Renos.DZ/Google Redirect Problem


11 replies to this topic

#1 Lammy (Members, 4 posts)

Posted 27 May 2009 - 06:11 AM

I have some kind of malware on my laptop. Initially Windows Defender would inform me of a Trojan.Renos.DZ on start up but Malware Bytes and SUPER Anti Spyware have helped to eliminate that problem. However, I had to make a renamed copy of the Malware Bytes .exe file because the original .exe wouldn't run as if the virus was blocking it somehow. The same happened with the HijackThis.exe causing me to have to make a renamed copy of it. I am noticing on Google that my searches are being redirected, for example, I will type something in on google, click the first result it brings up but I get taken to a different URL to the one I clicked on, for example I have been taken to eBay, Youtube and suspect looking 'anti-spyware' pages. Here is my HJT log. I hope you can help.

Thanks,
Sam



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:34, on 27/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\svchost.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\del\Downloads\HJT.exe
C:\Users\del\del.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [del] C:\Users\del\del.exe /i
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 8547 bytes
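A defender-side way to read a log like the one above: helpers look first at the autorun (O4) entries, the hosts (O1) entries and the browser add-on (O2/O3) entries, because those are where a redirector usually leaves a trace. In the log above, `O4 - HKCU\..\Run: [del] C:\Users\del\del.exe /i` is a per-user autorun whose target lives in the user's profile rather than under Program Files or Windows, which is exactly the kind of line that warrants a closer look before anything is declared clean. The script below is an added example for this thread, not code from the original post, from HijackThis or from any of the tools named here. It triages a handful of O1/O2/O4 lines excerpted from the log above (plus one constructed hosts entry, marked in the comments, so the hosts check has something to report). The environment-variable expansions and the list of "trusted" install prefixes are this example's own assumptions, and the result is a review list, not a verdict: per-user installs in AppData are common and legitimate, and orphaned add-on entries are clean-up items rather than evidence of infection.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the HijackThis log posted above. The "127.0.0.1 liveupdate.example.test"
# hosts line is CONSTRUCTED for this example and does not appear in the posted log.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 liveupdate.example.test
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKCU\..\Run: [del] C:\Users\del\del.exe /i
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"""

# O4 autorun line: hive, value name in [brackets], then the command line.
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O1 hosts line: address then hostname.
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<addr>\S+) (?P<host>\S+)")
# First executable path in a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr|bat|cmd))"?', re.IGNORECASE)

# Assumed expansions and trusted install locations (this example's own choices).
ENV_EXPANSIONS = {
    "%programfiles%": "c:\\program files",
    "%systemroot%": "c:\\windows",
    "%windir%": "c:\\windows",
}
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\progra~1\\",  # 8.3 short name for Program Files, as HijackThis prints it
)


@dataclass(frozen=True)
class Finding:
    kind: str   # which check tripped
    line: str   # the log line, verbatim, for the human reviewer


def normalize_path(path: str) -> str:
    """Lower-case the path and expand the few environment variables HJT leaves in."""
    p = path.lower()
    for var, real in ENV_EXPANSIONS.items():
        p = p.replace(var, real)
    return p


def classify_autorun(path: str) -> Optional[str]:
    """Return a reason string if an autorun target sits somewhere worth a second look."""
    p = normalize_path(path)
    if p.startswith("c:\\users\\") or "\\appdata\\" in p:
        return "autorun from user profile"
    if not p.startswith(TRUSTED_PREFIXES):
        return "autorun outside Windows/Program Files"
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan O1/O2/O3/O4 lines of a HijackThis log and collect entries to review by hand."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        run = RUN_RE.match(line)
        if run:
            exe = EXE_RE.match(run.group("cmd"))
            reason = classify_autorun(exe.group("path")) if exe else "autorun with unparsable command"
            if reason:
                findings.append(Finding(reason, line))
            continue
        hosts = HOSTS_RE.match(line)
        if hosts:
            # Loopback names are normal; any other name in hosts is a redirection to explain.
            if hosts.group("host").lower() != "localhost":
                findings.append(Finding("hosts file override", line))
            continue
        if line.startswith(("O2 - BHO:", "O3 - Toolbar:")) and line.endswith(("(file missing)", "(no file)")):
            # Leftover registrations from uninstalled add-ons: clean-up items, not proof of infection.
            findings.append(Finding("orphaned browser add-on entry", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}")
```

Run against the excerpt, `triage()` reports the `del.exe` autorun, the two orphaned AVG/unnamed BHO entries and the constructed hosts line, and stays quiet on the Defender, Dell and Sidebar entries because their targets resolve under the trusted prefixes.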


#2 thcbytes (Malware Response Team, 14,790 posts)

Posted 08 June 2009 - 09:16 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 Lammy (Topic Starter, Members, 4 posts)

Posted 09 June 2009 - 04:53 PM

Thanks for the reply. I have done what was requested and the log is below. Basically when I search on google and click a result, I get taken to another web address totally different from the one I clicked on. Plus, in order to get SUPER anti spyware and Malware Bytes to run, I have had to change the names of their .exe files so that the malware didn't block them. Norton also freezes while scanning saying 'items scanned: 0'. Any help would be greatly appreciated.

Thanks
Sam

This is the log



DDS (Ver_09-05-14.01) - NTFSx86
Run by del at 22:48:42.92 on 09/06/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2037.879 [GMT 1:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\del\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [del] c:\users\del\del.exe /i
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1241544084429&h=26ae97823486b0dd35757976c33c12ba/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\del\appdata\roaming\mozilla\firefox\profiles\ak1vg57x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-26 64160]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20090604.002\IDSvix86.sys [2009-6-9 272432]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_c09c50a2\AEstSrv.exe [2009-5-14 73728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-4 101936]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-1-9 111616]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2009-1-9 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2009-1-9 7424]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]

=============== Created Last 30 ================

2009-06-04 00:45 <DIR> --d----- c:\users\del\appdata\roaming\Reallusion
2009-06-02 20:05 <DIR> --d----- c:\program files\Delta
2009-06-02 20:04 <DIR> --d--r-- c:\users\del\Games
2009-06-02 20:03 <DIR> --d----- C:\bios
2009-06-02 20:03 <DIR> --d----- C:\docs
2009-06-02 20:03 <DIR> --d----- C:\cheats
2009-06-02 14:23 <DIR> --d----- c:\program files\iPod
2009-06-02 14:23 <DIR> --d----- c:\program files\iTunes
2009-05-31 22:58 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-31 22:58 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-27 16:28 <DIR> --d----- c:\program files\Lame for Audacity
2009-05-27 16:27 <DIR> --d----- c:\program files\Audacity
2009-05-26 20:48 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-26 19:38 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-26 19:31 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-26 19:31 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-26 19:30 <DIR> --d----- c:\programdata\Lavasoft
2009-05-26 19:30 <DIR> --d----- c:\program files\Lavasoft
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts
2009-05-26 15:49 <DIR> --d----- c:\program files\iPod PC Transfer Photo
2009-05-26 13:46 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-05-26 13:46 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-05-26 13:33 137,558,520 a------- c:\windows\MEMORY.DMP
2009-05-26 13:32 <DIR> --d----- c:\users\del\appdata\roaming\SUPERAntiSpyware.com
2009-05-26 13:32 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-26 12:03 <DIR> --d----- c:\users\del\appdata\roaming\Malwarebytes
2009-05-26 11:52 <DIR> --d----- c:\programdata\Malwarebytes
2009-05-26 11:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-26 11:52 <DIR> --d----- c:\progra~2\Malwarebytes
2009-05-26 00:14 <DIR> --d----- c:\users\del\appdata\roaming\Symantec
2009-05-26 00:10 <DIR> --d----- c:\program files\Norton 360
2009-05-26 00:09 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-26 00:09 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-26 00:09 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-05-26 00:08 <DIR> --d----- c:\program files\Symantec
2009-05-26 00:07 <DIR> --d----- c:\programdata\Symantec
2009-05-26 00:07 <DIR> --d----- c:\progra~2\Symantec
2009-05-26 00:07 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-05-25 22:44 <DIR> --d----- c:\users\del\appdata\roaming\CopyTransPhoto
2009-05-22 18:09 1,601,536 a------- c:\windows\system32\stlang.dll
2009-05-22 18:09 647,168 a------- c:\windows\system32\aestecap.dll
2009-05-22 18:09 102,400 a------- c:\windows\system32\stacsv.exe
2009-05-22 18:09 73,728 a------- c:\windows\system32\AEstSrv.exe
2009-05-22 18:09 4,947,968 a------- c:\windows\system32\stacgui.cpl
2009-05-22 00:18 <DIR> --d----- c:\users\del\{67cebde6-c5a4-40ce-b344-0d2852ce1b11}
2009-05-21 23:33 76 ---shr-- c:\windows\CT4CET.bin
2009-05-21 23:33 <DIR> --d----- c:\program files\common files\Reallusion
2009-05-21 23:32 5,627,904 a------- c:\windows\system32\LiveCamVirtual.ocx
2009-05-21 23:32 <DIR> --d----- c:\program files\Creative Live! Cam
2009-05-21 23:31 <DIR> --d----- c:\program files\Creative
2009-05-21 22:35 <DIR> --d----- c:\programdata\WildTangent
2009-05-21 22:35 <DIR> --d----- c:\progra~2\WildTangent
2009-05-14 22:25 131,072 a------- c:\windows\system32\aestacap.dll
2009-05-14 22:24 527,872 a------- c:\windows\system32\stapo.dll
2009-05-14 22:24 328,704 a------- c:\windows\system32\stcplx.dll
2009-05-14 22:24 312,320 a------- c:\windows\system32\stapi32.dll
2009-05-14 22:22 330,752 a------- c:\windows\system32\drivers\stwrt.sys
2009-05-14 22:22 150,016 a------- c:\windows\system32\st325866.dll
2009-05-12 17:30 <DIR> --d----- c:\users\del\AFC7E0039CA84F68AAB2155D0CDF5AED.TMP
2009-05-12 17:02 <DIR> --d----- c:\program files\IDM Computer Solutions
2009-05-12 16:32 97,800 a------- c:\windows\system32\infocardapi.dll
2009-05-12 16:32 622,080 a------- c:\windows\system32\icardagt.exe
2009-05-12 16:32 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-05-12 16:32 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-05-12 16:32 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-05-12 16:32 11,264 a------- c:\windows\system32\icardres.dll
2009-05-12 16:32 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-05-12 16:32 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-05-12 16:26 96,760 a------- c:\windows\system32\dfshim.dll
2009-05-12 16:26 282,112 a------- c:\windows\system32\mscoree.dll
2009-05-12 16:26 41,984 a------- c:\windows\system32\netfxperf.dll
2009-05-12 16:26 158,720 a------- c:\windows\system32\mscorier.dll
2009-05-12 16:26 83,968 a------- c:\windows\system32\mscories.dll
2009-05-11 20:12 <DIR> --d----- c:\users\del\appdata\roaming\Red Kawa
2009-05-11 19:56 <DIR> --d----- c:\program files\Regensoft
2009-05-11 19:56 <DIR> --d----- c:\program files\AviSynth 2.5
2009-05-11 19:56 <DIR> --d----- c:\program files\Red Kawa
2009-05-11 19:50 <DIR> --d----- c:\program files\DVD Decrypter
2009-05-11 16:17 <DIR> --d----- c:\programdata\Adobe

==================== Find3M ====================

2009-06-02 14:19 86,016 a------- c:\windows\inf\infstrng.dat
2009-06-02 14:19 86,016 a------- c:\windows\inf\infstor.dat
2009-06-02 14:19 51,200 a------- c:\windows\inf\infpub.dat
2009-05-26 13:32 376,941,822 a------- c:\windows\DUMP4c4b.tmp
2009-05-06 12:56 665,600 a------- c:\windows\inf\drvindex.dat
2009-05-05 18:22 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-17 04:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-17 04:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-17 04:38 24,064 a------- c:\windows\system32\amxread.dll
2008-01-21 03:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 22:50:27.53 ===============

Edited by Lammy, 09 June 2009 - 04:58 PM.


#4 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 11 June 2009 - 07:01 PM

Hi Lammy,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please give me a little time to go through your log and I will get back to you with your first instructions. Don't worry I won't abandon you.
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks
m0le is a proud member of UNITE

#5 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 11 June 2009 - 07:22 PM

Hi lammy,

Nothing is coming up on the logs so let's look a bit deeper.

If any of these tools fail to work then please try again but rename them. Please also let me know if this had to be done.

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Then

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Thanks

#6 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 14 June 2009 - 03:48 AM

Hi Lammy,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open.

If you like you can PM me.

Thanks,


m0le

#7 Lammy (Topic Starter, Members, 4 posts)

Posted 14 June 2009 - 06:42 PM

Thanks for your help.
OK I tried installing GMER but every time it scanned it would always close part way through saying the program wasn't responding.

However here is the OTL log:

OTL logfile created on: 15/06/2009 00:30:39 - Run 1
OTL by OldTimer - Version 2.1.1.0 Folder = C:\Users\del\Downloads
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.99 Gb Total Physical Memory | 1.07 Gb Available Physical Memory | 53.68% Memory free
4.00 Gb Paging File | 2.93 Gb Available in Paging File | 73.31% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 295.04 Gb Total Space | 207.26 Gb Free Space | 70.25% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SAM-PC
Current User Name: del
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2007/12/08 15:34:40 | 00,024,064 | ---- | M] () -- C:\Windows\System32\WLTRYSVC.EXE
PRC - [2007/12/08 15:34:10 | 02,506,752 | ---- | M] (Dell Inc.) -- C:\Windows\System32\bcmwltry.exe
PRC - [2008/10/17 15:52:10 | 00,149,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2008/10/29 07:29:41 | 02,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Explorer.EXE
PRC - [2008/01/21 03:23:32 | 01,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2008/02/15 10:41:50 | 00,141,848 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxtray.exe
PRC - [2008/02/15 10:41:34 | 00,166,424 | ---- | M] (Intel Corporation) -- C:\Windows\System32\hkcmd.exe
PRC - [2008/02/15 10:41:44 | 00,133,656 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxpers.exe
PRC - [2007/05/10 02:01:00 | 00,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe
PRC - [2007/12/08 15:34:40 | 03,444,736 | ---- | M] (Dell Inc.) -- C:\Windows\System32\WLTRAY.EXE
PRC - [2007/10/25 14:31:20 | 00,167,936 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2008/02/15 10:41:46 | 00,256,536 | ---- | M] (Intel Corporation) -- C:\Windows\system32\igfxsrvc.exe
PRC - [2007/11/01 15:39:28 | 00,189,736 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\MediaDirect\PCMService.exe
PRC - [2009/05/05 18:22:28 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2007/07/27 16:43:34 | 00,118,784 | ---- | M] (Creative Technology Ltd.) -- C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
PRC - [2008/02/15 18:23:20 | 00,405,504 | ---- | M] (IDT, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
PRC - [2009/05/30 12:30:26 | 00,292,136 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2008/10/17 15:52:10 | 00,149,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2008/01/21 03:23:29 | 01,233,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Sidebar\sidebar.exe
PRC - [2008/01/21 03:25:33 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2007/09/20 15:31:10 | 00,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
PRC - [2009/05/29 13:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/02/15 18:25:34 | 00,102,400 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe
PRC - [2008/01/21 03:25:33 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe
PRC - [2009/05/30 12:30:20 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008/02/21 23:02:53 | 00,238,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
PRC - [2007/05/22 15:18:56 | 00,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2006/09/08 16:10:22 | 00,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\HidFind.exe
PRC - [2007/06/06 17:44:44 | 00,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apntex.exe
PRC - [2009/05/26 00:10:41 | 01,245,064 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PRC - [2009/06/12 00:19:05 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/06/15 00:30:10 | 00,501,760 | ---- | M] (OldTimer Tools) -- C:\Users\del\Downloads\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/09/20 15:31:10 | 00,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe -- (AESTFilters [Auto | Running])
SRV - [2009/05/29 13:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/02/21 23:02:53 | 00,238,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler [Auto | Running])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/10/17 15:52:10 | 00,149,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr [Auto | Running])
SRV - [2008/10/17 15:52:10 | 00,149,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr [Auto | Running])
SRV - [2008/07/27 19:03:13 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/10/17 15:52:10 | 00,149,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService [Auto | Running])
SRV - [2007/08/22 09:21:30 | 00,055,640 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe -- (comHost [On_Demand | Stopped])
SRV - [2008/01/21 03:25:09 | 00,292,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand | Stopped])
SRV - [2006/11/02 13:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Stopped])
SRV - [2006/11/02 13:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart [Auto | Stopped])
SRV - [2008/06/20 02:14:44 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/06/20 02:14:31 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/05/30 12:30:20 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/05/26 19:37:26 | 01,005,904 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Stopped])
SRV - [2008/09/05 11:52:32 | 03,220,856 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate [On_Demand | Stopped])
SRV - [2008/10/17 15:52:10 | 00,149,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (LiveUpdate Notice [Auto | Running])
SRV - [2008/06/20 02:14:31 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2008/02/15 18:25:34 | 00,102,400 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe -- (STacSV [Auto | Running])
SRV - [2009/05/26 00:10:41 | 01,245,064 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC [On_Demand | Running])
SRV - [2008/01/21 03:23:32 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [Auto | Running])
SRV - [2007/12/08 15:34:40 | 00,024,064 | ---- | M] () -- C:\Windows\System32\WLTRYSVC.EXE -- (wltrysvc [Auto | Running])
SRV - [2008/01/21 03:25:33 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2008/01/21 03:23:21 | 00,422,968 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx [Disabled | Stopped])
DRV - [2008/01/21 03:23:25 | 00,300,600 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci [Disabled | Stopped])
DRV - [2008/01/21 03:23:26 | 00,101,432 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m [Disabled | Stopped])
DRV - [2008/01/21 03:23:27 | 00,149,560 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320 [Disabled | Stopped])
DRV - [2006/11/02 10:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx [Disabled | Stopped])
DRV - [2008/01/21 03:23:00 | 00,017,464 | ---- | M] (Acer Laboratories Inc.) -- C:\Windows\system32\drivers\aliide.sys -- (aliide [Disabled | Stopped])
DRV - [2007/12/26 21:02:52 | 00,164,400 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Windows\system32\DRIVERS\Apfiltr.sys -- (ApfiltrService [On_Demand | Running])
DRV - [2008/01/21 03:23:23 | 00,079,416 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arc.sys -- (arc [Disabled | Stopped])
DRV - [2008/01/21 03:23:24 | 00,079,928 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas [Disabled | Stopped])
DRV - [2007/12/06 22:52:42 | 01,044,984 | ---- | M] (Broadcom Corp.) -- C:\Windows\system32\DRIVERS\bcmwl6.sys -- (BCM43XX [On_Demand | Running])
DRV - [2006/11/02 09:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo [On_Demand | Stopped])
DRV - [2006/11/02 09:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp [On_Demand | Stopped])
DRV - [2006/11/02 09:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserid.sys -- (Brserid [Disabled | Stopped])
DRV - [2006/11/02 09:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm [Disabled | Stopped])
DRV - [2006/11/02 09:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm [Disabled | Stopped])
DRV - [2006/11/02 09:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer [On_Demand | Stopped])
DRV - [2008/01/21 03:23:00 | 00,019,000 | ---- | M] (CMD Technology, Inc.) -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide [Disabled | Stopped])
DRV - [2008/07/30 17:42:12 | 00,023,888 | ---- | M] (Symantec Corporation) -- C:\Windows\system32\Drivers\COH_Mon.sys -- (COH_Mon [On_Demand | Stopped])
DRV - [2007/08/09 01:39:56 | 00,036,056 | ---- | M] (Symantec Corporation) -- C:\Windows\system32\drivers\CO_Mon.sys -- (CO_Mon [Auto | Running])
DRV - [2008/01/21 03:23:24 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\Windows\system32\DRIVERS\E1G60I32.sys -- (E1G60 [On_Demand | Stopped])
DRV - [2009/05/25 01:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2008/01/21 03:23:22 | 00,342,584 | ---- | M] (Emulex) -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor [Disabled | Stopped])
DRV - [2009/05/25 01:00:00 | 00,101,936 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\Windows\system32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2008/01/21 03:23:26 | 00,040,504 | ---- | M] (Hewlett-Packard Company) -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs [Disabled | Stopped])
DRV - [2008/01/21 03:23:22 | 00,200,704 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\system32\DRIVERS\VSTAZL3.SYS -- (HSFHWAZL [On_Demand | Running])
DRV - [2008/01/21 03:23:22 | 00,987,648 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\system32\DRIVERS\VSTDPV3.SYS -- (HSF_DPV [On_Demand | Running])
DRV - [2008/01/21 03:23:23 | 00,235,064 | ---- | M] (Intel Corporation) -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV [Disabled | Stopped])
DRV - [2009/05/20 00:42:54 | 00,272,432 | ---- | M] (Symantec Corporation) -- C:\ProgramData\Symantec\Definitions\SymcData\ipsdefs\20090610.001\IDSvix86.sys -- (IDSvix86 [System | Running])
DRV - [2008/01/02 17:48:28 | 02,016,256 | ---- | M] (Intel Corporation) -- C:\Windows\system32\DRIVERS\igdkmd32.sys -- (igfx [On_Demand | Running])
DRV - [2006/11/02 10:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp [Disabled | Stopped])
DRV - [2007/06/07 00:21:32 | 00,111,616 | ---- | M] (Intel® Corporation) -- C:\Windows\system32\drivers\IntcHdmi.sys -- (IntcHdmiAddService [On_Demand | Running])
DRV - [2006/11/02 10:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi [Disabled | Stopped])
DRV - [2006/11/02 10:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid [Disabled | Stopped])
DRV - [2009/05/26 19:37:49 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\Windows\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
DRV - [2008/01/21 03:23:23 | 00,096,312 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC [Disabled | Stopped])
DRV - [2008/01/21 03:23:25 | 00,089,656 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS [Disabled | Stopped])
DRV - [2008/01/21 03:23:23 | 00,096,312 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI [Disabled | Stopped])
DRV - [2008/01/21 03:23:27 | 00,031,288 | ---- | M] (LSI Corporation) -- C:\Windows\system32\drivers\megasas.sys -- (megasas [Disabled | Stopped])
DRV - [2008/01/21 03:23:27 | 00,386,616 | ---- | M] (LSI Corporation, Inc.) -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR [Disabled | Stopped])
DRV - [2006/11/02 10:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x [Disabled | Stopped])
DRV - [2009/05/25 01:00:00 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\ProgramData\Symantec\Definitions\VirusDefs\20090613.023\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/05/25 01:00:00 | 00,876,144 | ---- | M] (Symantec Corporation) -- C:\ProgramData\Symantec\Definitions\VirusDefs\20090613.023\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2006/11/02 10:50:19 | 00,045,160 | ---- | M] (IBM Corporation) -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960 [Disabled | Stopped])
DRV - [2006/11/02 08:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi [Disabled | Stopped])
DRV - [2008/01/21 03:23:21 | 00,102,968 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid [Disabled | Stopped])
DRV - [2008/01/21 03:23:21 | 00,045,112 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor [Disabled | Stopped])
DRV - [2007/07/18 02:02:00 | 00,235,520 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\system32\DRIVERS\OEM02Dev.sys -- (OEM02Dev [On_Demand | Running])
DRV - [2007/03/05 19:45:00 | 00,007,424 | ---- | M] (EyePower Games Pte. Ltd.) -- C:\Windows\system32\DRIVERS\OEM02Vfx.sys -- (OEM02Vfx [On_Demand | Running])
DRV - [2008/01/21 03:23:24 | 01,122,360 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300 [Disabled | Stopped])
DRV - [2006/11/02 10:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx [Disabled | Stopped])
DRV - [2007/02/24 15:42:22 | 00,039,936 | ---- | M] (REDC) -- C:\Windows\system32\DRIVERS\rimmptsk.sys -- (rimmptsk [Auto | Running])
DRV - [2007/01/23 17:40:20 | 00,042,496 | ---- | M] (REDC) -- C:\Windows\system32\DRIVERS\rimsptsk.sys -- (rimsptsk [Auto | Running])
DRV - [2007/03/21 23:02:04 | 00,037,376 | ---- | M] (REDC) -- C:\Windows\system32\DRIVERS\rixdptsk.sys -- (rismxdp [Auto | Running])
DRV - [2006/11/02 07:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv [Auto | Running])
DRV - [2008/01/21 03:23:26 | 00,074,808 | ---- | M] (Silicon Integrated Systems) -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4 [Disabled | Stopped])
DRV - [2009/03/17 12:56:58 | 00,447,024 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [System | Running])
DRV - [2008/02/01 02:51:16 | 00,279,088 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\SRTSP.SYS -- (SRTSP [On_Demand | Running])
DRV - [2008/02/01 02:51:16 | 00,317,616 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\SRTSPL.SYS -- (SRTSPL [On_Demand | Stopped])
DRV - [2008/02/01 02:51:16 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\SRTSPX.SYS -- (SRTSPX [System | Running])
DRV - [2008/02/15 18:27:02 | 00,330,752 | ---- | M] (IDT, Inc.) -- C:\Windows\system32\drivers\stwrt.sys -- (STHDA [On_Demand | Running])
DRV - [2006/11/02 10:50:05 | 00,035,944 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx [Disabled | Stopped])
DRV - [2009/02/19 13:31:16 | 00,013,616 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\SYMDNS.SYS -- (SYMDNS [On_Demand | Running])
DRV - [2009/05/29 17:19:51 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\Windows\system32\Drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2009/02/19 13:31:16 | 00,096,560 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\SYMFW.SYS -- (SYMFW [On_Demand | Running])
DRV - [2009/02/19 13:31:42 | 00,024,112 | ---- | M] (Symantec Corporation) -- C:\Windows\system32\DRIVERS\SymIMv.sys -- (SymIM [System | Running])
DRV - [2009/02/19 13:31:18 | 00,041,008 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\SYMNDISV.SYS -- (SYMNDISV [On_Demand | Running])
DRV - [2009/02/19 13:31:16 | 00,022,320 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Running])
DRV - [2009/02/19 13:31:16 | 00,184,496 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])
DRV - [2006/11/02 10:49:56 | 00,031,848 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi [Disabled | Stopped])
DRV - [2006/11/02 10:50:03 | 00,034,920 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3 [Disabled | Stopped])
DRV - [2008/01/21 03:23:20 | 00,238,648 | ---- | M] (ULi Electronics Inc.) -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci [Disabled | Stopped])
DRV - [2006/11/02 10:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata [Disabled | Stopped])
DRV - [2008/01/21 03:23:23 | 00,115,816 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2 [Disabled | Stopped])
DRV - [2009/05/29 13:36:16 | 00,039,424 | ---- | M] (Apple, Inc.) -- C:\Windows\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2008/01/21 03:23:00 | 00,020,024 | ---- | M] (VIA Technologies, Inc.) -- C:\Windows\system32\drivers\viaide.sys -- (viaide [Disabled | Stopped])
DRV - [2008/01/21 03:23:23 | 00,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid [Disabled | Stopped])
DRV - [2008/01/21 03:23:23 | 00,654,336 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\system32\DRIVERS\VSTCNXT3.SYS -- (winachsf [On_Demand | Running])
DRV - [2008/01/21 03:23:22 | 00,521,216 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\DRIVERS\xnacc.sys -- (xnacc [On_Demand | Stopped])
DRV - [2007/09/17 11:22:00 | 00,278,528 | ---- | M] (Marvell) -- C:\Windows\system32\DRIVERS\yk60x86.sys -- (yukonwlh [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1099081143-1348963299-4182460324-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKU\S-1-5-21-1099081143-1348963299-4182460324-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-1099081143-1348963299-4182460324-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKU\S-1-5-21-1099081143-1348963299-4182460324-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1099081143-1348963299-4182460324-1000\S-1-5-21-1099081143-1348963299-4182460324-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1099081143-1348963299-4182460324-1000\S-1-5-21-1099081143-1348963299-4182460324-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.facebook.com"
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19
FF - prefs.js..extensions.enabledItems: es-es@dictionaries.addons.mozilla.org:1.2.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.11

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/05/12 16:35:50 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/06/12 00:19:07 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/06/12 00:19:07 | 00,000,000 | ---D | M]

[2009/05/05 18:21:40 | 00,000,000 | ---D | M] -- C:\Users\del\AppData\Roaming\mozilla\Extensions
[2009/05/05 18:21:40 | 00,000,000 | ---D | M] -- C:\Users\del\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/06/14 18:10:41 | 00,000,000 | ---D | M] -- C:\Users\del\AppData\Roaming\mozilla\Firefox\Profiles\ak1vg57x.default\extensions
[2009/05/12 21:26:01 | 00,000,000 | ---D | M] -- C:\Users\del\AppData\Roaming\mozilla\Firefox\Profiles\ak1vg57x.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2009/05/12 21:26:01 | 00,000,000 | ---D | M] -- C:\Users\del\AppData\Roaming\mozilla\Firefox\Profiles\ak1vg57x.default\extensions\es-es@dictionaries.addons.mozilla.org
[2009/05/05 18:23:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/06/12 00:19:07 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/05/05 18:23:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/06/12 00:19:05 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/06/12 00:19:05 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/03/31 22:47:26 | 00,324,976 | ---- | M] (Symantec Corporation) -- C:\Program Files\mozilla firefox\components\coFFPlgn.dll
[2008/01/04 16:36:50 | 00,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2006/07/05 19:47:38 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/01/04 16:36:50 | 00,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2008/03/08 10:35:22 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/09/22 20:14:04 | 00,000,759 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2008/04/16 05:08:20 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/03/28 19:11:14 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/01/04 16:36:50 | 00,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (761 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - Reg Error: Key error. File not found
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Show Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL File not found
O3 - HKU\S-1-5-21-1099081143-1348963299-4182460324-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe (Dell Inc.)
O4 - HKLM..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
O4 - HKLM..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s (Creative Technology Ltd.)
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe" (Symantec Corporation)
O4 - HKLM..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe" (CyberLink Corp.)
O4 - HKLM..\Run: [Persistence] C:\Windows\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter File not found
O4 - HKU\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter File not found
O4 - HKU\S-1-5-21-1099081143-1348963299-4182460324-1000..\Run: [del] C:\Users\del\del.exe /i File not found
O4 - HKU\S-1-5-21-1099081143-1348963299-4182460324-1000..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (Microsoft Corporation)
O4 - HKU\S-1-5-21-1099081143-1348963299-4182460324-1000..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [@%SystemRoot%\system32\nlasvc.dll,-1000] - C:\Windows\system32\NLAapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [@%SystemRoot%\system32\napinsp.dll,-1000] - C:\Windows\system32\napinsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [@%SystemRoot%\system32\pnrpnsp.dll,-1000] - C:\Windows\system32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [@%SystemRoot%\system32\pnrpnsp.dll,-1001] - C:\Windows\system32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll File not found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\system32\igfxdev.dll (Intel Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/06/12 00:19:08 | 00,000,000 | ---D | M]
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[1 C:\Windows\*.tmp files]
[2009/06/13 23:17:46 | 00,428,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2009/06/13 23:17:46 | 00,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisdecd.dll
[2009/06/13 23:17:46 | 00,217,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisrndr.ax
[2009/06/13 23:17:45 | 00,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2009/06/13 23:17:45 | 00,080,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax
[2009/06/11 23:05:20 | 02,033,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2009/06/11 23:05:15 | 00,636,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\localspl.dll
[2009/06/11 23:05:12 | 00,784,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rpcrt4.dll
[2009/06/11 23:05:02 | 03,581,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll
[2009/06/11 23:05:00 | 06,069,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieframe.dll
[2009/06/11 23:04:59 | 01,166,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\urlmon.dll
[2009/06/11 23:04:58 | 00,827,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wininet.dll
[2009/06/11 23:04:58 | 00,270,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iertutil.dll
[2009/06/11 23:04:57 | 00,458,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2009/06/11 23:04:57 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2009/06/11 23:04:56 | 00,389,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2009/06/11 23:04:56 | 00,230,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2009/06/11 23:04:56 | 00,102,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\occache.dll
[2009/06/11 23:04:56 | 00,026,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2009/06/11 23:04:55 | 00,671,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2009/06/11 23:04:55 | 00,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll
[2009/06/11 23:04:55 | 00,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2009/06/11 23:04:54 | 01,383,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2009/06/09 23:15:23 | 00,000,000 | ---D | C] -- C:\Users\del\Documents\Remote Assistance Logs
[2009/06/09 22:57:54 | 00,001,890 | ---- | C] () -- C:\Users\del\Documents\Attachment.zip
[2009/06/04 00:49:35 | 00,000,000 | ---D | C] -- C:\Users\del\Documents\Dell Webcam Center
[2009/06/04 00:49:29 | 00,000,000 | ---D | C] -- C:\Users\del\AppData\Roaming\Creative
[2009/06/04 00:45:58 | 00,000,000 | ---D | C] -- C:\Users\del\AppData\Roaming\Reallusion
[2009/06/02 20:05:14 | 00,000,000 | ---D | C] -- C:\Program Files\Delta
[2009/06/02 20:03:36 | 00,000,000 | ---D | C] -- C:\bios
[2009/06/02 20:03:35 | 00,000,000 | ---D | C] -- C:\docs
[2009/06/02 20:03:35 | 00,000,000 | ---D | C] -- C:\cheats
[2009/06/02 14:23:21 | 00,001,804 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2009/06/02 14:23:06 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/06/02 14:23:00 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/06/02 14:21:34 | 00,001,686 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2009/06/02 14:21:21 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/06/02 14:04:28 | 00,001,854 | ---- | C] () -- C:\Users\Public\Desktop\Safari.lnk
[2009/06/02 14:04:08 | 00,000,000 | ---D | C] -- C:\Program Files\Safari
[2009/05/31 22:58:23 | 00,000,778 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/31 22:58:21 | 00,040,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/05/31 22:58:19 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/05/27 16:28:24 | 00,000,000 | ---D | C] -- C:\Program Files\Lame for Audacity
[2009/05/27 16:27:55 | 00,000,712 | ---- | C] () -- C:\Users\del\Desktop\Audacity.lnk
[2009/05/27 16:27:54 | 00,000,000 | ---D | C] -- C:\Program Files\Audacity
[2009/05/27 16:14:59 | 00,480,056 | ---- | C] () -- C:\Users\del\Documents\bum willy.wav
[2009/05/26 20:48:06 | 00,015,688 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2009/05/26 20:06:08 | 00,001,610 | ---- | C] () -- C:\Users\del\Desktop\CopyPod.lnk
[2009/05/26 19:38:36 | 00,000,472 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2009/05/26 19:38:27 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\Windows\System32\drivers\Lbd.sys
[2009/05/26 19:31:02 | 00,000,967 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2009/05/26 19:30:53 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/05/26 18:58:13 | 21,349,82656 | -HS- | C] () -- C:\hiberfil.sys
[2009/05/26 15:49:28 | 00,000,837 | ---- | C] () -- C:\Users\Public\Desktop\iPod PC Transfer Photo.lnk
[2009/05/26 15:49:27 | 00,000,000 | ---D | C] -- C:\Program Files\iPod PC Transfer Photo
[2009/05/26 13:36:02 | 00,000,000 | ---D | C] -- C:\Windows\Minidump
[2009/05/26 13:33:08 | 13,755,8520 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2009/05/26 13:32:16 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/05/26 13:32:16 | 00,000,000 | ---D | C] -- C:\Users\del\AppData\Roaming\SUPERAntiSpyware.com
[2009/05/26 13:32:16 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/05/26 12:03:12 | 00,000,000 | ---D | C] -- C:\Users\del\AppData\Roaming\Malwarebytes
[2009/05/26 11:52:30 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/26 00:14:28 | 00,000,000 | ---D | C] -- C:\Users\del\AppData\Roaming\Symantec
[2009/05/26 00:14:10 | 00,001,714 | ---- | C] () -- C:\Users\Public\Desktop\Norton 360.lnk
[2009/05/26 00:10:50 | 00,000,000 | ---D | C] -- C:\Program Files\Norton 360
[2009/05/26 00:09:13 | 00,124,464 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2009/05/26 00:09:13 | 00,010,635 | ---- | C] () -- C:\Windows\System32\drivers\SYMEVENT.CAT
[2009/05/26 00:09:13 | 00,000,806 | ---- | C] () -- C:\Windows\System32\drivers\SYMEVENT.INF
[2009/05/26 00:08:53 | 00,000,000 | ---D | C] -- C:\Program Files\Symantec
[2009/05/26 00:07:49 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2009/05/25 23:01:51 | 00,013,312 | ---- | C] () -- C:\Windows\System32\BASSMOD.dll
[2009/05/25 22:47:17 | 00,000,000 | ---D | C] -- C:\RECYCLER
[2009/05/25 22:44:13 | 00,000,000 | ---D | C] -- C:\Users\del\AppData\Roaming\CopyTransPhoto
[2009/05/22 18:09:40 | 00,102,400 | ---- | C] (IDT, Inc.) -- C:\Windows\System32\stacsv.exe
[2009/05/22 18:09:39 | 04,947,968 | ---- | C] (IDT, Inc.) -- C:\Windows\System32\stacgui.cpl
[2009/05/21 23:33:48 | 00,000,076 | RHS- | C] () -- C:\Windows\CT4CET.bin
[2009/05/21 23:33:31 | 00,000,000 | ---D | C] -- C:\Users\Public\Documents\Reallusion
[2009/05/21 23:33:21 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Reallusion
[2009/05/21 23:32:46 | 05,627,904 | ---- | C] (Reallusion Inc.) -- C:\Windows\System32\LiveCamVirtual.ocx
[2009/05/21 23:32:18 | 00,000,000 | ---D | C] -- C:\Program Files\Creative Live! Cam
[2009/05/21 23:31:37 | 00,000,000 | ---D | C] -- C:\Program Files\Creative
[2009/01/09 22:28:55 | 00,054,784 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2009/01/09 22:28:45 | 00,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2009/01/09 22:26:39 | 01,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
[2009/01/09 22:26:39 | 01,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
[2009/01/09 22:26:39 | 00,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
[2009/01/09 22:26:39 | 00,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2009/01/09 22:26:39 | 00,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll
[2006/11/02 13:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 11:23:31 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini
[2006/11/02 11:23:31 | 00,000,144 | ---- | C] () -- C:\Windows\win.ini
[2006/11/02 08:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== Files - Modified Within 30 Days ==========

[1 C:\Windows\*.tmp files]
[2009/06/15 00:30:30 | 00,000,414 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{5D73B2FB-0BDA-4960-90BA-A5841DC72C22}.job
[2009/06/14 23:56:45 | 00,003,840 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/06/14 23:56:45 | 00,003,840 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/06/14 18:14:01 | 00,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/06/14 18:14:01 | 00,600,378 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/06/14 18:14:01 | 00,105,852 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/06/14 17:56:43 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/06/14 17:56:39 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/06/14 17:56:18 | 21,349,82656 | -HS- | M] () -- C:\hiberfil.sys
[2009/06/12 12:34:14 | 00,261,288 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/06/09 22:58:08 | 00,001,890 | ---- | M] () -- C:\Users\del\Documents\Attachment.zip
[2009/06/09 19:38:36 | 00,000,472 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2009/06/05 07:36:12 | 13,755,8520 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/06/02 14:23:21 | 00,001,804 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2009/06/02 14:21:34 | 00,001,686 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2009/06/02 14:04:28 | 00,001,854 | ---- | M] () -- C:\Users\Public\Desktop\Safari.lnk
[2009/06/01 17:51:12 | 23,635,392 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mrt.exe
[2009/05/31 22:58:23 | 00,000,778 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/29 17:19:51 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2009/05/29 17:19:51 | 00,010,635 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.CAT
[2009/05/29 17:19:51 | 00,000,806 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.INF
[2009/05/27 16:27:55 | 00,000,712 | ---- | M] () -- C:\Users\del\Desktop\Audacity.lnk
[2009/05/27 16:14:59 | 00,480,056 | ---- | M] () -- C:\Users\del\Documents\bum willy.wav
[2009/05/26 20:06:08 | 00,001,610 | ---- | M] () -- C:\Users\del\Desktop\CopyPod.lnk
[2009/05/26 19:38:15 | 00,015,688 | ---- | M] () -- C:\Windows\System32\lsdelete.exe
[2009/05/26 19:37:49 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\Windows\System32\drivers\Lbd.sys
[2009/05/26 19:31:02 | 00,000,967 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2009/05/26 15:49:28 | 00,000,837 | ---- | M] () -- C:\Users\Public\Desktop\iPod PC Transfer Photo.lnk
[2009/05/26 13:20:08 | 00,040,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/05/26 13:19:56 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/05/26 00:14:10 | 00,001,714 | ---- | M] () -- C:\Users\Public\Desktop\Norton 360.lnk
[2009/05/25 23:01:51 | 00,013,312 | ---- | M] () -- C:\Windows\System32\BASSMOD.dll
[2009/05/21 23:33:48 | 00,000,076 | RHS- | M] () -- C:\Windows\CT4CET.bin
< End of report >


And here is the Extras log:

OTL Extras logfile created on: 15/06/2009 00:30:39 - Run 1
OTL by OldTimer - Version 2.1.1.0 Folder = C:\Users\del\Downloads
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.99 Gb Total Physical Memory | 1.07 Gb Available Physical Memory | 53.68% Memory free
4.00 Gb Paging File | 2.93 Gb Available in Paging File | 73.31% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 295.04 Gb Total Space | 207.26 Gb Free Space | 70.25% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SAM-PC
Current User Name: del
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-1099081143-1348963299-4182460324-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
File not found -- Reg Error: Unknown registry data type
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
"EnableFirewall" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
"EnableFirewall" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts\List

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

{0040BDAD-6350-420E-8772-A3FC98DB167B} = RPORT=1900 | PROTOCOL=17 | DIR=OUT | APP=%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE | SVC=SSDPSRV |
{02B6614C-8B2D-4F75-A1BB-C788BF6B7E23} = RPORT=2177 | PROTOCOL=17 | DIR=OUT | APP=%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE | SVC=QWAVE |
{0579A446-9DCA-4707-BE79-9B4C66129233} = LPORT=445 | PROTOCOL=6 | DIR=IN | APP=SYSTEM |
{0E79779D-20EF-483C-ADC7-9338B39B51BE} = RPORT=10243 | PROTOCOL=6 | DIR=OUT | APP=SYSTEM |
{0F8CFEB1-205D-4797-AF6A-F12FE49B3548} = RPORT=445 | PROTOCOL=6 | DIR=OUT | APP=SYSTEM |
{1C5CA7D3-A6FF-46B4-B223-4B41DC33123C} = LPORT=1900 | PROTOCOL=17 | DIR=IN | APP=SVCHOST.EXE | SVC=SSDPSRV |
{21D43B21-3B20-4950-8796-0A1220058AF1} = LPORT=1900 | PROTOCOL=17 | DIR=IN | APP=%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE | SVC=SSDPSRV |
{24ED459D-A2BC-4C55-A0B7-88C9728CFE38} = RPORT=2177 | PROTOCOL=6 | DIR=OUT | APP=%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE | SVC=QWAVE |
{304D566E-C895-4A4E-BF48-8BA426EA513E} = RPORT=5355 | PROTOCOL=17 | DIR=OUT | APP=%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE | SVC=DNSCACHE |
{30F52DA4-FE22-4544-9796-FEECE4A3A183} = LPORT=1900 | PROTOCOL=17 | DIR=IN | APP=%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE | SVC=SSDPSRV |
{399AE822-3C44-4269-85A0-B47D8DECC724} = LPORT=3702 | PROTOCOL=17 | DIR=IN | APP=%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE | SVC=FDRESPUB |
{4828051D-D164-4B77-A1DA-4E665F744D54} = LPORT=139 | PROTOCOL=6 | DIR=IN | APP=SYSTEM |
{5E839294-8257-4104-AEBD-55788F349836} = LPORT=3702 | PROTOCOL=17 | DIR=IN | APP=%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE | SVC=FDPHOST |
{62CF1214-20EC-4166-9DC6-7131B6DBDC4F} = LPORT=2177 | PROTOCOL=17 | DIR=IN | APP=%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE | SVC=QWAVE |
{80A7A9CE-2D1D-4A8C-A4D7-805E1F06207D} = LPORT=5355 | PROTOCOL=17 | DIR=IN | APP=%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE | SVC=DNSCACHE |
{9251C627-DAE3-4335-B9B7-29D182897335} = RPORT=3702 | PROTOCOL=17 | DIR=OUT | APP=%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE | SVC=FDRESPUB |
{963A1A95-1516-4741-A3F3-26EFC69B6700} = RPORT=138 | PROTOCOL=17 | DIR=OUT | APP=SYSTEM |
{9854082B-124C-43FC-96EB-87242B338B07} = RPORT=139 | PROTOCOL=6 | DIR=OUT | APP=SYSTEM |
{A213025C-D5D3-46B9-8893-8B5FC2F44201} = LPORT=137 | PROTOCOL=17 | DIR=IN | APP=SYSTEM |
{B730F0F4-EE1A-4AF7-BE39-2E7BC1AE729F} = RPORT=137 | PROTOCOL=17 | DIR=OUT | APP=SYSTEM |
{B9C0A264-6CEA-4864-AD33-A36B5D973156} = LPORT=10243 | PROTOCOL=6 | DIR=IN | APP=SYSTEM |
{BBD22746-52AA-4E11-93BA-B7227C0AD5D8} = LPORT=2869 | PROTOCOL=6 | DIR=IN | APP=SYSTEM |
{BC5AEBB8-C9EE-4687-A381-09E9248D39B1} = LPORT=RPC | PROTOCOL=6 | DIR=IN | APP=%SYSTEMROOT%\SYSTEM32\SPOOLSV.EXE | SVC=SPOOLER |
{C409CEA8-B31F-47E4-BDAA-79EDEF02134A} = LPORT=RPC-EPMAP | PROTOCOL=6 | DIR=IN | NAME=@FIREWALLAPI.DLL,-28539 | SVC=RPCSS |
{C5BB9432-5A99-4236-AE53-63E6A4C77A4A} = RPORT=1900 | PROTOCOL=17 | DIR=OUT | APP=%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE | SVC=SSDPSRV |
{D1EC28CE-6E61-4A9F-89EF-BE55F59D532B} = LPORT=138 | PROTOCOL=17 | DIR=IN | APP=SYSTEM |
{DED88603-6656-4EF4-9D96-22AF457D7150} = LPORT=2177 | PROTOCOL=6 | DIR=IN | APP=%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE | SVC=QWAVE |
{E322FD45-0277-4005-B9CA-3FC1D6A308C7} = LPORT=2869 | PROTOCOL=6 | DIR=IN | APP=SYSTEM |
{E933A5E7-38E2-4B52-A119-BEFC8EC0AECE} = RPORT=3702 | PROTOCOL=17 | DIR=OUT | APP=%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE | SVC=FDPHOST |

========== Vista Active Application Exception List ==========

{04665A72-2DAF-4DCC-979D-50AD9C817A4C} = PROTOCOL=17 | DIR=OUT | APP=%PROGRAMFILES%\WINDOWS MEDIA PLAYER\WMPNETWK.EXE |
{0A837C69-6AE9-4910-B855-A28DF0F47E34} = DIR=IN | APP=C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\MSNMSGR.EXE |
{1309DFEE-0301-4B50-92CF-C5C2B693E49E} = DIR=IN | APP=C:\PROGRAM FILES\DELL\MEDIADIRECT\KERNEL\DMP\CLBROWSERENGINE.EXE |
{1490AA47-8BC7-484D-A0B8-D9499BC6DDB0} = PROTOCOL=1 | DIR=IN | NAME=@FIREWALLAPI.DLL,-28543 |
{1A8E3B79-554D-4E39-A070-9199170FD450} = PROTOCOL=6 | DIR=OUT | APP=%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE | SVC=UPNPHOST |
{1F0D74C6-F0F2-4E6A-BF71-0B521D436647} = PROTOCOL=6 | DIR=IN | APP=C:\PROGRAM FILES\NORTON 360\MAINSTUB.EXE |
{23BE90B0-422E-45B5-944F-5BC3C2D66FC5} = DIR=IN | APP=C:\PROGRAM FILES\DELL\MEDIADIRECT\KERNEL\DMS\CLMSSERVICE.EXE |
{2C2545C3-0DCE-48D5-BC00-DA1C250D2065} = PROTOCOL=6 | DIR=OUT | APP=%PROGRAMFILES%\WINDOWS MEDIA PLAYER\WMPNETWK.EXE |
{2E9FA6FD-78A8-4E37-A3C9-BAF9C4AD7E6B} = PROTOCOL=6 | DIR=IN | APP=C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUALL.EXE |
{3A48D6EB-7AEA-4731-A933-EAD3D682CA10} = DIR=IN | APP=C:\PROGRAM FILES\DELL\MEDIADIRECT\PCMSERVICE.EXE |
{52CE9648-E723-4E5C-82A3-48334FD6BECC} = DIR=IN | APP=C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\WLCSDK.EXE |
{54707B7D-8C37-471A-BB5A-8DB2B7EB6FB7} = PROTOCOL=58 | DIR=OUT | NAME=@FIREWALLAPI.DLL,-28546 |
{56E1A134-DEA2-41C2-9319-0EAE72CD5BF1} = PROTOCOL=6 | DIR=OUT | APP=%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE | SVC=UPNPHOST |
{5BC9EC9F-CFC4-4BBA-9E5D-809536AC471B} = PROTOCOL=6 | DIR=OUT | APP=SYSTEM |
{5D2272FE-7BE2-4E86-8E3C-9D8328018008} = PROTOCOL=1 | DIR=OUT | NAME=@FIREWALLAPI.DLL,-28544 |
{5D945ED5-F90E-4469-AF68-466F96166EAC} = PROTOCOL=17 | DIR=OUT | APP=%PROGRAMFILES%\WINDOWS MEDIA PLAYER\WMPLAYER.EXE |
{607FFDF5-11D9-4B5D-9971-987FEF6AD7FA} = PROTOCOL=17 | DIR=IN | APP=C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUCOMSERVER_3_4.EXE |
{6644B59D-9B42-4952-9DA2-60B9920FB6B7} = PROTOCOL=6 | DIR=IN | APP=C:\PROGRAM FILES\UTORRENT\UTORRENT.EXE |
{6CA39273-1085-45E7-8D0D-B06A2154DF56} = PROTOCOL=6 | DIR=OUT | APP=%PROGRAMFILES%\WINDOWS MEDIA PLAYER\WMPLAYER.EXE |
{71BA9858-87BB-4BE3-8A37-CAA8CB971E49} = PROTOCOL=17 | DIR=IN | APP=%PROGRAMFILES%\WINDOWS MEDIA PLAYER\WMPLAYER.EXE |
{732010B0-51BD-45DD-AB2E-4A776BBC68AC} = PROTOCOL=58 | DIR=IN | NAME=@FIREWALLAPI.DLL,-28545 |
{79F1FDC9-9EED-4AA8-8EE5-161507F6866D} = PROTOCOL=17 | DIR=IN | APP=C:\PROGRAM FILES\NORTON 360\MAINSTUB.EXE |
{80D5CED1-DB27-4011-92BB-D3EC842EDB9E} = PROTOCOL=6 | DIR=IN | APP=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE12\ONENOTE.EXE |
{814FE9E8-0159-481E-B19D-893672995738} = PROTOCOL=17 | DIR=IN | APP=C:\PROGRAM FILES\UTORRENT\UTORRENT.EXE |
{83CC0AC9-8A2B-4630-A9AF-57C255B99DE7} = PROTOCOL=17 | DIR=IN | APP=%PROGRAMFILES%\WINDOWS MEDIA PLAYER\WMPLAYER.EXE |
{84672A06-D29D-4A3C-A41B-578D21F9C7CB} = PROTOCOL=17 | DIR=IN | APP=C:\PROGRAM FILES\ITUNES\ITUNES.EXE |
{88041DB4-4B96-4107-8B46-B1F1B85DDB00} = PROTOCOL=17 | DIR=OUT | APP=%PROGRAMFILES%\WINDOWS MEDIA PLAYER\WMPLAYER.EXE |
{949D5AA8-F32D-4DC5-A620-7CBB21F8E485} = PROTOCOL=6 | DIR=IN | APP=C:\PROGRAM FILES\BITCOMET\BITCOMET.EXE |
{977F2BE0-EB3B-4DA0-BEC6-C2E8E3D09318} = PROTOCOL=6 | DIR=IN | APP=C:\PROGRAM FILES\BONJOUR\MDNSRESPONDER.EXE |
{A3D1B564-E359-45FC-9E66-E211223FED01} = PROTOCOL=6 | DIR=IN | APP=C:\PROGRAM FILES\ITUNES\ITUNES.EXE |
{A404CE81-16C5-4F08-8CCE-A6C99AFA9209} = PROTOCOL=17 | DIR=IN | APP=C:\PROGRAM FILES\BONJOUR\MDNSRESPONDER.EXE |
{B99B780F-FAFE-49F7-8464-ED3A70E47981} = PROTOCOL=17 | DIR=IN | APP=C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUALL.EXE |
{CCF13523-6B4F-4919-9C81-C2E30FDF5265} = PROTOCOL=6 | DIR=IN | APP=C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUCOMSERVER_3_4.EXE |
{CF2361AC-356C-4312-AFE7-49D57CF66153} = PROTOCOL=17 | DIR=IN | APP=C:\PROGRAM FILES\BITCOMET\BITCOMET.EXE |
{DC62FDF6-515B-4AEE-AE01-0320A6A4317F} = PROTOCOL=6 | DIR=OUT | APP=%PROGRAMFILES%\WINDOWS MEDIA PLAYER\WMPLAYER.EXE |
{DD3A08EE-0570-4607-B79A-57956D3BBC9D} = PROTOCOL=6 | DIR=IN | APP=%PROGRAMFILES%\WINDOWS MEDIA PLAYER\WMPNETWK.EXE |
{E61E3739-E823-4418-AFE2-57F7CDC9B45E} = PROTOCOL=17 | DIR=IN | APP=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE12\ONENOTE.EXE |
{EF6E55E1-20CA-4433-B9B9-136DF69ACEA5} = DIR=IN | APP=C:\PROGRAM FILES\DELL\MEDIADIRECT\MEDIADIRECT.EXE |
{FC1E5752-1ECD-47CE-B430-E7C7AF880003} = PROTOCOL=17 | DIR=IN | APP=%PROGRAMFILES%\WINDOWS MEDIA PLAYER\WMPNETWK.EXE |
TCP Query User{945550A8-137B-4D06-B27A-6B9A6121370C}C:\users\del\appdata\local\temp\ms1243288228.exe = PROTOCOL=6 | DIR=IN | APP=C:\USERS\DEL\APPDATA\LOCAL\TEMP\MS1243288228.EXE |
TCP Query User{E13B92E5-D5BB-478D-AEC6-85D2BDBF22A0}C:\users\del\downloads\keygen.copytrans.suite.1.29.exe = PROTOCOL=6 | DIR=IN | APP=C:\USERS\DEL\DOWNLOADS\KEYGEN.COPYTRANS.SUITE.1.29.EXE |
TCP Query User{F858A8C0-74F0-465E-ACAE-11D064AEB9FB}C:\program files\itunes\itunes.exe = PROTOCOL=6 | DIR=IN | APP=C:\PROGRAM FILES\ITUNES\ITUNES.EXE |
UDP Query User{5C326452-014F-4FCB-B9C9-D50F1A1C3958}C:\users\del\downloads\keygen.copytrans.suite.1.29.exe = PROTOCOL=17 | DIR=IN | APP=C:\USERS\DEL\DOWNLOADS\KEYGEN.COPYTRANS.SUITE.1.29.EXE |
UDP Query User{76143CF0-83FF-4125-920D-07FA8D1855E2}C:\users\del\appdata\local\temp\ms1243288228.exe = PROTOCOL=17 | DIR=IN | APP=C:\USERS\DEL\APPDATA\LOCAL\TEMP\MS1243288228.EXE |
UDP Query User{794055CE-7967-4780-AC37-C6354835E2B2}C:\program files\itunes\itunes.exe = PROTOCOL=17 | DIR=IN | APP=C:\PROGRAM FILES\ITUNES\ITUNES.EXE |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0BDD3FAD-61CD-4BF3-B9C4-4CEFD43F53F8}" = Norton 360 HTMLHelp
"{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}" = Live! Cam Avatar v1.0
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{206FD69B-F9FE-4164-81BD-D52552BC9C23}" = GearDrvs
"{21829177-4DED-4209-AD08-490B3AC9C01A}" = Norton 360
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{24DF7221-644B-4C3A-A478-459502D40522}" = Backup
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{2D617065-1C52-4240-B5BC-C0AE12157777}" = Norton 360
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{40DA9A54-48CA-4A2C-AEAF-F67715BB046E}" = Norton 360
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45690715-80A6-4445-B61D-ADEC5888E8CD}" = Symantec Technical Support Controls
"{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}" = Junk Mail filter update
"{4E5386F5-C0F6-4532-A54A-374865AEAB71}" = Cisco PEAP Module
"{55A6283C-638A-4EE0-B491-51118554BDA2}" = Norton Confidential Core
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{659B48CD-0608-4ED5-94C0-0B6C87114F10}" = Apple Mobile Device Support
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76F9CF97-FC4B-4E20-B363-D127C888448F}" = Cisco LEAP Module
"{77772678-817F-4401-9301-ED1D01A8DA56}" = SPBBC 32bit
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}" = OutlookAddinSetup
"{9C48DCA4-00C2-449C-88D8-B1EE1692B44F}" = Safari
"{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AFC7E003-9CA8-4F68-AAB2-155D0CDF5AED}" = UltraEdit 15.00
"{B24E05CC-46FF-4787-BBB8-5CD516AFB118}" = ccCommon
"{BB8EB81B-6763-4673-9969-155126245EC9}" = SymNet
"{BF53252E-4AB2-4C7F-A0FD-6100755745E3}" = Cisco EAP-FAST Module
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}" = iTunes
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}" = Symantec Real Time Storage Protection Component
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E80F62FF-5D3C-4A19-8409-9721F2928206}" = LiveUpdate (Symantec Corporation)
"{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}" = AppCore
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F413B69D-4AD6-42AB-AEA5-0548989FAD50}" = Norton 360
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"Audacity_is1" = Audacity 1.2.6
"AviSynth" = AviSynth 2.5
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CopyPod" = CopyPod (remove only)
"Creative OEM002" = Laptop Integrated Webcam Driver (1.03.02.0719)
"Dell Webcam Center" = Dell Webcam Center
"Dell Webcam Manager" = Dell Webcam Manager
"DVD Decrypter" = DVD Decrypter (Remove Only)
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"iPod PC Transfer Photo_is1" = iPod PC Transfer Photo 2.1
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Messenger Plus! Live" = Messenger Plus! Live
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.11)" = Mozilla Firefox (3.0.11)
"PsuedoLiveUpdate" = LiveUpdate (Symantec Corporation)
"SymSetup.{2D617065-1C52-4240-B5BC-C0AE12157777}" = Norton 360 (Symantec Corporation)
"Videora iPod classic Converter" = Videora iPod classic Converter 4.07
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"YouTube Downloader App" = YouTube Downloader App 1.02

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1099081143-1348963299-4182460324-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 13/06/2009 02:59:52 | Computer Name = Sam-PC | Source = WinMgmt | ID = 10
Description =

Error - 13/06/2009 03:28:59 | Computer Name = Sam-PC | Source = EventSystem | ID = 4621
Description =

Error - 13/06/2009 18:10:20 | Computer Name = Sam-PC | Source = WinMgmt | ID = 10
Description =

Error - 14/06/2009 12:57:03 | Computer Name = Sam-PC | Source = WinMgmt | ID = 10
Description =

Error - 14/06/2009 13:01:23 | Computer Name = Sam-PC | Source = SPP | ID = 16387
Description =

Error - 14/06/2009 13:01:23 | Computer Name = Sam-PC | Source = System Restore | ID = 8193
Description =

Error - 14/06/2009 13:01:45 | Computer Name = Sam-PC | Source = SPP | ID = 16387
Description =

Error - 14/06/2009 13:01:46 | Computer Name = Sam-PC | Source = System Restore | ID = 8193
Description =

Error - 14/06/2009 19:27:36 | Computer Name = Sam-PC | Source = Application Error | ID = 1000
Description = Faulting application 2oi2wcn9.exe, version 1.0.15.14972, time stamp
0x49f73740, faulting module 2oi2wcn9.exe, version 1.0.15.14972, time stamp 0x49f73740,
exception code 0xc0000005, fault offset 0x0000c4b1, process id 0x1368, application
start time 0x01c9ed475839246b.

Error - 14/06/2009 19:29:33 | Computer Name = Sam-PC | Source = Application Error | ID = 1000
Description = Faulting application 2oi2wcn9.exe, version 1.0.15.14972, time stamp
0x49f73740, faulting module 2oi2wcn9.exe, version 1.0.15.14972, time stamp 0x49f73740,
exception code 0xc0000005, fault offset 0x0000c4b1, process id 0x1364, application
start time 0x01c9ed47bf3d848b.

[ System Events ]
Error - 13/06/2009 18:10:20 | Computer Name = Sam-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 14/06/2009 12:56:47 | Computer Name = Sam-PC | Source = HTTP | ID = 15016
Description =

Error - 14/06/2009 12:57:04 | Computer Name = Sam-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 14/06/2009 12:57:04 | Computer Name = Sam-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 14/06/2009 12:57:04 | Computer Name = Sam-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 14/06/2009 12:57:04 | Computer Name = Sam-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 14/06/2009 12:57:05 | Computer Name = Sam-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 14/06/2009 12:57:06 | Computer Name = Sam-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 14/06/2009 12:57:08 | Computer Name = Sam-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 14/06/2009 12:57:08 | Computer Name = Sam-PC | Source = Service Control Manager | ID = 7000
Description =


< End of report >

#8 m0le
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 14 June 2009 - 07:10 PM

Thanks for the logs Lammy.

When downloading and saving Gmer did you rename the file?

If not, please delete the file and redownload it using gamers.exe instead of gmer.exe.

If you are still unable to scan then let me know.

m0le is a proud member of UNITE

#9 Lammy (Topic Starter)
  • Members
  • 4 posts

Posted 15 June 2009 - 07:01 AM

Thanks for the help again.
I renamed GMER to gamer and it worked.
Here is the log it gave me:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-15 12:59:38
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT 8777B9E8 ZwAlertResumeThread
SSDT 8777BAC8 ZwAlertThread
SSDT 877AE658 ZwAllocateVirtualMemory
SSDT 85FCC008 ZwAlpcConnectPort
SSDT 8777B738 ZwCreateMutant
SSDT 85FDA968 ZwCreateThread
SSDT 8777B3B8 ZwDebugActiveProcess
SSDT 877780A0 ZwFreeVirtualMemory
SSDT 8777B828 ZwImpersonateAnonymousToken
SSDT 8777B908 ZwImpersonateThread
SSDT 87779830 ZwMapViewOfSection
SSDT 8777B658 ZwOpenEvent
SSDT 877AE2F8 ZwOpenProcessToken
SSDT 8777B498 ZwOpenSection
SSDT 8777BF80 ZwOpenThreadToken
SSDT 85FCE538 ZwResumeThread
SSDT 8777BEC0 ZwSetContextThread
SSDT 877796D8 ZwSetInformationProcess
SSDT 8777BDD0 ZwSetInformationThread
SSDT 8777B578 ZwSuspendProcess
SSDT 8777BC10 ZwSuspendThread
SSDT 85FEFDA8 ZwTerminateProcess
SSDT 8777BCF0 ZwTerminateThread
SSDT 87778828 ZwUnmapViewOfSection
SSDT 87778170 ZwWriteVirtualMemory

Code 85B8B378 ZwEnumerateKey
Code 85FA7518 ZwFlushInstructionCache
Code 85FB2355 IofCallDriver
Code 85FA34AE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 81E45FE2 5 Bytes JMP 85FA34B3
.text ntkrnlpa.exe!KeSetTimerEx + 350 81EC4914 8 Bytes CALL 4A73C0D2
.text ntkrnlpa.exe!KeSetTimerEx + 364 81EC4928 4 Bytes [58, E6, 7A, 87]
.text ntkrnlpa.exe!KeSetTimerEx + 370 81EC4934 4 Bytes [08, C0, FC, 85]
.text ntkrnlpa.exe!KeSetTimerEx + 428 81EC49EC 4 Bytes [38, B7, 77, 87]
.text ntkrnlpa.exe!KeSetTimerEx + 454 81EC4A18 4 Bytes [68, A9, FD, 85]
.text ...
.text ntkrnlpa.exe!IofCallDriver 81EC7F6F 5 Bytes JMP 85FB235A
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 81FBE30B 5 Bytes JMP 85FA751C
PAGE ntkrnlpa.exe!ZwEnumerateKey 82013BA2 5 Bytes JMP 85B8B37C

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft Office\Office12\EXCEL.EXE[4864] kernel32.dll!SetUnhandledExceptionFilter 77446E2D 5 Bytes JMP 613A531D C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\gxvxcsxwmiheebeikxomrsnerqxapqpgvjwfx.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [860] 0x10000000
Library \\?\globalroot\systemroot\system32\gxvxcokqxotqyegiqjpcuqswqteeusrqrtvhh.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [6084] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcsxwmiheebeikxomrsnerqxapqpgvjwfx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxcokqxotqyegiqjpcuqswqteeusrqrtvhh.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcsxwmiheebeikxomrsnerqxapqpgvjwfx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxcokqxotqyegiqjpcuqswqteeusrqrtvhh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcsxwmiheebeikxomrsnerqxapqpgvjwfx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxcokqxotqyegiqjpcuqswqteeusrqrtvhh.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcsxwmiheebeikxomrsnerqxapqpgvjwfx.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxcokqxotqyegiqjpcuqswqteeusrqrtvhh.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcsxwmiheebeikxomrsnerqxapqpgvjwfx.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxcokqxotqyegiqjpcuqswqteeusrqrtvhh.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet006\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys
Reg HKLM\SYSTEM\ControlSet006\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet006\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys
Reg HKLM\SYSTEM\ControlSet006\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcsxwmiheebeikxomrsnerqxapqpgvjwfx.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxcokqxotqyegiqjpcuqswqteeusrqrtvhh.dll
Reg HKLM\SYSTEM\ControlSet007\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet007\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet007\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet007\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys
Reg HKLM\SYSTEM\ControlSet007\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet007\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys
Reg HKLM\SYSTEM\ControlSet007\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcsxwmiheebeikxomrsnerqxapqpgvjwfx.dll
Reg HKLM\SYSTEM\ControlSet007\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxcokqxotqyegiqjpcuqswqteeusrqrtvhh.dll

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys 47616 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\gxvxccount 4 bytes
File C:\Windows\System32\gxvxcokqxotqyegiqjpcuqswqteeusrqrtvhh.dll 28673 bytes executable
File C:\Windows\System32\gxvxcsxwmiheebeikxomrsnerqxapqpgvjwfx.dll 22529 bytes executable

---- EOF - GMER 1.0.15 ----

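The GMER log above shows the pattern a responder looks for: a service (gxvxcserv.sys) whose driver file, registry key and two DLLs are all reported as hidden, the same key copied into every ControlSet, and the DLLs named under the service's modules subkey loaded into svchost.exe and firefox.exe. As an added example, not part of this thread and not GMER's own code, here is a small Python triage script that parses such a log and ties those findings together. The log embedded in it is a constructed excerpt of the one posted above (names copied from the post, most ControlSet entries and all hook lines left out); the regular expressions follow the GMER 1.0.15 line layout shown in the post and are an assumption for other GMER versions.

```python
"""Triage a GMER rootkit-scan log: hidden objects, persistence, injection.

Added example for this thread: not GMER's code and not part of any post.
SAMPLE_LOG is a constructed excerpt modelled on the log posted above; the
service, driver and DLL names are copied from it, most ControlSet blocks
and the hook sections are left out.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\gxvxcsxwmiheebeikxomrsnerqxapqpgvjwfx.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [860] 0x10000000
Library \\?\globalroot\systemroot\system32\gxvxcokqxotqyegiqjpcuqswqteeusrqrtvhh.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [6084] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcsxwmiheebeikxomrsnerqxapqpgvjwfx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxcokqxotqyegiqjpcuqswqteeusrqrtvhh.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys
Reg HKLM\SYSTEM\ControlSet007\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\drivers\gxvxcxpjnvspltnccpuroqegmmurvcmxtivml.sys 47616 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\gxvxccount 4 bytes
File C:\Windows\System32\gxvxcokqxotqyegiqjpcuqswqteeusrqrtvhh.dll 28673 bytes executable
"""

# One pattern per GMER line type that matters for triage (layout as in 1.0.15 logs).
LIBRARY_RE = re.compile(r"^Library (\S+) \(\*\*\* hidden \*\*\* \) @ (.+?) \[(\d+)\] (0x[0-9A-Fa-f]+)$")
SERVICE_RE = re.compile(r"^Service (\S+) \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)( <-- ROOTKIT !!!)?$")
FILE_RE = re.compile(r"^File (\S+) (\d+) bytes( executable)?( <-- ROOTKIT !!!)?$")
REG_RE = re.compile(r"^Reg (\S+?)(?:@(\S+))?(?: (.+))?$")        # key[@value [data]]
CS_RE = re.compile(r"\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)")
START_NAMES = {"0": "BOOT_START", "1": "SYSTEM_START", "2": "AUTO_START", "3": "DEMAND_START", "4": "DISABLED"}


def basename(path):
    """Last path component, lowercased, whatever prefix (C:, globalroot, systemroot) the path carries."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Collect hidden libraries/services, ROOTKIT-flagged files and per-ControlSet service values."""
    f = {"hidden_libraries": [], "hidden_services": [], "rootkit_files": [],
         "services_reg": defaultdict(lambda: defaultdict(dict))}
    for line in text.splitlines():
        line = line.rstrip()
        if m := LIBRARY_RE.match(line):
            f["hidden_libraries"].append({"dll": basename(m[1]), "host": basename(m[2]), "pid": int(m[3])})
        elif m := SERVICE_RE.match(line):
            f["hidden_services"].append({"name": m[3], "image": basename(m[1]), "flagged": bool(m[4])})
        elif (m := FILE_RE.match(line)) and m[4]:
            f["rootkit_files"].append(basename(m[1]))
        elif (m := REG_RE.match(line)) and (cs := CS_RE.search(m[1])):
            values = f["services_reg"][cs[2]][cs[1]]          # service -> control set -> values
            if m[2]:                                          # a value line, not a bare key
                subkey = m[1].split(cs[2], 1)[1].strip("\\")  # "" or e.g. "modules"
                values[(subkey + "\\" if subkey else "") + m[2]] = m[3] or ""
    return f


def triage(findings):
    """For each hidden service, tie its driver file, persistence and injected DLLs together."""
    report = []
    for svc in findings["hidden_services"]:
        reg = findings["services_reg"].get(svc["name"], {})
        cur = reg.get("CurrentControlSet", {})
        modules = {basename(v) for k, v in cur.items() if k.startswith("modules\\")}
        injected = [lib for lib in findings["hidden_libraries"] if lib["dll"] in modules]
        report.append({
            "service": svc["name"],
            "image": svc["image"],
            "image_in_rootkit_files": svc["image"] in findings["rootkit_files"],
            "registry_imagepath_matches": basename(cur.get("imagepath", "")) == svc["image"],
            "start": START_NAMES.get(cur.get("start"), "?"),
            "kernel_driver": cur.get("type") == "1",      # SERVICE_KERNEL_DRIVER
            "persists_in": sorted(reg),                   # every ControlSet carrying the key
            "injected_into": sorted({(lib["host"], lib["pid"]) for lib in injected}),
            "orphan_hidden_dlls": sorted(lib["dll"] for lib in findings["hidden_libraries"]
                                         if lib["dll"] not in modules),
        })
    return report


if __name__ == "__main__":
    for entry in triage(parse_gmer(SAMPLE_LOG)):
        print(entry)
```

Run stand-alone it prints one entry per hidden service. On the excerpt, the driver basename matches both the ROOTKIT-flagged file and the registry imagepath, start 1 and type 1 mean a kernel driver loaded at system start (before any user-mode scanner), the key is present in CurrentControlSet and the two other ControlSets in the excerpt, and the two DLLs under the modules subkey are exactly the ones GMER found loaded in svchost.exe and firefox.exe. The SSDT and inline-hook sections of the log are deliberately not scored: security products such as the Symantec components listed in the uninstall list hook the kernel as well, so those entries need per-address attribution rather than a blanket flag.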
#10 m0le
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 15 June 2009 - 09:08 AM

Yes, Lammy, it's a rootkit that's known for attempting to stop scanners. Ironically by doing that it gives itself away...

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

Thanks
m0le is a proud member of UNITE

#11 m0le
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 18 June 2009 - 11:43 AM

Hi Lammy,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer, as I am unable to help other members with their problems while I have your topic still open.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#12 m0le
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 19 June 2009 - 04:51 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
