Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Found trojan.vundo and several other malware, removed and computer is still uber slow


  • Please log in to reply
10 replies to this topic

#1 santegelo

santegelo

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:27 AM

Posted 08 August 2009 - 09:44 AM

Our antivirus failed somehow and the computer started running abnormally slow. Downloaded shaw secure, scan was clean, downloaded malwarebytes and found 21 problems (see below). Then ran trojan remover from Symantec and found 2 more. Removed them. Computer is still SO SLOW and I am not super tech savvy. I have posted a hijackthis log...any help is appreciated SO SO MUCH!!

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{49d63e18-33b1-46f2-82c2-39431fb94794} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49d63e18-33b1-46f2-82c2-39431fb94794} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSControlService (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1c26baf0-8131-40f1-1896-236ea210678a} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{49d63e18-33b1-46f2-82c2-39431fb94794} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\zango 10.3.35.0 (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\InetGet2 (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\BM17ddd869.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\a.zip (Worm.Archive) -> Quarantined and deleted successfully.


HIJACK THIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:52 PM, on 8/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\FSPC\fspc.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Playskool\MADE FOR ME Software\HbDetect.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\TOSHIBA\ivp\ISM\ivpsvmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {2D494010-D487-4CB8-9FA1-027EF00A70D1} - (no file)
O2 - BHO: (no name) - {425EAFDA-D13C-45F5-A7C6-1AFCDA41851E} - (no file)
O2 - BHO: (no name) - {439D0C1E-C88D-4649-90DF-537278C20329} - (no file)
O2 - BHO: {0ed4da0b-d263-eeda-f564-624106da85c4} - {4c58ad60-1426-465f-adee-362db0ad4de0} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6381DF95-EB5F-4B9E-A5A2-94EE8FD8A14E} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [HbDetect.exe] C:\Program Files\Playskool\MADE FOR ME Software\HbDetect.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GoogleT5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Zango 10.3.35.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.gameshed.com/freegames/5819/"
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - http://games.bigfishgames.com/en_mysteryso...mesLauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...698/mcfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\iEvony\Skype4COM.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 11205 bytes

BC AdBot (Login to Remove)

 


#2 santegelo

santegelo
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:27 AM

Posted 08 August 2009 - 09:56 AM

Since posting this, I read that a DDS.txt is helpful too and am adding that. thank you for your help!!


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 7:52:37.21 on Sat 08/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.182 [GMT -7:00]

AV: Shaw Secure 8.02 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 8.02 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\FSPC\fspc.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Playskool\MADE FOR ME Software\HbDetect.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\TOSHIBA\ivp\ISM\ivpsvmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local;<local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {2D494010-D487-4CB8-9FA1-027EF00A70D1} - No File
BHO: {425EAFDA-D13C-45F5-A7C6-1AFCDA41851E} - No File
{439d0c1e-c88d-4649-90df-537278c20329}
BHO: {4c58ad60-1426-465f-adee-362db0ad4de0} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {6381DF95-EB5F-4B9E-A5A2-94EE8FD8A14E} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [HbDetect.exe] c:\program files\playskool\made for me software\HbDetect.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GoogleT5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Zango 10.3.35.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.gameshed.com/freegames/5819/"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [F-Secure Manager] "c:\program files\shaw secure\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\shaw secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {200DB664-75B5-47c0-8B45-A44ACCF73C00} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\shaw secure\fspc\fspcmsie.dll
IE: {200DB664-75B5-47c0-8B45-A44ACCF73F01} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\shaw secure\fspc\fspcmsie.dll
LSP: c:\program files\shaw secure\fsps\program\FSLSP.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://games.bigfishgames.com/en_mysterysolitairese/online/SpinTopGamesLauncher.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5698/mcfscan.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\ievony\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\rb8t7bjg.default\
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-8-3 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-8-3 79872]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\shaw secure\hips\drivers\fshs.sys [2009-8-3 67808]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\shaw secure\anti-virus\fsgk32st.exe [2009-8-3 215648]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\shaw secure\anti-virus\minifilter\fsgk.sys [2009-8-3 99960]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\shaw secure\orsp client\fsorsp.exe [2009-8-3 55904]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\shaw secure\anti-virus\win2k\fsfilter.sys [2009-8-3 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\shaw secure\anti-virus\win2k\fsrec.sys [2009-8-3 25184]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-08-05 08:21 <DIR> -cd----- c:\docume~1\owner\applic~1\Malwarebytes
2009-08-05 08:20 38,160 ac------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-05 08:20 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-05 08:20 19,096 ac------ c:\windows\system32\drivers\mbam.sys
2009-08-05 08:20 <DIR> -cd----- c:\program files\Malwarebytes' Anti-Malware
2009-08-04 20:34 <DIR> -cd----- c:\program files\ToniArts
2009-08-04 16:52 73,728 ac------ c:\windows\system32\javacpl.cpl
2009-08-04 16:42 <DIR> -cd----- c:\documents and settings\owner\.SunDownloadManager
2009-08-04 16:38 <DIR> -cd----- c:\windows\McAfee.com
2009-08-03 23:17 <DIR> -cd----- c:\docume~1\owner\applic~1\F-Secure
2009-08-03 23:09 33,920 ac------ c:\windows\system32\drivers\fsbts.sys
2009-08-03 23:08 79,872 ac------ c:\windows\system32\drivers\fsdfw.sys
2009-08-03 23:05 <DIR> -cd----- c:\program files\Shaw Secure
2009-08-03 23:05 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\fssg
2009-08-03 23:04 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\f-secure
2009-07-12 20:50 <DIR> -cd----- c:\program files\iEvony
2009-07-11 13:49 <DIR> -cd----- c:\program files\Windows Installer Clean Up

==================== Find3M ====================

2009-08-04 16:51 411,368 ac------ c:\windows\system32\deploytk.dll
2009-07-03 10:09 915,456 ac------ c:\windows\system32\wininet.dll
2009-06-16 07:36 119,808 ac------ c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 ac------ c:\windows\system32\fontsub.dll
2009-06-03 12:09 1,291,264 ac------ c:\windows\system32\quartz.dll
2009-04-22 20:31 36,352 ac------ c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2008-10-21 22:38 0 ac------ c:\program files\codecpack.v.1.0.2021.exe
2008-10-21 22:32 0 ac------ c:\program files\codecpack.v.1.0.202.exe
2007-12-26 14:02 24,192 ac------ c:\documents and settings\owner\usbsermptxp.sys
2007-12-26 14:02 22,768 ac------ c:\documents and settings\owner\usbsermpt.sys
2007-08-27 07:52 774,144 ac------ c:\program files\RngInterstitial.dll
2007-06-28 14:52 60,968 ac------ c:\documents and settings\owner\GoToAssistDownloadHelper.exe
2008-09-21 09:14 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092120080922\index.dat

============= FINISH: 7:53:59.07 ===============

Attached Files



#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:27 AM

Posted 19 August 2009 - 07:27 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#4 santegelo

santegelo
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:27 AM

Posted 19 August 2009 - 11:14 PM

Thanks for the reply, here is a new DDS as per your request as the issues have not gotten better. I have deleted all unnecessary programs and files that I could think of and run CCleaner regularly, but after this trojan the computer is so slow to even open the start menu. It's awful.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 21:09:46.21 on Wed 08/19/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.210 [GMT -7:00]

AV: Shaw Secure 8.02 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 8.02 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local;<local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {2D494010-D487-4CB8-9FA1-027EF00A70D1} - No File
BHO: {425EAFDA-D13C-45F5-A7C6-1AFCDA41851E} - No File
{439d0c1e-c88d-4649-90df-537278c20329}
BHO: {4c58ad60-1426-465f-adee-362db0ad4de0} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {6381DF95-EB5F-4B9E-A5A2-94EE8FD8A14E} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [HbDetect.exe] c:\program files\playskool\made for me software\HbDetect.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GoogleT5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Zango 10.3.35.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.gameshed.com/freegames/5819/"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [F-Secure Manager] "c:\program files\shaw secure\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\shaw secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [InnoSetupRegFile.0000000001] "c:\windows\is-M3I14.exe" /REG
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {200DB664-75B5-47c0-8B45-A44ACCF73C00} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\shaw secure\fspc\fspcmsie.dll
IE: {200DB664-75B5-47c0-8B45-A44ACCF73F01} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\shaw secure\fspc\fspcmsie.dll
LSP: c:\program files\shaw secure\fsps\program\FSLSP.DLL
Trusted Zone: microsoft.com\oas.support
Trusted Zone: microsoft.com\support
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://games.bigfishgames.com/en_mysterysolitairese/online/SpinTopGamesLauncher.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5698/mcfscan.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\ievony\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\rb8t7bjg.default\
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============


============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-08-14 20:26 313 ac------ c:\windows\is-M3I14.lst
2009-08-14 20:26 10,194 ac------ c:\windows\is-M3I14.msg
2009-08-14 20:26 775,168 ac------ c:\windows\is-M3I14.exe
2009-08-14 20:23 1,563,008 ac------ c:\windows\WRSetup.dll
2009-08-14 20:22 164 ac------ c:\windows\install.dat
2009-08-13 14:16 <DIR> -cd----- c:\program files\RamBooster 2.0
2009-08-12 21:02 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 20:59 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-05 08:21 <DIR> -cd----- c:\docume~1\owner\applic~1\Malwarebytes
2009-08-05 08:20 38,160 ac------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-05 08:20 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-05 08:20 19,096 ac------ c:\windows\system32\drivers\mbam.sys
2009-08-05 08:20 <DIR> -cd----- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 02:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:34 <DIR> -cd----- c:\program files\ToniArts
2009-08-04 16:52 73,728 ac------ c:\windows\system32\javacpl.cpl
2009-08-04 16:42 <DIR> -cd----- c:\documents and settings\owner\.SunDownloadManager
2009-08-04 16:38 <DIR> -cd----- c:\windows\McAfee.com
2009-08-03 23:17 <DIR> -cd----- c:\docume~1\owner\applic~1\F-Secure
2009-08-03 23:09 33,920 ac------ c:\windows\system32\drivers\fsbts.sys
2009-08-03 23:08 79,872 ac------ c:\windows\system32\drivers\fsdfw.sys
2009-08-03 23:05 <DIR> -cd----- c:\program files\Shaw Secure
2009-08-03 23:05 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\fssg
2009-08-03 23:04 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\f-secure

==================== Find3M ====================

2009-08-05 02:01 204,800 ac------ c:\windows\system32\mswebdvd.dll
2009-08-04 16:51 411,368 ac------ c:\windows\system32\deploytk.dll
2009-07-17 12:01 58,880 ac------ c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 ac------ c:\windows\system32\wmpdxm.dll
2009-07-03 10:09 915,456 ac------ c:\windows\system32\wininet.dll
2009-06-16 07:36 119,808 ac------ c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 ac------ c:\windows\system32\fontsub.dll
2009-06-12 05:31 76,288 ac------ c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 ac------ c:\windows\system32\mstscax.dll
2009-06-10 07:13 84,992 ac------ c:\windows\system32\avifil32.dll
2009-06-09 23:14 132,096 ac------ c:\windows\system32\wkssvc.dll
2009-06-03 12:09 1,291,264 ac------ c:\windows\system32\quartz.dll
2009-04-22 20:31 36,352 ac------ c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2008-10-21 22:38 0 ac------ c:\program files\codecpack.v.1.0.2021.exe
2008-10-21 22:32 0 ac------ c:\program files\codecpack.v.1.0.202.exe
2007-12-26 14:02 24,192 ac------ c:\documents and settings\owner\usbsermptxp.sys
2007-12-26 14:02 22,768 ac------ c:\documents and settings\owner\usbsermpt.sys
2007-08-27 07:52 774,144 ac------ c:\program files\RngInterstitial.dll
2007-06-28 14:52 60,968 ac------ c:\documents and settings\owner\GoToAssistDownloadHelper.exe
2008-09-21 09:14 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092120080922\index.dat

============= FINISH: 21:11:05.57 ===============

Attached Files



#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:27 AM

Posted 21 August 2009 - 12:29 PM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 santegelo

santegelo
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:27 AM

Posted 21 August 2009 - 10:14 PM

Hi Sam, thank you so much for helping me. I have both reports as per your instructions. Please let me know anything else you need. There was also an extra.Txt with the OTL so I have attached it in case you need it.

OTL logfile created on: 8/21/2009 6:04:46 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.42 Mb Total Physical Memory | 17.41 Mb Available Physical Memory | 3.47% Memory free
1.92 Gb Paging File | 1.11 Gb Available in Paging File | 58.03% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.33 Gb Total Space | 11.24 Gb Free Space | 15.12% Space Free | Partition Type: NTFS
Drive D: | 304.50 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FAMILY
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2005/01/17 16:38:00 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [1999/12/13 09:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\CTsvcCDA.exe
PRC - [2004/08/28 00:33:00 | 00,110,592 | ---- | M] (Matsubleepa Electric Industrial Co., Ltd.) -- C:\WINDOWS\System32\DVDRAMSV.exe
PRC - [2009/02/19 04:44:26 | 00,215,648 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
PRC - [2009/02/19 04:48:06 | 00,117,400 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Common\FSMA32.EXE
PRC - [2009/08/03 23:26:15 | 00,466,048 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
PRC - [2009/02/19 04:48:08 | 00,232,088 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Common\FSMB32.EXE
PRC - [2009/08/04 16:51:52 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2006/10/11 12:45:12 | 00,075,304 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
PRC - [2009/02/19 04:48:06 | 00,182,936 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Common\FSM32.EXE
PRC - [2009/08/04 16:51:53 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/02/19 04:48:04 | 00,125,592 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Common\FCH32.EXE
PRC - [2008/01/28 16:53:04 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2006/10/26 13:34:04 | 00,065,536 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Playskool\MADE FOR ME Software\HbDetect.exe
PRC - [2009/02/19 04:48:04 | 00,404,064 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
PRC - [2009/02/19 04:44:26 | 00,043,680 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
PRC - [2009/02/19 04:48:20 | 00,707,168 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\FSPC\fspc.exe
PRC - [2009/02/19 04:47:12 | 00,604,768 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
PRC - [2009/02/19 04:43:32 | 00,490,080 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
PRC - [2009/08/03 23:26:15 | 00,586,880 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
PRC - [2009/02/19 04:50:12 | 00,055,904 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe
PRC - [2009/02/19 04:45:20 | 00,510,560 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
PRC - [2001/03/22 15:13:04 | 00,454,656 | ---- | M] (Toshiba Corporation) -- C:\TOSHIBA\ivp\netint\netint.exe
PRC - [2001/11/14 02:37:52 | 00,147,456 | ---- | M] (Toshiba Corporation) -- C:\TOSHIBA\ivp\ISM\pinger.exe
PRC - [2009/02/19 04:44:26 | 00,349,280 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2007/09/20 18:34:22 | 00,936,960 | ---- | M] () -- C:\Program Files\WinRAR\WinRAR.exe
PRC - [2009/08/21 18:03:22 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/07/25 12:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2005/08/03 08:02:58 | 00,380,928 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Stopped])
SRV - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2005/01/17 16:38:00 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs [Auto | Running])
SRV - [2008/07/25 12:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - File not found -- -- (CLTNetCnService [Auto | Stopped])
SRV - [1999/12/13 09:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\CTsvcCDA.exe -- (Creative Service for CDROM Access [Auto | Running])
SRV - [2004/08/28 00:33:00 | 00,110,592 | ---- | M] (Matsubleepa Electric Industrial Co., Ltd.) -- C:\WINDOWS\System32\DVDRAMSV.exe -- (DVD-RAM_Service [Auto | Running])
SRV - [2009/02/19 04:44:26 | 00,215,648 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe -- (F-Secure Gatekeeper Handler Starter [Auto | Running])
SRV - [2008/07/29 22:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/02/19 04:43:32 | 00,490,080 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe -- (FSAUA [On_Demand | Running])
SRV - [2009/02/19 04:45:20 | 00,510,560 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe -- (FSDFWD [On_Demand | Running])
SRV - [2009/02/19 04:48:06 | 00,117,400 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Common\FSMA32.EXE -- (FSMA [Auto | Running])
SRV - [2009/02/19 04:50:12 | 00,055,904 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe -- (FSORSPClient [On_Demand | Running])
SRV - [2009/03/24 21:01:50 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 20:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/08/04 16:51:52 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - File not found -- -- (KodakCCS [On_Demand | Stopped])
SRV - File not found -- -- (Lavasoft Ad-Aware Service [Auto | Stopped])
SRV - [2008/07/29 20:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/08/09 00:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Stopped])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2005/03/04 14:02:20 | 01,066,278 | ---- | M] (Agere Systems) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys -- (AgereSoftModem [On_Demand | Running])
DRV - [2005/06/20 07:08:44 | 02,324,480 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [2004/11/15 01:22:08 | 00,101,874 | ---- | M] (Alps Electric Co., Ltd.) -- C:\WINDOWS\System32\DRIVERS\Apfiltr.sys -- (ApfiltrService [On_Demand | Running])
DRV - [2005/08/03 08:10:18 | 01,273,344 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Stopped])
DRV - [2006/09/21 16:59:52 | 00,099,720 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb [Boot | Running])
DRV - [2005/04/21 02:56:00 | 00,040,544 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\drvnddm.sys -- (drvnddm [Auto | Running])
DRV - [2009/02/27 02:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2008/01/23 16:31:30 | 00,671,744 | ---- | M] (COMPAL ELECTRONIC INC.) -- C:\Program Files\TOSHIBA\E-KEY\CeEKey .exe -- (EKECioCtl [On_Demand | Stopped])
DRV - [2009/02/19 04:44:32 | 00,039,776 | ---- | M] () -- C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys -- (F-Secure Filter [Disabled | Stopped])
DRV - [2009/08/04 00:48:42 | 00,099,960 | ---- | M] () -- C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys -- (F-Secure Gatekeeper [On_Demand | Running])
DRV - [2009/02/19 04:47:30 | 00,067,808 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys -- (F-Secure HIPS [System | Running])
DRV - [2009/02/19 04:44:32 | 00,025,184 | ---- | M] () -- C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys -- (F-Secure Recognizer [Disabled | Stopped])
DRV - [2009/08/03 23:35:55 | 00,033,920 | ---- | M] () -- C:\WINDOWS\system32\Drivers\fsbts.sys -- (fsbts [Boot | Running])
DRV - [2009/02/19 04:45:20 | 00,079,872 | ---- | M] (F-Secure Corporation) -- C:\WINDOWS\System32\drivers\fsdfw.sys -- (FSFW [Boot | Running])
DRV - [2008/04/17 13:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2005/03/08 04:52:26 | 00,051,120 | R--- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2005/03/08 04:52:28 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2005/03/08 04:52:28 | 00,021,744 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2005/07/18 20:34:22 | 01,049,180 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2003/09/10 23:36:54 | 00,021,060 | ---- | M] (InterVideo, Inc.) -- C:\WINDOWS\System32\drivers\iviaspi.sys -- (Iviaspi [On_Demand | Running])
DRV - [2005/06/02 03:33:00 | 00,102,384 | ---- | M] (Matsubleepa Electric Industrial Co.,Ltd.) -- C:\WINDOWS\System32\Drivers\meiudf.sys -- (meiudf [System | Running])
DRV - [2003/01/29 14:35:00 | 00,012,032 | ---- | M] (TOSHIBA Corporation.) -- C:\WINDOWS\System32\DRIVERS\netdevio.sys -- (Netdevio [Auto | Running])
DRV - [2003/09/25 11:47:36 | 00,016,509 | ---- | M] (Palm, Inc.) -- C:\WINDOWS\System32\drivers\PalmUSBD.sys -- (PalmUSBD [On_Demand | Stopped])
DRV - [2003/09/19 01:47:00 | 00,010,368 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\System32\drivers\pfc.sys -- (Pfc [On_Demand | Running])
DRV - [2004/08/04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/03/29 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2004/08/04 05:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\Drivers\RootMdm.sys -- (ROOTMODEM [On_Demand | Running])
DRV - [2005/03/03 20:10:26 | 00,074,496 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\Rtlnicxp.sys -- (RTL8023xp [On_Demand | Running])
DRV - [2004/08/03 15:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Stopped])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/01/23 16:31:30 | 00,671,744 | ---- | M] (COMPAL ELECTRONIC INC.) -- C:\Program Files\TOSHIBA\E-KEY\CeEKey .exe -- (SrvcEKIOMngr [On_Demand | Stopped])
DRV - [2004/07/30 15:05:08 | 00,006,400 | ---- | M] (COMPAL ELECTRONIC INC.) -- C:\WINDOWS\System32\Drivers\SSIoMngr.sys -- (SrvcSSIOMngr [System | Running])
DRV - [2005/05/13 10:37:28 | 00,005,627 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\sscdbhk5.sys -- (sscdbhk5 [System | Running])
DRV - [2005/05/13 10:37:20 | 00,023,545 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\ssrtln.sys -- (ssrtln [System | Running])
DRV - [2008/06/13 14:14:02 | 00,031,280 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\DRIVERS\SymIM.sys -- (SymIM [On_Demand | Stopped])
DRV - [2008/06/13 14:14:02 | 00,031,280 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\DRIVERS\SymIM.sys -- (SymIMMP [On_Demand | Running])
DRV - [2002/01/24 14:43:40 | 00,006,528 | ---- | M] () -- C:\WINDOWS\System32\drivers\Tbiosdrv.sys -- (TBiosDrv [On_Demand | Stopped])
DRV - [2005/05/31 05:33:00 | 00,025,725 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnboio.sys -- (tfsnboio [Auto | Running])
DRV - [2005/05/31 05:33:00 | 00,034,845 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsncofs.sys -- (tfsncofs [Auto | Running])
DRV - [2005/05/31 05:33:00 | 00,004,125 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsndrct.sys -- (tfsndrct [Auto | Running])
DRV - [2005/05/31 05:33:00 | 00,002,241 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsndres.sys -- (tfsndres [Auto | Running])
DRV - [2005/05/31 05:33:00 | 00,086,876 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnifs.sys -- (tfsnifs [Auto | Running])
DRV - [2005/05/31 05:33:00 | 00,015,069 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnopio.sys -- (tfsnopio [Auto | Running])
DRV - [2005/05/31 05:33:00 | 00,006,365 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnpool.sys -- (tfsnpool [Auto | Running])
DRV - [2005/05/31 05:33:00 | 00,098,716 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnudf.sys -- (tfsnudf [Auto | Running])
DRV - [2005/05/31 05:33:00 | 00,100,605 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnudfa.sys -- (tfsnudfa [Auto | Running])
DRV - [2005/06/22 18:16:08 | 00,162,176 | ---- | M] (Texas Instruments) -- C:\WINDOWS\System32\drivers\tifm21.sys -- (tifm21 [On_Demand | Running])
DRV - [2005/06/03 19:49:42 | 00,009,600 | ---- | M] (TOSHIBA ) -- C:\WINDOWS\System32\Drivers\TPwSav.sys -- (TPwSav [System | Running])
DRV - [2005/07/29 09:55:46 | 00,030,592 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\DRIVERS\Tvs.sys -- (Tvs [On_Demand | Running])
DRV - [2007/12/26 14:02:31 | 00,022,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\usbsermpt.sys -- (usbsermpt [On_Demand | Stopped])
DRV - [2005/04/30 01:01:56 | 03,281,408 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\w29n51.sys -- (w29n51 [On_Demand | Running])
DRV - File not found -- Service key not found. -- (sshrmd [Unknown | Stopped])
DRV - File not found -- Service key not found. -- (ssfs0bbc [Unknown | Stopped])
DRV - File not found -- Service key not found. -- (ssidrv [Unknown | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.shoptoshiba.ca/welcome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.shoptoshiba.ca/welcome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-917453701-2682467703-2982482402-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-917453701-2682467703-2982482402-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKU\S-1-5-21-917453701-2682467703-2982482402-1003\S-1-5-21-917453701-2682467703-2982482402-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-917453701-2682467703-2982482402-1003\S-1-5-21-917453701-2682467703-2982482402-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.2

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/10 21:16:04 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/08/04 16:51:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/04 21:46:01 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/04 21:45:20 | 00,000,000 | ---D | M]

[2009/08/04 21:46:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Extensions
[2009/08/04 21:46:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/29 08:13:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Extensions\mozswing@mozswing.org
[2009/08/20 23:04:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\rb8t7bjg.default\extensions
[2009/08/05 21:35:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\rb8t7bjg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/08/16 17:19:39 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/04 21:45:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/02 22:17:13 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/08/04 16:52:22 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/07/30 04:26:53 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/07/30 04:26:54 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/08/04 16:51:55 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/07/30 04:26:55 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/02/27 12:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/01/21 22:01:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/01/21 22:01:41 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/01/21 22:01:41 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/01/21 22:01:41 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/01/21 22:01:41 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/01/21 22:01:41 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/01/21 22:01:41 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/07/30 00:24:20 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/30 00:24:20 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/30 00:24:20 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/30 00:24:20 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/30 00:24:20 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/30 00:24:20 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/30 00:24:20 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {2D494010-D487-4CB8-9FA1-027EF00A70D1} - No CLSID value found.
O2 - BHO: (no name) - {425EAFDA-D13C-45F5-A7C6-1AFCDA41851E} - No CLSID value found.
O2 - BHO: (no name) - {439D0C1E-C88D-4649-90DF-537278C20329} - No CLSID value found.
O2 - BHO: (no name) - {4c58ad60-1426-465f-adee-362db0ad4de0} - No CLSID value found.
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (no name) - {6381DF95-EB5F-4B9E-A5A2-94EE8FD8A14E} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKU\S-1-5-21-917453701-2682467703-2982482402-1003\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [F-Secure Manager] C:\Program Files\Shaw Secure\Common\FSM32.EXE (F-Secure Corporation)
O4 - HKLM..\Run: [F-Secure TNB] C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe (F-Secure Corporation)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [Pinger] C:\TOSHIBA\ivp\ISM\pinger.exe (Toshiba Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-917453701-2682467703-2982482402-1003..\Run: [HbDetect.exe] C:\Program Files\Playskool\MADE FOR ME Software\HbDetect.exe (Creative Technology Ltd)
O4 - HKU\S-1-5-21-917453701-2682467703-2982482402-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKLM..\RunOnce: [InnoSetupRegFile.0000000001] C:\WINDOWS\is-M3I14.exe ()
O4 - HKU\S-1-5-21-917453701-2682467703-2982482402-1003..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10a.exe (Adobe Systems, Inc.)
O4 - HKU\S-1-5-21-917453701-2682467703-2982482402-1003..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103471 -Mozilla\4.0 ( File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-917453701-2682467703-2982482402-1003\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-917453701-2682467703-2982482402-1003\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-917453701-2682467703-2982482402-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-917453701-2682467703-2982482402-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\S-1-5-21-917453701-2682467703-2982482402-1003_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-917453701-2682467703-2982482402-1003_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O9 - Extra Button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll (F-Secure Corporation)
O9 - Extra 'Tools' menuitem : Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll (F-Secure Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O15 - HKU\S-1-5-21-917453701-2682467703-2982482402-1003\..Trusted Domains: microsoft.com ([oas.support] http in Trusted sites)
O15 - HKU\S-1-5-21-917453701-2682467703-2982482402-1003\..Trusted Domains: microsoft.com ([support] http in Trusted sites)
O15 - HKU\S-1-5-21-917453701-2682467703-2982482402-1003\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/Facebo...toUploader5.cab (Facebook Photo Uploader 5)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/5/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB (PogoWebLauncher Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Reg Error: Key error.)
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab (Kodak Gallery Easy Upload Manager Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} http://games.bigfishgames.com/en_mysteryso...mesLauncher.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://www.popcap.com/webgames/popcaploader_v10.cab (PopCapLoader Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...698/mcfscan.cab (McFreeScan Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\iEvony\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/31 13:22:47 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/06/17 15:33:41 | 00,000,079 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{a4dcdffd-d03b-11da-830f-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{a4dcdffd-d03b-11da-830f-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a4dcdffd-d03b-11da-830f-806d6172696f}\Shell\AutoRun\command - "" = D:\CDStart.Exe -- [2005/09/23 18:37:21 | 00,161,392 | R--- | M] (Symantec Corporation)
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/08/21 18:05:11 | 00,288,768 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.exe
[2009/08/21 18:03:21 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/08/14 20:26:37 | 00,000,313 | ---- | C] () -- C:\WINDOWS\is-M3I14.lst
[2009/08/14 20:26:36 | 00,010,194 | ---- | C] () -- C:\WINDOWS\is-M3I14.msg
[2009/08/14 20:26:33 | 00,775,168 | ---- | C] () -- C:\WINDOWS\is-M3I14.exe
[2009/08/14 20:23:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/08/14 20:23:23 | 01,563,008 | ---- | C] (Webroot Software, Inc.) -- C:\WINDOWS\WRSetup.dll
[2009/08/14 20:22:35 | 00,000,164 | ---- | C] () -- C:\WINDOWS\install.dat
[2009/08/13 14:16:53 | 00,000,000 | ---D | C] -- C:\Program Files\RamBooster 2.0
[2009/08/12 21:02:10 | 00,128,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dhtmled.ocx
[2009/08/12 20:59:49 | 01,315,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msoe.dll
[2009/08/07 20:44:13 | 00,001,745 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2009/08/05 08:21:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2009/08/05 08:21:01 | 00,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/05 08:20:55 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/05 08:20:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/08/05 08:20:52 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/08/05 08:20:50 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/08/05 02:01:48 | 00,204,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mswebdvd.dll
[2009/08/04 21:45:30 | 00,001,613 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/08/04 20:34:49 | 00,000,000 | ---D | C] -- C:\Program Files\ToniArts
[2009/08/04 16:52:18 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/08/04 16:52:17 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/08/04 16:52:17 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/08/04 16:52:17 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/08/04 16:38:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\McAfee.com
[2009/08/03 23:18:35 | 00,000,508 | ---- | C] () -- C:\WINDOWS\tasks\Scheduled scanning task.job
[2009/08/03 23:17:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\F-Secure
[2009/08/03 23:09:30 | 00,033,920 | ---- | C] () -- C:\WINDOWS\System32\drivers\fsbts.sys
[2009/08/03 23:08:40 | 00,079,872 | ---- | C] (F-Secure Corporation) -- C:\WINDOWS\System32\drivers\fsdfw.sys
[2009/08/03 23:05:56 | 00,000,000 | ---D | C] -- C:\Program Files\Shaw Secure
[2009/08/03 23:05:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\fssg
[2009/08/03 23:04:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\f-secure
[2009/01/14 10:18:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2009/01/03 12:18:29 | 00,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2008/10/21 23:16:00 | 00,000,067 | ---- | C] () -- C:\WINDOWS\swupdate.ini
[2008/07/07 11:41:11 | 00,000,416 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2008/02/04 18:23:10 | 00,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2008/01/23 11:39:40 | 00,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/09/19 18:22:48 | 00,000,000 | ---- | C] () -- C:\WINDOWS\CeEKey.INI
[2007/08/23 17:59:13 | 00,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2006/10/30 02:00:00 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\besched.dll
[2006/10/21 20:35:12 | 00,000,227 | ---- | C] () -- C:\WINDOWS\HP_CounterReport_Update_HPSU.ini
[2006/10/21 20:08:59 | 00,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/05/31 07:06:41 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/05/18 22:45:47 | 00,000,000 | ---- | C] () -- C:\WINDOWS\TPTray.INI
[2006/05/18 15:06:16 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\TosBthSupport.dll
[2006/04/20 17:07:53 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/04/20 00:04:00 | 00,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2006/04/20 00:04:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2006/04/20 00:04:00 | 00,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2006/04/20 00:04:00 | 00,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2006/04/20 00:03:26 | 00,006,528 | ---- | C] () -- C:\WINDOWS\System32\drivers\Tbiosdrv.sys
[2005/08/31 18:54:36 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/08/31 17:14:34 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/08/31 17:06:42 | 00,051,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\WOWXT_kern_i386.sys
[2005/08/31 17:06:42 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2005/08/31 17:04:30 | 00,000,324 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/08/31 17:02:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2005/08/31 17:01:17 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/08/31 17:01:17 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/08/31 17:01:17 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/08/31 17:01:17 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/08/31 17:01:17 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/08/31 17:01:17 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/08/31 16:53:26 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\EBLib.DLL
[2005/08/31 16:51:44 | 00,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2005/08/31 13:27:03 | 00,000,831 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/08/31 12:50:49 | 00,002,392 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/08/31 12:50:28 | 00,000,845 | ---- | C] () -- C:\WINDOWS\win.ini
[2005/08/31 12:50:26 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2005/08/10 19:02:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/02 10:39:44 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\HWS_Ctrl.dll
[2005/06/13 09:11:00 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2005/06/06 09:44:18 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\SPCtl.dll
[2005/06/06 09:39:40 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\EKECioCtl.dll
[2005/06/04 10:22:06 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\TPeculiarity.dll
[2005/04/27 11:38:00 | 00,372,736 | ---- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[2005/04/27 11:37:49 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2003/10/02 02:00:00 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2003/10/02 02:00:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll

========== Files - Modified Within 30 Days ==========

[2009/08/21 18:03:22 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/08/21 16:27:51 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/08/21 05:27:09 | 00,000,508 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled scanning task.job
[2009/08/17 20:28:01 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/08/17 10:36:30 | 00,288,768 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.exe
[2009/08/16 21:19:55 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/14 20:30:20 | 00,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/08/14 20:26:37 | 00,010,194 | ---- | M] () -- C:\WINDOWS\is-M3I14.msg
[2009/08/14 20:26:37 | 00,000,845 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/08/14 20:26:37 | 00,000,313 | ---- | M] () -- C:\WINDOWS\is-M3I14.lst
[2009/08/14 20:26:36 | 00,775,168 | ---- | M] () -- C:\WINDOWS\is-M3I14.exe
[2009/08/14 20:22:39 | 00,000,164 | ---- | M] () -- C:\WINDOWS\install.dat
[2009/08/14 19:18:32 | 00,002,838 | ---- | M] () -- C:\WINDOWS\machine.ver
[2009/08/14 19:12:04 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/14 19:12:01 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/14 19:11:59 | 52,689,7152 | -HS- | M] () -- C:\hiberfil.sys
[2009/08/13 15:32:54 | 00,001,559 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
[2009/08/09 13:40:58 | 00,000,831 | ---- | M] () -- C:\WINDOWS\orun32.ini
[2009/08/08 13:12:59 | 00,238,592 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/07 20:44:13 | 00,001,745 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2009/08/05 08:21:01 | 00,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/05 02:01:48 | 00,204,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mswebdvd.dll
[2009/08/05 02:01:48 | 00,204,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mswebdvd.dll
[2009/08/04 21:45:30 | 00,001,613 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/08/04 16:51:49 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/08/04 16:51:49 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/08/04 16:51:49 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/08/04 16:51:48 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/08/04 16:51:44 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/08/03 23:35:55 | 00,033,920 | ---- | M] () -- C:\WINDOWS\System32\drivers\fsbts.sys
[2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/07/29 17:49:14 | 24,281,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/07/27 15:27:12 | 00,128,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dhtmled.ocx

========== Alternate Data Streams ==========

@Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BF1DFF11
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4DBBB4EA
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3BF63E4A
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:81653DC8
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:55F44B88
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:565A6F90
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DD9E1B63
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9ACB70D7
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EC2381A4
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:98DFF516
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2F943019
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:89A5891E
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:71FA8B7F
@Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B4980368
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:70E897B5
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1713795
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:918B7566
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:316EAAE9
@Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0AC32449
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:38FC7C60
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5EC637CB
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9A524EE6
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4EFDF5FB
< End of report >





GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-21 20:10:49
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwCreateProcess [0xAA11DC44]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwCreateProcessEx [0xAA11DC5E]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwCreateThread [0xAA11CE02]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwLoadDriver [0xAA11D12A]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwMapViewOfSection [0xAA11CB4E]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwOpenSection [0xAA11D55C]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwRenameKey [0xAA11E7FA]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwSetSystemInformation [0xAA11D3AC]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwSuspendProcess [0xAA11C9D4]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwSuspendThread [0xAA11CE36]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwSystemDebugControl [0xAA11CFB0]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwTerminateProcess [0xAA11C934]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwTerminateThread [0xAA11CA8A]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwWriteVirtualMemory [0xAA11CEFA]

Code fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) IoCreateDevice

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 34C 804E29A8 1 Byte [FA]
.text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 12 Bytes [D4, C9, 11, AA, 36, CE, 11, ...]
PAGE ntoskrnl.exe!IoCreateDevice 8059FA61 5 Bytes JMP F83D9FC6 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisRegisterProtocol F83AA17F 5 Bytes JMP F83D9DD8 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisOpenAdapter F83AA399 5 Bytes JMP F83DA360 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisCloseAdapter F83B4642 5 Bytes JMP F83D9EE4 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisDeregisterProtocol F83B4821 5 Bytes JMP F83DA17C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisReturnPackets F83B7810 5 Bytes JMP F83DABD8 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisRequest F83B797B 5 Bytes JMP F83DA578 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSend F83BA986 5 Bytes JMP F83DB558 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSendPackets F83BA9A3 5 Bytes JMP F83DB62A fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisTransferData F83BA9BE 5 Bytes JMP F83DACD6 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoCreateVc F83C1186 5 Bytes JMP F83D9E42 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoDeleteVc F83C2557 5 Bytes JMP F83D9EB0 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoSendPackets F83C2AF1 5 Bytes JMP F83DB342 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2792] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2792] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2792] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2792] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2792] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2792] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2792] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2792] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2792] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2792] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2792] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2792] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2792] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2792] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[2792] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_Disk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_CdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \Driver\Tcpip \Device\Ip fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\Tcp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\Udp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\RawIp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\IPMULTICAST fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV\EncryptedDirectories@
Reg HKLM\SYSTEM\ControlSet003\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\ControlSet003\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\ControlSet003\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\ControlSet003\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\ControlSet003\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
Reg HKLM\SYSTEM\ControlSet003\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\ControlSet003\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\ControlSet003\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\ControlSet003\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\ControlSet003\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\ControlSet003\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\ControlSet003\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\ControlSet003\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\ControlSet003\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3DD18493-9C1B-DEA2-34B0-51E17CDA3EAF}

---- EOF - GMER 1.0.15 ----

Attached Files



#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:27 AM

Posted 22 August 2009 - 11:37 AM

Well the good news is that I'm not seeing any indication of an active malware infection. So I'm not ruling out that malware is causing your slowdown, but it seems unlikely based on what I'm seeing in your logs.

Actually I suspect that Shaw may be the source of your problem. You stated in your first post that you downloaded Shaw in response to a malware infection that you had and then the computer remained slow. Shaw is a very resource intensive program. In your log I count 15 separate processes running in the background that are related to Shaw. You don't have a lot of memory installed on this computer and I think it's just eating it up. I would recommend that you uninstall Shaw completely and install the free version of Avast, which is known to be very light on the resources.

http://www.avast.com/eng/download-avast-home.html


I do see a few things in your log that we can clean up for you as well. Please post a hijackthis log and I'll review it and get back to you.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 santegelo

santegelo
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:27 AM

Posted 22 August 2009 - 03:47 PM

I was running Symantec corporate, but that is when we had the Vundo and several other malware on the computer, so something went wrong with it. I removed it (though I still see alot of symantec entries on those logs) and installed Shaw Secure. We used to run Norton 360 and didn't notice a slowdown even though it's a large program as well. The slowdown started, then I did a scan with Malwarebytes and found the malware. Removed it, used Symantec vundo fix and came up clean (so far as I could find) though the speed never increased. Nothing else has really changed recently. I have removed shaw secure and installed Avast, we'll see what happens now. Here is a new Hijack this log as well.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:02 PM, on 8/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\TOSHIBA\ivp\ISM\pinger.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Playskool\MADE FOR ME Software\HbDetect.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {2D494010-D487-4CB8-9FA1-027EF00A70D1} - (no file)
O2 - BHO: (no name) - {425EAFDA-D13C-45F5-A7C6-1AFCDA41851E} - (no file)
O2 - BHO: (no name) - {439D0C1E-C88D-4649-90DF-537278C20329} - (no file)
O2 - BHO: {0ed4da0b-d263-eeda-f564-624106da85c4} - {4c58ad60-1426-465f-adee-362db0ad4de0} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6381DF95-EB5F-4B9E-A5A2-94EE8FD8A14E} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [HbDetect.exe] C:\Program Files\Playskool\MADE FOR ME Software\HbDetect.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GoogleT5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Zango 10.3.35.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.gameshed.com/freegames/5819/"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - http://games.bigfishgames.com/en_mysteryso...mesLauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...698/mcfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\iEvony\Skype4COM.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9466 bytes

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:27 AM

Posted 22 August 2009 - 05:35 PM

What we're going to do now is to clean up some remnants left behind and also eliminate some programs that you have running automatically at startup. This won't affect those programs at all, but it will keep them from running unnecessarily in the background.

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {2D494010-D487-4CB8-9FA1-027EF00A70D1} - (no file)
O2 - BHO: (no name) - {425EAFDA-D13C-45F5-A7C6-1AFCDA41851E} - (no file)
O2 - BHO: (no name) - {439D0C1E-C88D-4649-90DF-537278C20329} - (no file)
O2 - BHO: {0ed4da0b-d263-eeda-f564-624106da85c4} - {4c58ad60-1426-465f-adee-362db0ad4de0} - (no file)
O2 - BHO: (no name) - {6381DF95-EB5F-4B9E-A5A2-94EE8FD8A14E} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [HbDetect.exe] C:\Program Files\Playskool\MADE FOR ME Software\HbDetect.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GoogleT5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Zango 10.3.35.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.gameshed.com/freegames/5819/"
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)



Reboot your computer and post a new hijackthis log.
Let me know how your computer is behaving now.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 santegelo

santegelo
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:27 AM

Posted 22 August 2009 - 11:00 PM

Hi Sam,

It seems to be running better since removing Shaw Secure. Thank goodness, still not 100% as quick as it used to be, but at least it isn't freezing up just trying to open the start menu. I did as you suggested in Hijack this and have a new log for your review. Again, I really appreciate your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:35 PM, on 8/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\TOSHIBA\ivp\ISM\ivpsvmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - http://games.bigfishgames.com/en_mysteryso...mesLauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...698/mcfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\iEvony\Skype4COM.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7923 bytes

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:27 AM

Posted 23 August 2009 - 08:44 AM

Your log looks very good to me. Check out this link for some other suggestions for a slow computer.

http://users.telenet.be/bluepatchy/miekiem...owcomputer.html
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users