Multiple IE process, related to search result redirect virus


  • This topic is locked
13 replies to this topic

#1 Red Mage Joe

Red Mage Joe

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 08 July 2009 - 01:33 AM

Alright, so I'm suffering the pre-cursor to the search result redirect spyware virus, as I have seen this before, but last time I had a backup of my computer to rollback to. Sadly, this was not the case for my latest backup, and I now need aid removing the virus from my computer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:33 AM, on 7/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238997800703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1239001445703
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F7F2970-4521-48BC-87E2-6BD5F904A68F}: NameServer = 192.168.1.1,192.168.1.0
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL5 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6903 bytes




#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:33 PM

Posted 16 July 2009 - 08:52 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 Red Mage Joe

Red Mage Joe
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 17 July 2009 - 11:08 PM

DDS Log

DDS (Ver_09-06-26.01) - NTFSx86
Run by Admin Joe at 23:55:19.71 on Fri 07/17/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2561 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Admin Joe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: youtube.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238997800703
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239001445703
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {8F7F2970-4521-48BC-87E2-6BD5F904A68F} = 192.168.1.1,192.168.1.0
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-7-8 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-7-8 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-7-8 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090715.003\IDSXpx86.sys [2009-7-17 276344]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 MySQL5;MySQL5;"c:\program files\mysql\mysql server 5.1\bin\mysqld" --defaults-file="c:\program files\mysql\mysql server 5.1\my.ini" mysql5 --> c:\program files\mysql\mysql server 5.1\bin\mysqld [?]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-7-8 115560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-6 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-7-9 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090717.032\NAVENG.SYS [2009-7-17 87888]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090717.032\NAVEX15.SYS [2009-7-17 875728]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]

=============== Created Last 30 ================

2009-07-16 14:22 <DIR> --d----- c:\program files\Fraps
2009-07-16 13:35 107,864 a------- c:\windows\system32\tsccvid.dll
2009-07-16 13:35 <DIR> --d----- c:\windows\system32\QuickTime
2009-07-14 17:28 754 a------- c:\windows\WORDPAD.INI
2009-07-13 11:52 3,176 a------- c:\windows\system32\gafilter.sti
2009-07-13 11:52 4,808 a------- c:\windows\system32\gaeffect.sti
2009-07-13 11:51 427 a------- c:\windows\ULEAD32.INI
2009-07-13 11:51 1,056,768 a------- c:\windows\system32\ROBOEX32.DLL
2009-07-13 11:51 49,152 a------- c:\windows\system32\INETWH32.dll
2009-07-13 11:51 <DIR> --d----- c:\program files\Ulead Systems
2009-07-10 03:02 4,096 a--sh--- C:\VSNAP.IDX
2009-07-08 22:03 <DIR> --dsh--- c:\documents and settings\admin joe\IECompatCache
2009-07-08 20:33 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-07-08 20:33 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-08 20:33 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-07-08 20:33 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-07-08 20:33 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-07-08 20:33 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-07-08 20:33 <DIR> --d----- c:\program files\Norton AntiVirus
2009-07-08 19:06 201,963 a------- C:\Grf90.tmp
2009-07-08 12:02 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 12:02 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-08 12:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 12:01 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-08 12:01 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-08 01:42 <DIR> --d----- c:\program files\Trend Micro
2009-07-08 01:17 <DIR> --d----- c:\docume~1\adminj~1\applic~1\Malwarebytes
2009-07-08 01:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-30 12:37 482,861 a------- C:\Grf18C.tmp
2009-06-30 11:47 25,800,143 a------- C:\GrfBE.tmp
2009-06-30 11:45 25,814,390 a------- C:\GrfBC.tmp
2009-06-26 00:48 1,062 a------- c:\windows\AZPR3.INI
2009-06-26 00:41 <DIR> --d----- c:\program files\AZPR
2009-06-23 23:00 1,548,272 a------- C:\Grf187.tmp
2009-06-22 11:20 <DIR> --dsh--- c:\documents and settings\admin joe\PrivacIE
2009-06-22 11:19 <DIR> --dsh--- c:\documents and settings\admin joe\IETldCache
2009-06-22 11:13 <DIR> --d----- c:\windows\ie8updates
2009-06-22 11:10 <DIR> -cd-h--- c:\windows\ie8
2009-06-22 11:09 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-22 11:09 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-22 11:08 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll

==================== Find3M ====================

2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-19 12:50 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2007-12-28 15:02 287,232 a------- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 14:59 342,528 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 17:53 63,488 a------- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 17:52 32,768 a------- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE
2009-04-09 15:09 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040920090410\index.dat

============= FINISH: 23:55:41.32 ===============


My IE still opens multiple windows, though it seems like I was able to remove other parts of the problem and my machine is not behaving strangely or sending data without my knowledge. Still, the fact that one symptom remains bothers me.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:33 AM

Posted 18 July 2009 - 07:28 PM

Hi Red Mage Joe,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

I will be back soon with the first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:33 AM

Posted 18 July 2009 - 07:35 PM

Hi Red Mage Joe,

There are some strange temp files floating around. Before we remove them we need to see if there's anything else lurking around.

First though a couple of warnings.

Viewpoint Manager is considered foistware rather than malware, since it is installed without users' approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Also

The log shows that you have been using so-called peer-to-peer or file-sharing programmes (in your case BitTorrent). These programmes allow users to share files between them, as the name suggests. In today's world cybercrime has come a long way, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Now to the fix

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop, please rename it as gamer.exe.
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

Then

We need to create an OTL Report
  • Please download OTL from the mirror:
    This is THE Mirror: http://oldtimer.geekstogo.com/OTL.exe
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open; copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Thanks :thumbup2:
m0le is a proud member of UNITE

#6 Red Mage Joe

Red Mage Joe
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 19 July 2009 - 07:53 PM

GMER Log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-19 20:46:47
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT 8A7C2410 ZwOpenEvent
SSDT 8A7F60A8 ZwDebugActiveProcess
SSDT 8A81E0A8 ZwAssignProcessToJobObject
SSDT 8A84B2C8 ZwOpenThread
SSDT 8A84B398 ZwOpenProcess
SSDT 8A84D620 ZwCreateMutant
SSDT 8A84DAA8 ZwSetInformationProcess
SSDT 8A84DC88 ZwFreeVirtualMemory
SSDT 8A84DD58 ZwWriteVirtualMemory
SSDT 8A84DE28 ZwAllocateVirtualMemory
SSDT 8A84DF80 ZwDuplicateObject
SSDT 8A84EEB0 ZwCreateSymbolicLinkObject
SSDT 8A84EF80 ZwProtectVirtualMemory
SSDT 8A9A10D8 ZwCreateThread
SSDT 8AA52A88 ZwImpersonateAnonymousToken
SSDT 8AAC24A0 ZwLoadDriver
SSDT 8AB0D268 ZwOpenSection
SSDT 8AC46710 ZwSuspendProcess
SSDT 8AC67890 ZwOpenProcessToken
SSDT 8AC6E740 ZwUnmapViewOfSection
SSDT 8AC9BBF0 ZwMapViewOfSection
SSDT 8ACAD0C8 ZwConnectPort
SSDT 8ACC0160 ZwResumeThread
SSDT 8AD49108 ZwSuspendThread
SSDT 8AD5EAC8 ZwSetSystemInformation
SSDT 8AD85008 ZwSetContextThread
SSDT 8AD93C08 ZwAlertResumeThread
SSDT 8AD94C50 ZwAlertThread
SSDT 8AD94E30 ZwTerminateProcess
SSDT 8AD97660 ZwImpersonateThread
SSDT 8AD9EA70 ZwTerminateThread

INT 0x63 ? 8AF8ABF8
INT 0x63 ? 8AF8ABF8
INT 0x63 ? 8AF8ABF8
INT 0x63 ? 8AF8ABF8
INT 0x63 ? 8AD2CF00
INT 0x83 ? 8AF8ABF8
INT 0x83 ? 8AF8ABF8
INT 0x83 ? 8AD2CF00
INT 0x83 ? 8AF8ABF8
INT 0x84 ? 8AD2CF00
INT 0xA4 ? 8AD2CF00
INT 0xA4 ? 8AD2CF00
INT 0xA4 ? 8AD2CF00
INT 0xA4 ? 8AD2CF00
INT 0xB4 ? 8AD2CF00

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB6366040]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB63662C0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB6366820]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB6366A70]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8AF8A1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-10 8AF8A1F8
Device \Driver\atapi \Device\Ide\IdePort0 8AF8A1F8
Device \Driver\atapi \Device\Ide\IdePort1 8AF8A1F8
Device \Driver\atapi \Device\Ide\IdePort2 8AF8A1F8
Device \Driver\atapi \Device\Ide\IdePort3 8AF8A1F8
Device \Driver\atapi \Device\Ide\IdePort4 8AF8A1F8
Device \Driver\atapi \Device\Ide\IdePort5 8AF8A1F8
Device \Driver\Cdrom \Device\CdRom0 8ACDB1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8AF1A1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8AF1A1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AF1A1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8AF1A1F8
Device \Driver\Ftdisk \Device\FtControl 8AF8B1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AF8B1F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Ftdisk \Device\HarddiskVolume2 8AF8B1F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\NetBT \Device\NetbiosSmb 8A92D500
Device \Driver\NetBT \Device\NetBT_Tcpip_{8F7F2970-4521-48BC-87E2-6BD5F904A68F} 8A92D500
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A92D500

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbehci \Device\USBFDO-3 8AD901F8
Device \Driver\usbehci \Device\USBFDO-7 8AD901F8
Device \Driver\usbehci \Device\USBPDO-3 8AD901F8
Device \Driver\usbehci \Device\USBPDO-7 8AD901F8
Device \Driver\USBSTOR \Device\0000008d 8AAEE1F8
Device \Driver\USBSTOR \Device\0000008e 8AAEE1F8
Device \Driver\USBSTOR \Device\0000008f 8AAEE1F8
Device \Driver\USBSTOR \Device\00000092 8AAEE1F8
Device \Driver\usbuhci \Device\USBFDO-0 8AD5C1F8
Device \Driver\usbuhci \Device\USBFDO-1 8AD5C1F8
Device \Driver\usbuhci \Device\USBFDO-2 8AD5C1F8
Device \Driver\usbuhci \Device\USBFDO-4 8AD5C1F8
Device \Driver\usbuhci \Device\USBFDO-5 8AD5C1F8
Device \Driver\usbuhci \Device\USBFDO-6 8AD5C1F8
Device \Driver\usbuhci \Device\USBPDO-0 8AD5C1F8
Device \Driver\usbuhci \Device\USBPDO-1 8AD5C1F8
Device \Driver\usbuhci \Device\USBPDO-2 8AD5C1F8
Device \Driver\usbuhci \Device\USBPDO-4 8AD5C1F8
Device \Driver\usbuhci \Device\USBPDO-5 8AD5C1F8
Device \Driver\usbuhci \Device\USBPDO-6 8AD5C1F8
Device \FileSystem\Cdfs \Cdfs 898601F8
Device \FileSystem\Fastfat \Fat 898E41F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fastfat \FatCdrom 898E41F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A96A500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A96A500
Device \FileSystem\Ntfs \Ntfs 8AF181F8

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB9048] spvp.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spvp.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spvp.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spvp.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spvp.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spvp.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcmxeyabuwlonvkfhxenalxmpffqvdqgrq.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxckvtrpaeofvrcebbiohumujgdmuyjpdjx.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcltodevewewmghqodoyxtqsniqlqlhhbi.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcmxeyabuwlonvkfhxenalxmpffqvdqgrq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F4C 80503D20 4 Bytes JMP 0E268AD5

SSDT spvp.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spvp.sys ZwEnumerateValueKey [0xB9EC7030]
SSDT spvp.sys ZwOpenKey [0xB9EA80C0]
SSDT spvp.sys ZwQueryKey [0xB9EC7108]
SSDT spvp.sys ZwQueryValueKey [0xB9EC6F88]

---- Kernel code sections - GMER 1.0.15 ----

? spvp.sys The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B8E5362C 5 Bytes JMP 8AD2C4E0

---- EOF - GMER 1.0.15 ----


OTL Log:

OTL logfile created on: 7/19/2009 8:47:38 PM - Run 1
OTL by OldTimer - Version 3.0.9.2 Folder = C:\Documents and Settings\Admin Joe\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 103.75 Gb Free Space | 69.61% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 298.09 Gb Total Space | 165.65 Gb Free Space | 55.57% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
Drive H: | 111.55 Gb Total Space | 106.16 Gb Free Space | 95.17% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: JKENDALL
Current User Name: Admin Joe
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/05/29 13:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2007/06/13 06:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2007/09/12 18:27:24 | 00,554,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
PRC - [2009/03/21 13:10:30 | 00,610,816 | ---- | M] (http://tortoisesvn.net) -- C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2009/07/08 12:00:45 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/03/16 13:29:28 | 06,562,432 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
PRC - [2009/07/08 12:00:45 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/04/06 03:10:00 | 00,342,848 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe
PRC - [2009/02/06 18:51:28 | 03,885,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
PRC - [2009/07/08 20:33:36 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
PRC - [2008/11/12 16:01:14 | 03,425,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe
PRC - [2009/03/27 10:03:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2009/07/08 20:33:36 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
PRC - [2009/07/19 10:12:10 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin Joe\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/05/29 13:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2007/09/12 18:27:24 | 00,554,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler [Auto | Running])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2004/08/04 03:56:44 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/11/14 01:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/05/30 12:30:20 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2009/07/08 12:00:45 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2007/09/12 18:27:24 | 02,999,664 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate [On_Demand | Stopped])
SRV - [2009/03/16 13:29:28 | 06,562,432 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe -- (MySQL5 [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2009/07/08 20:33:36 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe -- (Norton AntiVirus [Auto | Running])
SRV - [2008/11/12 16:01:14 | 03,425,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe -- (Norton Ghost [Auto | Running])
SRV - [2009/02/17 09:39:00 | 02,736,890 | ---- | M] (INCA Internet Co., Ltd.) -- C:\WINDOWS\System32\GameMon.des -- (npggsvc [On_Demand | Stopped])
SRV - [2009/03/27 10:03:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2007/08/24 03:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2005/08/02 17:18:49 | 00,086,016 | ---- | M] (CACE Technologies) -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd [On_Demand | Stopped])
SRV - [2004/08/04 03:56:44 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (uploadmgr [Auto | Stopped])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2009/05/19 12:50:00 | 00,021,035 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\System32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
DRV - [2002/08/28 22:59:12 | 00,036,224 | ---- | M] (ADMtek Incorporated.) -- C:\WINDOWS\System32\DRIVERS\AN983.sys -- (AN983 [On_Demand | Running])
DRV - [2009/07/08 20:33:37 | 00,258,608 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\BHDrvx86.sys -- (BHDrvx86 [System | Running])
DRV - [2009/07/08 20:33:37 | 00,482,352 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\ccHPx86.sys -- (ccHP [System | Running])
DRV - [2007/10/09 13:13:00 | 00,038,144 | ---- | M] (Realtek) -- C:\WINDOWS\System32\DRIVERS\EAPPkt.sys -- (EAPPkt [Auto | Running])
DRV - [2009/07/08 20:33:37 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2009/07/08 20:33:37 | 00,101,936 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
DRV - [2007/03/28 20:12:18 | 00,015,664 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2005/01/07 17:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2009/07/11 15:34:12 | 00,276,344 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090715.003\IDSxpx86.sys -- (IDSxpx86 [System | Running])
DRV - [2008/07/03 17:03:00 | 04,745,216 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2009/03/10 14:57:01 | 00,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50 [On_Demand | Stopped])
DRV - [2009/03/10 14:56:52 | 00,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50 [On_Demand | Stopped])
DRV - [2009/07/13 04:00:00 | 00,087,888 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090719.024\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/07/13 04:00:00 | 00,875,728 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090719.024\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2004/08/04 01:59:50 | 00,040,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\NMnt.sys -- (nm [On_Demand | Stopped])
DRV - [2005/08/02 17:10:13 | 00,032,512 | ---- | M] (CACE Technologies) -- C:\WINDOWS\System32\drivers\npf.sys -- (NPF [On_Demand | Stopped])
DRV - [2009/03/27 10:03:00 | 06,280,416 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2007/07/19 23:44:54 | 00,110,120 | ---- | M] (Silicon Image, Inc) -- C:\WINDOWS\system32\DRIVERS\pnp680r.sys -- (Pnp680r [Boot | Running])
DRV - [2001/08/23 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/12/28 15:02:12 | 00,287,232 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\wg111v3.sys -- (RTL8187B [On_Demand | Stopped])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2009/04/06 04:54:03 | 00,717,296 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - [2009/07/08 20:33:38 | 00,307,760 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SRTSP.SYS -- (SRTSP [System | Running])
DRV - [2009/07/08 20:33:38 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SRTSPX.SYS -- (SRTSPX [System | Running])
DRV - [2009/07/08 20:33:38 | 00,310,320 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1005000.086\SYMEFA.SYS -- (SymEFA [Boot | Running])
DRV - [2009/07/08 20:33:43 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2009/07/08 20:33:38 | 00,089,776 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SYMFW.SYS -- (SYMFW [On_Demand | Running])
DRV - [2009/07/08 20:33:38 | 00,034,736 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SYMIDS.SYS -- (SYMIDS [On_Demand | Running])
DRV - [2009/07/08 20:33:38 | 00,036,400 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\System32\DRIVERS\SymIM.sys -- (SymIM [On_Demand | Stopped])
DRV - [2009/07/08 20:33:38 | 00,036,400 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\System32\DRIVERS\SymIM.sys -- (SymIMMP [On_Demand | Running])
DRV - [2009/07/08 20:33:38 | 00,037,296 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SYMNDIS.SYS -- (SYMNDIS [On_Demand | Running])
DRV - [2008/11/12 15:49:22 | 00,138,080 | ---- | M] (StorageCraft) -- C:\WINDOWS\system32\DRIVERS\symsnap.sys -- (symsnap [Boot | Running])
DRV - [2009/07/08 20:33:38 | 00,217,392 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SYMTDI.SYS -- (SYMTDI [System | Running])
DRV - [2009/05/29 13:36:16 | 00,039,424 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Running])
DRV - [2007/03/28 20:29:10 | 00,037,864 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\DRIVERS\v2imount.sys -- (v2imount [Auto | Running])
DRV - [2007/07/31 17:22:16 | 00,014,072 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\DRIVERS\vproeventmonitor.sys -- (VProEventMonitor [On_Demand | Stopped])
DRV - [2007/03/28 20:49:42 | 00,128,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\wimfltr.sys -- (WimFltr [On_Demand | Stopped])
DRV - [2005/04/12 19:21:28 | 00,010,144 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\System32\drivers\WmBEnum.sys -- (WmBEnum [On_Demand | Running])
DRV - [2005/04/12 19:21:32 | 00,022,240 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\System32\drivers\WmFilter.sys -- (WmFilter [On_Demand | Running])
DRV - [2005/04/12 19:21:28 | 00,005,600 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\System32\drivers\WmVirHid.sys -- (WmVirHid [On_Demand | Stopped])
DRV - [2005/04/12 19:21:26 | 00,045,504 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\System32\drivers\WmXlCore.sys -- (WmXlCore [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1801674531-1979792683-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1801674531-1979792683-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1801674531-1979792683-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-1801674531-1979792683-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1801674531-1979792683-839522115-1003\S-1-5-21-1801674531-1979792683-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1801674531-1979792683-839522115-1003\S-1-5-21-1801674531-1979792683-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/04/07 02:23:25 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/07/08 12:00:48 | 00,000,000 | ---D | M]


O1 HOSTS File: (19 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL (Symantec Corporation)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-1801674531-1979792683-839522115-1003..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKU\S-1-5-21-1801674531-1979792683-839522115-1003..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O4 - HKU\S-1-5-21-1801674531-1979792683-839522115-1003..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1801674531-1979792683-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1801674531-1979792683-839522115-1003\..Trusted Domains: youtube.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-1801674531-1979792683-839522115-1003\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab (System Requirements Lab Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1238997800703 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1239001445703 (MUWebControl Class)
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab (NVIDIA Smart Scan)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/05 20:20:43 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/07/19 10:12:09 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Admin Joe\Desktop\OTL.exe
[2009/07/16 14:22:27 | 00,000,000 | ---D | C] -- C:\Program Files\Fraps
[2009/07/16 14:20:24 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/07/16 13:39:56 | 00,000,000 | ---D | C] -- F:\Documents\Camtasia Studio
[2009/07/16 13:35:27 | 00,107,864 | ---- | C] (TechSmith Corporation) -- C:\WINDOWS\System32\tsccvid.dll
[2009/07/16 13:35:25 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\QuickTime
[2009/07/14 17:28:54 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/07/13 11:52:16 | 00,003,176 | ---- | C] () -- C:\WINDOWS\System32\gafilter.sti
[2009/07/13 11:52:15 | 00,004,808 | ---- | C] () -- C:\WINDOWS\System32\gaeffect.sti
[2009/07/13 11:51:19 | 00,000,427 | ---- | C] () -- C:\WINDOWS\ULEAD32.INI
[2009/07/13 11:51:17 | 01,056,768 | ---- | C] (Blue Sky Software Corporation.) -- C:\WINDOWS\System32\ROBOEX32.DLL
[2009/07/13 11:51:17 | 00,049,152 | ---- | C] (Blue Sky Software Corporation.) -- C:\WINDOWS\System32\INETWH32.dll
[2009/07/13 11:51:17 | 00,000,000 | ---D | C] -- C:\Program Files\Ulead Systems
[2009/07/10 03:02:03 | 00,004,096 | -HS- | C] () -- C:\VSNAP.IDX
[2009/07/08 20:33:54 | 01,179,870 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\Cat.DB
[2009/07/08 20:33:45 | 00,036,400 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymIM.sys
[2009/07/08 20:33:43 | 00,124,464 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/07/08 20:33:43 | 00,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/07/08 20:33:43 | 00,007,386 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/07/08 20:33:43 | 00,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/07/08 20:33:38 | 00,310,320 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SymEFA.sys
[2009/07/08 20:33:38 | 00,307,760 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\srtsp.sys
[2009/07/08 20:33:38 | 00,217,392 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\symtdi.sys
[2009/07/08 20:33:38 | 00,089,776 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\symfw.sys
[2009/07/08 20:33:38 | 00,043,696 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\srtspx.sys
[2009/07/08 20:33:38 | 00,039,984 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\symndisv.sys
[2009/07/08 20:33:38 | 00,037,296 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\symndis.sys
[2009/07/08 20:33:38 | 00,034,736 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\symids.sys
[2009/07/08 20:33:37 | 00,482,352 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\cchpx86.sys
[2009/07/08 20:33:37 | 00,258,608 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\BHDrvx86.sys
[2009/07/08 20:33:27 | 00,003,373 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SymEFA.inf
[2009/07/08 20:33:27 | 00,001,753 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\ccHPx86.inf
[2009/07/08 20:33:27 | 00,001,528 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SymNet.inf
[2009/07/08 20:33:27 | 00,001,389 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\srtspx.inf
[2009/07/08 20:33:27 | 00,001,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\srtsp.inf
[2009/07/08 20:33:27 | 00,000,640 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\BHDrvx86.inf
[2009/07/08 20:33:27 | 00,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\isolate.ini
[2009/07/08 20:33:21 | 00,009,423 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SymNet.cat
[2009/07/08 20:33:21 | 00,007,410 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SymEFA.cat
[2009/07/08 20:33:21 | 00,007,372 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\srtspx.cat
[2009/07/08 20:33:21 | 00,007,364 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\BHDrvx86.CAT
[2009/07/08 20:33:21 | 00,007,355 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\srtsp.cat
[2009/07/08 20:33:21 | 00,007,347 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\ccHPx86.cat
[2009/07/08 20:33:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV\1005000.086
[2009/07/08 20:33:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV
[2009/07/08 20:33:20 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2009/07/08 20:33:20 | 00,000,000 | ---D | C] -- C:\Program Files\Norton AntiVirus
[2009/07/08 12:02:24 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/07/08 12:02:23 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/07/08 12:02:23 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/07/08 12:01:02 | 00,410,984 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/07/08 12:01:02 | 00,148,888 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/07/08 12:01:02 | 00,144,792 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/07/08 12:01:02 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/07/08 12:01:01 | 00,144,792 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/07/08 12:00:40 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/07/08 12:00:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Admin Joe\Application Data\Sun
[2009/07/08 01:42:25 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/07/08 01:28:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/07/08 01:17:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Admin Joe\Application Data\Malwarebytes
[2009/07/08 01:16:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/07/08 01:07:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Admin Joe\Desktop\EuphRO Dev bleep
[2009/06/26 00:48:30 | 00,001,062 | ---- | C] () -- C:\WINDOWS\AZPR3.INI
[2009/06/26 00:41:10 | 00,000,000 | ---D | C] -- C:\Program Files\AZPR
[2009/06/24 02:05:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/06/22 15:22:50 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Admin Joe\Desktop\Touhou Project
[2009/06/22 11:13:05 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/06/22 11:10:18 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/06/22 11:09:11 | 00,246,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieproxy.dll
[2009/06/22 11:09:11 | 00,012,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpshims.dll
[2009/06/22 11:08:58 | 00,102,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/05/25 23:13:10 | 00,215,144 | R--- | C] () -- C:\WINDOWS\patchw32.dll
[2009/05/25 23:12:19 | 00,215,144 | R--- | C] () -- C:\WINDOWS\pw32a.dll
[2009/05/18 02:16:52 | 00,383,238 | ---- | C] () -- C:\WINDOWS\System32\libmp3lame-0.dll
[2009/05/12 20:47:07 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/05/12 20:47:07 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/04/06 04:54:03 | 00,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/04/06 02:28:24 | 00,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/04/06 01:54:32 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/03/27 10:03:00 | 01,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/03/27 10:03:00 | 01,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/03/27 10:03:00 | 01,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/03/27 10:03:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/10/07 09:13:30 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/09/17 23:55:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005/08/02 17:24:01 | 00,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2004/10/07 08:50:50 | 00,072,704 | ---- | C] () -- C:\WINDOWS\System32\zlibmax.dll
[2001/08/23 08:00:00 | 00,000,837 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 08:00:00 | 00,000,327 | ---- | C] () -- C:\WINDOWS\system.ini
[2001/06/01 13:57:22 | 00,002,560 | ---- | C] () -- C:\WINDOWS\System32\swfmaxps.dll

========== Files - Modified Within 30 Days ==========

[5 C:\*.tmp files]
[3 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/07/19 19:33:36 | 01,179,870 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\Cat.DB
[2009/07/19 10:12:10 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin Joe\Desktop\OTL.exe
[2009/07/19 09:40:48 | 00,203,684 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/07/19 09:40:36 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/07/19 09:40:32 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/07/19 03:07:52 | 00,825,366 | -H-- | M] () -- C:\Documents and Settings\Admin Joe\Local Settings\Application Data\IconCache.db
[2009/07/17 16:37:35 | 00,004,096 | -HS- | M] () -- C:\VSNAP.IDX
[2009/07/16 22:15:53 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\Admin Joe\Application Data\winscp.rnd
[2009/07/16 14:17:59 | 00,032,768 | ---- | M] () -- C:\Documents and Settings\Admin Joe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/16 12:09:11 | 00,002,228 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/07/15 00:01:59 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/07/14 17:28:54 | 00,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2009/07/14 17:27:30 | 00,029,240 | ---- | M] () -- C:\Documents and Settings\Admin Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/07/14 17:15:10 | 00,000,427 | ---- | M] () -- C:\WINDOWS\ULEAD32.INI
[2009/07/13 23:50:28 | 00,152,384 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/07/13 11:52:16 | 00,003,176 | ---- | M] () -- C:\WINDOWS\System32\gafilter.sti
[2009/07/13 11:52:15 | 00,004,808 | ---- | M] () -- C:\WINDOWS\System32\gaeffect.sti
[2009/07/13 09:36:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/07/08 20:33:43 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/07/08 20:33:43 | 00,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/07/08 20:33:43 | 00,007,386 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/07/08 20:33:43 | 00,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/07/08 20:33:38 | 00,310,320 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SymEFA.sys
[2009/07/08 20:33:38 | 00,307,760 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\srtsp.sys
[2009/07/08 20:33:38 | 00,217,392 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\symtdi.sys
[2009/07/08 20:33:38 | 00,089,776 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\symfw.sys
[2009/07/08 20:33:38 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\srtspx.sys
[2009/07/08 20:33:38 | 00,039,984 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\symndisv.sys
[2009/07/08 20:33:38 | 00,037,296 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\symndis.sys
[2009/07/08 20:33:38 | 00,036,400 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymIM.sys
[2009/07/08 20:33:38 | 00,034,736 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\symids.sys
[2009/07/08 20:33:37 | 00,482,352 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\cchpx86.sys
[2009/07/08 20:33:37 | 00,258,608 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\BHDrvx86.sys
[2009/07/08 20:33:27 | 00,003,373 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SymEFA.inf
[2009/07/08 20:33:27 | 00,001,753 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\ccHPx86.inf
[2009/07/08 20:33:27 | 00,001,528 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SymNet.inf
[2009/07/08 20:33:27 | 00,001,389 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\srtspx.inf
[2009/07/08 20:33:27 | 00,001,383 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\srtsp.inf
[2009/07/08 20:33:27 | 00,000,640 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\BHDrvx86.inf
[2009/07/08 20:33:27 | 00,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\isolate.ini
[2009/07/08 20:33:21 | 00,009,423 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SymNet.cat
[2009/07/08 20:33:21 | 00,007,410 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SymEFA.cat
[2009/07/08 20:33:21 | 00,007,372 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\srtspx.cat
[2009/07/08 20:33:21 | 00,007,364 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\BHDrvx86.CAT
[2009/07/08 20:33:21 | 00,007,355 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\srtsp.cat
[2009/07/08 20:33:21 | 00,007,347 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\ccHPx86.cat
[2009/07/08 12:00:44 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/07/08 12:00:44 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/07/08 12:00:44 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/07/08 12:00:44 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/07/08 12:00:44 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/07/08 05:04:06 | 00,000,210 | -HS- | M] () -- C:\boot.ini
[2009/07/07 11:10:56 | 24,539,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/06/26 00:53:21 | 00,001,062 | ---- | M] () -- C:\WINDOWS\AZPR3.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
< End of report >


Extra Log:

OTL Extras logfile created on: 7/19/2009 8:47:38 PM - Run 1
OTL by OldTimer - Version 3.0.9.2 Folder = C:\Documents and Settings\Admin Joe\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 103.75 Gb Free Space | 69.61% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 298.09 Gb Total Space | 165.65 Gb Free Space | 55.57% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
Drive H: | 111.55 Gb Total Space | 106.16 Gb Free Space | 95.17% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: JKENDALL
Current User Name: Admin Joe
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe" = C:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead -- ()
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\Warcraft III\DotA Allstars\DotA Allstars.exe" = C:\Program Files\Warcraft III\DotA Allstars\DotA Allstars.exe:*:Enabled:DotA Allstars -- ()
"C:\Program Files\Warcraft III\Frozen Throne.exe" = C:\Program Files\Warcraft III\Frozen Throne.exe:*:Enabled:Warcraft III - The Frozen Throne -- (Blizzard Entertainment)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{044F9133-B8D7-4d11-BF39-803FA20F5C8B}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0C19D563-5F25-4621-BF10-01F741BD283F}" = Microsoft SQL Server Compact 3.5 SP1 Design Tools English
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1800_series" = Canon iP1800 series
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 14
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{312255E7-E2C2-4F3E-BBCB-02C5B8696CCB}" = Verizon FiOS Connection Wizard
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{5396FBD8-8BD7-47F9-92AE-F62F13D5A11D}" = NETGEAR WG111v3 wireless USB 2.0 adapter
"{5BE1E709-30E4-3D6D-A708-96CE8D5E5E8D}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
"{5C1DA723-24FC-48AD-93BA-925695C3EF26}" = Logitech Gaming Software
"{659B48CD-0608-4ED5-94C0-0B6C87114F10}" = Apple Mobile Device Support
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{8AF3E926-ED59-11D4-A44B-0000E86D2305}" = Ulead GIF Animator 5
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9659DF3D-22C8-4391-8E45-6CA3A3D968D1}" = Creatures SpriteExtension
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4418082-E601-3954-805B-D56A2B50EC8B}" = Microsoft Visual C# 2008 Express Edition with SP1 - ENU
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.1
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"{AE6FB4CD-554F-4560-9A99-F8AE602414DB}" = TortoiseSVN 1.6.0.15855 (32 bit)
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B0255743-165B-4BD5-8DA8-37DFB9930012}" = Norton Ghost
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}" = iTunes
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D8087907-E255-3A41-A46D-D0F798709C71}" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
"{DC415D0C-CF77-436A-B27B-CE8A049C1F9D}" = VRQTool
"{DD1865F0-AD73-40FB-B23E-1822E02396FF}" = NVIDIA PhysX
"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1CBC6F7-D82D-4DC5-B81C-9A14F418593A}_is1" = WC3Banlist
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FB686487-C637-4EEF-BCB1-C92463F2CC05}" = Atheros Ethernet Utility
"{FC843A65-4030-4D82-B8D9-5A69A20DD2ED}" = MySQL Server 5.1
"{FCB10DE3-E190-4A7E-B06A-FAC61567ABFC}" = MySQL Tools for 5.0
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AIM_6" = AIM 6
"CanonMyPrinter" = Canon My Printer
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DotA Allstars Launcher" = DotA Allstars Launcher
"EuphRO" = EuphRO
"Fraps" = Fraps (remove only)
"FreeSpace2" = FreeSpace 2
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Install Creator Pro" = Install Creator Pro
"InstallShield_{5396FBD8-8BD7-47F9-92AE-F62F13D5A11D}" = NETGEAR WG111v3 wireless USB 2.0 adapter
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual C# 2008 Express Edition with SP1 - ENU" = Microsoft Visual C# 2008 Express Edition with SP1 - ENU
"Microsoft Visual C++ 2008 Express Edition with SP1 - ENU" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
"mIRC" = mIRC
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NAV" = Norton AntiVirus
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PFPortChecker" = PFPortChecker 1.0.28
"Rakion International_is1" = Rakion International
"Steam App 320" = Half-Life 2: Deathmatch
"Steam App 400" = Portal
"Steam App 440" = Team Fortress 2
"Steam App 500" = Left 4 Dead
"SWF.max" = Aero SWF.max 1.6.865
"SystemRequirementsLab" = System Requirements Lab
"VLC media player" = VLC media player 0.9.9
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinPcapInst" = WinPcap 3.1
"WinRAR archiver" = WinRAR archiver
"winscp3_is1" = WinSCP 4.1.9
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1801674531-1979792683-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"BitTorrent DNA" = DNA
"FileZilla Client" = FileZilla Client 3.2.4.1
"Warcraft III" = Warcraft III: All Products

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/28/2009 7:03:59 PM | Computer Name = JKENDALL | Source = Norton Ghost | ID = 100
Description = Error EC8F17D9: Cannot complete scheduled consolidation of incremental
recovery points for Primary Disk (C:\). Error EC8F17D8: Cannot complete consolidation
of incremental recovery points. Error EC8F03F1: Cannot open recovery point 'F:\Norton
Backups\JKENDALL_C_Drive001_i004.iv2i'. Error E0BB002B: File F:\Norton Backups\JKENDALL_C_Drive001_i004.iv2i
does not exist or is unavailable. Error EC8F03F1: Cannot open recovery point 'F:\Norton
Backups\JKENDALL_C_Drive001_i004.iv2i'. Error E0BB002B: File F:\Norton Backups\JKENDALL_C_Drive001_i004.iv2i
does not exist or is unavailable. Details: 0xE0BB002B Source: Norton Ghost

Error - 6/29/2009 1:55:52 AM | Computer Name = JKENDALL | Source = Application Error | ID = 1000
Description = Faulting application muckclient.exe, version 3.4.2.0, faulting module
kernel32.dll, version 5.1.2600.3541, fault address 0x00012a6b.

Error - 6/30/2009 11:44:49 AM | Computer Name = JKENDALL | Source = Application Error | ID = 1000
Description = Faulting application gryff_s.exe, version 1.1.0.1, faulting module
gryff_s.exe, version 1.1.0.1, fault address 0x0004aaf2.

Error - 6/30/2009 11:45:22 AM | Computer Name = JKENDALL | Source = Application Error | ID = 1000
Description = Faulting application gryff_s.exe, version 1.1.0.1, faulting module
gryff_s.exe, version 1.1.0.1, fault address 0x0004aaf2.

Error - 6/30/2009 11:48:07 AM | Computer Name = JKENDALL | Source = Application Error | ID = 1000
Description = Faulting application gryff_s.exe, version 1.1.0.1, faulting module
gryff_s.exe, version 1.1.0.1, fault address 0x0004aaf2.

Error - 6/30/2009 12:37:47 PM | Computer Name = JKENDALL | Source = Application Error | ID = 1000
Description = Faulting application gryff_s.exe, version 1.1.0.1, faulting module
gryff_s.exe, version 1.1.0.1, fault address 0x0004aaf2.

Error - 6/30/2009 1:27:14 PM | Computer Name = JKENDALL | Source = Application Error | ID = 1000
Description = Faulting application ventrilo.exe, version 3.0.4.0, faulting module
unknown, version 0.0.0.0, fault address 0x4b435553.

Error - 6/30/2009 8:28:51 PM | Computer Name = JKENDALL | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash10b.ocx, version 10.0.22.87, fault address 0x000c66e1.

Error - 7/1/2009 2:06:55 PM | Computer Name = JKENDALL | Source = Application Error | ID = 1000
Description = Faulting application ventrilo.exe, version 3.0.4.0, faulting module
unknown, version 0.0.0.0, fault address 0x4b435553.

Error - 7/1/2009 11:39:39 PM | Computer Name = JKENDALL | Source = Application Error | ID = 1000
Description = Faulting application ventrilo.exe, version 3.0.4.0, faulting module
ventrilo.exe, version 3.0.4.0, fault address 0x000e57a8.

[ System Events ]
Error - 7/14/2009 11:36:25 AM | Computer Name = JKENDALL | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 7/15/2009 12:38:01 AM | Computer Name = JKENDALL | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 7/15/2009 10:46:36 AM | Computer Name = JKENDALL | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 7/16/2009 12:09:48 PM | Computer Name = JKENDALL | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 7/16/2009 3:05:29 PM | Computer Name = JKENDALL | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 7/17/2009 11:32:00 AM | Computer Name = JKENDALL | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 7/17/2009 11:11:32 PM | Computer Name = JKENDALL | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 7/17/2009 11:17:48 PM | Computer Name = JKENDALL | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 7/18/2009 5:17:37 PM | Computer Name = JKENDALL | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 7/19/2009 9:41:20 AM | Computer Name = JKENDALL | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079


< End of report >



#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 July 2009 - 06:38 AM

Hi Red Mage Joe,

Gmer found a rootkit which we must remove.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :thumbup2:
m0le is a proud member of UNITE

#8 Red Mage Joe

Red Mage Joe
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:33 PM

Posted 20 July 2009 - 09:40 PM

ComboFix Log:

ComboFix 09-07-20.03 - Admin Joe 07/20/2009 22:27.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2516 [GMT -4:00]
Running from: c:\documents and settings\Admin Joe\Desktop\Combo-Fix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\patchw32.dll
c:\windows\pw32a.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-21 to 2009-07-21 )))))))))))))))))))))))))))))))
.

2009-07-21 00:28 . 2009-07-13 08:00 87888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090720.065\NAVENG.SYS
2009-07-21 00:28 . 2009-07-13 08:00 875728 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090720.065\NAVEX15.SYS
2009-07-21 00:28 . 2009-07-09 00:33 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090720.065\EECTRL.SYS
2009-07-21 00:28 . 2009-07-09 00:33 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090720.065\ERASER.SYS
2009-07-21 00:28 . 2009-07-09 00:33 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090720.065\NAVENG32.DLL
2009-07-21 00:28 . 2009-07-09 00:33 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090720.065\NAVEX32A.DLL
2009-07-21 00:28 . 2009-07-09 00:33 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090720.065\ECMSVR32.DLL
2009-07-21 00:28 . 2009-07-09 00:33 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090720.065\CCERASER.DLL
2009-07-17 17:32 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090715.003\IDSXpx86.sys
2009-07-17 17:32 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090715.003\IDSvix86.sys
2009-07-17 17:32 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090715.003\Scxpx86.dll
2009-07-17 17:32 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090715.003\IDSxpx86.dll
2009-07-17 17:32 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090715.003\IDSviA64.sys
2009-07-16 18:22 . 2009-07-16 18:39 -------- d-----w- c:\program files\Fraps
2009-07-16 18:20 . 2009-07-16 18:20 -------- d-----w- c:\windows\Sun
2009-07-16 17:35 . 2008-07-10 18:56 107864 ----a-w- c:\windows\system32\tsccvid.dll
2009-07-16 17:35 . 2009-07-16 17:35 -------- d-----w- c:\windows\system32\QuickTime
2009-07-15 01:43 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\IDSXpx86.sys
2009-07-15 01:43 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\IDSvix86.sys
2009-07-15 01:43 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\Scxpx86.dll
2009-07-15 01:43 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\IDSxpx86.dll
2009-07-15 01:43 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\IDSviA64.sys
2009-07-13 15:51 . 2009-07-13 15:51 -------- d-----w- c:\program files\Ulead Systems
2009-07-13 15:51 . 1999-10-15 16:50 1056768 ----a-w- c:\windows\system32\ROBOEX32.DLL
2009-07-13 15:51 . 1999-01-28 19:44 49152 ----a-w- c:\windows\system32\INETWH32.dll
2009-07-11 19:34 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-07-11 19:34 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-07-11 19:34 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-07-11 19:34 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-07-11 19:34 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-07-09 02:03 . 2009-07-09 02:03 -------- d-sh--w- c:\documents and settings\Admin Joe\IECompatCache
2009-07-09 00:33 . 2009-07-09 00:33 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-07-09 00:33 . 2009-07-09 00:33 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-07-09 00:33 . 2009-07-09 00:33 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-09 00:33 . 2009-07-09 00:33 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-07-09 00:33 . 2009-07-09 00:33 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2009-07-09 00:33 . 2009-07-09 00:33 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2009-07-09 00:33 . 2009-07-09 00:33 -------- d-----w- c:\windows\system32\drivers\NAV
2009-07-09 00:33 . 2009-07-09 00:33 -------- d-----w- c:\program files\Norton AntiVirus
2009-07-09 00:33 . 2009-07-09 00:33 -------- d-----w- c:\program files\Windows Sidebar
2009-07-08 16:02 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 16:02 . 2009-07-08 16:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 16:02 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-08 16:01 . 2009-07-08 16:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-08 16:00 . 2009-07-08 16:00 -------- d-----w- c:\program files\Java
2009-07-08 05:42 . 2009-07-08 05:42 -------- d-----w- c:\program files\Trend Micro
2009-07-08 05:28 . 2009-07-16 18:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-08 05:17 . 2009-07-08 05:17 -------- d-----w- c:\documents and settings\Admin Joe\Application Data\Malwarebytes
2009-07-08 05:16 . 2009-07-08 05:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-26 04:41 . 2009-06-26 06:10 -------- d-----w- c:\program files\AZPR
2009-06-22 15:20 . 2009-06-22 15:20 -------- d-sh--w- c:\documents and settings\Admin Joe\PrivacIE
2009-06-22 15:19 . 2009-06-22 15:19 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-22 15:19 . 2009-06-22 15:19 -------- d-sh--w- c:\documents and settings\Admin Joe\IETldCache
2009-06-22 15:13 . 2009-06-22 15:13 -------- d-----w- c:\windows\ie8updates
2009-06-22 15:10 . 2009-06-22 15:12 -------- dc-h--w- c:\windows\ie8
2009-06-22 15:09 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-22 15:09 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-22 15:08 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-21 02:33 . 2009-04-06 07:09 -------- d-----w- c:\program files\DNA
2009-07-21 02:33 . 2009-04-06 07:09 -------- d-----w- c:\documents and settings\Admin Joe\Application Data\DNA
2009-07-21 02:20 . 2009-04-06 16:41 -------- d-----w- c:\documents and settings\Admin Joe\Application Data\SWF.max
2009-07-21 02:18 . 2009-04-11 03:42 -------- d-----w- c:\documents and settings\Admin Joe\Application Data\mIRC
2009-07-20 15:33 . 2009-04-11 03:42 -------- d-----w- c:\program files\mIRC
2009-07-19 14:10 . 2009-04-06 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-16 21:13 . 2009-04-06 07:30 -------- d-----w- c:\program files\Warcraft III
2009-07-16 18:48 . 2009-04-06 07:10 -------- d-----w- c:\documents and settings\Admin Joe\Application Data\BitTorrent
2009-07-15 17:28 . 2009-05-03 14:29 -------- d-----w- c:\documents and settings\Admin Joe\Application Data\FileZilla
2009-07-15 03:45 . 2009-04-27 07:01 -------- d-----w- c:\program files\Steam
2009-07-14 21:27 . 2009-04-06 06:22 29240 ----a-w- c:\documents and settings\Admin Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-13 21:00 . 2009-04-06 16:53 -------- d-----w- c:\documents and settings\Admin Joe\Application Data\Ventrilo
2009-07-13 15:51 . 2009-04-06 06:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-13 15:50 . 2009-04-06 05:59 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-09 00:34 . 2009-04-08 01:56 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-09 00:33 . 2009-07-09 00:33 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-07-09 00:33 . 2009-07-09 00:33 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-07-09 00:33 . 2009-05-25 18:42 -------- d-----w- c:\program files\Symantec
2009-07-09 00:33 . 2009-04-08 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-09 00:33 . 2009-05-25 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-08 23:06 . 2009-07-08 23:06 201963 ----a-w- C:\Grf90.tmp
2009-06-30 16:37 . 2009-06-30 16:37 482861 ----a-w- C:\Grf18C.tmp
2009-06-30 16:17 . 2009-04-06 06:43 -------- d-----w- c:\program files\Ragnarok Online
2009-06-30 15:48 . 2009-06-30 15:47 25800143 ----a-w- C:\GrfBE.tmp
2009-06-30 15:45 . 2009-06-30 15:45 25814390 ----a-w- C:\GrfBC.tmp
2009-06-24 03:00 . 2009-06-24 03:00 1548272 ----a-w- C:\Grf187.tmp
2009-06-23 03:11 . 2009-04-06 07:18 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-18 20:09 . 2009-04-06 05:50 -------- d-----w- c:\program files\AIM6
2009-06-18 20:08 . 2009-06-18 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-18 04:09 . 2009-06-15 06:15 -------- d-----w- c:\program files\FreeSpace2
2009-06-16 14:55 . 2001-08-23 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 17:38 . 2009-04-06 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-06 15:29 . 2009-05-20 22:09 -------- d-----w- c:\program files\Common Files\Motive
2009-06-05 04:43 . 2009-06-05 04:43 -------- d-----w- c:\program files\Install Creator Pro
2009-06-03 22:59 . 2009-06-03 22:58 -------- d-----w- c:\program files\iTunes
2009-06-03 22:58 . 2009-06-03 22:58 -------- d-----w- c:\program files\iPod
2009-06-03 22:58 . 2009-04-06 09:14 -------- d-----w- c:\program files\Common Files\Apple
2009-06-03 22:57 . 2009-06-03 22:57 -------- d-----w- c:\program files\QuickTime
2009-06-03 22:54 . 2009-06-03 22:54 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-03 19:27 . 2009-04-06 05:54 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-29 17:36 . 2009-04-06 09:14 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-29 17:36 . 2009-04-06 09:14 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-27 05:11 . 2009-04-10 08:26 -------- d-----w- c:\documents and settings\Admin Joe\Application Data\TortoiseSVN
2009-05-26 19:00 . 2009-05-26 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-05-26 03:27 . 2009-05-26 03:27 -------- d-----w- c:\documents and settings\Admin Joe\Application Data\Symantec
2009-05-26 03:15 . 2009-05-26 03:00 -------- d-----w- c:\program files\Norton Ghost
2009-05-25 18:43 . 2009-05-25 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-05-25 18:42 . 2009-05-25 18:42 -------- d-----w- c:\program files\NortonInstaller
2009-05-25 17:25 . 2009-05-25 17:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Subversion
2009-05-25 17:21 . 2009-05-25 17:11 -------- d-----w- c:\program files\Google
2009-05-19 16:50 . 2009-05-19 16:50 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-05-19 05:36 . 2009-06-18 20:08 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 05:36 . 2009-06-18 20:08 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 05:36 . 2009-06-18 20:08 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 05:36 . 2009-06-18 20:08 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 05:36 . 2009-06-18 20:08 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 05:36 . 2009-06-18 20:08 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 05:36 . 2009-06-18 20:08 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 05:36 . 2009-06-18 20:08 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2009-05-14 05:33 . 2009-05-14 05:34 38208 ----a-w- c:\documents and settings\Admin Joe\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-13 05:15 . 2006-06-23 15:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:44 . 2009-04-09 18:56 344064 ----a-w- c:\windows\system32\localspl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-04-06 342848]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-08 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111v3 Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v3 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111v3 Smart Wizard.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Warcraft III\\DotA Allstars\\DotA Allstars.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [7/8/2009 8:33 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [7/8/2009 8:33 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [7/8/2009 8:33 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090715.003\IDSXpx86.sys [7/17/2009 1:32 PM 276344]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 1:13 PM 38144]
R2 MySQL5;MySQL5;"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld" --defaults-file="c:\program files\MySQL\MySQL Server 5.1\my.ini" MySQL5 --> c:\program files\MySQL\MySQL Server 5.1\bin\mysqld [?]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [7/8/2009 8:33 PM 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/9/2009 7:22 PM 101936]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 3:02 PM 287232]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: youtube.com\www
TCP: {8F7F2970-4521-48BC-87E2-6BD5F904A68F} = 192.168.1.1,192.168.1.0
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-20 22:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MySQL5]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL5"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1348)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2009-07-21 22:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-21 02:36

Pre-Run: 115,414,917,120 bytes free
Post-Run: 115,513,200,640 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=4 Default=4 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
300 --- E O F --- 2009-07-15 04:02
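The ComboFix log above lists the autostart (Run) keys, the Security Center override values and the firewall policy that a responder reads first when triaging a log like this. What follows is an added example, not ComboFix's code or anything posted in this thread: a small Python parser for that "Reg Loading Points" layout which pulls out the Run entries and the security values and reports the conditions worth a second look. The sample block is constructed in the log's format; the `updchk` entry is invented so the location check has something to flag, and the location heuristic (anything outside Program Files or Windows) is an assumption, not a rule ComboFix applies.

```python
"""Triage the "Reg Loading Points" block of a ComboFix-style log (added
example, not ComboFix's own code)."""
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's layout; the "updchk" entry is invented so
# the location check has something to flag.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-04-06 342848]
"updchk"="c:\documents and settings\All Users\Application Data\updchk.exe" [2009-07-01 44032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "name"="value" [YYYY-MM-DD size]; ComboFix inserts " - resolved path" when
# the value is a bare file name.
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?: - (?P<resolved>.+?))?'
                      r' \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
PLAIN_LINE = re.compile(r'^"(?P<name>[^"]+)"= ?(?P<num>\d+) \(0x[0-9a-fA-F]+\)$')
# Assumed heuristic: on XP, legitimate autostarts normally live under these trees.
EXPECTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")


@dataclass
class RunEntry:
    key: str
    name: str
    path: str   # resolved path when ComboFix printed one, else the raw value
    size: int


def split_sections(text: str) -> dict[str, list[str]]:
    """Group non-blank lines under the most recent [key] header."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_run_entries(text: str) -> list[RunEntry]:
    """Return every entry under a CurrentVersion\\Run key, in log order."""
    entries = []
    for key, lines in split_sections(text).items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for line in lines:
            m = RUN_LINE.match(line)
            if m:
                path = m.group("resolved") or m.group("value")
                entries.append(RunEntry(key, m.group("name"), path, int(m.group("size"))))
    return entries


def parse_security_values(text: str) -> dict[str, int]:
    """Collect Security Center override and firewall policy values."""
    values: dict[str, int] = {}
    for key, lines in split_sections(text).items():
        k = key.lower()
        if "security center" not in k and "firewallpolicy" not in k:
            continue
        for line in lines:
            m = DWORD_LINE.match(line)
            if m:
                values[m.group("name")] = int(m.group("hex"), 16)
                continue
            m = PLAIN_LINE.match(line)
            if m:
                values[m.group("name")] = int(m.group("num"))
    return values


def triage(text: str) -> list[str]:
    """Findings a responder would want called out from this block."""
    findings = []
    values = parse_security_values(text)
    if values.get("AntiVirusOverride") == 1:
        findings.append("Security Center antivirus alerts suppressed (AntiVirusOverride=1)")
    if values.get("FirewallOverride") == 1:
        findings.append("Security Center firewall alerts suppressed (FirewallOverride=1)")
    if values.get("EnableFirewall") == 0:
        findings.append("Windows Firewall disabled for the standard profile (EnableFirewall=0)")
    for e in parse_run_entries(text):
        if not e.path.lower().startswith(EXPECTED_PREFIXES):
            findings.append(f'Autostart "{e.name}" runs from an unusual location: {e.path}')
    return findings
```

Run `triage(SAMPLE_LOG)` on the constructed block and it reports the two Security Center overrides, the disabled standard-profile firewall and the one autostart outside the expected trees; on the real log in this thread the same three policy findings would appear, with no flagged autostart, since every Run entry there points into Program Files or Windows.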



#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:33 AM

Posted 21 July 2009 - 05:50 AM

Thanks for the log Red Mage Joe.

Next we will run MBAM.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Then we will run OTM to remove the temp files.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Files
    C:\Grf*.tmp
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.

Thanks :thumbup2:
m0le is a proud member of UNITE

#10 Red Mage Joe

Red Mage Joe
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:33 PM

Posted 21 July 2009 - 10:42 PM

MBAM Log:

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 2

7/21/2009 11:37:48 PM
mbam-log-2009-07-21 (23-37-48).txt

Scan type: Full Scan (C:\|)
Objects scanned: 170716
Time elapsed: 1 hour(s), 18 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


OTM Log:

========== FILES ==========
C:\Grf187.tmp moved successfully.
C:\Grf18C.tmp moved successfully.
C:\Grf90.tmp moved successfully.
C:\GrfBC.tmp moved successfully.
C:\GrfBE.tmp moved successfully.

OTM by OldTimer - Version 3.0.0.5 log created on 07212009_235047


Edited by Red Mage Joe, 21 July 2009 - 10:51 PM.
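Helpers in threads like this read the posted logs by eye: every "Infected" count in the MBAM summary must be zero, and the OTM log must list only the files the script asked for. The parser below is an added example (my own code, not Malwarebytes' or OTM's) that does those two checks mechanically. The two sample logs are copied from the post above; the function names are my own.

```python
"""Parse an MBAM 1.x log and an OTM log and check them mechanically.

Added example, not Malwarebytes' or OTM's code. MBAM_LOG and OTM_LOG are
copied from the post above (MBAM detail sections shortened); the function
names are my own.
"""
import fnmatch
import re

MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 2

7/21/2009 11:37:48 PM
mbam-log-2009-07-21 (23-37-48).txt

Scan type: Full Scan (C:\|)
Objects scanned: 170716
Time elapsed: 1 hour(s), 18 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Files Infected:
(No malicious items detected)
"""

OTM_LOG = r"""========== FILES ==========
C:\Grf187.tmp moved successfully.
C:\Grf18C.tmp moved successfully.
C:\Grf90.tmp moved successfully.
C:\GrfBC.tmp moved successfully.
C:\GrfBE.tmp moved successfully.

OTM by OldTimer - Version 3.0.0.5 log created on 07212009_235047
"""

# The seven categories an MBAM 1.x summary block reports.
MBAM_CATEGORIES = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)
SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(
    r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<value>.+)$")
OTM_MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")


def parse_mbam_log(text):
    """Return {"header": {...}, "summary": {category: count}}.
    Only the summary lines carry a number; the detail sections below them
    repeat the category name without a count and are ignored here."""
    header, summary = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("category")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key")] = m.group("value")
    return {"header": header, "summary": summary}


def mbam_is_clean(parsed):
    """True only if every expected category is present and reports zero.
    A truncated log (missing categories) is an error, not a clean result."""
    summary = parsed["summary"]
    missing = [c for c in MBAM_CATEGORIES if c not in summary]
    if missing:
        raise ValueError(f"summary incomplete, missing: {missing}")
    return all(summary[c] == 0 for c in MBAM_CATEGORIES)


def parse_otm_moved(text):
    """Return the paths OTM reports as moved, in log order."""
    moved = []
    for raw in text.splitlines():
        m = OTM_MOVED_RE.match(raw.strip())
        if m:
            moved.append(m.group("path"))
    return moved


def otm_moves_match(text, pattern):
    """Check that everything OTM moved matches the glob the script requested
    (here the Grf*.tmp pattern), i.e. nothing outside it was touched."""
    moved = parse_otm_moved(text)
    return bool(moved) and all(fnmatch.fnmatchcase(p, pattern) for p in moved)


if __name__ == "__main__":
    parsed = parse_mbam_log(MBAM_LOG)
    print("MBAM clean:", mbam_is_clean(parsed), parsed["header"])
    print("OTM moved:", parse_otm_moved(OTM_LOG))
    print("OTM stayed within pattern:", otm_moves_match(OTM_LOG, r"C:\Grf*.tmp"))
```

mbam_is_clean() deliberately raises on a log that is missing summary categories rather than returning True, since a log cut off by a copy/paste mistake looks clean only because the non-zero lines are absent.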


#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:33 AM

Posted 22 July 2009 - 12:01 PM

How are the redirects Red Mage Joe?

The MBAM log is clean and the temp files have been removed.

I would like you to run an online scan please.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
Thanks :thumbup2:
m0le is a proud member of UNITE

#12 Red Mage Joe

Red Mage Joe
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:33 PM

Posted 22 July 2009 - 08:31 PM

Like I said, no other traces of redirects, malware, or anything of that nature. HOWEVER, I still get 2 and sometimes 3 iexplore.exe processes upon execution of IE, and if a particular one is closed, it runs an error page and asks if I wish to restore my last session, whereas the other will actually end the application.

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:33 AM

Posted 23 July 2009 - 10:59 AM

Hi Red Mage Joe,

Okay, your PC is clean. The multiple iexplore.exe processes appear to be a bug in IE8.

I did find this information from a Microsoft expert.

Try disabling the crash recovery feature and see if your symptoms change.

Go to Options>Advanced tab>Browsing section

Uncheck: Enable automatic crash recovery and then close any browser windows and then reopen it.


If that doesn't work then post a question in the browser forum here at Bleeping.

But we are done here. :thumbup2:

Good stuff!

Let's firstly do some housekeeping

You have Viewpoint on your PC.

Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.


Delete ComboFix and Clean Up
Click Start > Run, type combofix /u and click OK (note the space between combofix and /u).
Please advise if this step is missed for any reason as it performs some important actions.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Here's some advice on how you can keep your PC clean

Update your AntiVirus Software

It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version, or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it Red Mage Joe, hope you sort the browser problem.

Cheers,


m0le
m0le is a proud member of UNITE

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:33 AM

Posted 29 July 2009 - 04:08 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
