22:18:00
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 82D74260 ZwEnumerateKey
Code 82759B70 ZwFlushInstructionCache
Code 8275EE16 IofCallDriver
Code 8276C9BE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8275EE1B
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8276C9C3
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 82759B74
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 82D74264

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)

Device \FileSystem\Fastfat \Fat A7985D20

AttachedDevice \FileSystem\Fastfat \Fat Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----


Edited by snowdude, 17 May 2009 - 10:21 PM.
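
The OTL log above is read by eye for a handful of patterns: Run entries whose target has no version information, binaries launched from TEMP, rundll32 pulling an export out of an unsigned DLL, autostarts written into the SYSTEM and .DEFAULT user hives, a DLL planted in the Startup folder, and policies that switch off Task Manager or the registry editor. The following script, added here as an illustration and not part of this thread, of OTListIt2 or of any tool the replies use, applies those same heuristics to O4/O6/O7 lines and renders the hits in the shape of an :OTLI fix section. The sample lines are copied from the log above (plus one benign iTunes entry and the XP-default AutoRun policy so the checks can be seen leaving ordinary entries alone); the regexes, reason strings and function names are this example's own assumptions, and it does not look at the Alternate Data Streams or the GMER hook lines.

```python
"""Triage OTListIt2 (OTL) startup lines for the patterns a removal helper looks for.

Added example for this thread; not part of OTL, GMER or any tool used in the replies.
The regexes, reason strings and thresholds below are this example's own assumptions.
"""
import re

# Constructed sample input: O4/O7 lines copied from the OTL log posted above, plus a
# benign iTunes Run entry and the Windows XP default NoDriveTypeAutoRun policy, so the
# checks can be seen leaving ordinary entries alone.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16 ( )
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKU\.DEFAULT..\Run: [] C:\WINDOWS\TEMP\ycdxg0qamh.exe ()
O4 - HKU\S-1-5-18..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\232353616.exe ()
O4 - HKU\S-1-5-18..\Run: [SYS32DLL] SYS32DLL File not found
O4 - Startup: C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.dll ( )
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
"""

# O4 entries: "O4 - <location>: [<value name>] <command> (<publisher>)".  The "[name]"
# part is absent for Startup-folder items and the "(publisher)" part is absent when OTL
# reports "File not found".
O4_RE = re.compile(
    r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*?)\s*(?:\((?P<pub>[^)]*)\))?\s*$"
)
# O6/O7 policy entries: "O7 - <hive>\...\policies\<key>: <value> = <data>"
O7_RE = re.compile(
    r"^O[67] - (?P<hive>HKLM|HKU\\[^\\]+)\\.*?policies\\(?P<key>\w+): (?P<value>\w+) = (?P<data>\S+)$"
)
# rundll32 invoking an export from a DLL ("rundll32.exe <path>.dll,<export>")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+\S+\.dll,", re.IGNORECASE)

TEMP_DIRS = ("\\temp\\", "\\tmp\\")                       # matched case-insensitively
SYSTEM_HIVES = ("HKU\\.DEFAULT", "HKU\\S-1-5-18", "HKU\\S-1-5-19", "HKU\\S-1-5-20")
LOCKDOWN_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions", "NoAutoUpdate"}


def triage_line(line):
    """Return the reasons one OTL line looks suspicious; an empty list means nothing fired."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        where, name, cmd, pub = m.group("where", "name", "cmd", "pub")
        low = cmd.lower()
        if low.endswith("file not found"):
            reasons.append("orphaned autostart (target missing)")
        elif not (pub or "").strip():
            reasons.append("no version info / publisher on the target")
        if any(t in low for t in TEMP_DIRS):
            reasons.append("executes from a TEMP directory")
        if RUNDLL_RE.match(cmd):
            reasons.append("rundll32 loading a DLL export")
        if where.startswith(SYSTEM_HIVES):
            reasons.append("autostart under the %s hive" % where.split("..")[0])
        if where == "Startup" and low.endswith(".dll"):
            reasons.append("DLL dropped in the Startup folder")
        if name == "":
            reasons.append("empty value name")
        return reasons
    m = O7_RE.match(line)
    if m and m.group("value") in LOCKDOWN_POLICIES and m.group("data") == "1":
        reasons.append("lockdown policy %s enabled in %s" % (m.group("value"), m.group("hive")))
    return reasons


def triage(log_text):
    """Scan a whole OTL report; return [(line, reasons)] for every line that was flagged."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append((line, reasons))
    return findings


def otli_fix(findings):
    """Render the flagged lines as the :OTLI section of an OTL fix script (review before running)."""
    return ":OTLI\n" + "\n".join(line for line, _ in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for line, reasons in hits:
        print(line)
        for r in reasons:
            print("    -", r)
    print()
    print(otli_fix(hits))
```

Run against the sample, the six flagged lines are exactly the ones that reappear in the helper's fix script below; the iTunes entry carries a publisher and a normal path, and NoDriveTypeAutoRun = 145 (0x91) is the Windows XP default rather than something the malware set, so neither is reported. The output is a starting point for a fix, not a fix: an orphaned entry such as the KernelFaultCheck one in the full log is harmless clutter, and the decision to remove still belongs to the person reading the log.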


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 18 May 2009 - 11:48 AM

Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O3 - HKU\S-1-5-21-2903424687-413595299-928397023-1006\..\Toolbar\WebBrowser: (no name) - {3E9D340B-D614-4854-AE06-4218201F6AAE} - Reg Error: Key error. File not found
    O3 - HKU\S-1-5-21-2903424687-413595299-928397023-1006\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    O3 - HKU\S-1-5-21-2903424687-413595299-928397023-1006\..\Toolbar\WebBrowser: (no name) - {F4D76F09-7896-458A-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL File not found
    O4 - HKLM..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16 ( )
    O4 - HKU\.DEFAULT..\Run: [] C:\WINDOWS\TEMP\ycdxg0qamh.exe ()
    O4 - HKU\.DEFAULT..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 ( )
    O4 - HKU\.DEFAULT..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\232353616.exe ()
    O4 - HKU\.DEFAULT..\Run: [SYS32DLL] SYS32DLL File not found
    O4 - HKU\.DEFAULT..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\ycdxg0qamh.exe ()
    O4 - HKU\S-1-5-18..\Run: [] C:\WINDOWS\TEMP\ycdxg0qamh.exe ()
    O4 - HKU\S-1-5-18..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 ( )
    O4 - HKU\S-1-5-18..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\232353616.exe ()
    O4 - HKU\S-1-5-18..\Run: [SYS32DLL] SYS32DLL File not found
    O4 - HKU\S-1-5-18..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\ycdxg0qamh.exe ()
    O4 - HKU\S-1-5-21-2903424687-413595299-928397023-1006..\Run: [autochk] rundll32.exe C:\DOCUME~1\BENGOR~1\protect.dll,_IWMPEvents@16 ( )
    O4 - Startup: C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.dll ( )
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.4.2/jinstall-...indows-i586.cab (Java Plug-in 1.4.2_03)
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
    O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
    O33 - MountPoints2\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\Shell\AutoRun\command - "" = F:\Autorun.exe -- File not found
    O33 - MountPoints2\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\Shell\Shell00\Command - "" = F:\Autorun.exe -- File not found
    O33 - MountPoints2\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\Shell\Shell01\Command - "" = F:\Autorun.exe -- File not found
    O33 - MountPoints2\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\Shell\Shell02\Command - "" = F:\Autorun.exe -- File not found
    
    :Files
    :\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.dll
    C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.lnk
    C:\WINDOWS\System32\lmn_setup.exe
    C:\WINDOWS\System32\autochk.dll
    C:\WINDOWS\System32\ubebogub.ini
    C:\WINDOWS\System32\anerawaj.ini
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log

==================



Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


================


Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
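The entries the fix script above removes (O4 Run values under HKU, the O7 policy values that disable Task Manager and the Registry Editor, and the O33 MountPoints2 autorun handlers for removable drives) are the usual persistence and self-protection spots a fake-alert infection uses. As an added example, not part of this thread and not OTL's own code, the script below applies simple defender-side indicator rules to lines in OTL's format. The sample lines are copied from the fix script; the rules themselves (Temp-directory paths, a target with no company information, rundll32 loading a DLL from a profile root, disabled diagnostic tools, autorun command handlers, "File not found" targets) are my own heuristics, not OTL's logic.

```python
"""Triage OTL (OTListIt2) O4/O7/O33 entries for persistence indicators.

Added example for this thread; it is not OTL's code and not part of the helper's
fix script. The sample lines are copied from the fix script above; the indicator
rules are my own heuristics, chosen to explain why those lines were removed.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Sample input: one line of each kind from the fix script in this thread.
SAMPLE_LINES = r"""
O4 - HKU\S-1-5-18..\Run: [SYS32DLL] SYS32DLL File not found
O4 - HKU\S-1-5-18..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\ycdxg0qamh.exe ()
O4 - HKU\S-1-5-21-2903424687-413595299-928397023-1006..\Run: [autochk] rundll32.exe C:\DOCUME~1\BENGOR~1\protect.dll,_IWMPEvents@16 ( )
O4 - Startup: C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.dll ( )
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O33 - MountPoints2\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\Shell\AutoRun\command - "" = F:\Autorun.exe -- File not found
"""

# OTL prints the file's company name in parentheses; "()" or "( )" means it has none.
EMPTY_COMPANY = re.compile(r"\(\s*\)\s*$")
# Policy values that take the user's own diagnostic tools away.
POLICY = re.compile(r"policies\\System:\s*(DisableTaskMgr|DisableRegistryTools)\s*=\s*1")
# rundll32 calling an export of a DLL that sits directly in a user profile root.
RUNDLL_PROFILE = re.compile(r"rundll32(?:\.exe)?\s+C:\\DOCUME~1\\[^\\]+\\[^\\,]+\.dll", re.I)


@dataclass
class Finding:
    kind: str                     # OTL section tag: O4, O7, O16, O33, ...
    line: str
    indicators: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)


def triage(line: str) -> Finding:
    """Apply the indicator rules (heuristics, not OTL's) to one OTL entry."""
    line = line.strip()
    kind = line.split(" - ", 1)[0]
    finding = Finding(kind, line)
    lower = line.lower()
    hits = finding.indicators

    if "file not found" in lower:
        hits.append("dangling autostart: target missing (already removed, or hidden from the scanner)")
    if kind == "O4":
        if "\\temp\\" in lower:
            hits.append("autostart launches from a Temp directory")
        if EMPTY_COMPANY.search(line):
            hits.append("target carries no company/version information")
        if RUNDLL_PROFILE.search(line):
            hits.append("rundll32 loads a DLL sitting in a user profile root")
        if lower.startswith("o4 - startup:") and ".dll" in lower:
            hits.append("DLL placed in the Startup folder (launched through a .lnk beside it)")
    elif kind == "O7":
        m = POLICY.search(line)
        if m:
            hits.append(f"policy {m.group(1)} = 1 disables a diagnostic tool")
    elif kind == "O33":
        if "\\command" in lower:
            hits.append("autorun command handler registered for a mounted drive")
    return finding


def triage_all(text: str) -> List[Finding]:
    return [triage(l) for l in text.splitlines() if l.strip()]


def report(findings: List[Finding]) -> str:
    out = []
    for f in findings:
        status = "SUSPECT" if f.suspicious else "ok     "
        out.append(f"{status} {f.kind:<4} {f.line[:70]}")
        out.extend(f"         - {i}" for i in f.indicators)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage_all(SAMPLE_LINES)))
```

Only the O16 Java plug-in line comes out clean; the other six each carry at least one indicator, which is the same set the helper chose to remove. The rules are deliberately crude, and a hit only says "look at this", not "delete this".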

#5 snowdude (Topic Starter)

Posted 18 May 2009 - 04:57 PM

========== OTLISTIT ==========
Process explorer.exe killed successfully!
Registry value HKEY_USERS\S-1-5-21-2903424687-413595299-928397023-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{3E9D340B-D614-4854-AE06-4218201F6AAE} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3E9D340B-D614-4854-AE06-4218201F6AAE}\ not found.
Registry value HKEY_USERS\S-1-5-21-2903424687-413595299-928397023-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2903424687-413595299-928397023-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{F4D76F09-7896-458A-890F-E1F05C46069F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F4D76F09-7896-458A-890F-E1F05C46069F}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\autochk deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\autochk.DLL
C:\WINDOWS\system32\autochk.DLL NOT unregistered.
C:\WINDOWS\system32\autochk.DLL moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
C:\WINDOWS\TEMP\ycdxg0qamh.exe moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\autochk deleted successfully.
DllUnregisterServer procedure not found in C:\Documents and Settings\LocalService\protect.dll
C:\Documents and Settings\LocalService\protect.dll NOT unregistered.
C:\Documents and Settings\LocalService\protect.dll moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Diagnostic Manager deleted successfully.
C:\WINDOWS\TEMP\232353616.exe moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\SYS32DLL deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\uidenhiufgsduiazghs deleted successfully.
File C:\WINDOWS\TEMP\ycdxg0qamh.exe not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
File C:\WINDOWS\TEMP\ycdxg0qamh.exe not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\autochk not found.
File rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Diagnostic Manager not found.
File C:\WINDOWS\TEMP\232353616.exe not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\SYS32DLL not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\uidenhiufgsduiazghs not found.
File C:\WINDOWS\TEMP\ycdxg0qamh.exe not found.
Registry value HKEY_USERS\S-1-5-21-2903424687-413595299-928397023-1006\Software\Microsoft\Windows\CurrentVersion\Run\\autochk deleted successfully.
DllUnregisterServer procedure not found in C:\Documents and Settings\Ben Gorecki\protect.dll
C:\Documents and Settings\Ben Gorecki\protect.dll NOT unregistered.
C:\Documents and Settings\Ben Gorecki\protect.dll moved successfully.
DllUnregisterServer procedure not found in C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.dll
C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.dll NOT unregistered.
C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.dll moved successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr not found.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools not found.
Starting removal of ActiveX control {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
File E:\setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\ not found.
File F:\Autorun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\ not found.
File F:\Autorun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\ not found.
File F:\Autorun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b4d823d9-a8fb-11dc-b6dd-0013209ce94f}\ not found.
File F:\Autorun.exe not found.
========== FILES ==========
Error: Unable to interpret <:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.dll> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.lnk> in the current context!
Error: Unable to interpret <C:\WINDOWS\System32\lmn_setup.exe> in the current context!
Error: Unable to interpret <C:\WINDOWS\System32\autochk.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\System32\ubebogub.ini> in the current context!
Error: Unable to interpret <C:\WINDOWS\System32\anerawaj.ini> in the current context!
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\Ben Gorecki\Local Settings\Temp\SafEC.tmp\OTListIt2.exe scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Ben Gorecki\Local Settings\Temp\nsrbgxod.bak scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\msb.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\nsrbgxod.bak scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_574.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.15.8 log created on 05182009_155334

Files moved on Reboot...
C:\Documents and Settings\Ben Gorecki\Local Settings\Temp\SafEC.tmp\OTListIt2.exe moved successfully.
C:\Documents and Settings\Ben Gorecki\Local Settings\Temp\nsrbgxod.bak moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\temp\msb.dll
C:\WINDOWS\temp\msb.dll NOT unregistered.
C:\WINDOWS\temp\msb.dll moved successfully.



----------------------------------------------------------------------------------------------------------------------------

GooredFix v1.92 by jpshortstuff
Log created at 16:56 on 18/05/2009 running Option #1 (Ben Gorecki)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{FC37D187-8E58-497E-8365-E032A625FB4A}

C:\Program Files\Mozilla Firefox\extensions\{E2F693E9-2D47-461D-96FD-D216065733A7}

C:\Program Files\Mozilla Firefox\extensions\{D2436355-8404-4064-A5C5-E38A7A6D10E2}

C:\Program Files\Mozilla Firefox\extensions\{BE756790-69B5-40A2-AAB8-8D7F23C6BD9B}

C:\Program Files\Mozilla Firefox\extensions\{BDE62BBD-8B56-4161-9259-3F29893299A0}

C:\Program Files\Mozilla Firefox\extensions\{BCB5D61B-DB33-4232-9E3C-73F8F3B9E30C}

C:\Program Files\Mozilla Firefox\extensions\{A3C2AB93-C900-4BF5-B736-4BCEEB934492}

C:\Program Files\Mozilla Firefox\extensions\{95BCC7BC-0561-42AC-A54C-0F0D218B7F25}

C:\Program Files\Mozilla Firefox\extensions\{951037DB-334A-4133-A49E-457B7FC816D2}

C:\Program Files\Mozilla Firefox\extensions\{8E06E784-982E-4745-BB58-F4E4FC87E1E9}

C:\Program Files\Mozilla Firefox\extensions\{7DC041A9-D903-4CCC-B2DB-04523AF0A019}

C:\Program Files\Mozilla Firefox\extensions\{7839FDFB-CEA0-427B-A1E6-F028CBA15155}

C:\Program Files\Mozilla Firefox\extensions\{646978B9-817A-4D43-A24D-BF4A171D0F7C}

C:\Program Files\Mozilla Firefox\extensions\{61B0AD53-E63D-40DE-853F-7A1E682E85C3}

C:\Program Files\Mozilla Firefox\extensions\{4B855F9A-1905-4EB7-9802-DD2CB0D4EE46}

C:\Program Files\Mozilla Firefox\extensions\{4A6B546F-8812-485E-B72F-918ED601C6ED}

C:\Program Files\Mozilla Firefox\extensions\{3E3D2A56-D722-44D3-A6EE-BD127472B416}

C:\Program Files\Mozilla Firefox\extensions\{36C5AA66-9396-4FC6-832C-65C6250A63E2}

C:\Program Files\Mozilla Firefox\extensions\{32770CC6-E49D-4050-A3DC-6CE06E0971EA}

C:\Program Files\Mozilla Firefox\extensions\{31CFD498-3354-49F1-9A33-000F9DF16519}

C:\Program Files\Mozilla Firefox\extensions\{2D0FC415-463A-400B-8484-ACFDD4BAA668}

C:\Program Files\Mozilla Firefox\extensions\{2CB43BB8-D3B2-41AD-B887-C8B657FE3AA3}

C:\Program Files\Mozilla Firefox\extensions\{2BAE87D6-E067-405E-A7F9-4F048213AF26}

C:\Program Files\Mozilla Firefox\extensions\{2A6C8E43-9311-4CC3-B332-08C76AC82701}

C:\Program Files\Mozilla Firefox\extensions\{285C151F-5E13-4971-9722-AC35702BAEBC}

C:\Program Files\Mozilla Firefox\extensions\{24342D20-5E1D-485B-BB4E-8E1BC0DDA562}

C:\Program Files\Mozilla Firefox\extensions\{1E05EA4B-D012-48BF-876B-48DD0E164F20}

C:\Program Files\Mozilla Firefox\extensions\{1BAA9CC8-A9E3-485D-B902-2B6E4722C4D0}

C:\Program Files\Mozilla Firefox\extensions\{027C3794-D375-460D-8999-BF2B926EFD21}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

#6 Buckeye_Sam (Malware Expert)

Posted 18 May 2009 - 05:08 PM

Please post the log from Malwarebytes also.


========================================================

#7 snowdude (Topic Starter)

Posted 19 May 2009 - 02:51 PM

Malwarebytes' Anti-Malware 1.36
Database version: 2149
Windows 5.1.2600 Service Pack 3

5/19/2009 2:48:35 PM
mbam-log-2009-05-19 (14-48-35).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 206208
Time elapsed: 38 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\msb.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0PERS5IV\nfr[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ODEFGH67\pp.06[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\_OTListIt\MovedFiles\05182009_155334\WINDOWS\TEMP\ycdxg0qamh.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autochk.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Ben Gorecki\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Scott Gorecki\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ben Gorecki\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\msb.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\lmn_setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
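The MBAM report above has a fixed shape: a header block of per-category counts, then one detail section per category with `item (ThreatName) -> action` lines. Two things are worth checking mechanically when reading such a log: whether the header counts match what is actually listed (a mismatch usually means a truncated paste), and which objects are still marked "Delete on reboot", because those are loaded modules that are not gone until the machine restarts. As an added example, not MBAM's code and not something posted in the thread, here is a parser that does both. The sample report is the log above with the "Files Infected" list shortened to four of the thirteen entries and its header count adjusted to 4 to match.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x report and cross-check it.

Added example for this thread; this is not MBAM's code. SAMPLE_REPORT is the log
posted above with the "Files Infected" list shortened to four of the thirteen
entries (the header count is adjusted to 4 so the sample stays consistent).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_REPORT = r"""
Malwarebytes' Anti-Malware 1.36
Scan type: Full Scan (C:\|D:\|)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\msb.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0PERS5IV\nfr[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autochk.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\msb.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\lmn_setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    category: str
    item: str
    threat: str
    action: str

    @property
    def pending(self) -> bool:
        """True when MBAM could not remove the object and deferred it to the next reboot."""
        return self.action.lower().startswith("delete on reboot")


def parse_report(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    summary: Dict[str, int] = {}
    detections: List[Detection] = []
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY.match(line)
        if m:                                   # header block: "<category>: <count>"
            summary[m.group("cat")] = int(m.group("n"))
        elif line.endswith(" Infected:"):       # start of a detail section
            category = line[:-1]
        else:
            m = DETECTION.match(line)
            if category and m:
                detections.append(Detection(category, m.group("item"), m.group("threat"), m.group("action")))
    return summary, detections


def check_consistency(summary: Dict[str, int], detections: List[Detection]) -> Dict[str, bool]:
    """Header count vs. items actually listed, per category; False means a truncated paste."""
    listed = Counter(d.category for d in detections)
    return {cat: listed.get(cat, 0) == n for cat, n in summary.items()}


def pending_items(detections: List[Detection]) -> List[str]:
    """Objects still waiting for a reboot; a loaded module appears under both Modules and Files."""
    return sorted({d.item for d in detections if d.pending})


def threat_counts(detections: List[Detection]) -> Counter:
    return Counter(d.threat for d in detections)


if __name__ == "__main__":
    summary, dets = parse_report(SAMPLE_REPORT)
    print("counts match listing:", check_consistency(summary, dets))
    print("pending until reboot:", pending_items(dets))
    print("by threat name:", dict(threat_counts(dets)))
```

On the sample, every header count matches its section, and the two objects left pending are autochk.dll and msb.dll, the same DLLs the earlier OTL run could not unregister; that is why the helper's instructions insist on rebooting when MBAM asks.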

#8 Buckeye_Sam (Malware Expert)

Posted 19 May 2009 - 04:12 PM

Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open; please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).


Also post a new log from OTListIt.


========================================================

#9 snowdude (Topic Starter)

Posted 20 May 2009 - 02:56 PM

GooredFix v1.92 by jpshortstuff
Log created at 14:55 on 20/05/2009 running Option #2 (Ben Gorecki)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{FC37D187-8E58-497E-8365-E032A625FB4A}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{E2F693E9-2D47-461D-96FD-D216065733A7}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{D2436355-8404-4064-A5C5-E38A7A6D10E2}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{BE756790-69B5-40A2-AAB8-8D7F23C6BD9B}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{BDE62BBD-8B56-4161-9259-3F29893299A0}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{BCB5D61B-DB33-4232-9E3C-73F8F3B9E30C}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{ACD8DDB1-E2A4-41C9-9E8E-DBA0A53F2015}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{A3C2AB93-C900-4BF5-B736-4BCEEB934492}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{95BCC7BC-0561-42AC-A54C-0F0D218B7F25}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{951037DB-334A-4133-A49E-457B7FC816D2}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{8E06E784-982E-4745-BB58-F4E4FC87E1E9}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{7F0EE086-0C73-4100-AF03-8A8BDBC9E335}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{7DC041A9-D903-4CCC-B2DB-04523AF0A019}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{7839FDFB-CEA0-427B-A1E6-F028CBA15155}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{646978B9-817A-4D43-A24D-BF4A171D0F7C}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{61B0AD53-E63D-40DE-853F-7A1E682E85C3}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{4BF9AED8-94C2-4AB7-A307-770CF56ACF14}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{4B855F9A-1905-4EB7-9802-DD2CB0D4EE46}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{4A6B546F-8812-485E-B72F-918ED601C6ED}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{3E3D2A56-D722-44D3-A6EE-BD127472B416}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{36C5AA66-9396-4FC6-832C-65C6250A63E2}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{32770CC6-E49D-4050-A3DC-6CE06E0971EA}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{31CFD498-3354-49F1-9A33-000F9DF16519}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{2D0FC415-463A-400B-8484-ACFDD4BAA668}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{2CB43BB8-D3B2-41AD-B887-C8B657FE3AA3}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{2BAE87D6-E067-405E-A7F9-4F048213AF26}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{2A6C8E43-9311-4CC3-B332-08C76AC82701}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{285C151F-5E13-4971-9722-AC35702BAEBC}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{24342D20-5E1D-485B-BB4E-8E1BC0DDA562}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{1E05EA4B-D012-48BF-876B-48DD0E164F20}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{1BAA9CC8-A9E3-485D-B902-2B6E4722C4D0}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{027C3794-D375-460D-8999-BF2B926EFD21}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

#10 Buckeye_Sam (Malware Expert)

Posted 20 May 2009 - 03:40 PM

Also post a new log from OTListIt.

How is your computer behaving now?


========================================================

#11 snowdude (Topic Starter)

Posted 20 May 2009 - 03:53 PM

I have a fake "Malware Doctor" program popping up now too. I still have a Google redirect in Firefox and Internet Explorer; Safari is fine.


OTListIt logfile created on: 5/20/2009 3:51:02 PM - Run 3
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\DOCUME~1\BENGOR~1\LOCALS~1\Temp\Saf80.tmp
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.07 Mb Total Physical Memory | 90.10 Mb Available Physical Memory | 17.95% Memory free
1.20 Gb Paging File | 0.53 Gb Available in Paging File | 44.32% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.82 Gb Total Space | 31.53 Gb Free Space | 45.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DD21PZ81
Current User Name: Ben Gorecki
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/19 15:08:21 | 00,032,768 | ---- | M] () -- C:\WINDOWS\System32\AshEvtSvc.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2005/10/11 09:40:32 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe
PRC - [2005/08/05 14:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe
PRC - [2005/11/30 11:38:10 | 00,393,216 | ---- | M] () -- C:\Program Files\Icecast2 Win32\icecastService.exe
PRC - [2009/04/27 20:12:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2006/09/04 20:54:44 | 00,880,722 | ---- | M] (Trend Micro Incorporated.) -- C:\Program Files\Trend Micro\Internet Security 12\PcCtlCom.exe
PRC - [2008/08/13 18:32:40 | 00,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2005/08/30 17:30:32 | 00,290,889 | ---- | M] (Trend Micro Incorporated.) -- C:\Program Files\Trend Micro\Internet Security 12\Tmntsrv.exe
PRC - [2005/08/30 17:30:34 | 00,262,215 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 12\tmproxy.exe
PRC - [2005/08/05 14:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe
PRC - [2005/08/30 17:30:34 | 00,585,792 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 12\TmPfw.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2006/11/03 19:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2009/04/27 20:12:15 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2005/08/30 17:30:26 | 00,823,362 | ---- | M] (Trend Micro Incorporated.) -- C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
PRC - [2009/04/02 16:11:02 | 00,342,312 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2005/06/10 11:44:02 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2003/09/03 21:12:44 | 00,221,184 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
PRC - [2008/08/13 18:32:40 | 00,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - File not found -- C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\3093983762.exe
PRC - [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - File not found -- \?\globalroot\C:\WINDOWS\system32\rundll32.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2006/11/03 19:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2009/04/27 20:12:15 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2005/08/30 17:30:26 | 00,823,362 | ---- | M] (Trend Micro Incorporated.) -- C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
PRC - [2009/04/02 16:11:02 | 00,342,312 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2005/06/10 11:44:02 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2008/08/13 18:32:40 | 00,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2006/04/11 19:39:22 | 00,176,201 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
PRC - [2009/01/29 14:08:38 | 03,583,272 | ---- | M] (Apple Inc.) -- C:\Program Files\Safari\Safari.exe
PRC - [2009/04/02 16:10:58 | 13,646,632 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe
PRC - [2007/11/01 14:57:24 | 02,756,096 | ---- | M] (mIRC Co. Ltd.) -- C:\Program Files\mIRC\mirc.exe
PRC - [2009/05/20 15:50:57 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ben Gorecki\Local Settings\Temp\Saf80.tmp\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2009/05/19 15:08:21 | 00,032,768 | ---- | M] () -- C:\WINDOWS\System32\AshEvtSvc.exe -- (AshEvtSvc [Auto | Running])
SRV - [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2005/06/21 09:19:38 | 00,491,520 | ---- | M] () -- C:\WINDOWS\system32\dlcccoms.exe -- (dlcc_device [Disabled | Stopped])
SRV - [2007/03/07 15:47:46 | 00,076,848 | ---- | M] () -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService [On_Demand | Stopped])
SRV - [2005/10/11 09:40:32 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe -- (ehRecvr [Auto | Running])
SRV - [2005/08/05 14:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe -- (ehSched [Auto | Running])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/11/30 11:38:10 | 00,393,216 | ---- | M] () -- C:\Program Files\Icecast2 Win32\icecastService.exe -- (Icecast [Auto | Running])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/04/27 20:12:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2005/08/05 14:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe -- (McrdSvc [Auto | Running])
SRV - [2004/08/10 05:11:50 | 00,085,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mhn.dll -- (MHN [On_Demand | Stopped])
SRV - [2004/11/19 12:26:40 | 00,147,456 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- (NetSvc [On_Demand | Stopped])
SRV - [2006/09/04 20:54:44 | 00,880,722 | ---- | M] (Trend Micro Incorporated.) -- C:\Program Files\Trend Micro\Internet Security 12\PcCtlCom.exe -- (PcCtlCom [Auto | Running])
SRV - [2008/08/13 18:32:40 | 00,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter [Auto | Running])
SRV - [2005/08/30 17:30:32 | 00,290,889 | ---- | M] (Trend Micro Incorporated.) -- C:\Program Files\Trend Micro\Internet Security 12\Tmntsrv.exe -- (Tmntsrv [Auto | Running])
SRV - [2005/08/30 17:30:34 | 00,585,792 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 12\TmPfw.exe -- (TmPfw [Auto | Running])
SRV - [2005/08/30 17:30:34 | 00,262,215 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 12\tmproxy.exe -- (tmproxy [Auto | Running])
SRV - [2005/08/03 20:05:55 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [On_Demand | Stopped])
SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])
SRV - [2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2001/08/17 14:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Disabled | Stopped])
DRV - [2008/04/13 13:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])
DRV - [2001/08/17 14:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Disabled | Stopped])
DRV - [2001/08/17 14:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Disabled | Stopped])
DRV - [2001/08/17 14:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Disabled | Stopped])
DRV - [2001/08/17 14:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
DRV - [2009/05/18 17:45:14 | 00,004,736 | ---- | M] () -- C:\Documents and Settings\Ben Gorecki\Local Settings\Temp\DellBIOS.Sys -- (DellBIOS [On_Demand | Stopped])
DRV - [2004/12/01 04:22:00 | 00,087,488 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb [Boot | Running])
DRV - [2004/11/23 03:56:00 | 00,040,480 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm [Auto | Running])
DRV - [2006/10/05 16:07:28 | 00,004,736 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct [On_Demand | Stopped])
DRV - [2007/02/25 12:10:48 | 00,005,376 | --S- | M] (Gteko Ltd.) -- C:\WINDOWS\system32\DRIVERS\dsunidrv.sys -- (dsunidrv [Auto | Running])
DRV - [2004/10/14 09:30:46 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2008/04/13 11:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005/07/20 00:34:22 | 01,049,180 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2004/03/06 05:14:42 | 01,233,525 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\IntelC51.sys -- (IntelC51 [On_Demand | Running])
DRV - [2004/03/06 05:15:34 | 00,647,929 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\IntelC52.sys -- (IntelC52 [On_Demand | Running])
DRV - [2004/06/16 04:52:40 | 00,061,157 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\IntelC53.sys -- (IntelC53 [On_Demand | Running])
DRV - [2001/08/17 14:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2004/03/06 05:13:38 | 00,037,048 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\mohfilt.sys -- (mohfilt [On_Demand | Running])
DRV - [2001/08/17 14:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Disabled | Stopped])
DRV - [2004/08/03 23:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Stopped])
DRV - [2004/08/10 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2006/10/29 15:32:15 | 00,036,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2001/08/17 14:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Disabled | Stopped])
DRV - [2001/08/17 14:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Disabled | Stopped])
DRV - [2001/08/17 14:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Disabled | Stopped])
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [Auto | Running])
DRV - [2008/04/13 13:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])
DRV - [2001/08/17 15:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Disabled | Stopped])
DRV - [2007/08/24 11:30:34 | 00,038,656 | ---- | M] (Service & Quality Technology.) -- C:\WINDOWS\System32\Drivers\Capt905c.sys -- (SQTECH905C [On_Demand | Stopped])
DRV - [2004/07/14 12:29:04 | 00,005,627 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5 [System | Running])
DRV - [2004/07/14 12:28:50 | 00,023,545 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln [System | Running])
DRV - [2005/11/16 15:36:00 | 01,047,816 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA [On_Demand | Running])
DRV - [2001/08/17 15:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Disabled | Stopped])
DRV - [2001/08/17 15:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Disabled | Stopped])
DRV - [2001/08/17 15:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Disabled | Stopped])
DRV - [2001/08/17 15:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
DRV - [2004/12/06 02:05:00 | 00,025,883 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio [Auto | Running])
DRV - [2004/12/06 02:05:00 | 00,034,843 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs [Auto | Running])
DRV - [2004/12/06 02:05:00 | 00,004,123 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct [Auto | Running])
DRV - [2004/12/06 02:05:00 | 00,002,239 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres [Auto | Running])
DRV - [2004/12/06 02:05:00 | 00,086,586 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs [Auto | Running])
DRV - [2004/12/06 02:05:00 | 00,015,227 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio [Auto | Running])
DRV - [2004/12/06 02:05:00 | 00,006,363 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool [Auto | Running])
DRV - [2004/12/06 02:05:00 | 00,098,714 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf [Auto | Running])
DRV - [2004/12/06 02:05:00 | 00,100,603 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa [Auto | Running])
DRV - [2007/07/26 15:48:30 | 00,076,560 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm [Auto | Running])
DRV - [2008/11/26 18:42:42 | 00,205,328 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\TmXPFlt.sys -- (Tmfilter [Auto | Running])
DRV - [2008/11/26 18:42:40 | 00,036,368 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\Tmpreflt.sys -- (Tmpreflt [Auto | Running])
DRV - [2005/08/30 17:30:38 | 00,038,528 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\Drivers\tmtdi.sys -- (tmtdi [System | Running])
DRV - [2005/08/30 17:30:38 | 01,884,585 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\Drivers\tm_cfw.sys -- (tm_cfw [Auto | Running])
DRV - [2001/08/17 14:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Disabled | Stopped])
DRV - [2009/03/26 15:23:46 | 00,036,864 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2008/11/26 18:39:56 | 01,195,384 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\Vsapint.sys -- (Vsapint [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.runescape.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,AutoSearch = http://ie.search.msn.com/{SUB_RFC1766}/src...autosearch.aspx
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig?hl=en&btnG=Google+Search&source=iglk"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/05/17 11:58:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/05/10 18:59:39 | 00,000,000 | ---D | M]

[2008/08/30 23:16:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben Gorecki\Application Data\mozilla\Extensions
[2008/08/30 23:16:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben Gorecki\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/18 16:52:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben Gorecki\Application Data\mozilla\Firefox\Profiles\g2zemlti.default\extensions
[2009/05/20 15:45:50 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008/03/12 20:55:25 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{4f8c2ab4-ec14-446f-aa39-24ed99cd1bdf}
[2008/03/12 20:55:26 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{9623a6ff-1210-4d2b-952b-24c2e9d568d7}
[2009/04/29 21:44:23 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/03/24 10:43:42 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2008/07/25 13:22:58 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/04/27 20:12:40 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/04/29 21:44:18 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/29 21:44:18 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/07/02 11:31:38 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/07/02 11:31:38 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/07/02 11:31:38 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/11/13 19:11:26 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/07/02 11:31:38 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/07/02 11:31:38 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml

O1 HOSTS File: (0 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O2 - BHO: (Microsoft copyright) - {56BB6D01-7BD5-4458-A4AE-F03DF643D6EE} - C:\WINDOWS\system32\stfa.dll ()
O4 - HKLM..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16 ( )
O4 - HKLM..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter (SupportSoft, Inc.)
O4 - HKLM..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" (Trend Micro Incorporated.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation)
O4 - HKCU..\Run: [autochk] rundll32.exe C:\DOCUME~1\BENGOR~1\protect.dll,_IWMPEvents@16 ( )
O4 - HKCU..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (Trend Micro Inc.)
O4 - Startup: C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.dll ( )
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoUpdate = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O8 - Extra context menu item: &Search - Reg Error: Value error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O15 - HKLM\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/pub/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} http://simcity.ea.com/update/EARTPX.cab (EARTPatchX Class)
O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} http://simcity3000unlimited.ea.com/telepor...mCity3TeleX.cab (MaxisSimCity3TeleX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} http://thesims.ea.com/teleport/families/Ma...FamilyTeleX.cab (MaxisSimsFamilyTeleX Control)
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} http://simcity.ea.com/play/classic/SimCityX.cab (SimCityX Control)
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab (MaxisSimCity4PatcherX Control)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 05:43:04 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/05/20 14:55:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ben Gorecki\Desktop\GooredFixBackups
[2009/05/20 14:55:23 | 00,094,208 | ---- | C] () -- C:\Program Files\GooredFix.exe
[2009/05/20 13:49:27 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\service-466.exe
[2009/05/19 16:16:19 | 00,095,198 | ---- | C] () -- C:\WINDOWS\System32\drivers\3eed7607.sys
[2009/05/19 16:16:08 | 00,000,004 | ---- | C] () -- C:\WINDOWS\System32\lt.res
[2009/05/19 15:23:23 | 00,023,552 | -HS- | C] ( ) -- C:\WINDOWS\System32\autochk.dll
[2009/05/19 15:23:23 | 00,023,552 | -HS- | C] ( ) -- C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.dll
[2009/05/19 15:23:23 | 00,000,655 | -HS- | C] () -- C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.lnk
[2009/05/19 15:23:22 | 00,028,672 | ---- | C] ( ) -- C:\WINDOWS\System32\lmn_setup.exe
[2009/05/19 15:08:59 | 00,000,398 | ---- | C] () -- C:\WINDOWS\System32\sft.res
[2009/05/19 15:08:58 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\stfa.dll
[2009/05/19 15:08:22 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\AshEvtSvc.exe
[2009/05/18 15:53:34 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/05/17 11:57:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\Ask & Record Toolbar
[2009/05/12 18:52:43 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/05/12 18:51:32 | 24,699,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/07 22:24:13 | 00,162,336 | ---- | C] () -- C:\Documents and Settings\Ben Gorecki\My Documents\Newest021.jpg
[2009/05/03 21:24:40 | 00,000,104 | ---- | C] () -- C:\Documents and Settings\Ben Gorecki\My Documents\Shortcut to Recycle Bin.lnk
[2009/04/28 22:22:50 | 00,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\userinit.exe
[2009/04/27 23:27:41 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2009/04/27 19:08:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2009/04/27 09:56:15 | 00,000,001 | ---- | C] () -- C:\WINDOWS\System32\uniq.tll
[2009/04/09 09:14:05 | 01,408,048 | -HS- | C] () -- C:\WINDOWS\System32\ubebogub.ini
[2009/04/08 21:14:00 | 01,406,156 | -HS- | C] () -- C:\WINDOWS\System32\anerawaj.ini
[2008/06/22 12:59:59 | 00,000,020 | ---- | C] () -- C:\WINDOWS\AllLakeSaver.ini
[2008/04/30 22:28:49 | 00,000,171 | ---- | C] () -- C:\WINDOWS\icecast2.ini
[2008/01/05 17:52:30 | 00,000,399 | ---- | C] () -- C:\WINDOWS\asr.INI
[2007/11/28 19:49:00 | 00,000,168 | ---- | C] () -- C:\WINDOWS\psr.INI
[2006/08/31 20:57:44 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/01/11 17:57:12 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Textart.INI
[2005/12/25 16:18:01 | 00,004,184 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2005/12/25 16:18:01 | 00,000,104 | RHS- | C] () -- C:\WINDOWS\System32\1490F3F7DA.sys
[2005/12/10 14:28:50 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/12/10 14:19:59 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/12/10 13:51:02 | 01,183,744 | ---- | C] () -- C:\WINDOWS\System32\dlccserv.dll
[2005/12/10 13:51:02 | 01,134,592 | ---- | C] () -- C:\WINDOWS\System32\dlccusb1.dll
[2005/12/10 13:51:02 | 00,638,976 | ---- | C] () -- C:\WINDOWS\System32\dlccpmui.dll
[2005/12/10 13:51:02 | 00,430,080 | ---- | C] () -- C:\WINDOWS\System32\dlccutil.dll
[2005/12/10 13:51:02 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\dlccprox.dll
[2005/12/10 13:51:02 | 00,131,072 | ---- | C] () -- C:\WINDOWS\System32\dlccjswr.dll
[2005/12/10 13:51:02 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\dlccpplc.dll
[2005/12/10 13:51:02 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlccinsr.dll
[2005/12/10 13:51:02 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlccvs.dll
[2005/12/10 13:51:02 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcccur.dll
[2005/12/10 13:51:00 | 00,770,048 | ---- | C] () -- C:\WINDOWS\System32\dlcchbn3.dll
[2005/12/10 13:51:00 | 00,704,512 | ---- | C] () -- C:\WINDOWS\System32\dlcccomc.dll
[2005/12/10 13:51:00 | 00,483,328 | ---- | C] () -- C:\WINDOWS\System32\dlcclmpm.dll
[2005/12/10 13:51:00 | 00,413,696 | ---- | C] () -- C:\WINDOWS\System32\dlcccomm.dll
[2005/12/10 13:51:00 | 00,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlccinsb.dll
[2005/12/10 13:51:00 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\dlccins.dll
[2005/12/10 13:51:00 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcccub.dll
[2005/12/10 13:51:00 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcccu.dll
[2005/12/10 13:50:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\dlcccfg.dll
[2005/12/10 13:50:00 | 00,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/08/16 05:37:24 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 05:18:43 | 00,000,550 | ---- | C] () -- C:\WINDOWS\win.ini
[2005/08/16 05:18:41 | 00,000,256 | ---- | C] () -- C:\WINDOWS\system.ini
[2005/08/05 15:01:54 | 00,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/08/02 15:00:16 | 00,000,611 | ---- | C] () -- C:\WINDOWS\System32\dlccplc.ini
[2005/04/09 18:04:54 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2002/02/27 17:50:00 | 00,197,120 | ---- | C] () -- C:\WINDOWS\System32\patchw32.dll
[2000/01/28 01:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/05/20 15:52:25 | 00,095,198 | ---- | M] () -- C:\WINDOWS\System32\drivers\3eed7607.sys
[2009/05/20 14:59:32 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\null
[2009/05/20 14:50:23 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/20 14:50:18 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Ben Gorecki\Local Settings\desktop.ini
[2009/05/20 14:29:25 | 00,000,950 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2903424687-413595299-928397023-1006.job
[2009/05/20 14:19:29 | 00,028,672 | ---- | M] ( ) -- C:\WINDOWS\System32\lmn_setup.exe
[2009/05/20 13:52:07 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/05/20 13:51:34 | 00,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{461DEAF6-0A8F-4BD1-902F-084F1C17583B}.job
[2009/05/20 13:49:27 | 00,032,768 | ---- | M] () -- C:\WINDOWS\System32\service-466.exe
[2009/05/20 13:49:07 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/20 13:49:01 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/20 08:18:13 | 00,004,184 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/05/20 08:18:13 | 00,000,104 | RHS- | M] () -- C:\WINDOWS\System32\1490F3F7DA.sys
[2009/05/19 22:32:33 | 00,023,552 | -HS- | M] ( ) -- C:\WINDOWS\System32\autochk.dll
[2009/05/19 20:55:54 | 00,000,398 | ---- | M] () -- C:\WINDOWS\System32\sft.res
[2009/05/19 16:16:08 | 00,000,004 | ---- | M] () -- C:\WINDOWS\System32\lt.res
[2009/05/19 15:23:23 | 00,023,552 | -HS- | M] ( ) -- C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.dll
[2009/05/19 15:23:23 | 00,000,655 | -HS- | M] () -- C:\Documents and Settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.lnk
[2009/05/19 15:08:58 | 00,029,184 | ---- | M] () -- C:\WINDOWS\System32\stfa.dll
[2009/05/19 15:08:21 | 00,032,768 | ---- | M] () -- C:\WINDOWS\System32\AshEvtSvc.exe
[2009/05/16 20:35:49 | 00,000,550 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/05/16 20:35:49 | 00,000,256 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/05/16 20:35:49 | 00,000,209 | RHS- | M] () -- C:\boot.ini
[2009/05/12 18:52:43 | 00,000,118 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/05/09 08:17:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/05/07 22:24:13 | 00,162,336 | ---- | M] () -- C:\Documents and Settings\Ben Gorecki\My Documents\Newest021.jpg
[2009/05/07 00:16:30 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/03 21:22:53 | 00,000,104 | ---- | M] () -- C:\Documents and Settings\Ben Gorecki\My Documents\Shortcut to Recycle Bin.lnk
[2009/04/27 09:56:15 | 00,000,001 | ---- | M] () -- C:\WINDOWS\System32\uniq.tll
[2009/04/26 22:44:56 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\winadase

========== Alternate Data Streams ==========

@Alternate Data Stream - 456 bytes -> C:\WINDOWS\System32\drivers\zehvhatf.sys:changelist
@Alternate Data Stream - 356 bytes -> C:\WINDOWS\System32\drivers\okhfehgu.sys:changelist
@Alternate Data Stream - 356 bytes -> C:\WINDOWS\System32\drivers\cqkmrsoj.sys:changelist
< End of report >

Edited by snowdude, 20 May 2009 - 03:57 PM.


#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:41 PM

Posted 20 May 2009 - 04:13 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 snowdude

snowdude
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:01:41 PM

Posted 20 May 2009 - 05:00 PM

ComboFix 09-05-20.05 - Ben Gorecki 05/20/2009 16:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.502.195 [GMT -5:00]
Running from: c:\docume~1\BENGOR~1\LOCALS~1\Temp\Saf9.tmp\ComboFix.exe
AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ben Gorecki\protect.dll
c:\documents and settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Ben Gorecki\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\LocalService\Application Data\916653139.exe
c:\documents and settings\LocalService\protect.dll
c:\windows\system32\anerawaj.ini
c:\windows\system32\AshEvtSvc.exe
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\ovfsthseuwnirrfwaborhqttlrmlxrntotyqbb.sys
c:\windows\system32\gofax.dll
c:\windows\system32\lmn_setup.exe
c:\windows\system32\ovfsthgknlshoqauyrqixuriogndsnbpeejxld.dat
c:\windows\system32\ovfsthxhnbitvymqwhwojksojkbbeeysvtuxgr.dll
c:\windows\system32\ovfsthxjvteetelcdrmaysurmoxuhrgahyfwdj.dll
c:\windows\system32\ovfsthxkkfumfxjyftamyamllxyrmyxxdmwhsk.dat
c:\windows\system32\ovfsthyqbuvupllqnvoemwpcavtnodwsbhxwwi.dll
c:\windows\system32\sft.res
c:\windows\system32\stfa.dll
c:\windows\system32\ubebogub.ini
c:\windows\system32\uniq.tll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASHEVTSVC
-------\Service_AshEvtSvc
-------\Service_Ias
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-20 19:55 . 2009-05-20 19:55 94208 ----a-w c:\program files\GooredFix.exe
2009-05-20 18:49 . 2009-05-20 18:49 32768 ----a-w c:\windows\system32\service-466.exe
2009-05-19 21:16 . 2009-05-20 21:53 95198 ----a-w c:\windows\system32\drivers\3eed7607.sys
2009-05-18 20:53 . 2009-05-18 20:53 -------- d-----w C:\_OTListIt
2009-05-17 16:57 . 2009-05-17 16:57 -------- d-----w c:\documents and settings\Ben Gorecki\Local Settings\Application Data\FLVService
2009-05-17 16:57 . 2009-05-17 16:57 -------- d-----w c:\windows\Ask & Record Toolbar
2009-04-29 03:22 . 2008-04-14 00:12 26112 ----a-w c:\windows\system32\dllcache\userinit.exe
2009-04-28 04:27 . 2009-04-28 04:27 -------- d--h--w c:\windows\system32\GroupPolicy
2009-04-28 01:12 . 2009-04-28 01:12 410984 ----a-w c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 19:57 . 2008-04-02 01:31 -------- d-----w c:\program files\mIRC
2009-05-20 13:18 . 2005-12-25 21:18 4184 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-05-20 13:18 . 2005-12-25 21:18 104 --sh--r c:\windows\system32\1490F3F7DA.sys
2009-05-18 22:41 . 2005-12-10 19:15 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-10 00:21 . 2008-07-01 20:51 34 ----a-w c:\documents and settings\Ben Gorecki\jagex_runescape_preferences.dat
2009-04-28 01:12 . 2005-12-10 19:11 -------- d-----w c:\program files\Java
2009-04-14 00:08 . 2009-04-14 00:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 16:53 . 2005-12-10 19:25 -------- d-----w c:\program files\Trend Micro
2009-04-12 03:15 . 2005-12-25 21:18 43944 -c--a-w c:\documents and settings\Ben Gorecki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-11 22:08 . 2009-04-11 22:08 28320 ----a-w c:\windows\system32\drivers\cqkmrsoj.sys
2009-04-11 22:08 . 2009-04-11 22:08 28320 ----a-w c:\windows\system32\drivers\okhfehgu.sys
2009-04-11 22:08 . 2009-04-11 22:08 28320 ----a-w c:\windows\system32\drivers\zehvhatf.sys
2009-04-11 17:13 . 2009-04-11 17:13 -------- d-----w c:\program files\Windows Defender
2009-04-11 17:07 . 2007-10-13 20:08 -------- d-----w c:\program files\iTunes
2009-04-11 17:07 . 2009-04-11 17:07 -------- d-----w c:\program files\iPod
2009-04-11 17:06 . 2007-10-13 20:03 -------- d-----w c:\program files\Common Files\Apple
2009-04-11 17:02 . 2009-04-11 16:59 -------- d-----w c:\program files\QuickTime
2009-04-11 16:47 . 2009-02-06 21:22 -------- d-----w c:\program files\Safari
2009-04-11 16:46 . 2009-04-11 16:46 -------- d-----w c:\program files\Bonjour
2009-04-11 04:37 . 2009-04-11 05:12 122080 ----a-w c:\windows\system32\EConfickerRemover.exe
2009-04-11 04:19 . 2009-04-11 04:19 -------- d-----w c:\program files\prcview
2009-04-06 20:32 . 2009-04-14 00:08 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-04-14 00:08 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-26 20:23 . 2009-04-11 16:53 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-26 20:23 . 2007-10-13 20:03 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-19 21:32 . 2006-09-19 19:44 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-08-16 10:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2009-01-28 04:32 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-28 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Icecast;Icecast Media Server;c:\program files\Icecast2 Win32\icecastService.exe [4/30/2008 9:27 PM 393216]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 5:30 PM 205328]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 5:30 PM 36368]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S0 bozjui;bozjui;c:\windows\system32\drivers\cfaghtjq.sys --> c:\windows\system32\drivers\cfaghtjq.sys [?]
S1 grgwtrqc;grgwtrqc;\??\c:\windows\system32\drivers\grgwtrqc.sys --> c:\windows\system32\drivers\grgwtrqc.sys [?]
S1 nedrmidu;nedrmidu;\??\c:\windows\system32\drivers\nedrmidu.sys --> c:\windows\system32\drivers\nedrmidu.sys [?]
S1 splbwhmv;splbwhmv;\??\c:\windows\system32\drivers\splbwhmv.sys --> c:\windows\system32\drivers\splbwhmv.sys [?]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 5:30 PM 290889]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 5:30 PM 585792]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 5:30 PM 262215]
S3 DellBIOS;DellBIOS;\??\c:\docume~1\BENGOR~1\LOCALS~1\Temp\DellBIOS.Sys --> c:\docume~1\BENGOR~1\LOCALS~1\Temp\DellBIOS.Sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-05-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2903424687-413595299-928397023-1006.job
- c:\documents and settings\Ben Gorecki\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-26 20:24]

2009-05-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-05-20 c:\windows\Tasks\User_Feed_Synchronization-{461DEAF6-0A8F-4BD1-902F-084F1C17583B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 00:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.runescape.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: &Search
Trusted Zone: musicmatch.com\online
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} - hxxp://simcity3000unlimited.ea.com/teleport/simcity/MaxisSimCity3TeleX.cab
FF - ProfilePath - c:\documents and settings\Ben Gorecki\Application Data\Mozilla\Firefox\Profiles\g2zemlti.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&btnG=Google+Search&source=iglk
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\Ben Gorecki\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 16:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\3eed7607]
"ImagePath"="\SystemRoot\System32\drivers\3eed7607.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-20 16:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-20 21:56

Pre-Run: 33,778,573,312 bytes free
Post-Run: 33,831,804,928 bytes free

189 --- E O F --- 2009-05-18 20:00

#14 snowdude

snowdude
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:01:41 PM

Posted 20 May 2009 - 05:09 PM

The USB ports still do not work. I think the Redirect is fixed.

Edited by snowdude, 20 May 2009 - 05:10 PM.


#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:41 PM

Posted 20 May 2009 - 07:08 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Driver::
3eed7607
bozjui
grgwtrqc
nedrmidu
splbwhmv

Rootkit::
3eed7607

File::
c:\windows\system32\drivers\cqkmrsoj.sys
c:\windows\system32\drivers\okhfehgu.sys
c:\windows\system32\drivers\zehvhatf.sys
c:\windows\system32\service-466.exe
c:\windows\system32\drivers\3eed7607.sys
c:\windows\system32\drivers\cfaghtjq.sys 
c:\windows\system32\drivers\grgwtrqc.sys 
c:\windows\system32\drivers\nedrmidu.sys 
c:\windows\system32\drivers\splbwhmv.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"=0
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=0
"NoActiveDesktopChanges"=0

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================================================
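Added here as an editor's example (not ComboFix's code, and not the helper's own tooling): a small Python triage pass over log lines in the format quoted above. It flags the two things the CFScript in this post targets, driver services whose image file is missing ("[?]") under a random-looking name, and the Security Center / NoAutoUpdate registry values, and renders them in the same Driver:: / Registry:: layout. The random-name heuristic, the mixed-case exclusion that leaves DellBIOS alone, and the sample lines are constructed assumptions for this example.

```python
"""Triage helper for ComboFix-style log lines.  Added example, not ComboFix's or
the forum helper's own code.  Flags driver services whose image is missing ("[?]")
under a random-looking name, plus registry values that silence Security Center or
Windows Update.  The name heuristic and CFScript rendering are assumptions here."""
import re

# Constructed sample, copied in the shape of the ComboFix log quoted above.
SAMPLE_LOG = r"""
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 5:30 PM 205328]
S0 bozjui;bozjui;c:\windows\system32\drivers\cfaghtjq.sys --> c:\windows\system32\drivers\cfaghtjq.sys [?]
S1 grgwtrqc;grgwtrqc;\??\c:\windows\system32\drivers\grgwtrqc.sys --> c:\windows\system32\drivers\grgwtrqc.sys [?]
S3 DellBIOS;DellBIOS;\??\c:\docume~1\BENGOR~1\LOCALS~1\Temp\DellBIOS.Sys --> c:\docume~1\BENGOR~1\LOCALS~1\Temp\DellBIOS.Sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"= 1 (0x1)
"""

SERVICE_RE = re.compile(r'^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]$')
KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
RANDOM_NAME_RE = re.compile(r'^[a-z]{6,10}$')  # heuristic: lowercase gibberish only

def suspicious_drivers(log):
    """Service names whose image is missing ([?]) and whose name looks generated."""
    hits = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        name, display, image, status = m.group(3), m.group(4), m.group(5), m.group(6)
        missing = status == '?' and ' --> ' in image
        # DellBIOS is also missing but mixed-case, so it is left alone, as the helper did.
        if missing and display == name and RANDOM_NAME_RE.match(name):
            hits.append(name)
    return hits

def tampered_registry(log):
    """(key, value) pairs that disable Security Center monitoring or Windows Update."""
    hits, key = [], None
    for line in log.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
            continue
        v = VALUE_RE.match(line)
        if not (v and key):
            continue
        name, data = v.group(1), v.group(2)
        num = re.match(r'(?:dword:)?([0-9a-fA-F]+)', data)  # "dword:00000001" or "1 (0x1)"
        if not num or int(num.group(1), 16) == 0:
            continue
        lowered = key.lower()
        if 'security center\\monitoring' in lowered and name == 'DisableMonitoring':
            hits.append((key, name))
        elif lowered.endswith('policies\\explorer') and name == 'NoAutoUpdate':
            hits.append((key, name))
    return hits

def build_cfscript(drivers, registry):
    """Render findings in the Driver:: / Registry:: layout the helper's script used."""
    out = ['Driver::', *drivers, '', 'Registry::']
    for key, name in registry:
        out.append(f'[{key}]')
        # Mirror the thread: delete the Security Center override ("=-"), reset policies to 0.
        out.append(f'"{name}"=-' if name == 'DisableMonitoring' else f'"{name}"=0')
    return '\n'.join(out)
```

Run `print(build_cfscript(suspicious_drivers(SAMPLE_LOG), tampered_registry(SAMPLE_LOG)))` to see the rendered script; on the constructed sample it lists bozjui and grgwtrqc but not DellBIOS.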



