Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My 2nd computer, had Trojan.BHO, WinPC, FakeAlert, WinAv


  • This topic is locked This topic is locked
27 replies to this topic

#1 metalmaiden

metalmaiden

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Australia
  • Local time:01:33 AM

Posted 10 July 2009 - 09:01 PM

Hi,

Thanks to rigel and farbar from your team for fixing my other computer :thumbup2:

This is my 2nd computer with problems. It's running windows xp sp3. At the time of infection it was on AVGfree, with Spybot and Malwarebytes. We also had this one in the computer shop to be repaired. They removed Spybot :) and installed Norton Antivirus 2009 at my partner's request (not what I would've done, I have an aversion to Norton)
Before it went into the shop it appeared clean, but we wanted to make sure everything was gone. It previously had Fakealert, WinAv, WinPCAntivirus, Trojan.bho, which I had tried to manually remove.

I know my other computer came back from that same shop supposedly clean, but it still had a rootkit, so I'm guessing this computer would be the same, because it had the same infections and it was running the same programs, and is the same type of computer.

It gets BSOD on shutdown, the error messages are in the DDS log.

The Norton scans are coming up clean, Malwarebytes is coming up clean.

So do we have a rootkit here (or any other nasties hiding)?


Here are the DDS logs:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Tascha at 10:22:08.84 on 11/07/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.447.179 [GMT 9.5:30]

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Acer TV-FM\PCMService.exe
C:\Program Files\Acer\Acer eConsole\MediaSync.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Acer\Acer eMode Management\AspireService.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Tascha\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ninemsn.com.au/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://en.us.acer.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PCMService] "c:\program files\acer tv-fm\PCMService.exe"
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [MediaSync] c:\program files\acer\acer econsole\MediaSync.exe
mRun: [LaunchApp] Alaunch
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ImageItEncrypt] c:\windows\system32\ImageItEncrypt.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [AspireService] c:\program files\acer\acer emode management\AspireService.exe
mRun: [Acer Empowering Technology Monitor] c:\windows\system32\SysMonitor.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerwl~1.lnk - c:\program files\acer wlan 11g usb dongle\ZDWlan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171160723189
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {72CC6A2B-7C0E-440E-93F2-F073DC09EAA3} = 123.200.191.17 123.200.191.18
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-6-9 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-6-9 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-6-9 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090709.001\IDSXpx86.sys [2009-7-11 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-6-9 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-9 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090710.032\NAVENG.SYS [2009-7-11 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090710.032\NAVEX15.SYS [2009-7-11 876144]
S1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;c:\windows\system32\drivers\hcw88aud.sys [2006-1-31 11970]
S3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [2006-1-31 138816]
S3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys [2006-1-31 299715]
S3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys [2006-1-31 142913]
S3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [2006-1-31 494144]
S3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\hcw88bar.sys [2006-1-31 23104]
S3 kwwalpgr;kwwalpgr;\??\c:\docume~1\tascha\locals~1\temp\kwwalpgr.sys --> c:\docume~1\tascha\locals~1\temp\kwwalpgr.sys [?]
S3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [2006-5-16 892032]

=============== Created Last 30 ================

2009-07-11 09:46 <DIR> --d----- c:\documents and settings\tascha\Tracing
2009-07-07 13:54 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector
2009-07-07 13:51 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-07-07 13:11 <DIR> --d----- c:\program files\common files\Windows Live
2009-07-06 12:56 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-02 18:55 34 a------- c:\documents and settings\tascha\jagex_runescape_preferences.dat
2009-07-01 12:16 12 a------- c:\windows\bthservsdp.dat
2009-07-01 10:53 8,192 a------- c:\windows\system32\wshirda.dll
2009-07-01 10:53 8,192 a------- c:\windows\system32\dllcache\wshirda.dll
2009-07-01 10:53 151,552 a------- c:\windows\system32\irftp.exe
2009-07-01 10:53 151,552 a------- c:\windows\system32\dllcache\irftp.exe
2009-07-01 10:53 28,160 a------- c:\windows\system32\irmon.dll
2009-07-01 10:53 28,160 a------- c:\windows\system32\dllcache\irmon.dll
2009-06-27 11:32 0 a------- c:\documents and settings\tascha\settings.dat
2009-06-23 09:32 3,252 a------- c:\windows\system32\wbem\Outlook_01c9f395e757fdf0.mof

==================== Find3M ====================

2009-07-06 12:55 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-09 14:46 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-09 14:46 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-09 14:46 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-09 14:46 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-09 14:46 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-05-08 01:02 345,600 a------- c:\windows\system32\localspl.dll
2009-05-08 01:02 345,600 a------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 14:26 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 14:26 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 14:26 233,472 a------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 14:26 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 14:26 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 14:26 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-29 14:26 102,912 a------- c:\windows\system32\dllcache\occache.dll
2009-04-29 14:26 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 14:26 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 14:26 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 14:26 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 18:35 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 18:35 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 14:57 636,088 a------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 14:56 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 21:56 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 21:56 1,847,168 a------- c:\windows\system32\dllcache\win32k.sys
2009-04-16 00:21 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-16 00:21 585,216 a------- c:\windows\system32\dllcache\rpcrt4.dll
2009-02-11 17:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021120090212\index.dat

============= FINISH: 10:22:44.43 ===============


Attached File  Attach.zip   2.93KB   15 downloads

BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:06:03 PM

Posted 19 July 2009 - 10:03 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 metalmaiden

metalmaiden
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Australia
  • Local time:01:33 AM

Posted 20 July 2009 - 03:09 AM

Thanks. I still need help. :thumbup2:
The computer has not been switched on since the above DDS logs were posted.

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:03 PM

Posted 22 July 2009 - 05:10 AM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would
be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in you reply, Do not attach them unless asked too.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

They removed Spybot :) and installed Norton Antivirus 2009 at my partner's request (not what I would've done, I have an aversion to Norton)


I have the same aversion to Norton :thumbup2:

Nothing to much is showing in them logs let's see if their is a rootkit hiding.


Before you do any of the next step you need to temporarily disable the TeaTimer protection in spybot, as it may
stop the tools we use from doing their job. Please keep it disabled whilst I am helping you then you can enable it again
when your clean.

To disable Teatimer, open Spybot and click on the Mode tab and select Advanced mode.
It will ask you if your sure you want to go into advanced mode, select yes.
Now go to tools and click on the resident tab.
Uncheck the box that says "Resident "TeaTimer" (Protection of over-all system settings) active".
Then close Spybot and reboot your computer.

Next

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Next

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Then please post back here with the following:
  • Gmer log
  • OTListIt.txt
  • Extra.txt
Thanks

unite.jpg


#5 metalmaiden

metalmaiden
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Australia
  • Local time:01:33 AM

Posted 22 July 2009 - 08:24 PM

Hello syler,

Thankyou for your assistance :)

Here is the GMER log
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-23 09:43:02
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 843C1050 ZwAlertResumeThread
SSDT 843C2050 ZwAlertThread
SSDT 8396AB80 ZwAllocateVirtualMemory
SSDT 838F3E50 ZwAssignProcessToJobObject
SSDT 84935510 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF19D7040]
SSDT 8396A320 ZwCreateMutant
SSDT 838F3CB0 ZwCreateSymbolicLinkObject
SSDT 838F51F0 ZwCreateThread
SSDT 838F3F10 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF19D72C0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF19D7820]
SSDT 8396ACD8 ZwDuplicateObject
SSDT 8396A9E0 ZwFreeVirtualMemory
SSDT 843BF050 ZwImpersonateAnonymousToken
SSDT 843C0050 ZwImpersonateThread
SSDT 8499C4F0 ZwLoadDriver
SSDT 8396A900 ZwMapViewOfSection
SSDT 8396C050 ZwOpenEvent
SSDT 8396AE78 ZwOpenProcess
SSDT 84922210 ZwOpenProcessToken
SSDT 8396A118 ZwOpenSection
SSDT 8396ADA8 ZwOpenThread
SSDT 838F3D80 ZwProtectVirtualMemory
SSDT 849382F0 ZwResumeThread
SSDT 843D5050 ZwSetContextThread
SSDT 8396A7A8 ZwSetInformationProcess
SSDT 838F3FD0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF19D7A70]
SSDT 8396A1D8 ZwSuspendProcess
SSDT 843F8050 ZwSuspendThread
SSDT 84928210 ZwTerminateProcess
SSDT 842C4050 ZwTerminateThread
SSDT 8499B1D0 ZwUnmapViewOfSection
SSDT 8396AAB0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMEFA.SYS The system cannot find the file specified. !
? System32\Drivers\sfc.SYS The system cannot find the path specified. !

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd600c8d
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd600c8d@001e75c99c6c 0xCA 0x22 0xF0 0x95 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0009dd600c8d
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0009dd600c8d@001e75c99c6c 0xCA 0x22 0xF0 0x95 ...

---- EOF - GMER 1.0.15 ----


Here are the OTL logs
OTL logfile created on: 23/07/2009 10:25:57 - Run 1
OTL by OldTimer - Version 3.0.10.0 Folder = C:\Documents and Settings\Tascha\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

447.48 Mb Total Physical Memory | 109.93 Mb Available Physical Memory | 24.57% Memory free
1.03 Gb Paging File | 0.64 Gb Available in Paging File | 61.80% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.19 Gb Total Space | 19.58 Gb Free Space | 57.28% Space Free | Partition Type: NTFS
Drive D: | 34.69 Gb Total Space | 34.68 Gb Free Space | 99.98% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 11.74 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: LOADTOXICITY
Current User Name: Tascha
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2006/05/05 07:23:36 | 00,438,272 | ---- | M] (Acer Inc.) -- C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
PRC - [2006/03/30 13:23:34 | 00,028,672 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
PRC - [2008/02/18 11:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2007/07/24 15:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2006/03/30 14:20:50 | 00,266,338 | ---- | M] () -- C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
PRC - [2006/03/30 14:20:20 | 01,073,152 | ---- | M] (Cyberlink) -- C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
PRC - [2009/07/06 12:55:46 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/06/09 14:46:23 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
PRC - [2006/03/30 14:20:52 | 00,114,784 | ---- | M] () -- C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
PRC - [2005/09/30 19:22:50 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2009/06/09 14:46:23 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
PRC - [2008/04/14 09:42:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2005/08/17 07:09:00 | 00,090,112 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2004/11/03 12:54:46 | 00,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
PRC - [2006/03/30 14:20:26 | 00,143,360 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Acer TV-FM\PCMService.exe
PRC - [2006/05/05 07:25:20 | 00,425,984 | ---- | M] (Acer Inc.) -- C:\Program Files\Acer\Acer eConsole\MediaSync.exe
PRC - [2008/03/30 10:36:40 | 00,267,048 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2006/04/29 09:13:34 | 00,401,408 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
PRC - [2006/06/10 04:54:18 | 00,110,592 | ---- | M] (Acer Inc.) -- C:\Program Files\Acer\Acer eMode Management\AspireService.exe
PRC - [2006/04/19 12:24:50 | 00,049,152 | ---- | M] ( ) -- C:\WINDOWS\System32\SysMonitor.exe
PRC - [2009/07/06 12:55:46 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2006/05/12 05:30:24 | 00,045,056 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
PRC - [2005/11/17 12:55:14 | 00,745,472 | ---- | M] (X-Micro Technology Corp.) -- C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
PRC - [2008/03/30 10:36:30 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008/04/14 09:42:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2009/07/23 10:22:11 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tascha\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2006/05/05 07:23:36 | 00,438,272 | ---- | M] (Acer Inc.) -- C:\Program Files\Acer\Acer eConsole\MediaServerService.exe -- (Acer Media Server [Auto | Running])
SRV - [2006/03/30 13:23:34 | 00,028,672 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\ePerformance\MemCheck.exe -- (AcerMemUsageCheckService [Auto | Running])
SRV - [2008/02/18 11:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2007/07/24 15:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2005/09/30 19:22:50 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8 [Auto | Running])
SRV - [2006/03/30 14:20:50 | 00,266,338 | ---- | M] () -- C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe -- (CLCapSvc [Auto | Running])
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2006/03/30 14:20:52 | 00,114,784 | ---- | M] () -- C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe -- (CLSched [Auto | Running])
SRV - [2006/03/30 14:20:20 | 01,073,152 | ---- | M] (Cyberlink) -- C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe -- (CyberLink Media Library Service [Auto | Running])
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/14 09:42:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2004/10/22 19:54:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/03/30 10:36:30 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/07/06 12:55:46 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2009/06/09 14:46:23 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe -- (Norton AntiVirus [Auto | Running])
SRV - [2003/07/28 10:58:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2005/02/24 07:28:56 | 00,011,776 | ---- | M] (Arcsoft, Inc.) -- C:\WINDOWS\System32\drivers\Afc.sys -- (Afc [On_Demand | Running])
DRV - [2005/08/19 06:01:00 | 03,644,800 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [2004/08/04 14:59:28 | 00,701,440 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Stopped])
DRV - [2009/06/09 14:46:28 | 00,258,608 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\BHDrvx86.sys -- (BHDrvx86 [System | Running])
DRV - [2009/06/09 14:46:28 | 00,482,352 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\ccHPx86.sys -- (ccHP [System | Running])
DRV - [2009/06/09 14:46:28 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2009/06/09 14:46:28 | 00,101,936 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
DRV - [2008/01/29 12:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2006/01/31 08:35:00 | 00,011,970 | ---- | M] (Hauppauge Computer Works, Inc) -- C:\WINDOWS\System32\drivers\hcw88aud.sys -- (HCW88AUD [System | Stopped])
DRV - [2006/01/31 08:35:26 | 00,138,816 | ---- | M] (Hauppauge Computer Works, Inc) -- C:\WINDOWS\System32\drivers\hcw88bda.sys -- (HCW88BDA [On_Demand | Stopped])
DRV - [2006/01/31 08:36:14 | 00,299,715 | ---- | M] (Hauppauge Computer Works, Inc) -- C:\WINDOWS\System32\drivers\hcw88tse.sys -- (HCW88TSE [On_Demand | Stopped])
DRV - [2006/01/31 09:47:10 | 00,142,913 | ---- | M] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw88tun.sys -- (HCW88TUNE [On_Demand | Stopped])
DRV - [2006/01/31 08:34:12 | 00,494,144 | ---- | M] (Hauppauge Computer Works, Inc) -- C:\WINDOWS\System32\drivers\hcw88vid.sys -- (hcw88vid [On_Demand | Stopped])
DRV - [2006/01/31 08:34:26 | 00,023,104 | ---- | M] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\HCW88BAR.sys -- (HCW88XBAR [On_Demand | Stopped])
DRV - [2008/03/17 10:03:46 | 00,101,376 | R--- | M] (Huawei Technologies Co., Ltd.) -- C:\WINDOWS\System32\DRIVERS\ewusbmdm.sys -- (hwdatacard [On_Demand | Running])
DRV - [2009/07/12 05:04:12 | 00,276,344 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090715.003\IDSxpx86.sys -- (IDSxpx86 [System | Running])
DRV - [2005/01/14 07:16:16 | 00,069,632 | ---- | M] () -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15.sys [On_Demand | Running])
DRV - [2006/05/16 11:34:00 | 00,892,032 | ---- | M] (Animation Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\LVHybrid.sys -- (LVHybrid [On_Demand | Stopped])
DRV - [2001/08/18 06:27:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2008/04/14 04:16:22 | 00,015,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\MPE.sys -- (MPE [On_Demand | Stopped])
DRV - [2009/07/22 17:30:00 | 00,087,888 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090722.035\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/07/22 17:30:00 | 00,875,728 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090722.035\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2005/10/20 13:46:58 | 00,006,144 | ---- | M] (NewTech Infosystems, Inc.) -- C:\WINDOWS\System32\DRIVERS\NTIDrvr.sys -- (NTIDrvr [On_Demand | Running])
DRV - [2004/08/04 21:30:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2006/06/14 18:04:00 | 00,081,408 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\Rtnicxp.sys -- (RTL8023xp [On_Demand | Running])
DRV - [2007/11/13 19:55:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2006/06/30 02:51:38 | 00,258,560 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\System32\DRIVERS\sisgrp.sys -- (SiS315 [On_Demand | Running])
DRV - [2006/06/29 19:57:00 | 00,016,768 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\System32\DRIVERS\srvkp.sys -- (SiSkp [System | Running])
DRV - [2005/06/06 19:13:04 | 00,925,192 | ---- | M] (Motorola Inc.) -- C:\WINDOWS\System32\DRIVERS\smserial.sys -- (smserial [On_Demand | Running])
DRV - [2009/06/09 14:46:29 | 00,307,760 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SRTSP.SYS -- (SRTSP [On_Demand | Running])
DRV - [2009/06/09 14:46:29 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SRTSPX.SYS -- (SRTSPX [System | Running])
DRV - [2009/06/09 14:46:29 | 00,310,320 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1005000.086\SYMEFA.SYS -- (SymEFA [Boot | Running])
DRV - [2009/06/09 14:46:41 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2009/06/09 14:46:29 | 00,089,776 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SYMFW.SYS -- (SYMFW [On_Demand | Running])
DRV - [2009/06/09 14:46:29 | 00,034,736 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SYMIDS.SYS -- (SYMIDS [On_Demand | Running])
DRV - [2009/06/09 14:46:29 | 00,036,400 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\System32\DRIVERS\SymIM.sys -- (SymIM [On_Demand | Stopped])
DRV - [2009/06/09 14:46:29 | 00,036,400 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\System32\DRIVERS\SymIM.sys -- (SymIMMP [On_Demand | Running])
DRV - [2009/06/09 14:46:29 | 00,037,296 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SYMNDIS.SYS -- (SYMNDIS [On_Demand | Running])
DRV - [2009/06/09 14:46:29 | 00,217,392 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\SYMTDI.SYS -- (SYMTDI [System | Running])
DRV - [2004/12/18 09:44:44 | 00,013,952 | ---- | M] () -- C:\WINDOWS\System32\drivers\UBHelper.sys -- (UBHelper [System | Running])
DRV - [2008/02/18 11:16:24 | 00,030,464 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2005/10/29 04:08:18 | 00,402,432 | ---- | M] (ZyDAS Technology Corporation) -- C:\WINDOWS\System32\DRIVERS\zd1211Bu.sys -- (ZD1211BU(ZyDAS) [On_Demand | Stopped])
DRV - [2005/10/05 08:08:24 | 00,280,064 | ---- | M] (ZyDAS Technology Corporation) -- C:\WINDOWS\System32\DRIVERS\zd1211u.sys -- (ZD1211U(ZyDAS) [On_Demand | Stopped])
DRV - [2004/10/26 06:10:58 | 00,017,664 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\WINDOWS\System32\Drivers\ZDPSp50.sys -- (ZDPSp50 [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-57979684-3736213593-2922411195-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-57979684-3736213593-2922411195-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
IE - HKU\S-1-5-21-57979684-3736213593-2922411195-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-57979684-3736213593-2922411195-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTe...-8&fr=b1ie7
IE - HKU\S-1-5-21-57979684-3736213593-2922411195-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-57979684-3736213593-2922411195-1007\S-1-5-21-57979684-3736213593-2922411195-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/07/06 12:55:49 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/07 18:26:43 | 00,000,000 | ---D | M]


O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL (Symantec Corporation)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-57979684-3736213593-2922411195-1007\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-57979684-3736213593-2922411195-1007\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-57979684-3736213593-2922411195-1007\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-57979684-3736213593-2922411195-1007\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\System32\SysMonitor.exe ( )
O4 - HKLM..\Run: [AspireService] C:\Program Files\Acer\Acer eMode Management\AspireService.exe (Acer Inc.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.CPL (Microsoft Corporation)
O4 - HKLM..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe (Acer Inc.)
O4 - HKLM..\Run: [ImageItEncrypt] C:\WINDOWS\System32\ImageItEncrypt.exe ()
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LaunchApp] C:\WINDOWS\Alaunch.exe (Acer Inc.)
O4 - HKLM..\Run: [MediaSync] C:\Program Files\Acer\Acer eConsole\MediaSync.exe (Acer Inc.)
O4 - HKLM..\Run: [MSPY2002] \WINDOWS\system32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe ()
O4 - HKLM..\Run: [PCMService] C:\Program Files\Acer TV-FM\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [SiSPower] C:\WINDOWS\System32\SiSPower.DLL (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-57979684-3736213593-2922411195-1007..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-57979684-3736213593-2922411195-1007..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acer Empowering Technology.lnk = C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe (Acer Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acer WLAN 11g USB Dongle.lnk = C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe (X-Micro Technology Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-57979684-3736213593-2922411195-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-57979684-3736213593-2922411195-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\WINDOWS\System32\wshbth.dll (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1171160723189 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/10/20 13:47:16 | 00,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/04/24 07:14:40 | 00,114,688 | R--- | M] (Huawei Technologies Co., Ltd.) - J:\AutoRun.exe -- [ CDFS ]
O32 - AutoRun File - [2008/06/20 01:23:14 | 00,000,056 | R--- | M] () - J:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{730871c8-1906-11de-abd2-001921ab782b}\Shell - "" = AutoRun
O33 - MountPoints2\{730871c8-1906-11de-abd2-001921ab782b}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{730871c8-1906-11de-abd2-001921ab782b}\Shell\AutoRun\command - "" = J:\AutoRun.exe -- [2008/04/24 07:14:40 | 00,114,688 | R--- | M] (Huawei Technologies Co., Ltd.)
O33 - MountPoints2\{730871cb-1906-11de-abd2-001921ab782b}\Shell - "" = AutoRun
O33 - MountPoints2\{730871cb-1906-11de-abd2-001921ab782b}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{730871cb-1906-11de-abd2-001921ab782b}\Shell\AutoRun\command - "" = J:\AutoRun.exe -- [2008/04/24 07:14:40 | 00,114,688 | R--- | M] (Huawei Technologies Co., Ltd.)
O33 - MountPoints2\{9e24743f-19e1-11de-abd3-001921ab782b}\Shell - "" = AutoRun
O33 - MountPoints2\{9e24743f-19e1-11de-abd3-001921ab782b}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9e24743f-19e1-11de-abd3-001921ab782b}\Shell\AutoRun\command - "" = J:\AutoRun.exe -- [2008/04/24 07:14:40 | 00,114,688 | R--- | M] (Huawei Technologies Co., Ltd.)
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/07/23 10:22:11 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tascha\Desktop\OTL.exe
[2009/07/23 08:48:14 | 00,286,208 | ---- | C] () -- C:\Documents and Settings\Tascha\Desktop\zzo5ky9s.exe
[2009/07/11 11:24:59 | 00,002,996 | ---- | C] () -- C:\Documents and Settings\Tascha\Desktop\Attach.zip
[2009/07/11 09:41:06 | 46,929,1008 | -HS- | C] () -- C:\hiberfil.sys
[2009/07/07 13:54:36 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Office Outlook Connector
[2009/07/07 13:51:54 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2009/07/07 13:11:43 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2009/07/06 12:56:14 | 00,148,888 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/07/06 12:56:14 | 00,144,792 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/07/06 12:56:14 | 00,144,792 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/07/06 12:56:14 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/07/04 10:42:53 | 00,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/07/02 15:24:50 | 00,080,384 | ---- | C] () -- C:\Documents and Settings\Tascha\My Documents\TaschaTask1.doc
[2009/07/02 15:13:20 | 00,035,328 | ---- | C] () -- C:\Documents and Settings\Tascha\My Documents\TaschaFinancial_transaction.doc
[2009/07/02 15:12:28 | 00,051,712 | ---- | C] () -- C:\Documents and Settings\Tascha\My Documents\TaschaFinancial_Servicessector.doc
[2009/07/02 15:03:45 | 00,033,792 | ---- | C] () -- C:\Documents and Settings\Tascha\My Documents\TaschaPrivacyConsumerCredit.doc
[2009/07/01 12:16:07 | 00,000,012 | ---- | C] () -- C:\WINDOWS\bthservsdp.dat
[2009/07/01 11:08:36 | 00,018,092 | -H-- | C] () -- C:\Documents and Settings\Tascha\My Documents\ZbThumbnail.info
[2009/07/01 10:53:34 | 00,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wshirda.dll
[2009/07/01 10:53:34 | 00,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wshirda.dll
[2009/07/01 10:53:33 | 00,151,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\irftp.exe
[2009/07/01 10:53:33 | 00,151,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\irftp.exe
[2009/07/01 10:53:33 | 00,028,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\irmon.dll
[2009/07/01 10:53:33 | 00,028,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\irmon.dll
[2008/12/31 16:04:42 | 00,691,560 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/02/16 15:55:59 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/07/01 18:48:28 | 00,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS3y.DLL
[2007/03/29 16:57:15 | 00,000,032 | ---- | C] () -- C:\WINDOWS\SpriteKt.ini
[2007/03/25 11:36:43 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Jcmkr32.INI
[2007/02/18 16:56:11 | 00,000,029 | ---- | C] () -- C:\WINDOWS\CDMKR32.INI
[2007/02/15 17:19:42 | 00,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2007/02/11 11:39:56 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/08/31 03:17:56 | 00,000,956 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/08/27 06:54:22 | 00,000,093 | ---- | C] () -- C:\WINDOWS\alaunch.ini
[2006/05/13 08:59:20 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\MWLPS.dll
[2006/03/30 14:20:42 | 00,198,144 | ---- | C] () -- C:\WINDOWS\System32\_psisdecd.dll
[2006/02/23 03:50:14 | 00,331,776 | ---- | C] () -- C:\WINDOWS\System32\ScrollBarLib.dll
[2006/02/23 03:50:14 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\Interop.Shell32.dll
[2005/12/06 12:15:44 | 00,003,072 | ---- | C] () -- C:\WINDOWS\System32\34CoInstaller.dll
[2005/10/21 07:47:46 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/10/20 13:47:38 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2005/10/20 13:47:00 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2005/10/20 13:47:00 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2005/10/20 13:47:00 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
[2005/10/20 13:47:00 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2005/10/20 13:34:58 | 00,000,603 | ---- | C] () -- C:\WINDOWS\win.ini
[2005/10/20 13:29:38 | 00,000,243 | ---- | C] () -- C:\WINDOWS\SYSTEM.INI
[2005/07/13 07:14:42 | 00,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL
[2005/06/06 19:10:50 | 00,069,632 | ---- | C] () -- C:\WINDOWS\sm56spn.dll
[2005/06/06 19:10:50 | 00,069,632 | ---- | C] () -- C:\WINDOWS\sm56itl.dll
[2005/06/06 19:10:50 | 00,069,632 | ---- | C] () -- C:\WINDOWS\sm56ger.dll
[2005/06/06 19:10:50 | 00,069,632 | ---- | C] () -- C:\WINDOWS\sm56fra.dll
[2005/06/06 19:10:50 | 00,069,632 | ---- | C] () -- C:\WINDOWS\sm56eng.dll
[2005/06/06 19:10:50 | 00,069,632 | ---- | C] () -- C:\WINDOWS\sm56brz.dll
[2005/06/06 19:10:50 | 00,053,248 | ---- | C] () -- C:\WINDOWS\sm56jpn.dll
[2005/06/06 19:10:50 | 00,049,152 | ---- | C] () -- C:\WINDOWS\sm56cht.dll
[2005/06/06 19:10:50 | 00,049,152 | ---- | C] () -- C:\WINDOWS\sm56chs.dll
[2004/12/18 09:44:44 | 00,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys
[2004/09/07 02:53:00 | 00,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2004/08/04 21:30:00 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/04 21:25:59 | 01,614,848 | ---- | C] () -- C:\WINDOWS\System32\sfcfiles.dll
[2004/08/04 17:26:46 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/03/24 09:08:00 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll
[2003/01/07 13:35:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/09/24 04:41:24 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\hcwxds.dll
[2001/12/27 08:42:30 | 00,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/04 16:16:38 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/31 09:03:56 | 00,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/24 14:34:36 | 00,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll

========== Files - Modified Within 30 Days ==========

[3 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/07/23 10:22:11 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tascha\Desktop\OTL.exe
[2009/07/23 08:48:14 | 00,286,208 | ---- | M] () -- C:\Documents and Settings\Tascha\Desktop\zzo5ky9s.exe
[2009/07/23 08:36:31 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/07/23 08:35:30 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/07/23 08:35:26 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/07/23 08:35:23 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/07/23 08:35:19 | 46,929,1008 | -HS- | M] () -- C:\hiberfil.sys
[2009/07/21 07:34:11 | 00,000,012 | ---- | M] () -- C:\WINDOWS\bthservsdp.dat
[2009/07/11 11:34:40 | 03,774,786 | -H-- | M] () -- C:\Documents and Settings\Tascha\Local Settings\Application Data\IconCache.db
[2009/07/11 11:24:59 | 00,002,996 | ---- | M] () -- C:\Documents and Settings\Tascha\Desktop\Attach.zip
[2009/07/11 09:46:56 | 00,068,928 | ---- | M] () -- C:\Documents and Settings\Tascha\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/07/10 13:56:31 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/07/07 17:59:36 | 00,280,536 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/07/06 12:55:45 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/07/06 12:55:45 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/07/06 12:55:45 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/07/06 12:55:45 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/07/06 12:55:44 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/07/05 13:26:37 | 00,000,570 | ---- | M] () -- C:\Documents and Settings\Tascha\My Documents\My Sharing Folders.lnk
[2009/07/04 10:42:54 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/07/04 10:38:16 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/07/02 15:24:53 | 00,080,384 | ---- | M] () -- C:\Documents and Settings\Tascha\My Documents\TaschaTask1.doc
[2009/07/02 15:13:24 | 00,035,328 | ---- | M] () -- C:\Documents and Settings\Tascha\My Documents\TaschaFinancial_transaction.doc
[2009/07/02 15:12:31 | 00,051,712 | ---- | M] () -- C:\Documents and Settings\Tascha\My Documents\TaschaFinancial_Servicessector.doc
[2009/07/02 15:03:56 | 00,033,792 | ---- | M] () -- C:\Documents and Settings\Tascha\My Documents\TaschaPrivacyConsumerCredit.doc
[2009/07/01 11:15:44 | 00,528,084 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/07/01 11:15:44 | 00,445,678 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/07/01 11:15:44 | 00,072,692 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/07/01 11:08:39 | 00,018,092 | -H-- | M] () -- C:\Documents and Settings\Tascha\My Documents\ZbThumbnail.info
< End of report >


OTL Extras logfile created on: 23/07/2009 10:25:57 - Run 1
OTL by OldTimer - Version 3.0.10.0 Folder = C:\Documents and Settings\Tascha\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

447.48 Mb Total Physical Memory | 109.93 Mb Available Physical Memory | 24.57% Memory free
1.03 Gb Paging File | 0.64 Gb Available in Paging File | 61.80% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.19 Gb Total Space | 19.58 Gb Free Space | 57.28% Space Free | Partition Type: NTFS
Drive D: | 34.69 Gb Total Space | 34.68 Gb Free Space | 99.98% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 11.74 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: LOADTOXICITY
Current User Name: Tascha
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Acer\Acer eConsole\MediaSync.exe" = C:\Program Files\Acer\Acer eConsole\MediaSync.exe:LocalSubNet:Enabled:Media Synchoronizer -- (Acer Inc.)
"C:\Program Files\Acer\Acer eConsole\eConsole.exe" = C:\Program Files\Acer\Acer eConsole\eConsole.exe:LocalSubNet:Enabled:eConsole -- (Acer Inc.)
"C:\Program Files\Acer\Acer eConsole\MediaServerService.exe" = C:\Program Files\Acer\Acer eConsole\MediaServerService.exe:LocalSubNet:Enabled:Acer Media Server -- (Acer Inc.)
"C:\Program Files\Acer TV-FM\PowerCinema.exe" = C:\Program Files\Acer TV-FM\PowerCinema.exe:*:Enabled:CyberLink PowerCinema -- (CyberLink Corp.)
"C:\Program Files\Acer TV-FM\PCMService.exe" = C:\Program Files\Acer TV-FM\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program -- (CyberLink Corp.)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0CB98AC0-D691-4B21-AD3D-95982517021D}" = Acer WLAN 11g USB Dongle
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}" = QuickTime
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 14
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}" = Junk Mail filter update
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}" = iTunes
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{65CDEC30-4BF4-48FB-8059-9FC480E4E94F}" = Acer eMode Management
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7057702F-6D71-4F30-8000-9E72BC771887}" = Acer ePerformance Management
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0120-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AB6097D9-D722-4987-BD9E-A076E2848EE2}" = Acer Empowering Technology
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{B148AB4B-C8FA-474B-B981-F2943C5B5BCD}" = OGA Notifier 1.7.0105.35.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DC226AC9-0314-496C-BE6A-B6A132628466}" = SiSAGP driver
"{EC028E6B-F3F1-4192-B63E-A7C97302ED5A}" = Acer eConsole
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CANONBJ_Deinstall_CNMCP3y.DLL" = Canon S200SP
"CSCLIB" = Canon Camera Support Core Library
"DVD Shrink_is1" = DVD Shrink 3.2
"EOS Utility" = Canon Utilities EOS Utility
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Indeo® Software" = Indeo® Software
"InstallShield_{0CB98AC0-D691-4B21-AD3D-95982517021D}" = Acer WLAN 11g USB Dongle
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"InstallShield_{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NAV" = Norton AntiVirus
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OcaHistoryUpd" = OCA Client history tool install
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"SMSERIAL" = Motorola SM56 Speakerphone Modem
"VIRGIN BROADBAND" = VIRGIN BROADBAND
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 07/07/2009 18:43:26 | Computer Name = LOADTOXICITY | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 08/07/2009 21:01:17 | Computer Name = LOADTOXICITY | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 09/07/2009 20:08:17 | Computer Name = LOADTOXICITY | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 09/07/2009 23:48:48 | Computer Name = LOADTOXICITY | Source = PerfNet | ID = 2005
Description = Unable to read performance data from the Server service. No Server
performance data will be returned in this sample. Error code returned is in data
DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Error - 09/07/2009 23:48:48 | Computer Name = LOADTOXICITY | Source = PerfNet | ID = 2006
Description = Unable to read Server Queue performance data from the Server service.
No
Server Queue performance data will be returned in this sample. Error code returned
is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Error - 10/07/2009 02:14:58 | Computer Name = LOADTOXICITY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 10/07/2009 20:11:22 | Computer Name = LOADTOXICITY | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 20/07/2009 18:02:10 | Computer Name = LOADTOXICITY | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 20/07/2009 18:02:12 | Computer Name = LOADTOXICITY | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 22/07/2009 19:05:32 | Computer Name = LOADTOXICITY | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

[ System Events ]
Error - 10/07/2009 02:13:01 | Computer Name = LOADTOXICITY | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 10/07/2009 02:13:01 | Computer Name = LOADTOXICITY | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 10/07/2009 02:13:01 | Computer Name = LOADTOXICITY | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 10/07/2009 02:13:01 | Computer Name = LOADTOXICITY | Source = Service Control Manager | ID = 7001
Description = The Bonjour Service service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 10/07/2009 02:13:01 | Computer Name = LOADTOXICITY | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 10/07/2009 02:13:01 | Computer Name = LOADTOXICITY | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD BHDrvx86 ccHP eeCtrl Fips IDSxpx86 intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSPX
SYMTDI
Tcpip

Error - 10/07/2009 03:37:09 | Computer Name = LOADTOXICITY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/07/2009 20:17:45 | Computer Name = LOADTOXICITY | Source = System Error | ID = 1003
Description = Error code 1000008e, parameter1 c0000005, parameter2 8066aeb1, parameter3
f7687aa8, parameter4 00000000.

Error - 22/07/2009 19:08:56 | Computer Name = LOADTOXICITY | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 22/07/2009 19:09:14 | Computer Name = LOADTOXICITY | Source = System Error | ID = 1003
Description = Error code 1000008e, parameter1 c0000005, parameter2 8066aeb1, parameter3
f6cbfaa8, parameter4 00000000.


< End of report >


I didn't reinstall spybot on this computer but I noticed in the log it has the spybot teatimer in there, or was it looking for it?

Also I turned off Norton real time protection while doing the scans, but during the GMER scan it started up a background full system scan and opened up a window to try to open the internet connection. I hope this hasn't affected the scan :thumbup2: (I don't know how to stop the norton scan.)
Apart from that everything went smoothly :)
Oh and another thing I didn't mention in my first post is that this computer is extremely slow, and it always seems to be busy doing things (hard drive clicking away busily) when it is not doing anything.

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:03 PM

Posted 23 July 2009 - 02:51 PM

Hi metalmaiden,

It looks like the computer shop got this one cleaned, all I am seeing is a few orphaned entries one of which is
spybot which I will remove, apart from that it looks good.

(I don't know how to stop the norton scan.)


Who does :thumbup2:


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3 - HKU\S-1-5-21-57979684-3736213593-2922411195-1007\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-57979684-3736213593-2922411195-1007\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O3 - HKU\S-1-5-21-57979684-3736213593-2922411195-1007\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKU\S-1-5-21-57979684-3736213593-2922411195-1007\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O4 - HKU\S-1-5-21-57979684-3736213593-2922411195-1007..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe File not found
    :Commands
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it in your next reply.
Next

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Then please post back here with the following:
  • OTL results
  • Kaspersky results
  • New DDS.txt
Thanks

unite.jpg


#7 metalmaiden

metalmaiden
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Australia
  • Local time:01:33 AM

Posted 24 July 2009 - 08:40 AM

Hi syler,
Thanks for helping me
Ha ha good old Norton kept popping up (to tell me it was doing a full scan in the background) during the Kaspersky scan :)

Here's OTL

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_USERS\S-1-5-21-57979684-3736213593-2922411195-1007\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-57979684-3736213593-2922411195-1007\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_USERS\S-1-5-21-57979684-3736213593-2922411195-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
Registry value HKEY_USERS\S-1-5-21-57979684-3736213593-2922411195-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry value HKEY_USERS\S-1-5-21-57979684-3736213593-2922411195-1007\Software\Microsoft\Windows\CurrentVersion\Run\\SpybotSD TeaTimer deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 36426 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Paul
->Temp folder emptied: 19277681 bytes
->Temporary Internet Files folder emptied: 33043776 bytes
->Java cache emptied: 191152 bytes

User: Tascha
File delete failed. C:\Documents and Settings\Tascha\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Tascha\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Tascha\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 47878874 bytes
File delete failed. C:\Documents and Settings\Tascha\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 8748456 bytes
->Java cache emptied: 713910 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2675729 bytes
File delete failed. C:\WINDOWS\temp\JETADB4.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_2b8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 1305056 bytes
RecycleBin emptied: 362071551 bytes

Total Files Cleaned = 454.04 mb


OTL by OldTimer - Version 3.0.10.0 log created on 07242009_165957

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\JETADB4.tmp not found!
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_2b8.dat not found!

Registry entries deleted on Reboot...


Here's the Kaspersky report
Friday, July 24, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 24, 2009 10:58:55
Records in database: 2525301


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics
Files scanned 55181
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 02:34:10

File name Threat name Threats count
C:\WINDOWS\system32\sfcfiles.dll Infected: Trojan.Win32.Patched.fr 1

The selected area was scanned.

It took longer to download the updates for it than the actual scan took! :thumbup2:

Is that a Trojan or just the remains of it in the results?

DDS logs

DDS (Ver_09-06-26.01) - NTFSx86
Run by Tascha at 22:46:59.95 on 24/07/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.447.150 [GMT 9.5:30]

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Acer TV-FM\PCMService.exe
C:\Program Files\Acer\Acer eConsole\MediaSync.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Acer\Acer eMode Management\AspireService.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Tascha\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ninemsn.com.au/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://en.us.acer.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PCMService] "c:\program files\acer tv-fm\PCMService.exe"
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [MediaSync] c:\program files\acer\acer econsole\MediaSync.exe
mRun: [LaunchApp] Alaunch
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ImageItEncrypt] c:\windows\system32\ImageItEncrypt.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [AspireService] c:\program files\acer\acer emode management\AspireService.exe
mRun: [Acer Empowering Technology Monitor] c:\windows\system32\SysMonitor.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerwl~1.lnk - c:\program files\acer wlan 11g usb dongle\ZDWlan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171160723189
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {72CC6A2B-7C0E-440E-93F2-F073DC09EAA3} = 123.200.191.17 123.200.191.18
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-6-9 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-6-9 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-6-9 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090715.003\IDSXpx86.sys [2009-7-23 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-6-9 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-9 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090723.066\NAVENG.SYS [2009-7-24 87888]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090723.066\NAVEX15.SYS [2009-7-24 875728]
S1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;c:\windows\system32\drivers\hcw88aud.sys [2006-1-31 11970]
S3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [2006-1-31 138816]
S3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys [2006-1-31 299715]
S3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys [2006-1-31 142913]
S3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [2006-1-31 494144]
S3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\hcw88bar.sys [2006-1-31 23104]
S3 kwwalpgr;kwwalpgr;\??\c:\docume~1\tascha\locals~1\temp\kwwalpgr.sys --> c:\docume~1\tascha\locals~1\temp\kwwalpgr.sys [?]
S3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [2006-5-16 892032]

=============== Created Last 30 ================

2009-07-24 16:59 <DIR> --d----- C:\_OTL
2009-07-11 09:46 <DIR> --d----- c:\documents and settings\tascha\Tracing
2009-07-07 13:54 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector
2009-07-07 13:51 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-07-07 13:11 <DIR> --d----- c:\program files\common files\Windows Live
2009-07-06 12:56 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-02 18:55 34 a------- c:\documents and settings\tascha\jagex_runescape_preferences.dat
2009-07-01 12:16 12 a------- c:\windows\bthservsdp.dat
2009-07-01 10:53 8,192 a------- c:\windows\system32\wshirda.dll
2009-07-01 10:53 8,192 a------- c:\windows\system32\dllcache\wshirda.dll
2009-07-01 10:53 151,552 a------- c:\windows\system32\irftp.exe
2009-07-01 10:53 151,552 a------- c:\windows\system32\dllcache\irftp.exe
2009-07-01 10:53 28,160 a------- c:\windows\system32\irmon.dll
2009-07-01 10:53 28,160 a------- c:\windows\system32\dllcache\irmon.dll
2009-06-27 11:32 0 a------- c:\documents and settings\tascha\settings.dat

==================== Find3M ====================

2009-07-06 12:55 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-09 14:46 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-09 14:46 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-09 14:46 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-09 14:46 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-09 14:46 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-05-08 01:02 345,600 a------- c:\windows\system32\localspl.dll
2009-05-08 01:02 345,600 a------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 14:26 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 14:26 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 14:26 233,472 a------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 14:26 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 14:26 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 14:26 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-29 14:26 102,912 a------- c:\windows\system32\dllcache\occache.dll
2009-04-29 14:26 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 14:26 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 14:26 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 14:26 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 18:35 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 18:35 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-11 17:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021120090212\index.dat

============= FINISH: 22:47:34.71 ===============
Attached File  Attach.zip   2.63KB   15 downloads

Thanks :)

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:03 PM

Posted 24 July 2009 - 10:55 AM

Is that a Trojan or just the remains of it in the results?


Unfortunately that is a legitimate windows file that has been patched by malware so we will have to see if it can be fixed
or we may need to find a replacement for it.


Please download from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield :
    :filefind
    sfcfiles.dll
  • Please Confirm everything is copied and Pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan, Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Next

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program.
  • Cancel any prompts to download the latest CureIt version and click Start.
  • At the prompt to "Start scan now", click Ok. Allow the setup.exe/driver to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. [color="green"](You can use Notepad to open the DrWeb.cvs report)
Then please post back SystemLook.txt and the DrWeb report and let me no how the computers running.

Thanks

unite.jpg


#9 metalmaiden

metalmaiden
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Australia
  • Local time:01:33 AM

Posted 25 July 2009 - 04:12 AM

Hi syler :)

The scans went ok. DrWebCureIt found some things. After the restart, Norton detected "Hacktool.Rootkit" and blocked it. File name c:\windows\system32\drivers\sfc.sys


Here are the logs as requested.

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 08:07 on 25/07/2009 by Tascha (Administrator - Elevation successful)

========== filefind ==========

Searching for "sfcfiles.dll"
C:\WINDOWS\$NtServicePackUninstall$\sfcfiles.dll -----c 1580544 bytes [07:43 11/02/2009] [12:00 04/08/2004] 30A609E00BD1D4FFC49D6B5A432BE7F2
C:\WINDOWS\ServicePackFiles\i386\sfcfiles.dll ------ 1614848 bytes [00:12 14/04/2008] [00:12 14/04/2008] 9DD07AF82244867CA36681EA2D29CE79
C:\WINDOWS\system32\sfcfiles.dll --a--- 1614848 bytes [11:55 04/08/2004] [00:12 14/04/2008] 638CEB90549361126D1930474DAB1263

-=End Of File=-

DrWebCureIt

a10b.msi\stream005;C:\WINDOWS\Installer\a10b.msi;Trojan.WiFiKill;;
a10b.msi;C:\WINDOWS\Installer;Archive contains infected objects;Moved.;
Kill1211.exe;C:\WINDOWS\system32;Trojan.WiFiKill;Deleted.;


Is it common for computer shops to give back your computer (after virus removal) with viruses? This is the second one! :thumbup2:


Thanks so much

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:03 PM

Posted 25 July 2009 - 03:48 PM

Hey metalmaiden,

I don't no if it's common or not but where ever your taking them they aren't doing a good job :thumbup2:
Lets get this patched file fixed and do another scan, and hopefully it will come up clean.

Please copy the contents of the code box below, open notepad and paste it there. On the top toolbar in notepad select file, then save as.
In the box that opens type in replace.bat for the file name. Right below that click the down arrow in the line for "save as type" and select
all files
. Save this to your desktop and close notepad.

COPY C:\WINDOWS\ServicePackFiles\i386\sfcfiles.dll C:\WINDOWS\system32\ /y 
DEL %0

Then double click on replace.bat, box will pop up briefly on your screen and disappear, this is normal.

Next

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield :
    :filefind
    sfcfiles.dll
  • Please Confirm everything is copied and Pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan, Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Next

Please run a BitDefender Online Scan
  • Click on the Start Scanner button.
  • Check I Agree to agree to the EULA, then click start here.
  • Allow the ActiveX control to install when prompted.
  • Click Start scan to begin scanning.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop as results.txt and post it in your next reply.
Then please post back with systemlook.txt and the Bitdefender report.

Thanks

unite.jpg


#11 metalmaiden

metalmaiden
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Australia
  • Local time:01:33 AM

Posted 26 July 2009 - 07:00 AM

I'm sorry syler,
I've been in Adelaide today with my son for a 10 hour Pedal Prix event and haven't had a chance to do anything on the computer. I thought I'd let you know. I'll get it done after work tomorrow,
Thanks

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:03 PM

Posted 26 July 2009 - 07:04 AM

No problem metalmaiden, have fun at the Pedal Prix :thumbup2:

unite.jpg


#13 metalmaiden

metalmaiden
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Australia
  • Local time:01:33 AM

Posted 27 July 2009 - 02:34 AM

Hi syler,

Thanks, the Pedal Prix was good. The weather was nice too, only a little rain in the last hour, so the riders didn't have to stay cold and wet for long.



Here's one of the logs.
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 13:07 on 27/07/2009 by Tascha (Administrator - Elevation successful)

========== filefind ==========

Searching for "sfcfiles.dll"
C:\WINDOWS\$NtServicePackUninstall$\sfcfiles.dll -----c 1580544 bytes [07:43 11/02/2009] [12:00 04/08/2004] 30A609E00BD1D4FFC49D6B5A432BE7F2
C:\WINDOWS\ServicePackFiles\i386\sfcfiles.dll ------ 1614848 bytes [00:12 14/04/2008] [00:12 14/04/2008] 9DD07AF82244867CA36681EA2D29CE79
C:\WINDOWS\system32\sfcfiles.dll --a--- 1614848 bytes [11:55 04/08/2004] [00:12 14/04/2008] 638CEB90549361126D1930474DAB1263

-=End Of File=-

I had trouble with BitDefender. First it froze, so I tried again. Then I couldn't get the virus definitions update, and got this message. "Bitdefender failed to update the virus definitions. Although it might be possible to check for viruses, the result will probably not be 100% accurate".
Then I tried again and it froze at 21% updated. Tried again and it didn't get past 0%. Finally got it to go, and there were no viruses found. I clicked it off without saving the log :thumbup2: (sorry I wasn't thinking!) But I did read the log and I couldn't see any warnings.

I also have a "Wireless LAN Configuration Tool Plus" (with an acer logo) open on my taskbar. I can't close it and it's not on my running applications list. It's been there since I started the computer up today. Don't know why!

Thanks for your assistance.

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:03 PM

Posted 27 July 2009 - 10:26 AM

Hi agian,

It looks like the file has not been replaced from that log, Can you tell me if you did the instructions in the order
I posted them? Im not sure about the "Wireless LAN Configuration Tool Plus" I dont think its malware related I
have an idea what it could be but lets try and get this file replaced first.

unite.jpg


#15 metalmaiden

metalmaiden
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Australia
  • Local time:01:33 AM

Posted 27 July 2009 - 10:26 PM

Yeah, I did everything in order and copied and pasted everything as you posted. The only thing I didn't do was download SystemLook, because I still have it from the last time you asked me to download. Should I have deleted it and redownloaded?

The LAN thing isn't there today, I saw it for a second then it disappeared.

Thanks :thumbup2:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users