Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

System infected after system security virus and possibly others


  • This topic is locked This topic is locked
22 replies to this topic

#1 druryman

druryman

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 25 June 2009 - 07:53 PM

A few days ago I believe I was infected with "system security" virus. System crashes, anti-virus software would not run, MBAM would not run. Multiple pop-up screens. Eventually was able to run computer in safe mode and ran MBAM. This improved computer but I am concerned that I was unprotected for some time and may have gotten another infection.

Anyway browsers are being redirected, frequent crashes with blue screen that flashes by and system restarts. I ran MBAM, Super anti-spyware, spybot, adaware. They would find little or nothing, though today MBAM found 50 or so infected files which were just removed. so i think computer may be getting reinfected. Also another computer on my home network just appeared to get infected, so i turned it off. For what it is worth I noticed a program called "podmena" in my windows firewall exceptions and belive that maybe a virus so I unchecked it (though did not delete). I feel like L am getting reimfrcted. anyway the other forum told me to post my HJT/DDS logs. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/235033/browser-hijacked-after-system-security-virus/ ~ OB so here they are. any help would be appreciated.

DDS LOG:

DDS (Ver_09-05-14.01) - NTFSx86
Run by steve at 19:35:33.12 on Thu 06/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.151 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpzrcv01.lnk - c:\program files\hp\temp\{b94428f6-e93c-4d1d-8580-46d70fa07a9d}\setup\hpzstub.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232819736514
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5648/mcfscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\gdiaznn3.default\
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-17 64160]
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2009-1-22 17792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2008-5-28 337280]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2008-5-28 54656]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2008-6-24 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2008-6-24 169320]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1003344]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2008-9-30 1956792]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-29 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-17 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090624.003\naveng.sys [2009-6-24 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090624.003\navex15.sys [2009-6-24 876144]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2008-9-30 116664]

=============== Created Last 30 ================

2009-06-23 17:48 3,208 a------- c:\windows\system32\tmp.reg
2009-06-22 20:48 --d----- c:\docume~1\steve\applic~1\SUPERAntiSpyware.com
2009-06-21 21:21 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-21 21:21 --d----- c:\program files\SUPERAntiSpyware
2009-06-21 21:20 --d----- c:\program files\common files\Wise Installation Wizard
2009-06-17 21:08 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-17 21:08 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-17 15:44 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-17 14:54 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-17 14:50 -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-17 14:50 --d----- c:\program files\Lavasoft
2009-06-17 12:17 --d----- c:\windows\McAfee.com
2009-06-17 10:27 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-17 10:27 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-17 10:27 10,671 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-17 10:27 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-16 20:19 --d----- c:\docume~1\steve\applic~1\Malwarebytes
2009-06-15 22:11 a-d----- c:\program files\grc.dat
2009-06-15 22:11 --d----- c:\program files\Documents and Settings
2009-06-15 21:26 --d----- c:\windows\pss
2009-06-15 20:30 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 20:30 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 20:30 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 20:30 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-15 20:23 0 a------- C:\LOG5.tmp
2009-06-12 06:44 0 a------- C:\LOG19.tmp

==================== Find3M ====================

2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 23:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 23:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 19:37:35.12 ===============
ATTACH LOG

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/22/2009 9:49:57 PM
System Uptime: 6/25/2009 7:25:37 PM (0 hours ago)

Motherboard: Dell Computer Corp. | | 0TC666
Processor: IntelŪ PentiumŪ 4 CPU 2.80GHz | Microprocessor | 2793/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 128 GiB total, 90.45 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_8086&DEV_24DD&SUBSYS_019D1028&REV_02\3&172E68DD&0&EF
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_8086&DEV_24DD&SUBSYS_019D1028&REV_02\3&172E68DD&0&EF
Service:

==== System Restore Points ===================

RP66: 6/8/2009 10:15:33 PM - Software Distribution Service 3.0
RP67: 6/8/2009 10:15:33 PM - System Checkpoint
RP68: 6/8/2009 10:15:34 PM - System Checkpoint
RP69: 6/8/2009 10:15:34 PM - System Checkpoint
RP70: 6/8/2009 10:15:35 PM - System Checkpoint
RP71: 6/8/2009 10:15:36 PM - Software Distribution Service 3.0
RP72: 6/8/2009 10:15:36 PM - System Checkpoint
RP73: 6/8/2009 10:15:37 PM - System Checkpoint
RP74: 6/8/2009 10:15:38 PM - System Checkpoint
RP75: 6/8/2009 10:15:44 PM - System Checkpoint
RP76: 6/8/2009 10:15:45 PM - System Checkpoint
RP77: 6/8/2009 10:15:46 PM - System Checkpoint
RP78: 6/8/2009 10:15:47 PM - System Checkpoint
RP79: 6/8/2009 10:15:48 PM - System Checkpoint
RP80: 6/8/2009 10:15:48 PM - Installed SOS Online Backup
RP81: 6/8/2009 10:15:49 PM - Installed Microsoft .NET Framework 1.1
RP82: 6/8/2009 10:15:50 PM - System Checkpoint
RP83: 6/8/2009 10:15:51 PM - Software Distribution Service 3.0
RP84: 6/8/2009 10:15:52 PM - Installed Microsoft Office PowerPoint Viewer 2007 (English)
RP85: 6/8/2009 10:15:53 PM - Software Distribution Service 3.0
RP86: 6/8/2009 10:15:54 PM - System Checkpoint
RP87: 6/8/2009 10:15:55 PM - System Checkpoint
RP88: 6/8/2009 10:15:56 PM - System Checkpoint
RP89: 6/8/2009 10:15:57 PM - System Checkpoint
RP90: 6/8/2009 10:15:58 PM - System Checkpoint
RP91: 6/8/2009 10:15:58 PM - System Checkpoint
RP92: 6/8/2009 10:15:59 PM - System Checkpoint
RP93: 6/8/2009 10:16:00 PM - System Checkpoint
RP94: 6/8/2009 10:16:01 PM - System Checkpoint
RP95: 6/8/2009 10:16:02 PM - System Checkpoint
RP96: 6/8/2009 10:16:03 PM - System Checkpoint
RP97: 6/8/2009 10:16:03 PM - System Checkpoint
RP98: 6/8/2009 10:16:04 PM - System Checkpoint
RP99: 6/8/2009 10:16:05 PM - System Checkpoint
RP100: 6/8/2009 10:16:05 PM - System Checkpoint
RP101: 6/8/2009 10:16:06 PM - System Checkpoint
RP102: 6/8/2009 10:16:06 PM - System Checkpoint
RP103: 6/8/2009 10:16:06 PM - System Checkpoint
RP104: 6/8/2009 10:16:07 PM - System Checkpoint
RP105: 6/8/2009 10:16:07 PM - System Checkpoint
RP106: 6/8/2009 10:16:07 PM - Software Distribution Service 3.0
RP107: 6/8/2009 10:16:08 PM - System Checkpoint
RP108: 6/8/2009 10:16:08 PM - System Checkpoint
RP109: 6/8/2009 10:16:08 PM - System Checkpoint
RP110: 6/8/2009 10:16:08 PM - System Checkpoint
RP111: 6/8/2009 10:16:08 PM - System Checkpoint
RP112: 6/8/2009 10:16:09 PM - System Checkpoint
RP113: 6/8/2009 10:16:09 PM - System Checkpoint
RP114: 6/8/2009 10:16:09 PM - System Checkpoint
RP115: 6/8/2009 10:16:09 PM - System Checkpoint
RP116: 6/8/2009 10:16:10 PM - System Checkpoint
RP117: 6/8/2009 10:16:11 PM - System Checkpoint
RP118: 6/8/2009 10:16:13 PM - System Checkpoint
RP119: 6/8/2009 10:16:13 PM - System Checkpoint
RP120: 6/8/2009 10:16:14 PM - System Checkpoint
RP121: 6/8/2009 10:16:15 PM - System Checkpoint
RP122: 6/8/2009 10:16:16 PM - System Checkpoint
RP123: 6/8/2009 10:16:17 PM - System Checkpoint
RP124: 6/8/2009 10:16:18 PM - System Checkpoint
RP125: 6/8/2009 10:16:19 PM - System Checkpoint
RP126: 6/8/2009 10:16:19 PM - System Checkpoint
RP127: 6/8/2009 10:16:20 PM - System Checkpoint
RP128: 6/8/2009 10:16:21 PM - System Checkpoint
RP129: 6/8/2009 10:16:22 PM - System Checkpoint
RP130: 6/8/2009 10:16:22 PM - System Checkpoint
RP131: 6/8/2009 10:16:23 PM - System Checkpoint
RP132: 6/8/2009 10:16:24 PM - Software Distribution Service 3.0
RP133: 6/8/2009 10:16:24 PM - System Checkpoint
RP134: 6/8/2009 10:16:25 PM - System Checkpoint
RP135: 6/8/2009 10:16:26 PM - System Checkpoint
RP136: 6/8/2009 10:16:27 PM - System Checkpoint
RP137: 6/8/2009 10:16:28 PM - System Checkpoint
RP138: 6/8/2009 10:16:28 PM - System Checkpoint
RP139: 6/8/2009 10:16:29 PM - System Checkpoint
RP140: 6/8/2009 10:16:30 PM - System Checkpoint
RP141: 6/8/2009 10:16:31 PM - System Checkpoint
RP142: 6/8/2009 10:16:31 PM - System Checkpoint
RP143: 6/8/2009 10:16:31 PM - System Checkpoint
RP144: 6/8/2009 10:16:32 PM - System Checkpoint
RP145: 6/8/2009 10:16:33 PM - System Checkpoint
RP146: 6/8/2009 10:16:34 PM - System Checkpoint
RP147: 6/8/2009 10:16:34 PM - System Checkpoint
RP148: 6/8/2009 10:16:35 PM - System Checkpoint
RP149: 6/8/2009 10:16:36 PM - System Checkpoint
RP150: 6/8/2009 10:16:37 PM - System Checkpoint
RP151: 6/8/2009 10:16:38 PM - System Checkpoint
RP152: 6/8/2009 10:16:38 PM - System Checkpoint
RP153: 6/8/2009 10:16:38 PM - System Checkpoint
RP154: 6/8/2009 10:16:39 PM - System Checkpoint
RP155: 6/8/2009 10:16:40 PM - Software Distribution Service 3.0
RP156: 6/8/2009 10:16:40 PM - System Checkpoint
RP157: 6/8/2009 10:16:41 PM - System Checkpoint
RP158: 6/8/2009 10:16:42 PM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Adobe Shockwave Player
AIM 6
AIM Toolbar
AnswerWorks 5.0 English Runtime
Backup Dell-Installed Programs
BlackBerry Desktop Software 4.7
Download Updater (AOL LLC)
Gillware File Viewer
Hotfix for Windows XP (KB952287)
hppscan3390
IntelŪ Extreme Graphics 2 Driver
IntelŪ PRO Network Adapters and Drivers
Java™ 6 Update 14
LiveUpdate 3.2 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office XP Small Business
Mozilla Firefox (3.0.11)
MSXML 4.0 SP2 (KB954430)
Norton Security Scan
Norton Security Scan (Symantec Corporation)
Quicken 2008
Scan
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SOS Online Backup
SoundMAX
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Symantec AntiVirus
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Backup Utility
Windows Defender
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

6/25/2009 6:13:03 PM, error: Service Control Manager [7034] - The sopidkc Service service terminated unexpectedly. It has done this 1 time(s).
6/25/2009 2:21:49 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the sdfgaeu4u84w6t42wh3wghswqw80 service to connect.
6/24/2009 8:12:15 AM, error: Dhcp [1002] - The IP address lease 192.168.2.5 for the Network Card with network address 00132075B1E7 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
6/22/2009 7:28:05 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
6/22/2009 7:03:27 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/21/2009 9:29:35 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
6/21/2009 9:29:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/21/2009 9:28:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL SAVRT SAVRTPEL SPBBCDrv SYMTDI Tcpip
6/21/2009 9:28:36 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
6/21/2009 9:28:36 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/21/2009 9:28:36 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/21/2009 9:28:36 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
6/21/2009 8:58:46 PM, error: Dhcp [1002] - The IP address lease 192.168.2.10 for the Network Card with network address 00132075B1E7 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
6/18/2009 9:33:39 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Symantec AntiVirus service.
6/18/2009 5:08:01 AM, error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
6/18/2009 5:07:19 AM, error: WinDefend [5008] - Windows Defender engine has been terminated due to an unexpected error. Failure Type: Crash Exception code: 0xc0000005 Resource: folder:C:\WINDOWS\Temp\
6/18/2009 10:00:13 AM, error: Service Control Manager [7031] - The Symantec AntiVirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

==== End Of File ===========================

Edited by Orange Blossom, 25 June 2009 - 09:27 PM.


BC AdBot (Login to Remove)

 


#2 Tokek

Tokek

    Bleepin' Gecko


  • Members
  • 1,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Jakarta, Indonesia
  • Local time:09:21 PM

Posted 30 June 2009 - 12:14 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
If I have not replied back to your post in 3 days, please send me a PM.

Posted Image

#3 druryman

druryman
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 30 June 2009 - 09:41 PM

The siuation is unchanged from my initial post. Being redirected to overclick.
Here is DDS file: Attach file attached per instructions. Thanks for any help

DDS (Ver_09-06-26.01) - NTFSx86
Run by steve at 21:33:52.78 on Tue 06/30/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.38 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\Documents and Settings\steve\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpzrcv01.lnk - c:\program files\hp\temp\{b94428f6-e93c-4d1d-8580-46d70fa07a9d}\setup\hpzstub.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232819736514
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5648/mcfscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\gdiaznn3.default\
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-17 64160]
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2009-1-22 17792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2008-5-28 337280]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2008-5-28 54656]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2008-6-24 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2008-6-24 169320]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1003344]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2008-9-30 1956792]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-29 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-17 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090624.003\naveng.sys [2009-6-24 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090624.003\navex15.sys [2009-6-24 876144]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2008-9-30 116664]

=============== Created Last 30 ================

2009-06-23 17:48 3,208 a------- c:\windows\system32\tmp.reg
2009-06-22 20:48 <DIR> --d----- c:\docume~1\steve\applic~1\SUPERAntiSpyware.com
2009-06-21 21:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-21 21:21 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-21 21:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-17 21:08 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-17 21:08 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-17 15:44 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-17 14:54 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-17 14:50 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-17 14:50 <DIR> --d----- c:\program files\Lavasoft
2009-06-17 12:17 <DIR> --d----- c:\windows\McAfee.com
2009-06-17 10:27 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-17 10:27 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-17 10:27 10,671 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-17 10:27 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-16 20:19 <DIR> --d----- c:\docume~1\steve\applic~1\Malwarebytes
2009-06-15 22:11 <DIR> a-d----- c:\program files\grc.dat
2009-06-15 22:11 <DIR> --d----- c:\program files\Documents and Settings
2009-06-15 21:26 <DIR> --d----- c:\windows\pss
2009-06-15 20:30 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 20:30 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 20:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 20:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-15 20:23 0 a------- C:\LOG5.tmp
2009-06-12 06:44 0 a------- C:\LOG19.tmp

==================== Find3M ====================

2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 23:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 23:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 21:36:40.32 ===============

Attached Files



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:21 AM

Posted 02 July 2009 - 08:18 PM

Hi druryman,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#5 druryman

druryman
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 02 July 2009 - 09:52 PM

I am here and would appreciate any help

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:21 AM

Posted 03 July 2009 - 04:24 AM

Hi druryman,

There are some traces of malware in the logs.

Let's check some deeper scans.

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop, please rename it as gamer.exe.
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

Then

We need to create an OTL Report
  • Please download OTL from the mirror:
    [http://oldtimer.geekstogo.com/OTL.exe]This is THE Mirror[/url]
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:[list]
    OTListIt.txt <-- Will be opened
    Extra.txt <-- Will be minimized
Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#7 druryman

druryman
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 03 July 2009 - 10:12 PM

OK. here is the stuff. the gmer logs first them them otl stuff. Note I have a home computer network and now it appears that the other computers also are infected (to varying degrees). IS it possible that they are infecting each other? anyway here is the grmer log


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-03 20:38:22
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 821DA968 ZwAlertResumeThread
SSDT 821DAAB8 ZwAlertThread
SSDT 81EF9110 ZwAllocateVirtualMemory
SSDT 821A6DB0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEE649EB0]
SSDT 821806B0 ZwCreateMutant
SSDT 821823B8 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEE64A690]
SSDT 81FA1698 ZwFreeVirtualMemory
SSDT 821DA208 ZwImpersonateAnonymousToken
SSDT 821DA6C8 ZwImpersonateThread
SSDT 8217E250 ZwMapViewOfSection
SSDT 821DA0B8 ZwOpenEvent
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xEE64A440]
SSDT 821E35D8 ZwOpenProcessToken
SSDT 81F6BEA0 ZwOpenThreadToken
SSDT 821E09C8 ZwQueryValueKey
SSDT 821E3DB0 ZwResumeThread
SSDT 821E1008 ZwSetContextThread
SSDT 81EDE1F0 ZwSetInformationProcess
SSDT 821D3668 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEE64A8E0]
SSDT 821D9F10 ZwSuspendProcess
SSDT 821DAB90 ZwSuspendThread
SSDT 821E3760 ZwTerminateProcess
SSDT 821E1E90 ZwTerminateThread
SSDT 821E3440 ZwUnmapViewOfSection
SSDT 822BFBA8 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----


HEre is OTL.txt:

OTL logfile created on: 7/3/2009 10:04:22 PM - Run 1
OTL by OldTimer - Version 3.0.6.4 Folder = C:\Documents and Settings\steve\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 62.93 Mb Available Physical Memory | 12.34% Memory free
1.22 Gb Paging File | 0.78 Gb Available in Paging File | 64.17% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 97.01 Gb Free Space | 75.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OFFICE-27D98NP4
Current User Name: steve
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 60 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2008/06/24 18:17:38 | 00,169,320 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2008/06/24 18:17:36 | 00,191,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2007/07/26 19:25:20 | 01,181,016 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2009/06/17 14:53:22 | 01,003,344 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2008/09/30 17:40:56 | 00,031,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2009/06/17 21:07:50 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/09/30 17:41:04 | 01,956,792 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2001/08/18 07:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\unsecapp.exe
PRC - [2009/02/06 05:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/06/17 14:53:23 | 00,518,488 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2005/09/20 10:32:24 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\hkcmd.exe
PRC - [2005/09/20 10:36:20 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\igfxpers.exe
PRC - [2008/09/17 16:22:50 | 00,615,696 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
PRC - [2004/10/14 15:42:54 | 01,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2009/02/27 17:10:28 | 00,035,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
PRC - [2008/06/24 18:17:34 | 00,053,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2008/09/30 17:41:14 | 00,125,368 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/11/03 19:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2009/06/17 21:07:50 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2008/09/30 17:40:56 | 00,024,504 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DoScan.exe
PRC - [2009/06/23 17:33:41 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/07/03 22:03:31 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2004/07/15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/06/24 18:17:36 | 00,191,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
SRV - [2008/06/24 18:17:38 | 00,169,320 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
SRV - [2008/09/30 17:40:56 | 00,031,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/01/02 18:27:38 | 00,225,280 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08 [On_Demand | Stopped])
SRV - [2009/06/17 21:07:50 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/06/17 14:53:22 | 01,003,344 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Running])
SRV - [2007/09/12 18:27:24 | 02,999,664 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate [On_Demand | Stopped])
SRV - [2006/11/08 17:35:38 | 00,053,248 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\HPZipm12.dll -- (Pml Driver HPZ12 [Auto | Running])
SRV - [2008/09/30 17:41:08 | 00,116,664 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
SRV - [2008/08/20 15:50:30 | 00,214,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
SRV - [2007/07/26 19:25:20 | 01,181,016 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc [Auto | Running])
SRV - [2008/09/30 17:41:04 | 01,956,792 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
SRV - [2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])
SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2004/02/10 16:49:14 | 00,154,112 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2009/06/16 12:37:06 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2009/06/16 12:37:06 | 00,101,936 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
DRV - [2006/04/04 16:20:37 | 00,009,344 | ---- | M] (Hewlett Packard) -- C:\WINDOWS\System32\drivers\hpfxbulk.sys -- (HPFXBULK [On_Demand | Running])
DRV - [2005/10/21 12:58:52 | 00,049,920 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Running])
DRV - [2005/10/21 12:58:58 | 00,016,496 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Running])
DRV - [2005/10/21 12:52:48 | 00,021,568 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Running])
DRV - [2005/09/20 11:00:54 | 01,302,332 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2009/06/17 14:53:29 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
DRV - [2009/06/16 12:37:06 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090703.004\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/06/16 12:37:06 | 00,876,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090703.004\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2001/08/18 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/05/20 20:33:50 | 00,022,784 | ---- | M] (Research In Motion Limited) -- C:\WINDOWS\System32\Drivers\RimUsb.sys -- (RimUsb [On_Demand | Stopped])
DRV - [2007/01/18 11:24:58 | 00,026,496 | R--- | M] (Research in Motion Ltd) -- C:\WINDOWS\System32\DRIVERS\RimSerial.sys -- (RimVSerPort [On_Demand | Running])
DRV - [2001/08/18 07:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\Drivers\RootMdm.sys -- (ROOTMODEM [On_Demand | Running])
DRV - [2009/05/26 10:05:54 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/05/26 10:05:56 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/05/26 10:05:52 | 00,072,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2008/05/28 11:31:24 | 00,337,280 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT [System | Running])
DRV - [2008/05/28 11:31:24 | 00,054,656 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL [System | Running])
DRV - [2008/04/13 11:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2004/09/17 10:02:54 | 00,732,928 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\drivers\senfilt.sys -- (senfilt [On_Demand | Running])
DRV - [2005/01/27 16:31:06 | 00,260,352 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2007/07/26 19:25:18 | 00,400,216 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [System | Running])
DRV - [2009/06/17 10:27:13 | 00,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2008/08/20 15:49:56 | 00,023,944 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Running])
DRV - [2008/08/20 15:50:02 | 00,188,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-746137067-616249376-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-746137067-616249376-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-746137067-616249376-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKU\S-1-5-21-746137067-616249376-839522115-1004\S-1-5-21-746137067-616249376-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.11

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/06/17 21:07:51 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/06/23 17:33:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/06/23 17:33:48 | 00,000,000 | ---D | M]

[2009/02/01 00:30:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\mozilla\Extensions
[2009/02/01 00:30:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/02/01 00:30:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\mozilla\Firefox\Profiles\gdiaznn3.default\extensions
[2009/07/03 09:45:48 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/06/23 17:33:47 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/06/17 21:08:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2009/06/23 17:33:41 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/06/23 17:33:41 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/01/16 20:17:04 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\np32dsw.dll
[2009/06/17 21:07:50 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2008/09/26 11:40:34 | 00,053,248 | ---- | M] (AOL LLC) -- C:\Program Files\mozilla firefox\plugins\npdnu.dll
[2009/06/23 17:33:43 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/02/27 12:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2007/04/16 12:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll
[2008/12/02 03:04:40 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/12/02 03:04:40 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/12/02 03:04:40 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/12/02 03:04:40 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/12/02 03:04:40 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/12/02 03:04:40 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/12/02 03:04:40 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (307172 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10574 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AIM Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AIM Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKU\S-1-5-21-746137067-616249376-839522115-1004\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-746137067-616249376-839522115-1004..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpzrcv01.LNK = C:\Program Files\HP\Temp\{B94428F6-E93C-4d1d-8580-46D70FA07A9D}\setup\hpzstub.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-746137067-616249376-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-746137067-616249376-839522115-1004\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1232819736514 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...648/mcfscan.cab (McFreeScan Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\System32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/22 22:48:26 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 60 Days ==========

[5 C:\WINDOWS\*.tmp files]
[2009/07/03 22:06:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\Adobe
[2009/07/03 22:03:21 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTL.exe
[2009/07/03 09:40:55 | 00,286,208 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\dsus50le.exe
[2009/06/30 21:32:00 | 00,359,929 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\dds(2).scr
[2009/06/30 21:31:27 | 00,000,093 | ---- | C] () -- C:\WINDOWS\System32\SKYNETunyrncda.dat
[2009/06/25 19:31:58 | 00,359,893 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\dds.scr
[2009/06/23 17:48:40 | 00,003,208 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2009/06/23 17:47:53 | 00,289,144 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\VCCLSID.exe
[2009/06/23 17:47:53 | 00,288,417 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\SrchSTS.exe
[2009/06/23 17:47:53 | 00,135,168 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swreg.exe
[2009/06/23 17:47:53 | 00,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.exe
[2009/06/23 17:47:53 | 00,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.C.exe
[2009/06/23 17:47:53 | 00,082,432 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\404Fix.exe
[2009/06/23 17:47:53 | 00,080,384 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\o4Patch.exe
[2009/06/23 17:47:53 | 00,079,360 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swxcacls.exe
[2009/06/23 17:47:53 | 00,078,336 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\Agent.OMZ.Fix.exe
[2009/06/23 17:47:53 | 00,075,776 | ---- | C] () -- C:\WINDOWS\System32\WS2Fix.exe
[2009/06/23 17:47:53 | 00,053,248 | ---- | C] (http://www.beyondlogic.org) -- C:\WINDOWS\System32\Process.exe
[2009/06/23 17:47:53 | 00,051,200 | ---- | C] () -- C:\WINDOWS\System32\dumphive.exe
[2009/06/23 17:47:53 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\swsc.exe
[2009/06/23 17:47:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\SmitfraudFix
[2009/06/23 17:44:52 | 01,884,866 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\SmitfraudFix.exe
[2009/06/23 17:44:33 | 00,094,208 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\GooredFix(2).exe
[2009/06/23 17:44:21 | 00,094,208 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\GooredFix.exe
[2009/06/22 20:48:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\SUPERAntiSpyware.com
[2009/06/22 19:44:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/06/22 19:44:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\Sun
[2009/06/22 19:35:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\AIM Toolbar
[2009/06/21 21:21:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/06/21 21:21:03 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/06/21 21:21:00 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/06/21 21:20:41 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/06/17 21:08:23 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/06/17 21:08:22 | 00,410,984 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/06/17 21:08:22 | 00,148,888 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/06/17 21:08:21 | 00,144,792 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/06/17 21:08:21 | 00,144,792 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/06/17 21:07:45 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/06/17 21:06:52 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/06/17 21:03:45 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2009/06/17 15:44:03 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/06/17 14:54:23 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/06/17 14:54:00 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/06/17 14:50:31 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
[2009/06/17 14:50:30 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/06/17 14:50:11 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/06/17 14:50:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/06/17 12:17:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\McAfee.com
[2009/06/17 10:27:07 | 00,123,952 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/06/17 10:27:07 | 00,060,800 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/06/17 10:27:07 | 00,010,671 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/06/17 10:27:07 | 00,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/06/16 20:19:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\Malwarebytes
[2009/06/16 19:59:59 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\fusioncache.dat
[2009/06/16 19:59:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\ApplicationHistory
[2009/06/15 22:11:49 | 00,000,000 | ---D | C] -- C:\Program Files\grc.dat
[2009/06/15 22:11:49 | 00,000,000 | ---D | C] -- C:\Program Files\Documents and Settings
[2009/06/15 21:26:10 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/06/15 20:30:57 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/06/15 20:30:54 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/15 20:30:51 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/15 20:30:51 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/06/15 20:30:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/06/12 13:27:12 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\99819836.ini
[2009/06/09 03:38:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/06/08 22:15:30 | 01,464,575 | ---- | C] () -- C:\WINDOWS\System32\SKYNETtnyufmhs.dat
[2009/05/07 10:32:35 | 00,345,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\localspl.dll
[2009/01/25 21:23:09 | 00,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2009/01/24 23:06:06 | 00,000,392 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2009/01/24 23:05:44 | 00,001,187 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2009/01/24 23:04:26 | 00,229,376 | ---- | C] () -- C:\WINDOWS\System32\HPPCPR01.DLL
[2009/01/24 15:06:42 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/24 13:36:37 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2009/01/23 23:34:14 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2001/08/18 07:00:00 | 00,000,615 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/18 07:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 60 Days ==========

[2 C:\*.tmp files]
[1 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/07/03 22:03:31 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTL.exe
[2009/07/03 22:01:39 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/07/03 21:58:34 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/07/03 21:58:23 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/07/03 18:00:02 | 00,000,408 | ---- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for Owner.job
[2009/07/03 09:40:58 | 00,286,208 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\dsus50le.exe
[2009/06/30 21:33:07 | 00,359,929 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\dds(2).scr
[2009/06/30 21:31:27 | 01,464,575 | ---- | M] () -- C:\WINDOWS\System32\SKYNETtnyufmhs.dat
[2009/06/30 21:31:27 | 00,000,093 | ---- | M] () -- C:\WINDOWS\System32\SKYNETunyrncda.dat
[2009/06/30 19:36:13 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/06/29 14:53:02 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/06/29 01:33:00 | 00,000,444 | ---- | M] () -- C:\WINDOWS\tasks\SOS Online Backup - stevens744.job
[2009/06/25 19:32:10 | 00,359,893 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\dds.scr
[2009/06/23 21:16:22 | 00,307,172 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/06/23 18:13:44 | 00,307,172 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090623-211622.backup
[2009/06/23 17:48:41 | 00,003,208 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2009/06/23 17:45:04 | 01,884,866 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\SmitfraudFix.exe
[2009/06/23 17:44:39 | 00,094,208 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\GooredFix(2).exe
[2009/06/23 17:44:30 | 00,094,208 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\GooredFix.exe
[2009/06/22 23:54:00 | 00,000,710 | ---- | M] () -- C:\WINDOWS\tasks\backup.job
[2009/06/21 21:21:03 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/06/17 21:07:50 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/06/17 21:07:50 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/06/17 21:07:50 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/06/17 21:07:50 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/06/17 21:07:50 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/06/17 14:53:45 | 00,015,688 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/06/17 14:53:29 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/06/17 14:50:30 | 00,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/06/17 11:34:14 | 00,307,172 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090623-181344.backup
[2009/06/17 11:27:56 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/17 11:27:44 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/17 10:27:13 | 00,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/06/17 10:27:13 | 00,060,800 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/06/17 10:27:13 | 00,010,671 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/06/17 10:27:13 | 00,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/06/16 21:34:52 | 05,884,522 | -H-- | M] () -- C:\Documents and Settings\steve\Local Settings\Application Data\IconCache.db
[2009/06/16 20:04:52 | 00,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Security Scan.lnk
[2009/06/16 20:02:42 | 00,065,912 | ---- | M] () -- C:\Documents and Settings\steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/06/16 19:59:59 | 00,000,128 | ---- | M] () -- C:\Documents and Settings\steve\Local Settings\Application Data\fusioncache.dat
[2009/06/15 20:30:57 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/06/12 13:27:12 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\99819836.ini
[2009/06/10 03:11:33 | 00,256,656 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/06/10 03:04:59 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/06/02 11:17:27 | 00,075,776 | ---- | M] () -- C:\WINDOWS\System32\WS2Fix.exe
[2009/06/01 11:51:12 | 23,635,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/26 22:23:02 | 00,306,455 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090617-113414.backup
[2009/05/07 10:32:35 | 00,345,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\localspl.dll
[2009/05/07 10:32:35 | 00,345,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\localspl.dll
< End of report >

Here is extras.txt:

OTL Extras logfile created on: 7/3/2009 10:04:22 PM - Run 1
OTL by OldTimer - Version 3.0.6.4 Folder = C:\Documents and Settings\steve\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 62.93 Mb Available Physical Memory | 12.34% Memory free
1.22 Gb Paging File | 0.78 Gb Available in Paging File | 64.17% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 97.01 Gb Free Space | 75.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OFFICE-27D98NP4
Current User Name: steve
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 60 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"8085:TCP" = 8085:TCP:*:Disabled:podmena

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2006/11/03 02:17:27 | 00,010,800 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
[2008/10/21 12:09:59 | 00,050,472 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM
File not found -- C:\WINDOWS\system32\winlogin.exe:*:Enabled:Explorer
[2008/09/30 17:41:12 | 00,279,992 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPC32.exe:*:Enabled:Symantec AntiVirus


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 14
"{2A2766A4-6AE4-11D4-AC8E-52544C1966EE}" = Backup Dell-Installed Programs
"{33CFA493-A744-4B86-970D-32F478F91D03}" = Gillware File Viewer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B0F52AC-EF5C-4831-B221-06C782E41280}" = Quicken 2008
"{3FADAA19-E595-44CA-A072-58B6B0851768}" = Norton Security Scan
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8F31A56A-72ED-4D7F-8E02-2A5092B73A10}" = SOS Online Backup
"{91130409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Small Business
"{94882586-CD3C-4C31-9A84-5636615DC3D7}" = hppscan3390
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AD8A1013-4E46-4E02-85C2-3168C3328432}" = Symantec AntiVirus
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C26D7EF1-A5AD-4B46-9F49-535E9255A669}" = BlackBerry Desktop Software 4.7
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AIM Toolbar" = AIM Toolbar
"AIM_6" = AIM 6
"BlackBerry_{C26D7EF1-A5AD-4B46-9F49-535E9255A669}" = BlackBerry Desktop Software 4.7
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.11)" = Mozilla Firefox (3.0.11)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NSSSetup.{3FADAA19-E595-44CA-A072-58B6B0851768}" = Norton Security Scan (Symantec Corporation)
"PROSet" = Intel® PRO Network Adapters and Drivers
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/3/2009 2:38:41 PM | Computer Name = OFFICE-27D98NP4 | Source = Symantec AntiVirus | ID = 16711720
Description = Symantec AntiVirus has determined that the virus definitions are missing
on this computer. This computer will remain unprotected from viruses until virus
definitions are downloaded to this computer.

Error - 7/3/2009 3:31:30 PM | Computer Name = OFFICE-27D98NP4 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: Adware.VirtuMonde in File: Unavailable by:
Invalid : (15) scan. Action: Delete failed. Action Description: The file was
left unchanged.

Error - 7/3/2009 3:31:42 PM | Computer Name = OFFICE-27D98NP4 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: Adware.VirtuMonde in File: Unavailable by:
Invalid : (15) scan. Action: Delete failed : Leave Alone failed. Action Description:


Error - 7/3/2009 6:27:10 PM | Computer Name = OFFICE-27D98NP4 | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Adware.VirtuMonde in File: C:\System Volume Information\_restore{C9EF5BA6-74A2-4E76-9546-C1A3B4940B1B}\RP160\A0020550.dll
by: Auto-Protect scan. Action: Pending Side Effects Analysis : Access denied.
Action Description:

Error - 7/3/2009 6:48:46 PM | Computer Name = OFFICE-27D98NP4 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: Adware.VirtuMonde in File: C:\System Volume
Information\_restore{C9EF5BA6-74A2-4E76-9546-C1A3B4940B1B}\RP160\A0020550.dll by:
Auto-Protect scan. Action: Quarantine failed. Action Description: The file was
left unchanged.

Error - 7/3/2009 6:48:50 PM | Computer Name = OFFICE-27D98NP4 | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Adware.VirtuMonde in File: c:\system volume information\_restore{c9ef5ba6-74a2-4e76-9546-c1a3b4940b1b}\RP160\A0020550.dll
by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The
file was quarantined successfully.

Error - 7/3/2009 6:50:39 PM | Computer Name = OFFICE-27D98NP4 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: Adware.VirtuMonde in File: C:\System Volume
Information\_restore{C9EF5BA6-74A2-4E76-9546-C1A3B4940B1B}\RP160\A0020550.dll by:
Auto-Protect scan. Action: Reboot Required. Action Description: The file was
quarantined successfully.

Error - 7/3/2009 9:35:06 PM | Computer Name = OFFICE-27D98NP4 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BB from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 7/3/2009 11:04:55 PM | Computer Name = OFFICE-27D98NP4 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: Adware.VirtuMonde in File: Unavailable by:
Invalid : (15) scan. Action: Delete failed. Action Description: The file was
left unchanged.

Error - 7/3/2009 11:05:06 PM | Computer Name = OFFICE-27D98NP4 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: Adware.VirtuMonde in File: Unavailable by:
Invalid : (15) scan. Action: Delete failed : Leave Alone failed. Action Description:


[ System Events ]
Error - 7/3/2009 8:28:05 PM | Computer Name = OFFICE-27D98NP4 | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 7/3/2009 8:40:05 PM | Computer Name = OFFICE-27D98NP4 | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 7/3/2009 8:52:05 PM | Computer Name = OFFICE-27D98NP4 | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 7/3/2009 9:04:05 PM | Computer Name = OFFICE-27D98NP4 | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 7/3/2009 9:16:05 PM | Computer Name = OFFICE-27D98NP4 | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 7/3/2009 9:28:05 PM | Computer Name = OFFICE-27D98NP4 | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 7/3/2009 9:35:05 PM | Computer Name = OFFICE-27D98NP4 | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 7/3/2009 9:37:49 PM | Computer Name = OFFICE-27D98NP4 | Source = SAVRT | ID = 458772
Description = Unable to initialize the virus scanning engine database files.

Error - 7/3/2009 9:40:05 PM | Computer Name = OFFICE-27D98NP4 | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 7/3/2009 9:41:08 PM | Computer Name = OFFICE-27D98NP4 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\WINDOWS\system32\NOTEPAD.EXE.
Reference
error message: The operation completed successfully. .


< End of report >

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:21 AM

Posted 04 July 2009 - 05:22 AM

Some files that need to go.

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Files
    C:\WINDOWS\System32\SKYNETunyrncda.dat
    C:\WINDOWS\System32\SKYNETtnyufmhs.dat
    C:\LOG*.tmp
    :Commands
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.

Please also post new OTL logs.

Let me know how the computer is behaving too.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#9 druryman

druryman
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 04 July 2009 - 10:11 AM

Clearly appears better. I am nervous that my other computers on my home system are infected. can tyhey be infecting each other? Can I run windows update? one of my computers now seems to install porn when the windows update icon says updates to be installed. Also I have Norton, what woul dyou suggest to run? SAS? Sybot? Malwarebytes?

anyway here is log.

All processes killed
========== FILES ==========
C:\WINDOWS\System32\SKYNETunyrncda.dat moved successfully.
C:\WINDOWS\System32\SKYNETtnyufmhs.dat moved successfully.
C:\LOG19.tmp moved successfully.
C:\LOG5.tmp moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 152210 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 98438 bytes

User: NetworkService
->Temp folder emptied: 96834 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 1174092 bytes
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 39857453 bytes
->Java cache emptied: 7618262 bytes
->FireFox cache emptied: 38555624 bytes

User: steve
File delete failed. C:\Documents and Settings\steve\Local Settings\Temp\TMP2.tmp scheduled to be deleted on reboot.
->Temp folder emptied: 703779 bytes
->Temporary Internet Files folder emptied: 226514 bytes
->Java cache emptied: 13613011 bytes
->FireFox cache emptied: 35354651 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1145664 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
File delete failed. C:\WINDOWS\temp\TMP0000000A2FB72B301590CB4E scheduled to be deleted on reboot.
Windows Temp folder emptied: 1335860678 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 1406.25 mb


OTM by OldTimer - Version 3.0.0.3 log created on 07042009_095133

Files moved on Reboot...
File C:\Documents and Settings\steve\Local Settings\Temp\TMP2.tmp not found!
File C:\WINDOWS\temp\TMP0000000A2FB72B301590CB4E not found!

Registry entries deleted on Reboot...

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:21 AM

Posted 04 July 2009 - 04:37 PM

can tyhey be infecting each other?


If they are on a network it is possible. I would suggest that it you have a number of PCs with problems that you attempt to see what infections they have. Try your on-board antiviruses and then try MBAM. This will give you some idea of the malware there is.

If you want to be sure you could post in the Am I Infected forum or in this one.

It's a bit difficult to answer what you should attempt because it depends on the infections.

---------------------------------------------------

It should certainly be better now as all the stray files have now been removed.

We need to check for infected files and other possible problems with a good online scanner.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Then

Post a new DDS log

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#11 druryman

druryman
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 04 July 2009 - 09:32 PM

I ran the gmer application on teh other computer and it said it found rootkits. MBAM and norton find nothing. I cannot update explorer on other computer, when i try it appears that I am loading spyware.

Anyway here is the information on computer you are helping me with. By the way thanks.

I will post the ESET file. it fif find stuff, followed by DDS files.

ESET


C:\Documents and Settings\steve\Desktop\SmitfraudFix.exe multiple threats deleted - quarantined
C:\Documents and Settings\steve\Desktop\SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined
C:\Documents and Settings\steve\Desktop\SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
C:\WINDOWS\system32\Process.exe Win32/PrcView application cleaned by deleting - quarantined

DDS



DDS (Ver_09-06-26.01) - NTFSx86
Run by steve at 21:20:46.59 on Sat 07/04/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.168 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aim toolbar\aimtbServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Documents and Settings\steve\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpzrcv01.lnk - c:\program files\hp\temp\{b94428f6-e93c-4d1d-8580-46d70fa07a9d}\setup\hpzstub.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232819736514
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5648/mcfscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\gdiaznn3.default\
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-17 64160]
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2009-1-22 17792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2008-5-28 337280]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2008-5-28 54656]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2008-6-24 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2008-6-24 169320]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1003344]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2008-9-30 1956792]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-29 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-30 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090703.004\naveng.sys [2009-7-3 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090703.004\navex15.sys [2009-7-3 876144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2009-1-24 26144]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2008-9-30 116664]

=============== Created Last 30 ================

2009-07-04 16:59 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-04 16:59 <DIR> --d----- c:\windows\ie8updates
2009-07-04 16:59 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-04 16:59 5,936,128 -------- c:\windows\system32\SETC6.tmp
2009-07-04 16:59 1,207,808 -------- c:\windows\system32\SETC5.tmp
2009-07-04 16:59 915,456 -------- c:\windows\system32\SETC4.tmp
2009-07-04 16:59 25,600 -------- c:\windows\system32\SETC7.tmp
2009-07-04 16:59 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-04 16:59 11,064,832 -------- c:\windows\system32\SETCA.tmp
2009-07-04 16:59 1,985,024 -------- c:\windows\system32\SETC9.tmp
2009-07-04 16:58 873 a------- c:\windows\system32\spupdsvc.inf
2009-07-04 16:55 <DIR> -cd-h--- c:\windows\ie8
2009-07-04 16:53 <DIR> --d----- c:\program files\ESET
2009-07-04 09:51 <DIR> --d----- C:\_OTM
2009-06-23 17:48 3,208 a------- c:\windows\system32\tmp.reg
2009-06-23 17:47 289,144 a------- c:\windows\system32\VCCLSID.exe
2009-06-23 17:47 288,417 a------- c:\windows\system32\SrchSTS.exe
2009-06-23 17:47 135,168 a------- c:\windows\system32\swreg.exe
2009-06-23 17:47 82,944 a------- c:\windows\system32\IEDFix.exe
2009-06-23 17:47 82,944 a------- c:\windows\system32\IEDFix.C.exe
2009-06-23 17:47 82,432 a------- c:\windows\system32\404Fix.exe
2009-06-23 17:47 80,384 a------- c:\windows\system32\o4Patch.exe
2009-06-23 17:47 79,360 a------- c:\windows\system32\swxcacls.exe
2009-06-23 17:47 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2009-06-23 17:47 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-06-23 17:47 51,200 a------- c:\windows\system32\dumphive.exe
2009-06-22 20:48 <DIR> --d----- c:\docume~1\steve\applic~1\SUPERAntiSpyware.com
2009-06-21 21:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-21 21:21 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-21 21:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-17 21:08 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-17 21:08 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-17 15:44 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-17 14:54 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-17 14:50 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-17 14:50 <DIR> --d----- c:\program files\Lavasoft
2009-06-17 12:17 <DIR> --d----- c:\windows\McAfee.com
2009-06-17 10:27 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-17 10:27 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-17 10:27 10,671 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-17 10:27 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-16 20:19 <DIR> --d----- c:\docume~1\steve\applic~1\Malwarebytes
2009-06-15 22:11 <DIR> a-d----- c:\program files\grc.dat
2009-06-15 22:11 <DIR> --d----- c:\program files\Documents and Settings
2009-06-15 21:26 <DIR> --d----- c:\windows\pss
2009-06-15 20:30 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 20:30 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 20:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 20:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 23:56 827,392 -------- c:\windows\system32\wininet.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 21:21:28.21 ===============

Attached Files



#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:21 AM

Posted 05 July 2009 - 05:13 AM

Yes, it found some malware but mainly it deleted a tool which had quarantined malware before.

The process.exe file is a keylogger and we need to make sure that that is completely removed.

Please download RunKeys.vbs to your desktop.
Double click RunKeys.vbs to run the script.
After a moment, a log file will open in notepad. Copy this log into your next post please.

Thanks :thumbup2:

Edited by m0le, 05 July 2009 - 05:14 AM.

Posted Image
m0le is a proud member of UNITE

#13 druryman

druryman
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 05 July 2009 - 08:13 AM

the link for runkeys did not work.
is there another place to get the program?

#14 druryman

druryman
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 05 July 2009 - 08:46 AM

My computer is also running slowly again and I hear the hard drive constantly making noise. i ran another OTL log pasted below. Does the stuff by 127.0.0.1 mean I am reinfected?

OTL logfile created on: 7/5/2009 8:27:29 AM - Run 2
OTL by OldTimer - Version 3.0.6.4 Folder = C:\Documents and Settings\steve\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 191.30 Mb Available Physical Memory | 37.51% Memory free
1.22 Gb Paging File | 0.78 Gb Available in Paging File | 64.33% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 97.91 Gb Free Space | 76.50% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OFFICE-27D98NP4
Current User Name: steve
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 60 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2008/06/24 18:17:38 | 00,169,320 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2008/06/24 18:17:36 | 00,191,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2007/07/26 19:25:20 | 01,181,016 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2009/06/17 14:53:22 | 01,003,344 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2008/09/30 17:40:56 | 00,031,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2009/06/17 21:07:50 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/09/30 17:41:04 | 01,956,792 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2001/08/18 07:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\unsecapp.exe
PRC - [2009/02/06 05:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2005/09/20 10:32:24 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\hkcmd.exe
PRC - [2005/09/20 10:36:20 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\igfxpers.exe
PRC - [2008/09/17 16:22:50 | 00,615,696 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
PRC - [2004/10/14 15:42:54 | 01,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2008/06/24 18:17:34 | 00,053,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2008/09/30 17:41:14 | 00,125,368 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2009/06/17 14:53:23 | 00,518,488 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2006/11/03 19:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2009/06/17 21:07:50 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/06/23 17:33:41 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/02/06 05:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2009/07/03 22:03:31 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2004/07/15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/06/24 18:17:36 | 00,191,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
SRV - [2008/06/24 18:17:38 | 00,169,320 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
SRV - [2008/09/30 17:40:56 | 00,031,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/01/02 18:27:38 | 00,225,280 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08 [On_Demand | Stopped])
SRV - [2009/06/17 21:07:50 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/06/17 14:53:22 | 01,003,344 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Running])
SRV - [2007/09/12 18:27:24 | 02,999,664 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate [On_Demand | Stopped])
SRV - [2006/11/08 17:35:38 | 00,053,248 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\HPZipm12.dll -- (Pml Driver HPZ12 [Auto | Running])
SRV - [2008/09/30 17:41:08 | 00,116,664 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
SRV - [2008/08/20 15:50:30 | 00,214,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
SRV - [2007/07/26 19:25:20 | 01,181,016 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc [Auto | Running])
SRV - [2008/09/30 17:41:04 | 01,956,792 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
SRV - [2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])
SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2004/02/10 16:49:14 | 00,154,112 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2009/06/16 12:37:06 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2009/06/16 12:37:06 | 00,101,936 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
DRV - [2006/04/04 16:20:37 | 00,009,344 | ---- | M] (Hewlett Packard) -- C:\WINDOWS\System32\drivers\hpfxbulk.sys -- (HPFXBULK [On_Demand | Running])
DRV - [2005/10/21 12:58:52 | 00,049,920 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Running])
DRV - [2005/10/21 12:58:58 | 00,016,496 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Running])
DRV - [2005/10/21 12:52:48 | 00,021,568 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Running])
DRV - [2005/09/20 11:00:54 | 01,302,332 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2009/06/17 14:53:29 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
DRV - [2009/06/16 12:37:06 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090703.004\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/06/16 12:37:06 | 00,876,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090703.004\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2001/08/18 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/05/20 20:33:50 | 00,022,784 | ---- | M] (Research In Motion Limited) -- C:\WINDOWS\System32\Drivers\RimUsb.sys -- (RimUsb [On_Demand | Stopped])
DRV - [2007/01/18 11:24:58 | 00,026,496 | R--- | M] (Research in Motion Ltd) -- C:\WINDOWS\System32\DRIVERS\RimSerial.sys -- (RimVSerPort [On_Demand | Running])
DRV - [2001/08/18 07:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\Drivers\RootMdm.sys -- (ROOTMODEM [On_Demand | Running])
DRV - [2009/05/26 10:05:54 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/05/26 10:05:56 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/05/26 10:05:52 | 00,072,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2008/05/28 11:31:24 | 00,337,280 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT [System | Running])
DRV - [2008/05/28 11:31:24 | 00,054,656 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL [System | Running])
DRV - [2008/04/13 11:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2004/09/17 10:02:54 | 00,732,928 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\drivers\senfilt.sys -- (senfilt [On_Demand | Running])
DRV - [2005/01/27 16:31:06 | 00,260,352 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2007/07/26 19:25:18 | 00,400,216 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [System | Running])
DRV - [2009/06/17 10:27:13 | 00,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2008/08/20 15:49:56 | 00,023,944 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Running])
DRV - [2008/08/20 15:50:02 | 00,188,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-746137067-616249376-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-746137067-616249376-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-746137067-616249376-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
IE - HKU\S-1-5-21-746137067-616249376-839522115-1003\S-1-5-21-746137067-616249376-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-746137067-616249376-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-746137067-616249376-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-746137067-616249376-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKU\S-1-5-21-746137067-616249376-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/defaulta.aspx
IE - HKU\S-1-5-21-746137067-616249376-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-746137067-616249376-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 6A B6 E5 A8 19 FD C9 01 [binary data]
IE - HKU\S-1-5-21-746137067-616249376-839522115-1004\S-1-5-21-746137067-616249376-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.11

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/06/17 21:07:51 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/06/23 17:33:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/06/23 17:33:48 | 00,000,000 | ---D | M]

[2009/02/01 00:30:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\mozilla\Extensions
[2009/02/01 00:30:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/02/01 00:30:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\mozilla\Firefox\Profiles\gdiaznn3.default\extensions
[2009/07/04 09:33:11 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/06/23 17:33:47 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/06/17 21:08:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2009/06/23 17:33:41 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/06/23 17:33:41 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/01/16 20:17:04 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\np32dsw.dll
[2009/06/17 21:07:50 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2008/09/26 11:40:34 | 00,053,248 | ---- | M] (AOL LLC) -- C:\Program Files\mozilla firefox\plugins\npdnu.dll
[2009/06/23 17:33:43 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/02/27 12:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2007/04/16 12:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll
[2008/12/02 03:04:40 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/12/02 03:04:40 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/12/02 03:04:40 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/12/02 03:04:40 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/12/02 03:04:40 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/12/02 03:04:40 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/12/02 03:04:40 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (307172 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10574 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AIM Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AIM Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKU\S-1-5-21-746137067-616249376-839522115-1003\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKU\S-1-5-21-746137067-616249376-839522115-1004\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-746137067-616249376-839522115-1003..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKU\S-1-5-21-746137067-616249376-839522115-1003..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-746137067-616249376-839522115-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-746137067-616249376-839522115-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-746137067-616249376-839522115-1004..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpzrcv01.LNK = C:\Program Files\HP\Temp\{B94428F6-E93C-4d1d-8580-46D70FA07A9D}\setup\hpzstub.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-746137067-616249376-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-746137067-616249376-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-746137067-616249376-839522115-1003\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-746137067-616249376-839522115-1004\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1232819736514 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...648/mcfscan.cab (McFreeScan Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\System32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/22 22:48:26 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 60 Days ==========

[2009/07/04 16:59:53 | 00,102,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/07/04 16:59:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/07/04 16:59:01 | 00,012,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpshims.dll
[2009/07/04 16:59:00 | 00,246,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieproxy.dll
[2009/07/04 16:55:45 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/07/04 16:53:58 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2009/07/04 09:51:34 | 00,000,000 | ---D | C] -- C:\_OTM
[2009/07/04 09:49:38 | 00,407,552 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTM.exe
[2009/07/03 22:06:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\Adobe
[2009/07/03 22:03:21 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTL.exe
[2009/07/03 09:40:55 | 00,286,208 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\dsus50le.exe
[2009/06/30 21:32:00 | 00,359,929 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\dds(2).scr
[2009/06/25 19:31:58 | 00,359,893 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\dds.scr
[2009/06/23 17:48:40 | 00,003,208 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2009/06/23 17:47:53 | 00,289,144 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\VCCLSID.exe
[2009/06/23 17:47:53 | 00,288,417 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\SrchSTS.exe
[2009/06/23 17:47:53 | 00,135,168 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swreg.exe
[2009/06/23 17:47:53 | 00,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.exe
[2009/06/23 17:47:53 | 00,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.C.exe
[2009/06/23 17:47:53 | 00,082,432 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\404Fix.exe
[2009/06/23 17:47:53 | 00,080,384 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\o4Patch.exe
[2009/06/23 17:47:53 | 00,079,360 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swxcacls.exe
[2009/06/23 17:47:53 | 00,078,336 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\Agent.OMZ.Fix.exe
[2009/06/23 17:47:53 | 00,075,776 | ---- | C] () -- C:\WINDOWS\System32\WS2Fix.exe
[2009/06/23 17:47:53 | 00,051,200 | ---- | C] () -- C:\WINDOWS\System32\dumphive.exe
[2009/06/23 17:47:53 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\swsc.exe
[2009/06/23 17:47:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\SmitfraudFix
[2009/06/23 17:44:33 | 00,094,208 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\GooredFix(2).exe
[2009/06/23 17:44:21 | 00,094,208 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\GooredFix.exe
[2009/06/22 20:48:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\SUPERAntiSpyware.com
[2009/06/22 19:44:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/06/22 19:44:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\Sun
[2009/06/22 19:35:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\AIM Toolbar
[2009/06/21 21:21:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/06/21 21:21:03 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/06/21 21:21:00 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/06/21 21:20:41 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/06/17 21:08:23 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/06/17 21:08:22 | 00,410,984 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/06/17 21:08:22 | 00,148,888 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/06/17 21:08:21 | 00,144,792 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/06/17 21:08:21 | 00,144,792 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/06/17 21:07:45 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/06/17 21:06:52 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/06/17 21:03:45 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2009/06/17 15:44:03 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/06/17 14:54:23 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/06/17 14:54:00 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/06/17 14:50:31 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
[2009/06/17 14:50:30 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/06/17 14:50:11 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/06/17 14:50:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/06/17 12:17:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\McAfee.com
[2009/06/17 10:27:07 | 00,123,952 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/06/17 10:27:07 | 00,060,800 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/06/17 10:27:07 | 00,010,671 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/06/17 10:27:07 | 00,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/06/16 20:19:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\Malwarebytes
[2009/06/16 19:59:59 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\fusioncache.dat
[2009/06/16 19:59:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\ApplicationHistory
[2009/06/15 22:11:49 | 00,000,000 | ---D | C] -- C:\Program Files\grc.dat
[2009/06/15 22:11:49 | 00,000,000 | ---D | C] -- C:\Program Files\Documents and Settings
[2009/06/15 21:26:10 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/06/15 20:30:57 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/06/15 20:30:54 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/15 20:30:51 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/15 20:30:51 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/06/15 20:30:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/06/12 13:27:12 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\99819836.ini
[2009/06/09 03:38:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/05/07 10:32:35 | 00,345,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\localspl.dll
[2009/01/25 21:23:09 | 00,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2009/01/24 23:06:06 | 00,000,392 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2009/01/24 23:05:44 | 00,001,187 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2009/01/24 23:04:26 | 00,229,376 | ---- | C] () -- C:\WINDOWS\System32\HPPCPR01.DLL
[2009/01/24 15:06:42 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/24 13:36:37 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2009/01/23 23:34:14 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2001/08/18 07:00:00 | 00,000,615 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/18 07:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 60 Days ==========

[2009/07/05 08:06:50 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/07/05 08:03:39 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/07/05 08:03:28 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/07/04 16:59:52 | 00,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/07/04 09:49:57 | 00,407,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTM.exe
[2009/07/03 22:03:31 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTL.exe
[2009/07/03 18:00:02 | 00,000,408 | ---- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for Owner.job
[2009/07/03 09:40:58 | 00,286,208 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\dsus50le.exe
[2009/06/30 21:33:07 | 00,359,929 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\dds(2).scr
[2009/06/30 19:36:13 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/06/29 14:53:02 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/06/29 01:33:00 | 00,000,444 | ---- | M] () -- C:\WINDOWS\tasks\SOS Online Backup - stevens744.job
[2009/06/25 19:32:10 | 00,359,893 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\dds.scr
[2009/06/23 21:16:22 | 00,307,172 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/06/23 18:13:44 | 00,307,172 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090623-211622.backup
[2009/06/23 17:48:41 | 00,003,208 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2009/06/23 17:44:39 | 00,094,208 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\GooredFix(2).exe
[2009/06/23 17:44:30 | 00,094,208 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\GooredFix.exe
[2009/06/22 23:54:00 | 00,000,710 | ---- | M] () -- C:\WINDOWS\tasks\backup.job
[2009/06/21 21:21:03 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/06/17 21:07:50 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/06/17 21:07:50 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/06/17 21:07:50 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/06/17 21:07:50 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/06/17 21:07:50 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/06/17 14:53:45 | 00,015,688 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/06/17 14:53:29 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/06/17 14:50:30 | 00,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/06/17 11:34:14 | 00,307,172 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090623-181344.backup
[2009/06/17 11:27:56 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/17 11:27:44 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/17 10:27:13 | 00,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/06/17 10:27:13 | 00,060,800 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/06/17 10:27:13 | 00,010,671 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/06/17 10:27:13 | 00,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/06/16 21:34:52 | 05,884,522 | -H-- | M] () -- C:\Documents and Settings\steve\Local Settings\Application Data\IconCache.db
[2009/06/16 20:04:52 | 00,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Security Scan.lnk
[2009/06/16 20:02:42 | 00,065,912 | ---- | M] () -- C:\Documents and Settings\steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/06/16 19:59:59 | 00,000,128 | ---- | M] () -- C:\Documents and Settings\steve\Local Settings\Application Data\fusioncache.dat
[2009/06/15 20:30:57 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/06/12 13:27:12 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\99819836.ini
[2009/06/10 03:11:33 | 00,256,656 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/06/02 11:17:27 | 00,075,776 | ---- | M] () -- C:\WINDOWS\System32\WS2Fix.exe
[2009/06/02 05:12:46 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/06/01 11:51:12 | 23,635,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/26 22:23:02 | 00,306,455 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090617-113414.backup
[2009/05/13 00:15:55 | 05,936,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mshtml.dll
[2009/05/13 00:15:55 | 05,936,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2009/05/13 00:15:55 | 00,915,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wininet.dll
[2009/05/13 00:15:55 | 00,915,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2009/05/07 10:32:35 | 00,345,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\localspl.dll
[2009/05/07 10:32:35 | 00,345,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\localspl.dll
< End of report >

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:21 AM

Posted 05 July 2009 - 01:41 PM

Hi druryman,

The 127.0.0.1 is the default ISP. If you type one of these bad URLs listed after it into your address bar your Hosts file will automatically return to home. It's a safety measure and Spybot often populate this with well-known bad URLs. If you have problems still we need to look elsewhere.

Seems that runkeys has been pulled so we have to do this the hard way.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it to your desktop (click file, save as) as fixit.reg In the same open notepad, at the bottom select:(filetype = any).

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"process.exe" =-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UserData]
"UID" =-

NOTICE: This file was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please reply back letting me know if it merged correctly.

Then

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users