Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect in IE / Session Hijack


  • This topic is locked This topic is locked
8 replies to this topic

#1 1st_infection

1st_infection

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:35 PM

Posted 19 May 2009 - 01:59 AM

Love this site! Hope you can help me solve two malware issues.

1. Google Redirection: After downloading a number of open source applications for video encoding/transcoding, I picked up a Google Redirect virus in IE. A google search returns normal-looking results that show valid links when you mouse-over them. When you click a link, it starts to load and then redirects to an Ad page.

ACTIONS TAKEN:
* Uninstalled several of the video applications.
* Deleted 4 registry entries that hijacked the DNS.
* Deleted suspicsius IE plugins that looked like very suspicious.
* Installed several anti-virus and anti-spyware programs including:
- Malwarebytes: Only installed after renaming installer, but won't run
- SuperAntiSpyware: Only the alternate installer worked, but it cleaned trojans on multiple reboots.
- ATF-Cleaner: woldn't install
- Adaware: Installed, but wouldn't update. Found nothing
- Comodo AV: Installed, but wouldn't update. Downloaded updates manually, but it did not find anything.
- AVG: Installed, but wouldn't update. Found nothing
* Uninstalled Comodo

2. Session Hijacked (Remote Control): Someone took control of my PC while I was watching. They moved the mouse and clicked on various items. I tried to launch wireshirk while they were connected, but they moved the mouse and clicked everytime I went for the icon. I shut down the PC to end the event. This happened within hours of installing a Joomla demo site on a local web sever and MySQL database, and resetting the admin password in the DB.

ACTIONS TAKEN:
* Checked Remote Admin logs to confirm they didn't crack my password. There were no unknown sessions logged. This is the only pin-hole in my firewall, so I assume the connection was originated from a malware process on my PC.
* Scanned computer again with SuperAntiSpyware. Nothing new
* Scanned computer with McAffee Stinger: it removed autorun.inf files from the root of all three hard drives

CLEARLY, I should've asked you for help before trying to resolve this on my own. Any idea where to go from here?


DDS (Ver_09-05-14.01) - NTFSx86
Run by USER at 2:29:36.53 on Tue 05/19/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.443 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
D:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
D:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
svchost.exe
D:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
D:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
d:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Damon\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [DynDNS Updater] "d:\program files\dyndns updater\DynDNS.exe"
uRun: [d:\program files\1&1\1&1 easylogin\EasyLogin.exe] "1&1 EasyLogin" HIDE
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\d97af585-a38e-4ef1-9130-a01f7f20ac4e.exe
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [MULTIMEDIA KEYBOARD] c:\program files\netropa\multimedia keyboard\MMKeybd.exe
mRun: [CTCheck] d:\program files\creative\creative zen\zen media explorer\CTCheck.exe
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] c:\program files\common files\real\update_ob\realsched.exe -osboot
mRun: [RemoteControl] c:\program files\roxio\roxio dvdmax player\PDVDServ.exe
mRun: [OpwareSE2] "d:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [HPHUPD05] d:\program files\hewlett-packard\\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [GUpload] c:\documents and settings\all users\application data\microsoft\network\connections\cm\gras301\GUpload.exe
StartupFolder: c:\docume~1\damon\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1119748428750
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\damon\applic~1\mozilla\firefox\profiles\ow1lysqg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: d:\program files\adobe\reader 9.0\reader\browser\nppdf32.dll
FF - plugin: d:\program files\firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13
============= SERVICES / DRIVERS ===============

R0 fasttrak;fasttrak;c:\windows\system32\drivers\Fasttrak.sys [2005-6-25 70528]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2006-9-9 6656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 r_server;Remote Administrator Service;c:\windows\system32\r_server.exe [2009-4-6 724992]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S2 nhksrv;Netropa NHK Server;c:\program files\netropa\multimedia keyboard\nhksrv.exe --> c:\program files\netropa\multimedia keyboard\nhksrv.exe [?]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys --> c:\windows\system32\drivers\rcvpn.sys [?]

=============== Created Last 30 ================

2009-05-06 11:26 <DIR> --d----- c:\docume~1\damon\applic~1\Malwarebytes
2009-05-06 11:25 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-06 11:25 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-06 11:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-06 11:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-04 04:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-04 04:20 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-04 04:20 <DIR> --d----- c:\docume~1\damon\applic~1\SUPERAntiSpyware.com
2009-05-04 04:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-04 03:19 <DIR> --d----- C:\!KillBox
2009-05-03 13:02 253,688 a------- c:\windows\system32\cssdll32.dll
2009-05-03 13:02 <DIR> --d----- c:\program files\COMODO
2009-05-03 13:01 <DIR> --d----- C:\comodo2
2009-05-02 15:31 87,608 a------- c:\docume~1\damon\applic~1\inst.exe
2009-05-02 15:31 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-05-02 15:31 47,360 a------- c:\docume~1\damon\applic~1\pcouffin.sys
2009-05-02 01:47 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-05-02 01:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo
2009-04-29 20:26 <DIR> --d----- c:\program files\Microsoft
2009-04-22 22:01 <DIR> --d----- C:\drvrtmp

==================== Find3M ====================

2009-04-11 11:09 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-06 07:53 724,992 a------- c:\windows\system32\r_server.exe
2009-03-31 11:31 54,696 a------- c:\docume~1\damon\applic~1\GDIPFONTCACHEV1.DAT
2009-03-31 00:04 29,728 a------- c:\windows\system32\raddrv.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 04:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 04:10 81,920 a------- c:\windows\system32\ieencode.dll

============= FINISH: 2:29:50.86 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:35 PM

Posted 20 May 2009 - 11:55 AM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 1st_infection

1st_infection
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:35 PM

Posted 22 May 2009 - 08:15 AM

Sam,

Thanks for responding to my inquiry! After reading several other posts on this site involving Google redirects, I ran combofix, followed by MB. ComboFix worked like a charm to remove the malicious rootkit that was preventing A/V software installations and updates. The Google redirect issue is now resolved, but I don't know if the remote control issue is gone.

Can you ensure that the malware is gone, and people can't take control of my PC again?

I ran the programs that you suggested and attached the logs. OTListIt2 (see attached log) ran fine, but GMER killed the computer when it started to scan my third hard drive. I started getting delayed-write failures and there was no memory to run anything. The computer wouldn't even shut down normally. GMER did output some results on the main drive, that I will post.

Thanks for the help!

Attached Files



#4 1st_infection

1st_infection
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:35 PM

Posted 22 May 2009 - 08:18 AM

The OTList isn't that long, so I'll post it.

OTListIt logfile created on: 5/21/2009 10:26:44 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.46 Mb Total Physical Memory | 589.70 Mb Available Physical Memory | 57.62% Memory free
1.66 Gb Paging File | 1.24 Gb Available in Paging File | 74.99% Paging File free
Paging file location(s): D:\pagefile.sys 768 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 9.77 Gb Total Space | 1.71 Gb Free Space | 17.46% Space Free | Partition Type: NTFS
Drive D: | 102.01 Gb Total Space | 27.12 Gb Free Space | 26.58% Space Free | Partition Type: NTFS
Drive E: | 74.53 Gb Total Space | 8.83 Gb Free Space | 11.84% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USERPC
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2006/02/21 21:39:16 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\Ati2evxx.exe
PRC - [2006/02/21 21:39:16 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\Ati2evxx.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2002/03/17 07:39:30 | 00,151,552 | ---- | M] (Netropa Corp.) -- C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
PRC - [2007/11/06 11:08:10 | 00,397,312 | ---- | M] (Creative Technology Ltd) -- D:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
PRC - [2001/11/14 03:03:12 | 00,090,112 | ---- | M] (Netropa Corp.) -- C:\Program Files\Netropa\Onscreen Display\OSD.exe
PRC - [2003/10/27 03:04:34 | 00,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
PRC - [2003/05/08 12:00:58 | 00,049,152 | ---- | M] (ScanSoft, Inc.) -- D:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
PRC - [2004/05/05 10:47:06 | 00,491,520 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\system32\hphmon05.exe
PRC - [2003/12/22 08:38:42 | 00,241,664 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
PRC - [2009/05/19 10:26:57 | 01,947,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2005/04/16 14:25:34 | 00,020,541 | ---- | M] (Apache Software Foundation) -- D:\Program Files\Apache Group\Apache2\bin\Apache.exe
PRC - [2009/05/19 10:26:55 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- d:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [1999/12/12 13:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTsvcCDA.exe
PRC - [2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2005/08/18 14:14:10 | 03,604,480 | ---- | M] () -- D:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
PRC - [2008/10/20 21:18:26 | 00,071,096 | ---- | M] () -- d:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2004/12/20 12:47:32 | 00,724,992 | ---- | M] () -- C:\WINDOWS\system32\r_server.exe
PRC - [2009/05/19 10:26:57 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- d:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/05/19 10:26:56 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- d:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/05/19 10:26:57 | 00,692,504 | ---- | M] (AVG Technologies CZ, s.r.o.) -- d:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2006/03/30 10:15:44 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2005/04/16 14:25:34 | 00,020,541 | ---- | M] (Apache Software Foundation) -- D:\Program Files\Apache Group\Apache2\bin\Apache.exe
PRC - [2009/05/19 10:26:57 | 00,692,504 | ---- | M] (AVG Technologies CZ, s.r.o.) -- d:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2004/03/18 16:55:48 | 00,065,536 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2009/02/06 06:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2009/05/21 10:20:51 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2005/04/16 14:25:34 | 00,020,541 | ---- | M] (Apache Software Foundation) -- D:\Program Files\Apache Group\Apache2\bin\Apache.exe -- (Apache2 [Auto | Running])
SRV - [2007/10/24 02:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2006/02/21 21:39:16 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2009/05/19 10:26:56 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- d:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
SRV - [2009/05/19 10:26:55 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- d:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2007/06/15 13:57:42 | 00,145,504 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\system32\bgsvcgen.exe -- (bgsvcgen [Disabled | Stopped])
SRV - [2006/03/30 10:15:44 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8 [Auto | Running])
SRV - [2007/10/24 02:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [1999/12/12 13:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTsvcCDA.exe -- (Creative Service for CDROM Access [Auto | Running])
SRV - [2009/05/02 01:47:48 | 00,655,624 | ---- | M] (Acresso Software Inc.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService [Auto | Running])
SRV - [2005/08/18 14:14:10 | 03,604,480 | ---- | M] () -- D:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe -- (MySQL [Auto | Running])
SRV - File not found -- -- (nhksrv [Auto | Stopped])
SRV - [2008/10/20 21:18:26 | 00,071,096 | ---- | M] () -- d:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU [Auto | Running])
SRV - [2004/03/18 16:55:48 | 00,065,536 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [On_Demand | Running])
SRV - [2007/11/06 16:22:26 | 00,092,792 | ---- | M] (CACE Technologies) -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd [On_Demand | Stopped])
SRV - [2004/12/20 12:47:32 | 00,724,992 | ---- | M] () -- C:\WINDOWS\system32\r_server.exe -- (r_server [Auto | Running])
SRV - [2006/10/18 22:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2008/08/14 07:57:42 | 00,074,720 | ---- | M] (Adobe Systems, Inc.) -- C:\WINDOWS\System32\drivers\adfs.sys -- (adfs [Auto | Running])
DRV - [2006/10/20 13:42:41 | 00,020,096 | ---- | M] (SlySoft, Inc.) -- C:\WINDOWS\System32\Drivers\AnyDVD.sys -- (AnyDVD [On_Demand | Running])
DRV - [2002/07/17 09:05:10 | 00,016,512 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\aspi32.sys -- (ASPI32 [Auto | Running])
DRV - [2006/02/21 21:46:26 | 01,505,792 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
DRV - [2009/05/19 10:26:55 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/05/19 10:27:06 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/05/19 10:26:56 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2006/02/20 20:17:40 | 00,033,408 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\System32\drivers\cdrbsdrv.sys -- (cdrbsdrv [System | Running])
DRV - [2002/11/18 15:51:40 | 00,377,358 | ---- | M] (C-Media Inc) -- C:\WINDOWS\system32\drivers\cmaudio.sys -- (cmpci [On_Demand | Running])
DRV - [2007/07/09 19:40:52 | 00,128,144 | R--- | M] (Deterministic Networks, Inc.) -- C:\WINDOWS\system32\DRIVERS\dne2000.sys -- (DNE [Disabled | Stopped])
DRV - [2002/02/25 07:54:04 | 00,139,776 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Stopped])
DRV - [2006/04/21 21:44:39 | 00,008,064 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\System32\Drivers\ElbyCDIO.sys -- (ElbyCDIO [Auto | Running])
DRV - [2005/04/12 04:41:20 | 00,004,608 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\System32\Drivers\ElbyDelay.sys -- (ElbyDelay [On_Demand | Running])
DRV - [2001/11/22 15:08:06 | 00,070,528 | R--- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\fasttrak.sys -- (fasttrak [Boot | Running])
DRV - [2006/05/18 09:48:50 | 00,047,249 | ---- | M] (FTDI Ltd.) -- C:\WINDOWS\system32\drivers\ftdibus.sys -- (FTDIBUS [On_Demand | Stopped])
DRV - [2006/05/18 09:49:02 | 00,061,067 | ---- | M] (FTDI Ltd.) -- C:\WINDOWS\system32\drivers\ftser2k.sys -- (FTSER2K [On_Demand | Stopped])
DRV - [2008/04/13 14:45:29 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\gameenum.sys -- (gameenum [On_Demand | Running])
DRV - [2008/04/13 14:36:38 | 00,020,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\HidBatt.sys -- (HidBatt [On_Demand | Stopped])
DRV - [2004/03/18 16:52:42 | 00,051,088 | ---- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2004/03/18 16:52:44 | 00,016,496 | ---- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2004/03/18 16:51:02 | 00,021,744 | ---- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2001/12/20 08:02:12 | 00,006,656 | ---- | M] (Netropa Corporation) -- C:\WINDOWS\System32\DRIVERS\msikbd2k.sys -- (msikbd2k [System | Running])
DRV - [2008/04/13 14:53:09 | 00,040,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\NMnt.sys -- (nm [On_Demand | Stopped])
DRV - [2007/11/06 16:22:06 | 00,034,064 | ---- | M] (CACE Technologies) -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF [On_Demand | Stopped])
DRV - [2002/03/19 11:29:16 | 00,014,165 | ---- | M] (Pinnacle Systems GmbH) -- C:\WINDOWS\system32\drivers\pclepci.sys -- (PCLEPCI [System | Running])
DRV - [2009/05/02 15:31:52 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\System32\Drivers\pcouffin.sys -- (pcouffin [On_Demand | Running])
DRV - [2006/11/04 06:02:04 | 00,022,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\point32.sys -- (Point32 [On_Demand | Running])
DRV - [2001/08/18 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2006/10/31 13:06:51 | 00,067,456 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\DRIVERS\GA311ND5.SYS -- (RTL8023 [On_Demand | Running])
DRV - [2009/04/28 11:33:42 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/04/28 11:33:44 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/04/28 11:33:40 | 00,072,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/08/17 13:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1715567821-1614895754-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1715567821-1614895754-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1715567821-1614895754-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1715567821-1614895754-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1715567821-1614895754-682003330-1003\S-1-5-21-1715567821-1614895754-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10


FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: D:\PROGRAM FILES\FIREFOX\COMPONENTS [2009/05/07 13:01:28 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: D:\PROGRAM FILES\FIREFOX\PLUGINS [2009/05/07 13:01:28 | 00,000,000 | ---D | M]

[2009/01/21 14:13:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\mozilla\Extensions
[2009/01/21 14:13:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/03 16:18:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\mozilla\Firefox\Profiles\ow1lysqg.default\extensions

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1715567821-1614895754-682003330-1003\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-21-1715567821-1614895754-682003330-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG8_TRAY] d:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [C-Media Mixer] Mixer.exe /startup File not found
O4 - HKLM..\Run: [CTCheck] d:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" (Hewlett-Packard Company)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPHUPD05] d:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe ()
O4 - HKLM..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe (Netropa Corp.)
O4 - HKLM..\Run: [OpwareSE2] "D:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" (ScanSoft, Inc.)
O4 - HKLM..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-1715567821-1614895754-682003330-1003..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" ()
O4 - HKU\S-1-5-21-1715567821-1614895754-682003330-1003..\Run: [d:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE File not found
O4 - HKU\S-1-5-21-1715567821-1614895754-682003330-1003..\Run: [DynDNS Updater] "d:\Program Files\DynDNS Updater\DynDNS.exe" (Kana Solution)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1715567821-1614895754-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1715567821-1614895754-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1715567821-1614895754-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1715567821-1614895754-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1715567821-1614895754-682003330-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1715567821-1614895754-682003330-1003\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://v5.windowsupdate.microsoft.com/v5co...b?1119748428750 (WUWebControl Class)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} https://office.caryfbc.org/Remote/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/06/25 20:18:07 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/05/18 22:13:08 | 00,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/05/21 10:26:01 | 00,000,000 | ---D | M]

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\*.tmp files]
[2009/05/21 10:26:01 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTListIt2.exe
[2009/05/21 10:26:01 | 00,286,208 | ---- | C] () -- C:\Documents and Settings\User\Desktop\s3s937cw.exe
[2009/05/19 11:07:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Radmin
[2009/05/19 10:27:08 | 00,011,952 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/05/19 10:27:08 | 00,000,664 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/05/19 10:27:06 | 00,027,784 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/05/19 10:26:59 | 36,309,322 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/05/19 10:26:59 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/05/19 10:26:59 | 00,434,673 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/05/19 10:26:59 | 00,058,917 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/05/19 10:26:59 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/05/19 10:26:56 | 00,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/05/19 10:26:55 | 00,325,896 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/05/19 08:05:45 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/05/19 07:47:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\temp
[2009/05/19 04:56:16 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/05/19 04:56:12 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/05/19 04:56:09 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/05/19 04:54:50 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/05/19 04:54:50 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/05/19 04:54:50 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/05/19 04:54:50 | 00,117,248 | ---- | C] () -- C:\WINDOWS\vFind.exe
[2009/05/19 04:54:50 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/05/19 04:54:50 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/05/19 04:54:50 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/05/19 04:54:50 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/05/19 04:54:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/05/19 04:54:33 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/05/19 04:21:45 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/19 04:21:45 | 00,000,607 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/19 04:21:43 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/19 02:17:10 | 00,359,883 | ---- | C] () -- C:\Documents and Settings\User\Desktop\dds.scr
[2009/05/13 22:21:19 | 00,048,328 | ---- | C] () -- C:\Documents and Settings\User\Desktop\dr_report.pdf
[2009/05/06 11:26:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Malwarebytes
[2009/05/06 11:25:15 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/06 11:25:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/05 23:11:47 | 00,282,042 | ---- | C] () -- D:\User\cc_20090505_231144.reg
[2009/05/05 22:26:48 | 00,001,891 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/05/04 04:20:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/05/04 04:20:50 | 00,000,825 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/05/04 04:20:48 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/05/04 04:20:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
[2009/05/04 04:20:36 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/05/04 02:01:26 | 00,000,853 | ---- | C] () -- C:\Documents and Settings\User\Desktop\HijackThis.lnk
[2009/05/03 16:30:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/05/03 16:29:09 | 00,001,638 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/05/03 16:20:33 | 37,452,296 | ---- | C] (Lavasoft ) -- C:\Documents and Settings\User\Desktop\Ad-AwareAE.exe
[2009/05/03 13:02:00 | 00,253,688 | ---- | C] (COMODO) -- C:\WINDOWS\System32\cssdll32.dll
[2009/05/03 13:02:00 | 00,000,000 | ---D | C] -- C:\Program Files\COMODO
[2009/05/03 12:34:55 | 00,000,699 | ---- | C] () -- C:\Documents and Settings\User\Desktop\CCleaner.lnk
[2009/05/02 23:48:03 | 35,559,404 | ---- | C] () -- C:\Documents and Settings\User\Desktop\UserGuide.pdf
[2009/05/02 22:16:13 | 00,065,117 | ---- | C] () -- D:\User\A Sterling and Gold fundraiser.pdf
[2009/05/02 15:38:51 | 00,000,000 | ---D | C] -- D:\User\DVDFab
[2009/05/02 15:31:52 | 00,047,360 | ---- | C] (VSO Software) -- C:\WINDOWS\System32\drivers\pcouffin.sys
[2009/05/02 15:31:52 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\User\Application Data\pcouffin.sys
[2009/05/02 15:31:52 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\User\Application Data\pcouffin.cat
[2009/05/02 15:31:52 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\User\Application Data\pcouffin.inf
[2009/05/02 15:31:51 | 00,000,000 | ---D | C] -- D:\User\PcSetup
[2009/05/02 15:31:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Vso
[2009/05/02 15:31:44 | 00,000,561 | ---- | C] () -- C:\Documents and Settings\User\Desktop\DVDFab 5.lnk
[2009/05/02 09:22:14 | 00,000,000 | ---D | C] -- D:\User\Adobe
[2009/05/02 09:14:41 | 00,281,574 | ---- | C] () -- C:\Documents and Settings\User\Desktop\ame message.bmp
[2009/05/02 09:07:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2009/05/02 02:01:42 | 00,000,000 | ---D | C] -- C:\Program Files\Adobe Media Player
[2009/05/02 01:47:48 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Macrovision Shared
[2009/05/02 01:03:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Comodo
[2009/04/29 20:26:10 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/04/24 14:37:11 | 00,003,237 | ---- | C] () -- C:\Documents and Settings\User\Desktop\sts.htm
[2009/04/22 22:01:02 | 00,000,000 | ---D | C] -- C:\drvrtmp
[2009/03/31 00:04:01 | 00,029,728 | ---- | C] () -- C:\WINDOWS\System32\raddrv.dll
[2009/01/16 15:36:10 | 00,000,057 | ---- | C] () -- C:\WINDOWS\wiseftp.ini
[2008/04/10 00:15:26 | 00,524,288 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/04/10 00:15:26 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/11/06 16:19:28 | 00,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2007/10/18 09:32:03 | 00,005,113 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/06/05 07:37:56 | 00,000,066 | ---- | C] () -- C:\WINDOWS\LiveLoad.INI
[2006/09/09 10:54:22 | 00,000,245 | ---- | C] () -- C:\WINDOWS\Msiosd.ini
[2006/09/09 10:54:21 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\msiosd32.dll
[2006/05/19 11:04:21 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\nnr.dll
[2005/10/14 10:22:30 | 00,000,101 | ---- | C] () -- C:\WINDOWS\CMMIXER.INI
[2005/09/22 16:18:33 | 00,045,843 | ---- | C] () -- C:\WINDOWS\CSTBox.INI
[2005/08/06 19:08:57 | 00,001,028 | ---- | C] () -- C:\WINDOWS\CDMaster.ini
[2005/08/01 21:11:57 | 00,000,047 | ---- | C] () -- C:\WINDOWS\3D Text Factory.INI
[2005/07/31 15:59:32 | 00,000,532 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2005/07/31 15:58:25 | 00,000,021 | ---- | C] () -- C:\WINDOWS\PS_setup.ini
[2005/07/16 11:09:38 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\custmon2k.dll
[2005/06/27 00:08:54 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/06/25 21:41:23 | 00,000,060 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/06/25 21:23:14 | 00,000,025 | ---- | C] () -- C:\WINDOWS\mixerdef.ini
[2005/02/03 20:59:44 | 02,129,920 | ---- | C] () -- C:\WINDOWS\System32\myodbc3S.dll
[2004/03/18 09:44:29 | 01,663,068 | ---- | C] () -- C:\WINDOWS\System32\libmmd.dll
[2003/04/10 15:00:06 | 00,000,133 | ---- | C] () -- C:\WINDOWS\System32\ftdiun2k.ini
[2001/08/18 08:00:00 | 00,000,867 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/18 08:00:00 | 00,000,284 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[5 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/05/21 10:21:50 | 36,309,322 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/05/21 10:21:29 | 00,058,917 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/05/21 10:21:13 | 00,286,208 | ---- | M] () -- C:\Documents and Settings\User\Desktop\s3s937cw.exe
[2009/05/21 10:20:51 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTListIt2.exe
[2009/05/21 10:20:14 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/21 10:18:28 | 00,000,245 | ---- | M] () -- C:\WINDOWS\Msiosd.ini
[2009/05/21 10:18:22 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/21 10:18:21 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\desktop.ini
[2009/05/21 10:18:18 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/21 10:18:16 | 10,732,46208 | -HS- | M] () -- C:\hiberfil.sys
[2009/05/20 11:15:00 | 00,000,342 | ---- | M] () -- C:\WINDOWS\tasks\HP Usg Daily.job
[2009/05/19 10:27:08 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/05/19 10:27:08 | 00,000,664 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/05/19 10:27:06 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/05/19 10:26:59 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/05/19 10:26:59 | 00,434,673 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/05/19 10:26:56 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/05/19 10:26:55 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/05/19 07:45:17 | 00,000,284 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/05/19 07:43:30 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/05/19 04:56:16 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/05/19 04:21:45 | 00,000,607 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/19 02:10:50 | 00,359,883 | ---- | M] () -- C:\Documents and Settings\User\Desktop\dds.scr
[2009/05/18 23:46:34 | 00,000,074 | -HS- | M] () -- C:\Documents and Settings\User\Application Data\.zreglib
[2009/05/14 17:50:08 | 00,117,248 | ---- | M] () -- C:\WINDOWS\vFind.exe
[2009/05/07 03:16:29 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/06 19:55:51 | 00,000,867 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/05/06 19:55:51 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/05/05 23:11:58 | 00,282,042 | ---- | M] () -- D:\User\cc_20090505_231144.reg
[2009/05/05 22:26:57 | 00,001,891 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/05/04 04:20:50 | 00,000,825 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/05/04 02:01:26 | 00,000,853 | ---- | M] () -- C:\Documents and Settings\User\Desktop\HijackThis.lnk
[2009/05/03 16:29:09 | 00,001,638 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/05/03 16:27:08 | 37,452,296 | ---- | M] (Lavasoft ) -- C:\Documents and Settings\User\Desktop\Ad-AwareAE.exe
[2009/05/03 13:02:00 | 00,253,688 | ---- | M] (COMODO) -- C:\WINDOWS\System32\cssdll32.dll
[2009/05/03 12:34:55 | 00,000,699 | ---- | M] () -- C:\Documents and Settings\User\Desktop\CCleaner.lnk
[2009/05/02 23:48:05 | 35,559,404 | ---- | M] () -- C:\Documents and Settings\User\Desktop\UserGuide.pdf
[2009/05/02 15:31:52 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\System32\drivers\pcouffin.sys
[2009/05/02 15:31:52 | 00,047,360 | ---- | M] (VSO Software) -- C:\Documents and Settings\User\Application Data\pcouffin.sys
[2009/05/02 15:31:52 | 00,007,887 | ---- | M] () -- C:\Documents and Settings\User\Application Data\pcouffin.cat
[2009/05/02 15:31:52 | 00,001,144 | ---- | M] () -- C:\Documents and Settings\User\Application Data\pcouffin.inf
[2009/05/02 15:31:44 | 00,000,561 | ---- | M] () -- C:\Documents and Settings\User\Desktop\DVDFab 5.lnk
[2009/05/02 09:14:41 | 00,281,574 | ---- | M] () -- C:\Documents and Settings\User\Desktop\ame message.bmp
[2009/04/29 09:55:22 | 00,200,936 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/29 04:05:35 | 00,344,867 | ---- | M] () -- C:\Documents and Settings\User\Desktop\font.zip
[2009/04/24 14:37:11 | 00,003,237 | ---- | M] () -- C:\Documents and Settings\User\Desktop\sts.htm
[2009/04/24 14:22:46 | 00,005,113 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
< End of report >

#5 1st_infection

1st_infection
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:35 PM

Posted 22 May 2009 - 08:24 AM

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-22 09:24:10
Windows 5.1.2600 Service Pack 3


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- EOF - GMER 1.0.15 ----

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:35 PM

Posted 22 May 2009 - 04:08 PM

This fix will remove the Remote Administrator application from your computer.


Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - [2004/12/20 12:47:32 | 00,724,992 | ---- | M] () -- C:\WINDOWS\system32\r_server.exe
    SRV - [2004/12/20 12:47:32 | 00,724,992 | ---- | M] () -- C:\WINDOWS\system32\r_server.exe -- (r_server [Auto | Running])
    
    :Files
    C:\Documents and Settings\User\Application Data\Radmin
    C:\Program Files\Radmin
    
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL2 log.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 1st_infection

1st_infection
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:35 PM

Posted 22 May 2009 - 04:58 PM

Sam,

I apologize for not being clear. Remote Admin is a program that I installed and use to connect remotely. If you refer back to my original post, I described an instance where someone took control of my machine while I was using it locally. I do not believe it was Remote Admin since nothing showed up in the logs. The only sessions reporting in the logs were my own. For this reason, I believe a trojan created a back-door for someone to take control. Other than remote admin, do you see remaining malware or anything that would allow someone to control the PC remotely?

If you do not seeing anything bad, you are welcome to close the ticket.

Thanks for helping!

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:35 PM

Posted 23 May 2009 - 01:28 PM

I don't see any indication of active malware in your logs. If your computer seems to be running normally you should be ok.


Run OTListIt and click on the CleanUp button.
Reboot when prompted to.



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbup2: :)
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 1st_infection

1st_infection
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:35 PM

Posted 23 May 2009 - 02:56 PM

Thanks!

You are welcome to close the thread.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users