IE browser hijack / redirect; can't remove w/ HijackThis


This topic is locked
43 replies to this topic

#1 kingsalami (Members, 24 posts)

Posted 11 August 2009 - 05:59 PM

I'm sure you guys have seen this before, but I've got a nasty browser hijacker that I've tried to delete w/ HijackThis, but it keeps replicating. I've deleted the host files numerous times, but they always pop right back up. It's really slowing down my IE browser & periodically redirects Google searches to :
hxxp://2popcorn.net/search.php?s=1&q=DcPBDYAgDADAN1swAWkL1HYcNJX0IwkSXV8vue5zRL_u5b2tMeO0x-0NEOwgrtCYdsqmUE_eCiAIqihnoyCaqEhC_ot8&pe=0
How do I kill it? Thanks in advance for the help!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:55:47 PM, on 8/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Applications\Spyware\HiJackThis.exe

O1 - Hosts: 74.125.45.100 test1111.com
O1 - Hosts: 74.125.45.100 test1112.com
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 89.248.168.188 google.ae
O1 - Hosts: 89.248.168.188 google.as
O1 - Hosts: 89.248.168.188 google.at
O1 - Hosts: 89.248.168.188 google.az
O1 - Hosts: 89.248.168.188 google.ba
O1 - Hosts: 89.248.168.188 google.be
O1 - Hosts: 89.248.168.188 google.bg
O1 - Hosts: 89.248.168.188 google.bs
O1 - Hosts: 89.248.168.188 google.ca
O1 - Hosts: 89.248.168.188 google.cd
O1 - Hosts: 89.248.168.188 google.com.gh
O1 - Hosts: 89.248.168.188 google.com.hk
O1 - Hosts: 89.248.168.188 google.com.jm
O1 - Hosts: 89.248.168.188 google.com.mx
O1 - Hosts: 89.248.168.188 google.com.my
O1 - Hosts: 89.248.168.188 google.com.na
O1 - Hosts: 89.248.168.188 google.com.nf
O1 - Hosts: 89.248.168.188 google.com.ng
O1 - Hosts: 89.248.168.188 google.ch
O1 - Hosts: 89.248.168.188 google.com.np
O1 - Hosts: 89.248.168.188 google.com.pr
O1 - Hosts: 89.248.168.188 google.com.qa
O1 - Hosts: 89.248.168.188 google.com.sg
O1 - Hosts: 89.248.168.188 google.com.tj
O1 - Hosts: 89.248.168.188 google.com.tw
O1 - Hosts: 89.248.168.188 google.dj
O1 - Hosts: 89.248.168.188 google.de
O1 - Hosts: 89.248.168.188 google.dk
O1 - Hosts: 89.248.168.188 google.dm
O1 - Hosts: 89.248.168.188 google.ee
O1 - Hosts: 89.248.168.188 google.fi
O1 - Hosts: 89.248.168.188 google.fm
O1 - Hosts: 89.248.168.188 google.fr
O1 - Hosts: 89.248.168.188 google.ge
O1 - Hosts: 89.248.168.188 google.gg
O1 - Hosts: 89.248.168.188 google.gm
O1 - Hosts: 89.248.168.188 google.gr
O1 - Hosts: 89.248.168.188 google.ht
O1 - Hosts: 89.248.168.188 google.ie
O1 - Hosts: 89.248.168.188 google.im
O1 - Hosts: 89.248.168.188 google.in
O1 - Hosts: 89.248.168.188 google.it
O1 - Hosts: 89.248.168.188 google.ki
O1 - Hosts: 89.248.168.188 google.la
O1 - Hosts: 89.248.168.188 google.li
O1 - Hosts: 89.248.168.188 google.lv
O1 - Hosts: 89.248.168.188 google.ma
O1 - Hosts: 89.248.168.188 google.ms
O1 - Hosts: 89.248.168.188 google.mu
O1 - Hosts: 89.248.168.188 google.mw
O1 - Hosts: 89.248.168.188 google.nl
O1 - Hosts: 89.248.168.188 google.no
O1 - Hosts: 89.248.168.188 google.nr
O1 - Hosts: 89.248.168.188 google.nu
O1 - Hosts: 89.248.168.188 google.pl
O1 - Hosts: 89.248.168.188 google.pn
O1 - Hosts: 89.248.168.188 google.pt
O1 - Hosts: 89.248.168.188 google.ro
O1 - Hosts: 89.248.168.188 google.ru
O1 - Hosts: 89.248.168.188 google.rw
O1 - Hosts: 89.248.168.188 google.sc
O1 - Hosts: 89.248.168.188 google.se
O1 - Hosts: 89.248.168.188 google.sh
O1 - Hosts: 89.248.168.188 google.si
O1 - Hosts: 89.248.168.188 google.sm
O1 - Hosts: 89.248.168.188 google.sn
O1 - Hosts: 89.248.168.188 google.st
O1 - Hosts: 89.248.168.188 google.tl
O1 - Hosts: 89.248.168.188 google.tm
O1 - Hosts: 89.248.168.188 google.tt
O1 - Hosts: 89.248.168.188 google.us
O1 - Hosts: 89.248.168.188 google.vu
O1 - Hosts: 89.248.168.188 google.ws
O1 - Hosts: 89.248.168.188 google.co.ck
O1 - Hosts: 89.248.168.188 google.co.id
O1 - Hosts: 89.248.168.188 google.co.il
O1 - Hosts: 89.248.168.188 google.co.in
O1 - Hosts: 89.248.168.188 google.co.jp
O1 - Hosts: 89.248.168.188 google.co.kr
O1 - Hosts: 89.248.168.188 google.co.ls
O1 - Hosts: 89.248.168.188 google.co.ma
O1 - Hosts: 89.248.168.188 google.co.nz
O1 - Hosts: 89.248.168.188 google.co.tz
O1 - Hosts: 89.248.168.188 google.co.ug
O1 - Hosts: 89.248.168.188 google.co.uk
O1 - Hosts: 89.248.168.188 google.co.za
O1 - Hosts: 89.248.168.188 google.co.zm
O1 - Hosts: 89.248.168.188 google.com
O1 - Hosts: 89.248.168.188 google.com.af
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {1AF2568B-8097-4601-8E1E-E202598938EA} (STWarsControl Object) - http://www.xgenstudios.com/space-trader-wars/stwars-ocx.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.1.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1219528906125
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/famil.../familyfeud.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Update Service (gupdate1c98b1538c39c4c) (gupdate1c98b1538c39c4c) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O24 - Desktop Component 0: (no name) - http://a2.cdn.gaiaonline.com/gaia/members/...9736191_6.00_11
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Nick/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg
O24 - Desktop Component 2: (no name) - http://www.pawngame.com/images/bg_main.gif

--
End of file - 10121 bytes

Edited by Orange Blossom, 11 August 2009 - 06:26 PM.
Deactivate link. ~ OB
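The O1 entries in the log above are the whole mechanism of the redirect: the hosts file maps a long list of google.* country domains to one address and a set of rogue-antivirus purchase domains to another, so Internet Explorer never asks DNS for those names. As an added example that is not part of the thread or of HijackThis, the script below parses O1 lines and separates sinkholing (loopback or 0.0.0.0, which blocks a name) from redirecting (a routable address, which is the hijack), and also reports any routable address that several names share. The sample lines are constructed: O1 entries copied from the posted log, the single entry a stock Windows XP hosts file carries, an ad-block style 0.0.0.0 entry and one non-O1 line; the search-engine pattern and the cluster threshold are this example's assumptions.

```python
"""Triage HijackThis 'O1 - Hosts:' entries for hosts-file hijacking.

Added example, not code from the thread or from HijackThis. The sample
lines are constructed: O1 entries copied from the log above, the one entry
a stock Windows XP hosts file carries, an ad-block style 0.0.0.0 entry and
one non-O1 line so the parser has something to skip. The search-engine
name pattern and the cluster threshold are this example's assumptions.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_HJT_LINES = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 0.0.0.0 ads.example.net
O1 - Hosts: 74.125.45.100 test1111.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 89.248.168.188 google.com
O1 - Hosts: 89.248.168.188 google.co.uk
O1 - Hosts: 89.248.168.188 google.de
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
""".splitlines()

O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
# google.com, google.co.uk, google.com.af, www.bing.com ... (assumed pattern)
SEARCH_ENGINE_RE = re.compile(r"^(www\.)?(google|bing|yahoo)(\.[a-z]{2,3}){1,2}$")
# The only line a clean Windows XP hosts file needs.
STOCK_XP_HOSTS = {("127.0.0.1", "localhost")}


def parse_o1(lines):
    """Yield (ip, hostname) for each O1 line; every other HJT line is skipped."""
    for line in lines:
        m = O1_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("host").lower()


def is_sinkhole(ip_str):
    """Loopback or 0.0.0.0 blocks the name instead of redirecting it."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_loopback or ip.is_unspecified


def classify(ip_str, host):
    """expected | sinkhole | search_hijack | redirect | malformed."""
    if (ip_str, host) in STOCK_XP_HOSTS:
        return "expected"
    try:
        if is_sinkhole(ip_str):
            return "sinkhole"
    except ValueError:
        return "malformed"
    if SEARCH_ENGINE_RE.match(host):
        return "search_hijack"
    return "redirect"


def triage_o1(lines, cluster_threshold=3):
    """Classify every O1 entry and group the routable targets by address."""
    findings = defaultdict(list)
    by_ip = defaultdict(set)
    for ip, host in parse_o1(lines):
        kind = classify(ip, host)
        findings[kind].append((ip, host))
        if kind in ("search_hijack", "redirect"):
            by_ip[ip].add(host)
    # Several unrelated names pinned to one routable address is the shape of a
    # hijack even when none of the names is a search engine.
    findings["clusters"] = {ip: sorted(hosts) for ip, hosts in by_ip.items()
                            if len(hosts) >= cluster_threshold}
    return dict(findings)


def hijacked(lines):
    """True when any name is redirected to a routable address."""
    f = triage_o1(lines)
    return bool(f.get("search_hijack") or f.get("redirect"))


if __name__ == "__main__":
    for kind, entries in triage_o1(SAMPLE_HJT_LINES).items():
        print(kind, entries)
```

The parser tells you what is in the hosts file, not what wrote it. A hosts file that comes back after being cleaned, as the poster describes, means something still running on the machine rewrites it, so re-run the triage after each cleanup pass and treat a reappearing cluster as evidence that the component doing the writing survived.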



#2 kingsalami (Topic Starter, Members, 24 posts)

Posted 12 August 2009 - 05:42 PM

I'm sure you guys have seen this before, but I've got a nasty browser hijacker that I've tried to delete w/ HijackThis, but it keeps replicating. I've deleted the host files numerous times, but they always pop right back up. It's really slowing down my IE browser & periodically redirects Google searches to : hxxp://2popcorn.net/search.php?s=1&q=DcPBDYAgDADAN1swAWkL1HYcNJX0IwkSXV8vue5zRL_u5b2tMeO0x-0NEOwgrtCYdsqmUE_eCiAIqihnoyCaqEhC_ot8&pe=0

Thanks for your help!!

DSS log:
Run by Nick at 17:35:27.39 on Wed 08/12/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1013.537 [GMT -5:00]

AV: Windows Security Suite *On-access scanning enabled* (Updated) {E99C6BFD-9304-44D2-96DE-74EB0C21272C}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Windows Security Suite *enabled* {517D8ED1-49D2-4371-8F09-B31B14DB4F20}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\S5WHQNGD\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page =
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1AF2568B-8097-4601-8E1E-E202598938EA} - hxxp://www.xgenstudios.com/space-trader-wars/stwars-ocx.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/IWONBarInitialSetup1.0.1.1.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1219528906125
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-16 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090415.048\NAVENG.SYS [2009-4-16 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090415.048\NAVEX15.SYS [2009-4-16 876144]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-8-29 1245064]
S2 gupdate1c98b1538c39c4c;Google Update Service (gupdate1c98b1538c39c4c);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0;c:\windows\system32\drivers\libusb0.sys [2008-2-18 33792]

=============== Created Last 30 ================

2009-08-12 05:12 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-09 16:17 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-09 16:17 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-09 16:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-07 11:06 <DIR> --d----- c:\program files\KingsIsle Entertainment
2009-07-31 00:18 <DIR> --d----- c:\docume~1\nick\applic~1\Unity
2009-07-30 23:55 <DIR> --d----- c:\program files\Unity
2009-07-28 18:29 <DIR> --d----- c:\docume~1\nick\applic~1\Malwarebytes
2009-07-28 18:29 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-07-28 00:19 <DIR> --d----- c:\docume~1\nick\applic~1\Ace
2009-07-28 00:17 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2009-07-28 00:17 81,768 a------- c:\windows\system32\xinput1_3.dll
2009-07-27 22:36 <DIR> --d----- c:\docume~1\nick\applic~1\GanymedeNet
2009-07-27 16:29 <DIR> --d----- c:\program files\Ganymede
2009-07-20 11:02 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\HermitWorks
2009-07-18 16:33 794,408 a------- c:\windows\system32\pbsvc[1].exe
2009-07-15 21:37 <DIR> --d----- c:\docume~1\nick\applic~1\Samsung
2009-07-15 21:35 174,592 a------- c:\windows\system32\framedyn.dll
2009-07-15 21:35 114,304 a------- c:\windows\system32\drivers\sscdmdm.sys
2009-07-15 21:35 87,936 a------- c:\windows\system32\drivers\sscdbus.sys
2009-07-15 21:35 14,976 a------- c:\windows\system32\drivers\sscdmdfl.sys
2009-07-15 21:35 12,160 a------- c:\windows\system32\drivers\sscdcmnt.sys
2009-07-15 21:35 12,160 a------- c:\windows\system32\drivers\sscdcm.sys
2009-07-15 21:35 12,160 a------- c:\windows\system32\drivers\sscdwhnt.sys
2009-07-15 21:35 12,160 a------- c:\windows\system32\drivers\sscdwh.sys
2009-07-15 21:34 <DIR> --d----- c:\windows\system32\Samsung_USB_Drivers
2009-07-15 21:34 766 a------- c:\windows\system32\Uninstall.ico
2009-07-15 21:34 5,632 a------- c:\windows\system32\drivers\StarOpen.sys
2009-07-15 21:33 <DIR> --d----- c:\program files\Samsung

==================== Find3M ====================

2009-08-05 04:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-27 22:25 34 a------- c:\documents and settings\nick\jagex_runescape_preferences.dat
2009-07-17 13:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-11 18:29 22,328 a------- c:\docume~1\nick\applic~1\PnkBstrK.sys
2009-06-26 11:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-26 11:18 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-12 06:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-05 02:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-03 14:27 1,290,752 a------- c:\windows\system32\quartz.dll

============= FINISH: 17:35:39.70 ===============

I just noticed as I posted this that I've been reinfected w/ Windows Security Suite, too. I removed it last week, but my kids must have "found" it again. I'm running Malwarebytes to try to get rid of it so I can concentrate on my other issue. (I'll be really glad when they're back in school & have no free time to find malware to inadvertently download!)

===========

Merged posts. ~ OB

Edited by Orange Blossom, 11 February 2013 - 05:39 AM.
Merged topics. ~ OB Deactivated link. ~ OB
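The DDS header in this post records two products both claiming on-access antivirus and firewall status in Security Center, and the process list shows a program running out of Temporary Internet Files. As an added example, not code from the thread or from the DDS tool, the script below pulls the cues a responder checks first out of a DDS log: Security Center products that are not on the list of what the owner installed, more than one on-access scanner, processes launched from user-writable paths, and services whose binary DDS could not verify (the trailing [?]). The excerpt is constructed from lines in the post; the trusted-product set and the path patterns are assumptions.

```python
"""Triage the Security Center header, process list and service list of a DDS log.

Added example, not part of the thread or of the DDS tool. The log excerpt
below is constructed from lines in the post above; the trusted-product set
and the user-writable path patterns are this example's own assumptions.
"""
import re
from collections import defaultdict

SAMPLE_DDS_LOG = r"""
AV: Windows Security Suite *On-access scanning enabled* (Updated) {E99C6BFD-9304-44D2-96DE-74EB0C21272C}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Windows Security Suite *enabled* {517D8ED1-49D2-4371-8F09-B31B14DB4F20}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\S5WHQNGD\dds[1].scr

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
S2 gupdate1c98b1538c39c4c;Google Update Service (gupdate1c98b1538c39c4c);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
"""

# "=== Section Name ===" banners that DDS uses to separate its report.
SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# Security Center registrations: AV:/FW:/AS: <product> *<state>* [(Updated)] {GUID}
SECCENTER_RE = re.compile(
    r"^(?P<kind>AV|FW|AS):\s+(?P<name>.+?)\s+\*(?P<state>[^*]+)\*"
    r"(?:\s+\((?P<updated>[^)]+)\))?\s+\{(?P<guid>[0-9A-Fa-f-]+)\}$")
# Service lines: <start type> <service>;<display name>;<image path> [date size] or [?]
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# Directories any user can write to (assumed list; extend for the profile layout in use).
USER_WRITABLE_RE = re.compile(
    r"\\(local settings|temporary internet files|temp|application data)\\", re.I)


def split_sections(text):
    """Return {section name (lower-case): [non-blank lines]}; the preamble is 'header'."""
    sections, current = defaultdict(list), "header"
    for line in text.splitlines():
        banner = SECTION_RE.match(line.strip())
        if banner:
            current = banner.group("name").lower()
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections


def security_center_products(lines):
    """Parse every AV:/FW:/AS: line into a dict of its fields."""
    return [m.groupdict() for m in map(SECCENTER_RE.match, lines) if m]


def triage_dds(text, trusted_products):
    """Pull the first-look cues out of a DDS log."""
    sections = split_sections(text)
    products = security_center_products(sections["header"])
    on_access_av = [p["name"] for p in products
                    if p["kind"] == "AV" and "on-access scanning enabled" in p["state"].lower()]
    unknown = sorted({p["name"] for p in products if p["name"] not in trusted_products})
    from_user_writable = [l for l in sections["running processes"] if USER_WRITABLE_RE.search(l)]
    unverified = [m.group("svc") for m in map(SERVICE_RE.match, sections["services / drivers"])
                  if m and m.group("rest").rstrip().endswith("[?]")]
    return {
        "unknown_security_products": unknown,
        "on_access_av": on_access_av,
        "av_conflict": len(on_access_av) > 1,
        "processes_from_user_writable": from_user_writable,
        "unverified_services": unverified,
    }


if __name__ == "__main__":
    for key, value in triage_dds(SAMPLE_DDS_LOG, {"Norton Internet Security"}).items():
        print(f"{key}: {value}")
```

The user-writable-path cue needs a human behind it: dds[1].scr in Temporary Internet Files is the DDS tool itself, run straight from the browser instead of being saved to the desktop first as the helper later asks, and the heuristic flags it all the same. Treat each hit as something to identify, not as a verdict.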


#3 thcbytes (Malware Response Team, 14,790 posts)

Posted 23 August 2009 - 02:17 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#4 kingsalami (Topic Starter, Members, 24 posts)

Posted 23 August 2009 - 02:58 PM

Thanks in advance for the assistance!! This is one tough cookie - I haven't seen a resolution in any of the 4 or 5 cases I've been following in other forums.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Nick at 14:47:35.67 on Sun 08/23/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1013.519 [GMT -5:00]

AV: Windows Security Suite *On-access scanning enabled* (Updated) {E99C6BFD-9304-44D2-96DE-74EB0C21272C}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Windows Security Suite *enabled* {517D8ED1-49D2-4371-8F09-B31B14DB4F20}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; 8868082903; MSN OptimizedIE8;ENUS)" -"http://www.miniclip.com/games/alien-hive/en/"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} - hxxp://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1219528906125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-16 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090415.048\NAVENG.SYS [2009-4-16 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090415.048\NAVEX15.SYS [2009-4-16 876144]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-8-29 1245064]
S2 gupdate1c98b1538c39c4c;Google Update Service (gupdate1c98b1538c39c4c);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0;c:\windows\system32\drivers\libusb0.sys [2008-2-18 33792]

=============== Created Last 30 ================

2009-08-22 07:32 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Blizzard
2009-08-18 18:46 <DIR> --d----- c:\windows\ie8updates
2009-08-18 18:44 <DIR> -cd-h--- c:\windows\ie8
2009-08-18 16:17 <DIR> --dsh--- c:\documents and settings\nick\IECompatCache
2009-08-18 16:17 <DIR> --dsh--- c:\documents and settings\nick\PrivacIE
2009-08-18 16:15 <DIR> --dsh--- c:\documents and settings\nick\IETldCache
2009-08-18 15:33 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-08-18 15:32 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-08-18 15:32 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-08-18 15:32 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-08-18 15:31 <DIR> --d----- C:\d951c5cdef1c7633b4be
2009-08-12 05:12 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-09 16:17 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-09 16:17 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-09 16:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-07 11:06 <DIR> --d----- c:\program files\KingsIsle Entertainment
2009-07-31 00:18 <DIR> --d----- c:\docume~1\nick\applic~1\Unity
2009-07-30 23:55 <DIR> --d----- c:\program files\Unity
2009-07-28 18:29 <DIR> --d----- c:\docume~1\nick\applic~1\Malwarebytes
2009-07-28 18:29 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-07-28 00:19 <DIR> --d----- c:\docume~1\nick\applic~1\Ace
2009-07-28 00:17 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2009-07-28 00:17 81,768 a------- c:\windows\system32\xinput1_3.dll
2009-07-27 22:36 <DIR> --d----- c:\docume~1\nick\applic~1\GanymedeNet
2009-07-27 16:29 <DIR> --d----- c:\program files\Ganymede

==================== Find3M ====================

2009-08-05 04:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-27 22:25 34 a------- c:\documents and settings\nick\jagex_runescape_preferences.dat
2009-07-18 16:33 794,408 a------- c:\windows\system32\pbsvc[1].exe
2009-07-17 13:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-11 18:29 22,328 a------- c:\docume~1\nick\applic~1\PnkBstrK.sys
2009-07-03 12:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 03:17 729,600 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:17 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:17 168,448 a------- c:\windows\system32\schannel.dll
2009-06-25 03:17 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:17 59,392 a------- c:\windows\system32\wdigest.dll
2009-06-25 03:17 56,320 a------- c:\windows\system32\secur32.dll
2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-12 06:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-05 02:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-03 14:27 1,290,752 a------- c:\windows\system32\quartz.dll

============= FINISH: 14:48:12.65 ===============

On a side note, I thought I got rid of Windows Security Suite. It appears there are still remnants on my machine. Any tips on a final solution? I'm pretty much positive it's not responsible for the redirects.

#5 syler
  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:45 AM

Posted 26 August 2009 - 07:44 PM

Hello kingsalami,

My name is Syler, and I will be helping you to solve your malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to, and follow all the steps I give you, in order.
  • Copy and paste all logs requested in your reply. Do not attach them unless asked to.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

Your antivirus appears to be outdated. If this is the case, please update it, or uninstall it and install a free antivirus.
  • Download and install an antivirus program, and make sure that you keep it updated.
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Two good antivirus programs free for non-commercial home use are Avast! and Antivir.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection, as well as impairing the performance of your PC.

Next

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Then please post back here with the following:
  • MBAM log
  • log.txt
  • info.txt
Thanks

#6 kingsalami

  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:07:45 PM

Posted 29 August 2009 - 11:11 AM

BTW, Avast found/deleted a few trojans my expired Norton missed. Sorry for the delay in posting my logs; I've been out of town this week.

Malwarebytes' Anti-Malware 1.40
Database version: 2712
Windows 5.1.2600 Service Pack 2

8/29/2009 10:32:03 AM
mbam-log-2009-08-29 (10-32-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 214992
Time elapsed: 1 hour(s), 20 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of random's system information tool 1.06 (written by random/random)
Run by Nick at 2009-08-29 11:01:40
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 167 GB (71%) free of 235 GB
Total RAM: 1013 MB (48% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:54 AM, on 8/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Documents and Settings\Nick\Desktop\RSIT.exe
C:\Applications\Spyware\Nick.exe

O1 - Hosts: 74.125.45.100 test1111.com
O1 - Hosts: 74.125.45.100 test1112.com
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 89.248.168.188 google.ae
O1 - Hosts: 89.248.168.188 google.as
O1 - Hosts: 89.248.168.188 google.at
O1 - Hosts: 89.248.168.188 google.az
O1 - Hosts: 89.248.168.188 google.ba
O1 - Hosts: 89.248.168.188 google.be
O1 - Hosts: 89.248.168.188 google.bg
O1 - Hosts: 89.248.168.188 google.bs
O1 - Hosts: 89.248.168.188 google.ca
O1 - Hosts: 89.248.168.188 google.cd
O1 - Hosts: 89.248.168.188 google.com.gh
O1 - Hosts: 89.248.168.188 google.com.hk
O1 - Hosts: 89.248.168.188 google.com.jm
O1 - Hosts: 89.248.168.188 google.com.mx
O1 - Hosts: 89.248.168.188 google.com.my
O1 - Hosts: 89.248.168.188 google.com.na
O1 - Hosts: 89.248.168.188 google.com.nf
O1 - Hosts: 89.248.168.188 google.com.ng
O1 - Hosts: 89.248.168.188 google.ch
O1 - Hosts: 89.248.168.188 google.com.np
O1 - Hosts: 89.248.168.188 google.com.pr
O1 - Hosts: 89.248.168.188 google.com.qa
O1 - Hosts: 89.248.168.188 google.com.sg
O1 - Hosts: 89.248.168.188 google.com.tj
O1 - Hosts: 89.248.168.188 google.com.tw
O1 - Hosts: 89.248.168.188 google.dj
O1 - Hosts: 89.248.168.188 google.de
O1 - Hosts: 89.248.168.188 google.dk
O1 - Hosts: 89.248.168.188 google.dm
O1 - Hosts: 89.248.168.188 google.ee
O1 - Hosts: 89.248.168.188 google.fi
O1 - Hosts: 89.248.168.188 google.fm
O1 - Hosts: 89.248.168.188 google.fr
O1 - Hosts: 89.248.168.188 google.ge
O1 - Hosts: 89.248.168.188 google.gg
O1 - Hosts: 89.248.168.188 google.gm
O1 - Hosts: 89.248.168.188 google.gr
O1 - Hosts: 89.248.168.188 google.ht
O1 - Hosts: 89.248.168.188 google.ie
O1 - Hosts: 89.248.168.188 google.im
O1 - Hosts: 89.248.168.188 google.in
O1 - Hosts: 89.248.168.188 google.it
O1 - Hosts: 89.248.168.188 google.ki
O1 - Hosts: 89.248.168.188 google.la
O1 - Hosts: 89.248.168.188 google.li
O1 - Hosts: 89.248.168.188 google.lv
O1 - Hosts: 89.248.168.188 google.ma
O1 - Hosts: 89.248.168.188 google.ms
O1 - Hosts: 89.248.168.188 google.mu
O1 - Hosts: 89.248.168.188 google.mw
O1 - Hosts: 89.248.168.188 google.nl
O1 - Hosts: 89.248.168.188 google.no
O1 - Hosts: 89.248.168.188 google.nr
O1 - Hosts: 89.248.168.188 google.nu
O1 - Hosts: 89.248.168.188 google.pl
O1 - Hosts: 89.248.168.188 google.pn
O1 - Hosts: 89.248.168.188 google.pt
O1 - Hosts: 89.248.168.188 google.ro
O1 - Hosts: 89.248.168.188 google.ru
O1 - Hosts: 89.248.168.188 google.rw
O1 - Hosts: 89.248.168.188 google.sc
O1 - Hosts: 89.248.168.188 google.se
O1 - Hosts: 89.248.168.188 google.sh
O1 - Hosts: 89.248.168.188 google.si
O1 - Hosts: 89.248.168.188 google.sm
O1 - Hosts: 89.248.168.188 google.sn
O1 - Hosts: 89.248.168.188 google.st
O1 - Hosts: 89.248.168.188 google.tl
O1 - Hosts: 89.248.168.188 google.tm
O1 - Hosts: 89.248.168.188 google.tt
O1 - Hosts: 89.248.168.188 google.us
O1 - Hosts: 89.248.168.188 google.vu
O1 - Hosts: 89.248.168.188 google.ws
O1 - Hosts: 89.248.168.188 google.co.ck
O1 - Hosts: 89.248.168.188 google.co.id
O1 - Hosts: 89.248.168.188 google.co.il
O1 - Hosts: 89.248.168.188 google.co.in
O1 - Hosts: 89.248.168.188 google.co.jp
O1 - Hosts: 89.248.168.188 google.co.kr
O1 - Hosts: 89.248.168.188 google.co.ls
O1 - Hosts: 89.248.168.188 google.co.ma
O1 - Hosts: 89.248.168.188 google.co.nz
O1 - Hosts: 89.248.168.188 google.co.tz
O1 - Hosts: 89.248.168.188 google.co.ug
O1 - Hosts: 89.248.168.188 google.co.uk
O1 - Hosts: 89.248.168.188 google.co.za
O1 - Hosts: 89.248.168.188 google.co.zm
O1 - Hosts: 89.248.168.188 google.com
O1 - Hosts: 89.248.168.188 google.com.af
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} (AXIDMDCP Class) - http://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1219528906125
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Update Service (gupdate1c98b1538c39c4c) (gupdate1c98b1538c39c4c) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O24 - Desktop Component 0: (no name) - http://a2.cdn.gaiaonline.com/gaia/members/...9736191_6.00_11
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Nick/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg

--
End of file - 8748 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-10 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-10 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-11-10 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-04-16 142104]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-04-16 162584]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-04-16 138008]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-04-26 16132608]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-10 136600]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-08-03 419088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2005-05-11 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2009-08-14 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2005-05-11 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-04-16 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=
scecli

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\id Software\Enemy Territory - QUAKE Wars\etqw.exe"="C:\Program Files\id Software\Enemy Territory - QUAKE Wars\etqw.exe:*:Disabled:Enemy Territory - QUAKE Wars™"
"C:\Program Files\id Software\Enemy Territory - QUAKE Wars\etqwded.exe"="C:\Program Files\id Software\Enemy Territory - QUAKE Wars\etqwded.exe:*:Disabled:etqwded.exe"
"C:\Program Files\Sierra\FEAR\FEAR.exe"="C:\Program Files\Sierra\FEAR\FEAR.exe:*:Disabled:FEAR"
"C:\Program Files\Sierra\FEAR\FEARMP.exe"="C:\Program Files\Sierra\FEAR\FEARMP.exe:*:Disabled:FEARMP"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Disabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Disabled:PnkBstrB"
"C:\Documents and Settings\All Users.WINDOWS\Application Data\1f977ec\WI1f97.exe"="C:\Documents and Settings\All Users.WINDOWS\Application Data\1f977ec\WI1f97.exe:*:Disabled:Windows Security Suite"
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe"="C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb1472df-2735-11dd-8fa6-001d0991e8ca}]
shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fcb1bc6a-603f-11de-91d2-001d0991e8ca}]
shell\AutoRun\command - E:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2009-08-29 11:01:40 ----D---- C:\rsit
2009-08-29 09:05:45 ----D---- C:\WINDOWS\LastGood
2009-08-29 09:05:39 ----D---- C:\Program Files\Avira
2009-08-29 09:05:39 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2009-08-26 03:00:17 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$
2009-08-22 07:32:13 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Blizzard
2009-08-18 18:46:46 ----D---- C:\WINDOWS\ie8updates
2009-08-18 18:44:24 ----HDC---- C:\WINDOWS\ie8
2009-08-18 15:33:55 ----HD---- C:\WINDOWS\msdownld.tmp
2009-08-18 15:31:31 ----D---- C:\d951c5cdef1c7633b4be
2009-08-14 19:08:37 ----D---- C:\Program Files\QuickTime
2009-08-13 03:00:55 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-08-12 05:14:25 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-12 05:14:18 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-12 05:14:12 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-12 05:14:04 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-12 05:13:55 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9L$
2009-08-12 05:13:48 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-12 05:13:41 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-12 05:12:24 ----D---- C:\WINDOWS\ServicePackFiles
2009-08-12 05:12:22 ----HDC---- C:\WINDOWS\$NtUninstallKB958470$
2009-08-12 05:12:10 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-08-09 16:17:42 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-07 11:06:13 ----D---- C:\Program Files\KingsIsle Entertainment
2009-07-31 00:18:09 ----D---- C:\Documents and Settings\Nick\Application Data\Unity
2009-07-30 23:55:25 ----D---- C:\Program Files\Unity

======List of files/folders modified in the last 1 months======

2009-08-29 11:01:39 ----D---- C:\WINDOWS\Prefetch
2009-08-29 10:34:22 ----D---- C:\WINDOWS\system32\drivers
2009-08-29 09:51:31 ----D---- C:\Downloads
2009-08-29 09:30:05 ----D---- C:\Documents and Settings\Nick\Application Data\ZiggyGames
2009-08-29 09:10:00 ----D---- C:\Applications
2009-08-29 09:06:09 ----D---- C:\WINDOWS\Temp
2009-08-29 09:05:47 ----HD---- C:\WINDOWS\inf
2009-08-29 09:05:46 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-29 09:05:45 ----D---- C:\WINDOWS
2009-08-29 09:05:39 ----RD---- C:\Program Files
2009-08-29 09:04:28 ----SHD---- C:\WINDOWS\Installer
2009-08-29 09:04:28 ----HD---- C:\Config.Msi
2009-08-29 09:04:27 ----D---- C:\WINDOWS\WinSxS
2009-08-29 09:01:07 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-08-29 09:00:37 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-29 08:59:26 ----D---- C:\WINDOWS\system32
2009-08-29 08:58:42 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2009-08-29 08:58:37 ----D---- C:\Program Files\Common Files
2009-08-29 08:56:24 ----D---- C:\WINDOWS\system32\CatRoot
2009-08-29 08:56:09 ----SD---- C:\WINDOWS\Tasks
2009-08-28 16:14:03 ----D---- C:\Incomplete
2009-08-24 12:14:09 ----D---- C:\Documents and Settings\Nick\Application Data\U3
2009-08-22 23:53:43 ----D---- C:\Devin's Stuff
2009-08-21 18:42:04 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-08-18 18:48:02 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-18 18:48:02 ----D---- C:\WINDOWS\Help
2009-08-18 18:48:02 ----D---- C:\Program Files\Internet Explorer
2009-08-18 18:47:12 ----A---- C:\WINDOWS\imsins.BAK
2009-08-18 18:46:52 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-18 18:45:32 ----D---- C:\WINDOWS\WBEM
2009-08-18 18:45:32 ----D---- C:\WINDOWS\system32\en-us
2009-08-18 18:45:25 ----D---- C:\WINDOWS\Media
2009-08-12 05:13:43 ----D---- C:\Program Files\Outlook Express
2009-08-11 14:25:13 ----A---- C:\WINDOWS\win.ini
2009-08-09 16:11:14 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-08-07 11:06:12 ----HD---- C:\Program Files\InstallShield Installation Information
2009-08-05 04:11:47 ----A---- C:\WINDOWS\system32\mswebdvd.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2006-07-24 5632]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-07-28 55656]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-04-13 254872]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-04-16 5760096]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-05-02 4403712]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2005-10-25 27264]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
S3 grmnusb;grmnusb; C:\WINDOWS\system32\drivers\grmnusb.sys [2007-03-08 8320]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-03-07 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-03-07 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-03-07 21744]
S3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0; C:\WINDOWS\system32\DRIVERS\libusb0.sys [2008-02-18 33792]
S3 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\sscdbus.sys [2008-02-22 87936]
S3 sscdmdfl;SAMSUNG Mobile Modem Filter; C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys [2008-02-22 14976]
S3 sscdmdm;SAMSUNG Mobile Modem Drivers; C:\WINDOWS\system32\DRIVERS\sscdmdm.sys [2008-02-22 114304]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-10 152984]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S2 gupdate1c98b1538c39c4c;Google Update Service (gupdate1c98b1538c39c4c); C:\Program Files\Google\Update\GoogleUpdate.exe /svc []
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 Symantec Core LC;Symantec Core LC; C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [2008-08-29 1245064]
S3 Symantec RemoteAssist;Symantec RemoteAssist; C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe [2008-01-29 394704]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-12-02 74384]

-----------------EOF-----------------

Sansa Media Converter-->"C:\Program Files\InstallShield Installation Information\{FC053571-8507-44E4-8B6D-AACEAB8CA57C}\setup.exe" --u:{FC053571-8507-44E4-8B6D-AACEAB8CA57C}
-->"C:\Documents and Settings\Nick\My Documents\Garmin\IbycusUSA2\uninstall.exe"
-->C:\Applications\DivX\DivXConverterUninstall.exe /CONVERTER
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Shockwave Player 11-->C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
AVI Codec Pack-->C:\Applications\AVI Codec Pack\uninstall.exe
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
CleanUp!-->C:\Applications\uninstall.exe
Colorado Topo Maps-->"C:\Documents and Settings\Nick\My Documents\Garmin\Colorado topo\COTOPO\uninstall.exe"
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
DivX Codec-->C:\Applications\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Applications\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Applications\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Applications\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Enemy Territory - QUAKE Wars™-->C:\Program Files\InstallShield Installation Information\{B7A585C8-CE4E-4150-84C6-A13C3CB1379F}\setup.exe -runfromtemp -l0x0409
FATE-->"C:\Program Files\WildGames\FATE\Uninstall.exe"
FEAR-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B653229-9854-4989-B780-D978F5F13EAB}\setup.exe" -l0x9 /zU -removeonly
Free Mp3 Wma Converter V 1.8.0-->"C:\Applications\Audio Converter\unins000.exe"
Garmin Trip and Waypoint Manager v5-->MsiExec.exe /X{414A373B-59DF-4102-94CA-9FE9A74CBDDA}
Google Earth-->MsiExec.exe /X{548EAC70-EE00-11DD-908C-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Applications\Spyware\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB914440)-->"C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB935448)-->"C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
HP Deskjet 5900 series-->C:\Program Files\HP\Digital Imaging\{79546A5F-AE7C-4693-8670-A3401B43ABD2}\setup\hpzscr01.exe -datfile hpfscr05.dat
HP Image Zone Express-->MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
HP Imaging Device Functions 5.0-->C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
Intel® Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Intel® PRO Network Connections 12.1.12.0-->MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
J2SE Runtime Environment 5.0 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LimeWire PRO 4.12.3-->"C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Halo-->"C:\Program Files\Microsoft Games\Halo\UNINSTAL.EXE" /runtemp /addremove
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISER /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{91120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
Paint Shop Pro 7-->MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
Roxio Creator Audio-->MsiExec.exe /I{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}
Roxio Creator Copy-->MsiExec.exe /I{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}
Roxio Creator Data-->MsiExec.exe /I{08E81ABD-79F7-49C2-881F-FD6CB0975693}
Roxio Creator DE-->C:\Documents and Settings\All Users.WINDOWS\Application Data\Uninstall\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}\setup.exe /x {09760D42-E223-42AD-8C3E-55B47D0DDAC3}
Roxio Creator DE-->MsiExec.exe /I{ED439A64-F018-4DD4-8BA5-328D85AB09AB}
Roxio Creator Tools-->MsiExec.exe /I{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}
Roxio Express Labeler 3-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SAMSUNG Mobile Composite Device Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\6\SSBCUninstall.exe
SAMSUNG Mobile Modem Driver Set-->C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
Samsung Mobile phone USB driver Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3-->"C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -runfromtemp -l0x0009 -removeonly
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9L$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958470)-->"C:\WINDOWS\$NtUninstallKB958470$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972260)-->"C:\WINDOWS\$NtUninstallKB972260$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
SPORE™-->"C:\Program Files\InstallShield Installation Information\{9DF0196F-B6B8-4C3A-8790-DE42AA530101}\SPORESetup.exe" -runfromtemp -l0x0009 -removeonly
Symantec KB-DocID:2003093015493306-->MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
Symantec Technical Support Web Controls-->MsiExec.exe /X{20C53FA2-4307-4671-A93F-9463B29DFCF1}
TagTuner 1.9-->"C:\Applications\TagTuner\unins000.exe" /SILENT /SUPPRESSMSGBOXES
Update for Windows Internet Explorer 8 (KB972636)-->"C:\WINDOWS\ie8updates\KB972636-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB904942)-->"C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VideoLAN VLC media player 0.8.6d-->C:\Applications\VLC\uninstall.exe
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe

=====HijackThis Backups=====

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-08-09]
O1 - Hosts: 74.125.45.100 test1112.com [2009-08-09]
O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://kingsisle.hs.llnwd.net/e1/static/th...ameLauncher.CAB [2009-08-09]
O1 - Hosts: 74.125.45.100 secure-plus-payments.com [2009-08-09]
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com [2009-08-09]
O1 - Hosts: 74.125.45.100 www.getavplusnow.com [2009-08-09]
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com [2009-08-09]
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com [2009-08-09]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [2009-08-09]
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com [2009-08-09]
O1 - Hosts: 74.125.45.100 test1111.com [2009-08-09]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com [2009-08-09]
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com [2009-08-09]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com [2009-08-09]
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com [2009-08-09]
O1 - Hosts: 74.125.45.100 4-open-davinci.com [2009-08-09]
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com [2009-08-09]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com [2009-08-09]
R3 - URLSearchHook: (no name) - - (no file) [2009-08-09]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejewele...ploader_v10.cab [2009-08-09]
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2009-08-09]
O1 - Hosts: 74.125.45.100 test1112.com [2009-08-09]
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com [2009-08-09]
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com [2009-08-09]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) [2009-08-09]
O1 - Hosts: 74.125.45.100 www.getavplusnow.com [2009-08-09]
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com [2009-08-09]
O1 - Hosts: 74.125.45.100 test1111.com [2009-08-09]
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com [2009-08-09]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet [2009-08-09]
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE [2009-08-09]
O1 - Hosts: 74.125.45.100 4-open-davinci.com [2009-08-09]
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com [2009-08-09]
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com [2009-08-09]
O1 - Hosts: 74.125.45.100 secure-plus-payments.com [2009-08-09]
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com [2009-08-09]
O1 - Hosts: 89.248.168.188 google.com.gh [2009-08-10]
O1 - Hosts: 89.248.168.188 google.im [2009-08-10]
O1 - Hosts: 89.248.168.188 google.dm [2009-08-10]
O1 - Hosts: 89.248.168.188 google.as [2009-08-10]
O1 - Hosts: 89.248.168.188 google.ee [2009-08-10]
O1 - Hosts: 89.248.168.188 google.ht [2009-08-10]
O1 - Hosts: 89.248.168.188 google.com.qa [2009-08-10]
O1 - Hosts: 89.248.168.188 google.gm [2009-08-10]
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com [2009-08-10]
O1 - Hosts: 89.248.168.188 google.ca [2009-08-10]
O1 - Hosts: 89.248.168.188 google.at [2009-08-10]
O1 - Hosts: 74.125.45.100 test1112.com [2009-08-10]
O1 - Hosts: 89.248.168.188 google.gg [2009-08-10]
O1 - Hosts: 89.248.168.188 google.ie [2009-08-10]
O1 - Hosts: 89.248.168.188 google.com.ng [2009-08-10]
O1 - Hosts: 89.248.168.188 google.fr [2009-08-10]
O1 - Hosts: 89.248.168.188 google.com.tj [2009-08-10]
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com [2009-08-10]
O1 - Hosts: 74.125.45.100 test1111.com [2009-08-10]
O1 - Hosts: 89.248.168.188 google.bg [2009-08-10]
O1 - Hosts: 89.248.168.188 google.com.np [2009-08-10]
O1 - Hosts: 89.248.168.188 google.com.na [2009-08-10]
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com [2009-08-10]
O1 - Hosts: 89.248.168.188 google.de [2009-08-10]
O1 - Hosts: 89.248.168.188 google.fm [2009-08-10]
O1 - Hosts: 89.248.168.188 google.ge [2009-08-10]
O1 - Hosts: 74.125.45.100 4-open-davinci.com [2009-08-10]
O1 - Hosts: 89.248.168.188 google.la [2009-08-10]
O1 - Hosts: 89.248.168.188 google.ch [2009-08-10]
O1 - Hosts: 89.248.168.188 google.be [2009-08-10]
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com [2009-08-10]
O1 - Hosts: 89.248.168.188 google.mw [2009-08-10]
O1 - Hosts: 89.248.168.188 google.no [2009-08-10]
O1 - Hosts: 89.248.168.188 google.ba [2009-08-10]
O1 - Hosts: 74.125.45.100 secure-plus-payments.com [2009-08-10]
O1 - Hosts: 89.248.168.188 google.ma [2009-08-10]
O1 - Hosts: 89.248.168.188 google.gr [2009-08-10]
O1 - Hosts: 89.248.168.188 google.com.hk [2009-08-10]
O1 - Hosts: 89.248.168.188 google.dj [2009-08-10]
O1 - Hosts: 89.248.168.188 google.in [2009-08-10]
O1 - Hosts: 89.248.168.188 google.com.sg [2009-08-10]
O1 - Hosts: 89.248.168.188 google.li [2009-08-10]
O1 - Hosts: 89.248.168.188 google.fi [2009-08-10]
O1 - Hosts: 89.248.168.188 google.com.mx [2009-08-10]
O1 - Hosts: 89.248.168.188 google.ms [2009-08-10]
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com [2009-08-10]
O1 - Hosts: 89.248.168.188 google.com.nf [2009-08-10]
O1 - Hosts: 89.248.168.188 google.cd [2009-08-10]
O1 - Hosts: 89.248.168.188 google.com.jm [2009-08-10]
O1 - Hosts: 89.248.168.188 google.com.tw [2009-08-10]
O1 - Hosts: 89.248.168.188 google.bs [2009-08-10]
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com [2009-08-10]
O1 - Hosts: 89.248.168.188 google.ki [2009-08-10]
O1 - Hosts: 89.248.168.188 google.az [2009-08-10]
O1 - Hosts: 89.248.168.188 google.nl [2009-08-10]
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com [2009-08-10]
O1 - Hosts: 89.248.168.188 google.com.my [2009-08-10]
O1 - Hosts: 89.248.168.188 google.it [2009-08-10]
O1 - Hosts: 89.248.168.188 google.mu [2009-08-10]
O1 - Hosts: 89.248.168.188 google.com.pr [2009-08-10]
O1 - Hosts: 89.248.168.188 google.ae [2009-08-10]
O1 - Hosts: 89.248.168.188 google.dk [2009-08-10]
O1 - Hosts: 89.248.168.188 google.lv [2009-08-10]
O1 - Hosts: 74.125.45.100 www.getavplusnow.com [2009-08-10]
O1 - Hosts: 89.248.168.188 google.nr [2009-08-10]
O1 - Hosts: 89.248.168.188 google.co.ck [2009-08-10]
O1 - Hosts: 89.248.168.188 google.tm [2009-08-10]
O1 - Hosts: 89.248.168.188 google.co.jp [2009-08-10]
O1 - Hosts: 89.248.168.188 google.vu [2009-08-10]
O1 - Hosts: 89.248.168.188 google.pn [2009-08-10]
O1 - Hosts: 89.248.168.188 google.si [2009-08-10]
O24 - Desktop Component 10: (no name) - http://a2.cdn.gaiaonline.com/gaia/members/...9736191_6.00_11 [2009-08-10]
O1 - Hosts: 89.248.168.188 google.com [2009-08-10]
O1 - Hosts: 89.248.168.188 google.ro [2009-08-10]
O1 - Hosts: 89.248.168.188 google.sh [2009-08-10]
O1 - Hosts: 89.248.168.188 google.rw [2009-08-10]
O1 - Hosts: 89.248.168.188 google.ru [2009-08-10]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe [2009-08-10]
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab [2009-08-10]
O24 - Desktop Component 11: (no name) - file:///C:/DOCUME~1/Nick/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg [2009-08-10]
O1 - Hosts: 89.248.168.188 google.tt [2009-08-10]
O1 - Hosts: 89.248.168.188 google.co.il [2009-08-10]
O1 - Hosts: 89.248.168.188 google.co.in [2009-08-10]
O1 - Hosts: 89.248.168.188 google.pt [2009-08-10]
O1 - Hosts: 89.248.168.188 google.co.kr [2009-08-10]
O1 - Hosts: 89.248.168.188 google.sn [2009-08-10]
O1 - Hosts: 89.248.168.188 google.co.tz [2009-08-10]
O1 - Hosts: 89.248.168.188 google.pl [2009-08-10]
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe [2009-08-10]
O1 - Hosts: 89.248.168.188 google.nu [2009-08-10]
O24 - Desktop Component 12: (no name) - http://www.pawngame.com/images/bg_main.gif [2009-08-10]
O1 - Hosts: 89.248.168.188 google.co.ls [2009-08-10]
O1 - Hosts: 89.248.168.188 google.sm [2009-08-10]
O1 - Hosts: 89.248.168.188 google.co.za [2009-08-10]
O1 - Hosts: 89.248.168.188 google.co.ug [2009-08-10]
O1 - Hosts: 89.248.168.188 google.co.uk [2009-08-10]
O24 - Desktop Component 2: (no name) - http://www.mythicalrealm.com/images-2/minotaursmall.jpg [2009-08-10]
O1 - Hosts: 89.248.168.188 google.us [2009-08-10]
O23 - Service: Google Update Service (gupdate1c98b1538c39c4c) (gupdate1c98b1538c39c4c) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing) [2009-08-10]
O1 - Hosts: 89.248.168.188 google.co.zm [2009-08-10]
O1 - Hosts: 89.248.168.188 google.co.ma [2009-08-10]
O1 - Hosts: 89.248.168.188 google.sc [2009-08-10]
O24 - Desktop Component 0: (no name) - http://www.mythicalrealm.com/images-2/Dragon-06-june.gif [2009-08-10]
O1 - Hosts: 89.248.168.188 google.com.af [2009-08-10]
O24 - Desktop Component 1: (no name) - http://www.mythicalrealm.com/images-2/dragon42.gif [2009-08-10]
O1 - Hosts: 89.248.168.188 google.tl [2009-08-10]
O1 - Hosts: 89.248.168.188 google.se [2009-08-10]
O1 - Hosts: 89.248.168.188 google.ws [2009-08-10]
O1 - Hosts: 89.248.168.188 google.co.id [2009-08-10]
O1 - Hosts: 89.248.168.188 google.co.nz [2009-08-10]
O1 - Hosts: 89.248.168.188 google.st [2009-08-10]
O24 - Desktop Component 9: (no name) - http://s2.cdn.gaiaonline.com/images/gaia_g...er_bg_durem.jpg [2009-08-10]
O24 - Desktop Component 4: (no name) - http://www.mythicalrealm.com/images/anmi3.gif [2009-08-10]
O24 - Desktop Component 8: (no name) - http://www.google.com/logos/autumn08.gif [2009-08-10]
O24 - Desktop Component 6: (no name) - http://www.mythicalrealm.com/images/phoenixani.gif [2009-08-10]
O24 - Desktop Component 3: (no name) - http://www.mythicalrealm.com/images/unicorn.gif [2009-08-10]
O24 - Desktop Component 5: (no name) - http://www.mythicalrealm.com/images/cerberus.gif [2009-08-10]
O24 - Desktop Component 7: (no name) - http://www.mythicalrealm.com/images-2/chimera-ani.gif [2009-08-10]
O1 - Hosts: 89.248.168.188 google.com.na [2009-08-21]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 [2009-08-21]
O1 - Hosts: 89.248.168.188 google.in [2009-08-21]
O1 - Hosts: 89.248.168.188 google.sh [2009-08-21]
O1 - Hosts: 89.248.168.188 google.pn [2009-08-21]
O1 - Hosts: 89.248.168.188 google.com.af [2009-08-21]
O1 - Hosts: 89.248.168.188 google.us [2009-08-21]
O1 - Hosts: 89.248.168.188 google.gg [2009-08-21]
O1 - Hosts: 89.248.168.188 google.ki [2009-08-21]
O1 - Hosts: 89.248.168.188 google.co.ls [2009-08-21]
O1 - Hosts: 89.248.168.188 google.com.ng [2009-08-21]
O1 - Hosts: 89.248.168.188 google.com.hk [2009-08-21]
O1 - Hosts: 89.248.168.188 google.co.nz [2009-08-21]
O1 - Hosts: 89.248.168.188 google.co.jp [2009-08-21]
O1 - Hosts: 89.248.168.188 google.gm [2009-08-21]
O1 - Hosts: 89.248.168.188 google.se [2009-08-21]
O1 - Hosts: 89.248.168.188 google.co.kr [2009-08-21]
O1 - Hosts: 89.248.168.188 google.ch [2009-08-21]
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com [2009-08-21]
O1 - Hosts: 89.248.168.188 google.nr [2009-08-21]
O1 - Hosts: 89.248.168.188 google.mw [2009-08-21]
O1 - Hosts: 89.248.168.188 google.tt [2009-08-21]
O1 - Hosts: 89.248.168.188 google.nl [2009-08-21]
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com [2009-08-21]
O1 - Hosts: 89.248.168.188 google.com.qa [2009-08-21]
O1 - Hosts: 89.248.168.188 google.bs [2009-08-21]
O1 - Hosts: 89.248.168.188 google.mu [2009-08-21]
O1 - Hosts: 89.248.168.188 google.co.uk [2009-08-21]
O1 - Hosts: 89.248.168.188 google.com.nf [2009-08-21]
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com [2009-08-21]
O1 - Hosts: 89.248.168.188 google.at [2009-08-21]
O1 - Hosts: 89.248.168.188 google.co.ug [2009-08-21]
O1 - Hosts: 89.248.168.188 google.cd [2009-08-21]
O1 - Hosts: 89.248.168.188 google.ge [2009-08-21]
O1 - Hosts: 89.248.168.188 google.ma [2009-08-21]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 [2009-08-21]
O1 - Hosts: 89.248.168.188 google.com.tw [2009-08-21]
O1 - Hosts: 74.125.45.100 secure-plus-payments.com [2009-08-21]
O1 - Hosts: 89.248.168.188 google.as [2009-08-21]
O1 - Hosts: 89.248.168.188 google.fm [2009-08-21]
O1 - Hosts: 89.248.168.188 google.si [2009-08-21]
O1 - Hosts: 89.248.168.188 google.co.id [2009-08-21]
O1 - Hosts: 89.248.168.188 google.sc [2009-08-21]
O1 - Hosts: 89.248.168.188 google.it [2009-08-21]
O1 - Hosts: 89.248.168.188 google.be [2009-08-21]
O1 - Hosts: 89.248.168.188 google.ie [2009-08-21]
O1 - Hosts: 89.248.168.188 google.ca [2009-08-21]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 [2009-08-21]
O1 - Hosts: 89.248.168.188 google.co.in [2009-08-21]
O1 - Hosts: 89.248.168.188 google.ro [2009-08-21]
O1 - Hosts: 89.248.168.188 google.sn [2009-08-21]
O1 - Hosts: 89.248.168.188 google.co.tz [2009-08-21]
O1 - Hosts: 89.248.168.188 google.im [2009-08-21]
O1 - Hosts: 89.248.168.188 google.com.jm [2009-08-21]
O1 - Hosts: 89.248.168.188 google.ru [2009-08-21]
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com [2009-08-21]
O1 - Hosts: 89.248.168.188 google.fi [2009-08-21]
O1 - Hosts: 89.248.168.188 google.fr [2009-08-21]
O1 - Hosts: 89.248.168.188 google.pt [2009-08-21]
O1 - Hosts: 89.248.168.188 google.com.np [2009-08-21]
O1 - Hosts: 89.248.168.188 google.com.tj [2009-08-21]
O1 - Hosts: 89.248.168.188 google.com.gh [2009-08-21]
O1 - Hosts: 89.248.168.188 google.pl [2009-08-21]
O1 - Hosts: 89.248.168.188 google.la [2009-08-21]
O1 - Hosts: 89.248.168.188 google.ae [2009-08-21]
O1 - Hosts: 89.248.168.188 google.lv [2009-08-21]
O1 - Hosts: 89.248.168.188 google.co.za [2009-08-21]
O1 - Hosts: 74.125.45.100 test1112.com [2009-08-21]
O1 - Hosts: 89.248.168.188 google.tl [2009-08-21]
O1 - Hosts: 89.248.168.188 google.co.il [2009-08-21]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [2009-08-21]
O1 - Hosts: 89.248.168.188 google.com.sg [2009-08-21]
O1 - Hosts: 89.248.168.188 google.az [2009-08-21]
O1 - Hosts: 89.248.168.188 google.co.zm [2009-08-21]
O1 - Hosts: 89.248.168.188 google.dm [2009-08-21]
O1 - Hosts: 89.248.168.188 google.ht [2009-08-21]
O1 - Hosts: 89.248.168.188 google.sm [2009-08-21]
O1 - Hosts: 89.248.168.188 google.de [2009-08-21]
O1 - Hosts: 89.248.168.188 google.dk [2009-08-21]
O1 - Hosts: 89.248.168.188 google.com [2009-08-21]
O1 - Hosts: 89.248.168.188 google.vu [2009-08-21]
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com [2009-08-21]
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com [2009-08-21]
O1 - Hosts: 89.248.168.188 google.co.ma [2009-08-21]
O1 - Hosts: 89.248.168.188 google.ws [2009-08-21]
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com [2009-08-21]
O1 - Hosts: 89.248.168.188 google.ee [2009-08-21]
O16 - DPF: {1AF2568B-8097-4601-8E1E-E202598938EA} (STWarsControl Object) - http://www.xgenstudios.com/space-trader-wars/stwars-ocx.cab [2009-08-21]
O1 - Hosts: 74.125.45.100 test1111.com [2009-08-21]
O1 - Hosts: 89.248.168.188 google.bg [2009-08-21]
O1 - Hosts: 89.248.168.188 google.tm [2009-08-21]
O1 - Hosts: 89.248.168.188 google.gr [2009-08-21]
O1 - Hosts: 89.248.168.188 google.li [2009-08-21]
O1 - Hosts: 89.248.168.188 google.ms [2009-08-21]
O1 - Hosts: 89.248.168.188 google.st [2009-08-21]
O1 - Hosts: 74.125.45.100 4-open-davinci.com [2009-08-21]
O1 - Hosts: 89.248.168.188 google.com.pr [2009-08-21]
O1 - Hosts: 89.248.168.188 google.com.mx [2009-08-21]
O1 - Hosts: 89.248.168.188 google.rw [2009-08-21]
O1 - Hosts: 89.248.168.188 google.no [2009-08-21]
O1 - Hosts: 89.248.168.188 google.com.my [2009-08-21]
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-08-21]
O1 - Hosts: 74.125.45.100 www.getavplusnow.com [2009-08-21]
O1 - Hosts: 89.248.168.188 google.dj [2009-08-21]
O1 - Hosts: 89.248.168.188 google.ba [2009-08-21]
O1 - Hosts: 89.248.168.188 google.nu [2009-08-21]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 [2009-08-21]
O1 - Hosts: 89.248.168.188 google.co.ck [2009-08-21]
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab [2009-08-21]
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/famil.../familyfeud.cab [2009-08-21]
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab [2009-08-21]
O24 - Desktop Component 2: (no name) - http://www.pawngame.com/images/bg_main.gif [2009-08-21]

======Hosts File======

74.125.45.100 test1111.com
74.125.45.100 test1112.com
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com

======Security center information======

AV: Windows Security Suite
AV: AntiVir Desktop
FW: Windows Security Suite

======System event log======

Computer Name: GRBAS
Event Code: 1002
Message: The IP address lease 192.168.100.2 for the Network Card with network address 001D0991E8CA has been
denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).

Record Number: 40422
Source Name: Dhcp
Time Written: 20090811092614.000000-300
Event Type: error
User:

Computer Name: GRBAS
Event Code: 32003
Message: The Network Address Translator (NAT) was unable to request an operation
of the kernel-mode translation module.
This may indicate misconfiguration, insufficient resources, or
an internal error.
The data is the error code.

Record Number: 40420
Source Name: ipnathlp
Time Written: 20090811092552.000000-300
Event Type: error
User:

Computer Name: GRBAS
Event Code: 1002
Message: The IP address lease 72.198.63.37 for the Network Card with network address 001D0991E8CA has been
denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).

Record Number: 40419
Source Name: Dhcp
Time Written: 20090811092552.000000-300
Event Type: error
User:

Computer Name: GRBAS
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001D0991E8CA. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 40418
Source Name: Dhcp
Time Written: 20090811092548.000000-300
Event Type: warning
User:

Computer Name: GRBAS
Event Code: 27
Message: Intel® 82562V-2 10/100 Network Connection
Link has been disconnected.

Record Number: 40415
Source Name: e1express
Time Written: 20090811092545.000000-300
Event Type: warning
User:

=====Application event log=====

Computer Name: GRBAS
Event Code: 1000
Message: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Record Number: 30151
Source Name: Application Error
Time Written: 20090816085337.000000-300
Event Type: error
User:

Computer Name: GRBAS
Event Code: 1000
Message: Faulting application explorer.exe, version 6.0.2900.3156, faulting module comctl32.dll, version 6.0.2900.2982, fault address 0x00044039.

Record Number: 30150
Source Name: Application Error
Time Written: 20090816085332.000000-300
Event Type: error
User:

Computer Name: GRBAS
Event Code: 1002
Message: Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 29876
Source Name: Application Hang
Time Written: 20090813095903.000000-300
Event Type: error
User:

Computer Name: GRBAS
Event Code: 4353
Message: The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
Record Number: 29531
Source Name: EventSystem
Time Written: 20090810212226.000000-300
Event Type: warning
User:

Computer Name: GRBAS
Event Code: 4356
Message: The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 8007041F.
Record Number: 29530
Source Name: EventSystem
Time Written: 20090810212226.000000-300
Event Type: warning
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\;C:\Program Files\Samsung\Samsung PC Studio 3\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 22 Stepping 1, GenuineIntel
"PROCESSOR_REVISION"=1601
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\

-----------------EOF-----------------

#7 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:45 AM

Posted 29 August 2009 - 12:21 PM

No problem with the delay.

Download the HostsXpert
  • Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 4.3 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Next

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Next

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Then please post back here with the following:
  • OTListIt.txt
  • Extra.txt
  • Gmer log
Thanks



#8 kingsalami

kingsalami
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:07:45 PM

Posted 29 August 2009 - 01:06 PM

I can't get HostsXpert to restore the hosts file. A couple of dialog boxes popped up: "host files are listed under 'system files' and 'hidden files'". I followed the prompt to remove the system/hidden file attributes. Then I get an error: "cannot read file..." It also won't allow me to change the host file manually from a 'read only' file.
Something is protecting those host files from being manipulated?

Edited by kingsalami, 29 August 2009 - 01:14 PM.
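The hosts-file check behind syler's HostsXpert step and kingsalami's report that the file cannot be rewritten, as an added example that is not code from this thread or from any of the tools it names. It parses a hosts file (or the "O1 - Hosts:" lines pasted from a HijackThis/RSIT/OTL log), flags every mapping a stock hosts file would not carry, and decodes the READONLY/HIDDEN/SYSTEM attribute bits that HostsXpert prompts about. The sample hosts text and log lines are constructed from the entries shown in the logs above, the hosts path is the XP default the OTL log reports, and the live attribute read only runs on Windows.

```python
"""Triage a Windows hosts file for hijack entries and decode the attribute bits that
block an edit. Added example for this thread; not HostsXpert, HijackThis or OTL code."""
import ipaddress
import os
import re
import sys
from collections import Counter

# Default XP location, as reported in the OTL log posted above.
HOSTS_PATH = r"C:\WINDOWS\System32\drivers\etc\hosts"

# Constructed sample modelled on entries from the logs above (not the full file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
74.125.45.100 test1111.com
74.125.45.100 securitysoftwarepayments.com
89.248.168.188 google.com
89.248.168.188 google.co.uk
"""

# Constructed sample of pasted log lines in the HijackThis/OTL "O1 - Hosts:" format.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 89.248.168.188 google.de
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
"""

O1_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

# Win32 FILE_ATTRIBUTE_* bits that make an ordinary overwrite fail or hide the file.
ATTRIBUTE_BITS = (("READONLY", 0x1), ("HIDDEN", 0x2), ("SYSTEM", 0x4))


def _pair(ip_text, name):
    """Normalise one (address, hostname) pair; None if the address is malformed."""
    try:
        return str(ipaddress.ip_address(ip_text)), name.lower()
    except ValueError:
        return None


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        pairs = (_pair(parts[0], name) for name in parts[1:])
        entries.extend(p for p in pairs if p)
    return entries


def parse_log(text):
    """Return (ip, hostname) pairs from pasted 'O1 - Hosts:' log lines; other lines ignored."""
    entries = []
    for line in text.splitlines():
        m = O1_LINE.match(line.strip())
        if m and (p := _pair(m.group(1), m.group(2))):
            entries.append(p)
    return entries


def triage(entries):
    """Return [(ip, host, reasons)] for entries a stock hosts file would not carry.

    Loopback/unspecified targets (127.0.0.1, ::1, 0.0.0.0) are the blocklist idiom and
    are left alone; anything else redirects the name somewhere and is flagged."""
    fan_in = Counter(ip for ip, _ in entries)      # many names -> one IP is a hijack signal
    findings = []
    for ip, host in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        reasons = ["public address" if addr.is_global else "non-loopback address"]
        if fan_in[ip] > 1:
            reasons.append(f"{fan_in[ip]} hostnames share this target")
        findings.append((ip, host, reasons))
    return findings


def describe_attributes(mask):
    """Names of the attribute bits set in `mask` that interfere with editing the file."""
    return [name for name, bit in ATTRIBUTE_BITS if mask & bit]


def hosts_file_attributes(path=HOSTS_PATH):
    """Live attribute mask of the hosts file; None off Windows or if the file is absent."""
    if sys.platform != "win32" or not os.path.exists(path):
        return None
    return os.stat(path).st_file_attributes


def report(entries, label):
    findings = triage(entries)
    print(f"{label}: {len(entries)} entries, {len(findings)} suspicious")
    for ip, host, reasons in findings:
        print(f"  {host:35} -> {ip:16} {'; '.join(reasons)}")
    return findings


if __name__ == "__main__":
    report(parse_hosts(SAMPLE_HOSTS), "sample hosts file")
    report(parse_log(SAMPLE_LOG), "sample log lines")
    mask = hosts_file_attributes()
    if mask is not None:
        print("live hosts file attributes:", describe_attributes(mask) or ["none set"])
```

The attribute check reports the same READONLY/HIDDEN/SYSTEM bits HostsXpert asked about; if those come back clear and the file still cannot be read or written, something other than attributes (an ACL, a filter driver, or a process holding the file open) is in the way, which is the kind of thing the rootkit scan in the next step is meant to surface.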


#9 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:45 AM

Posted 29 August 2009 - 01:32 PM

Ok, please try following the other steps.



#10 kingsalami

kingsalami
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:07:45 PM

Posted 29 August 2009 - 08:22 PM

Had to go to a wedding (while that GMER scan ran). Thanks so much for the assistance!!

OTL logfile created on: 8/29/2009 2:47:55 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Nick\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.11 Mb Total Physical Memory | 668.29 Mb Available Physical Memory | 65.96% Memory free
2.38 Gb Paging File | 2.03 Gb Available in Paging File | 85.35% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 229.47 Gb Total Space | 162.81 Gb Free Space | 70.95% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GRBAS
Current User Name: Nick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2008/10/17 15:52:10 | 00,149,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2007/04/16 19:51:30 | 00,162,584 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\hkcmd.exe
PRC - [2007/04/16 19:51:00 | 00,138,008 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\igfxpers.exe
PRC - [2007/04/26 14:27:06 | 16,132,608 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2007/04/16 19:50:50 | 00,252,696 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\igfxsrvc.exe
PRC - [2008/11/10 06:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/07/21 14:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 13:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2009/08/29 12:56:06 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nick\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/10/17 15:52:10 | 00,149,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr [Auto | Running])
SRV - [2008/10/17 15:52:10 | 00,149,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr [Auto | Running])
SRV - File not found -- -- (gupdate1c98b1538c39c4c [Auto | Stopped])
SRV - [2004/08/04 05:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/11/10 06:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2004/09/29 12:14:36 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Stopped])
SRV - [2007/12/02 18:34:30 | 00,074,384 | R--- | M] (MicroVision Development, Inc.) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr [Disabled | Stopped])
SRV - [2008/08/29 11:13:45 | 01,245,064 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC [On_Demand | Stopped])
SRV - [2008/01/29 16:09:02 | 00,394,704 | ---- | M] (Symantec, Inc.) -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist [On_Demand | Stopped])
SRV - [2004/08/04 05:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (uploadmgr [Auto | Stopped])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService [Auto | Running])
SRV - [2009/07/21 14:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2004/12/13 16:14:00 | 00,039,904 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\drivers\cercsr6.sys -- (cercsr6 [Boot | Stopped])
DRV - [2007/04/13 20:33:34 | 00,254,872 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e1e5132.sys -- (e1express [On_Demand | Running])
DRV - [2007/03/08 17:18:00 | 00,008,320 | ---- | M] (GARMIN Corp.) -- C:\WINDOWS\System32\drivers\grmnusb.sys -- (grmnusb [On_Demand | Stopped])
DRV - [2005/01/07 17:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005/03/07 23:52:26 | 00,051,120 | R--- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2005/03/07 23:52:27 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2005/03/07 23:52:28 | 00,021,744 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2007/04/16 21:16:26 | 05,760,096 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\igxpmp32.sys -- (ialm [On_Demand | Running])
DRV - [2007/05/02 16:21:22 | 04,403,712 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2008/02/18 18:36:44 | 00,033,792 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\libusb0.sys -- (libusb0 [On_Demand | Stopped])
DRV - [2004/08/04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/11/14 03:00:00 | 00,043,840 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/09/05 14:31:42 | 00,447,024 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [On_Demand | Stopped])
DRV - [2008/02/22 15:33:00 | 00,087,936 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\sscdbus.sys -- (sscdbus [On_Demand | Stopped])
DRV - [2008/02/22 15:33:02 | 00,014,976 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\sscdmdfl.sys -- (sscdmdfl [On_Demand | Stopped])
DRV - [2008/02/22 15:33:02 | 00,114,304 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\sscdmdm.sys -- (sscdmdm [On_Demand | Stopped])
DRV - [2006/07/24 16:05:00 | 00,005,632 | ---- | M] () -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen [System | Running])
DRV - [2009/07/28 16:33:56 | 00,055,656 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\avgntflt.sys -- (avgntflt [Auto | Running])
DRV - [2009/02/13 12:35:05 | 00,011,608 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio [System | Running])
DRV - [2009/03/30 10:33:07 | 00,096,104 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\avipbb.sys -- (avipbb [System | Running])
DRV - [2009/05/11 10:12:24 | 00,028,520 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\ssmdrv.sys -- (ssmdrv [System | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1202660629-1715567821-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1202660629-1715567821-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1202660629-1715567821-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-1202660629-1715567821-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1202660629-1715567821-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-1202660629-1715567821-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTe...-8&fr=b1ie7
IE - HKU\S-1-5-21-1202660629-1715567821-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1202660629-1715567821-725345543-1004\S-1-5-21-1202660629-1715567821-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2008/12/02 17:42:25 | 00,000,000 | ---D | M]


O1 HOSTS File: (7599 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 test1111.com
O1 - Hosts: 74.125.45.100 test1112.com
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 89.248.168.188 google.ae
O1 - Hosts: 89.248.168.188 google.as
O1 - Hosts: 89.248.168.188 google.at
O1 - Hosts: 89.248.168.188 google.az
O1 - Hosts: 89.248.168.188 google.ba
O1 - Hosts: 89.248.168.188 google.be
O1 - Hosts: 89.248.168.188 google.bg
O1 - Hosts: 89.248.168.188 google.bs
O1 - Hosts: 89.248.168.188 google.ca
O1 - Hosts: 89.248.168.188 google.cd
O1 - Hosts: 89.248.168.188 google.com.gh
O1 - Hosts: 89.248.168.188 google.com.hk
O1 - Hosts: 201 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-1202660629-1715567821-725345543-1004\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1202660629-1715567821-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1202660629-1715567821-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} http://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab (AXIDMDCP Class)
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://catalog.update.microsoft.com/v7/sit...b?1219528906125 (MUCatalogWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 () - http://a2.cdn.gaiaonline.com/gaia/members/...9736191_6.00_11
O24 - Desktop Components:1 () - file:///C:/DOCUME~1/Nick/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg
O24 - Desktop Components:2 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{eb1472df-2735-11dd-8fa6-001d0991e8ca}\Shell - "" = AutoRun
O33 - MountPoints2\{eb1472df-2735-11dd-8fa6-001d0991e8ca}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{eb1472df-2735-11dd-8fa6-001d0991e8ca}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{fcb1bc6a-603f-11de-91d2-001d0991e8ca}\Shell - "" = AutoRun
O33 - MountPoints2\{fcb1bc6a-603f-11de-91d2-001d0991e8ca}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{fcb1bc6a-603f-11de-91d2-001d0991e8ca}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/08/29 12:56:21 | 00,288,768 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\2klie3wf.exe
[2009/08/29 12:56:05 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Nick\Desktop\OTL.exe
[2009/08/29 11:01:40 | 00,000,000 | ---D | C] -- C:\rsit
[2009/08/29 09:08:54 | 00,781,909 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\RSIT.exe
[2009/08/29 09:05:45 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/08/29 09:05:41 | 00,096,104 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2009/08/29 09:05:41 | 00,055,656 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2009/08/29 09:05:41 | 00,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2009/08/29 09:05:41 | 00,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2009/08/29 09:05:41 | 00,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2009/08/29 09:05:39 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2009/08/29 09:05:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
[2009/08/23 15:02:55 | 00,082,592 | ---- | C] () -- C:\Documents and Settings\Nick\My Documents\red tails.jpg
[2009/08/22 14:14:19 | 00,011,160 | ---- | C] () -- C:\Documents and Settings\Nick\My Documents\Auto Parts.docx
[2009/08/22 07:32:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Blizzard
[2009/08/18 18:46:46 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/08/18 18:44:24 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/08/18 16:15:53 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Nick\My Documents\My Music
[2009/08/18 15:33:55 | 00,000,000 | -H-D | C] -- C:\WINDOWS\msdownld.tmp
[2009/08/18 15:32:21 | 00,246,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieproxy.dll
[2009/08/18 15:32:21 | 00,012,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpshims.dll
[2009/08/18 15:32:10 | 00,101,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/08/18 15:31:31 | 00,000,000 | ---D | C] -- C:\d951c5cdef1c7633b4be
[2009/08/16 08:54:16 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Nick\My Documents\My Pictures
[2009/08/14 19:08:37 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/08/12 05:12:24 | 00,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2009/08/11 22:13:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nick\My Documents\My Games
[2009/08/11 14:24:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nick\Local Settings\Application Data\WorldWinner.com
[2009/08/09 16:17:43 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/09 16:17:42 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/08/09 16:17:42 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/08/07 11:06:13 | 00,000,000 | ---D | C] -- C:\Program Files\KingsIsle Entertainment
[2009/07/31 00:18:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nick\Application Data\Unity
[2009/07/30 23:55:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nick\Local Settings\Application Data\Unity
[2009/07/30 23:55:25 | 00,000,000 | ---D | C] -- C:\Program Files\Unity
[2009/07/15 21:34:16 | 00,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2009/07/11 18:28:36 | 00,000,316 | ---- | C] () -- C:\WINDOWS\game.ini
[2008/12/14 12:55:49 | 00,484,352 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2008/09/19 16:57:34 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/09/19 16:55:10 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/09/19 16:55:10 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/09/19 16:54:18 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/08/16 17:06:24 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2008/08/16 16:02:45 | 00,000,616 | ---- | C] () -- C:\WINDOWS\win.ini
[2008/08/16 16:02:21 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2008/02/18 18:36:44 | 00,033,792 | ---- | C] () -- C:\WINDOWS\System32\drivers\libusb0.sys
[2005/04/27 06:38:00 | 00,372,736 | ---- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[2005/04/27 06:37:49 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2004/12/19 08:29:40 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/12/19 08:17:10 | 00,614,400 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2002/10/06 13:42:56 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002/10/04 18:04:24 | 00,921,600 | ---- | C] () -- C:\WINDOWS\System32\VorbisEnc.dll
[2002/10/04 18:04:24 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2002/10/04 18:04:16 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2002/05/15 18:38:40 | 00,091,136 | ---- | C] () -- C:\WINDOWS\System32\mp4fil32.dll

========== Files - Modified Within 30 Days ==========

[7 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/08/29 14:06:42 | 00,002,521 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\Outlook 2007.lnk
[2009/08/29 12:56:22 | 00,288,768 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\2klie3wf.exe
[2009/08/29 12:56:06 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nick\Desktop\OTL.exe
[2009/08/29 09:08:54 | 00,781,909 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\RSIT.exe
[2009/08/29 09:01:15 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/29 09:01:10 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/29 09:01:08 | 10,623,87712 | -HS- | M] () -- C:\hiberfil.sys
[2009/08/23 18:33:16 | 00,002,515 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\Microsoft Office Word 2007.lnk
[2009/08/23 15:09:18 | 00,082,592 | ---- | M] () -- C:\Documents and Settings\Nick\My Documents\red tails.jpg
[2009/08/22 14:14:20 | 00,011,160 | ---- | M] () -- C:\Documents and Settings\Nick\My Documents\Auto Parts.docx
[2009/08/22 13:27:51 | 00,105,984 | ---- | M] () -- C:\Documents and Settings\Nick\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/21 18:42:01 | 00,001,203 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.new
[2009/08/18 18:47:12 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/08/16 09:15:12 | 00,052,736 | ---- | M] () -- C:\Documents and Settings\Nick\My Documents\for sale.doc
[2009/08/11 14:25:13 | 00,000,616 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/08/05 04:11:47 | 00,204,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mswebdvd.dll
[2009/08/05 04:11:47 | 00,204,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mswebdvd.dll
[2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
< End of report >


OTL Extras logfile created on: 8/29/2009 2:47:55 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Nick\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.11 Mb Total Physical Memory | 668.29 Mb Available Physical Memory | 65.96% Memory free
2.38 Gb Paging File | 2.03 Gb Available in Paging File | 85.35% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 229.47 Gb Total Space | 162.81 Gb Free Space | 70.95% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GRBAS
Current User Name: Nick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1202660629-1715567821-725345543-1004\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1337:TCP" = 1337:TCP:*:Disabled:PowerFolder
"4752:TCP" = 4752:TCP:*:Disabled:PowerFolder
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- ()
"C:\Program Files\id Software\Enemy Territory - QUAKE Wars\etqw.exe" = C:\Program Files\id Software\Enemy Territory - QUAKE Wars\etqw.exe:*:Disabled:Enemy Territory - QUAKE Wars™ -- (Splash Damage, Ltd.)
"C:\Program Files\id Software\Enemy Territory - QUAKE Wars\etqwded.exe" = C:\Program Files\id Software\Enemy Territory - QUAKE Wars\etqwded.exe:*:Disabled:etqwded.exe -- (Splash Damage, Ltd.)
"C:\Program Files\Sierra\FEAR\FEAR.exe" = C:\Program Files\Sierra\FEAR\FEAR.exe:*:Disabled:FEAR -- (Monolith Productions, Inc.)
"C:\Program Files\Sierra\FEAR\FEARMP.exe" = C:\Program Files\Sierra\FEAR\FEARMP.exe:*:Disabled:FEARMP -- (Monolith Productions, Inc.)
"C:\WINDOWS\system32\PnkBstrA.exe" = C:\WINDOWS\system32\PnkBstrA.exe:*:Disabled:PnkBstrA -- File not found
"C:\WINDOWS\system32\PnkBstrB.exe" = C:\WINDOWS\system32\PnkBstrB.exe:*:Disabled:PnkBstrB -- File not found
"C:\Documents and Settings\All Users.WINDOWS\Application Data\1f977ec\WI1f97.exe" = C:\Documents and Settings\All Users.WINDOWS\Application Data\1f977ec\WI1f97.exe:*:Disabled:Windows Security Suite -- File not found
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe" = C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}" = Symantec KB-DocID:2003093015493306
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{20C53FA2-4307-4671-A93F-9463B29DFCF1}" = Symantec Technical Support Web Controls
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java™ 6 Update 11
"{2B653229-9854-4989-B780-D978F5F13EAB}" = FEAR
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{3248F0A8-6813-11D6-A77B-00B0D0150030}" = J2SE Runtime Environment 5.0 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{414A373B-59DF-4102-94CA-9FE9A74CBDDA}" = Garmin Trip and Waypoint Manager v5
"{548EAC70-EE00-11DD-908C-005056806466}" = Google Earth
"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{71C27D05-DFB4-4585-919E-631379695D72}" = Samsung PC Studio 3
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.12.0
"{79546A5F-AE7C-4693-8670-A3401B43ABD2}" = HP Deskjet 5900 series
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8307E622-89E1-435A-BC8A-678C678F6A43}" = SA30xx Media Converter
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A5222E5A-13CB-4C98-9F5C-21CF6896A25C}" = HPDeskjet5900Series
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7A585C8-CE4E-4150-84C6-A13C3CB1379F}" = Enemy Territory - QUAKE Wars™
"{C4A4722E-79F9-417C-BD72-8D359A090C97}" = Samsung PC Studio 3
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{FC053571-8507-44E4-8B6D-AACEAB8CA57C}" = Sansa Media Converter
"{FE64AE29-0883-4C70-8388-DC026019C900}" = HP Image Zone Express
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"AVI Codec Pack" = AVI Codec Pack
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CleanUp!" = CleanUp!
"COTOPO" = Colorado Topo Maps
"ENTERPRISER" = Microsoft Office Enterprise 2007
"Free Mp3 Wma Converter_is1" = Free Mp3 Wma Converter V 1.8.0
"Halo" = Microsoft Halo
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 5.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"InstallShield_{B7A585C8-CE4E-4150-84C6-A13C3CB1379F}" = Enemy Territory - QUAKE Wars™
"LimeWire" = LimeWire PRO 4.12.3
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SAMSUNG Mobile Composite Device" = SAMSUNG Mobile Composite Device Software
"SAMSUNG Mobile Modem" = SAMSUNG Mobile Modem Driver Set
"Samsung Mobile phone USB driver" = Samsung Mobile phone USB driver Software
"SAMSUNG Mobile USB Modem" = SAMSUNG Mobile USB Modem Software
"SAMSUNG Mobile USB Modem 1.0" = SAMSUNG Mobile USB Modem 1.0 Software
"TagTuner_is1" = TagTuner 1.9
"VLC media player" = VideoLAN VLC media player 0.8.6d
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WT015792" = FATE
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1202660629-1715567821-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"World of Warcraft Trial" = World of Warcraft Trial

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/13/2009 10:59:03 AM | Computer Name = GRBAS | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/16/2009 9:53:32 AM | Computer Name = GRBAS | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module comctl32.dll, version 6.0.2900.2982, fault address 0x00044039.

Error - 8/16/2009 9:53:37 AM | Computer Name = GRBAS | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Error - 8/16/2009 10:30:14 AM | Computer Name = GRBAS | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/21/2009 10:28:42 PM | Computer Name = GRBAS | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007041F from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 8/21/2009 10:28:42 PM | Computer Name = GRBAS | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 8/26/2009 7:45:05 PM | Computer Name = GRBAS | Source = Application Error | ID = 1000
Description = Faulting application symcuw.exe, version 8.1.0.27, faulting module
symsubwz.dll, version 8.1.0.27, fault address 0x00004988.

Error - 8/29/2009 12:27:59 AM | Computer Name = GRBAS | Source = Microsoft Office 12 | ID = 5000
Description = EventType officelifeboathang, P1 outlook.exe, P2 12.0.4518.1014, P3
ntdll.dll, P4 5.1.2600.3520, P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.

[ System Events ]
Error - 8/29/2009 4:17:11 AM | Computer Name = GRBAS | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate1c98b1538c39c4c) service failed
to start due to the following error: %%3

Error - 8/29/2009 4:17:11 AM | Computer Name = GRBAS | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 8/29/2009 4:17:11 AM | Computer Name = GRBAS | Source = Service Control Manager | ID = 7000
Description = The SRTSPL service failed to start due to the following error: %%31

Error - 8/29/2009 9:40:48 AM | Computer Name = GRBAS | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate1c98b1538c39c4c) service failed
to start due to the following error: %%3

Error - 8/29/2009 9:40:48 AM | Computer Name = GRBAS | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 8/29/2009 9:40:48 AM | Computer Name = GRBAS | Source = Service Control Manager | ID = 7000
Description = The SRTSPL service failed to start due to the following error: %%31

Error - 8/29/2009 9:40:50 AM | Computer Name = GRBAS | Source = SRTSPL | ID = 458785
Description =

Error - 8/29/2009 10:01:28 AM | Computer Name = GRBAS | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate1c98b1538c39c4c) service failed
to start due to the following error: %%3

Error - 8/29/2009 10:01:28 AM | Computer Name = GRBAS | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 8/29/2009 3:40:12 PM | Computer Name = GRBAS | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the WZCSVC service.

< End of report >

GMER 1.0.15.15077 [2klie3wf.exe] - http://www.gmer.net
Rootkit scan 2009-08-29 20:20:07
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT F7BF4D16 ZwCreateKey
SSDT F7BF4D0C ZwCreateThread
SSDT F7BF4D1B ZwDeleteKey
SSDT F7BF4D25 ZwDeleteValueKey
SSDT F7BF4D2A ZwLoadKey
SSDT F7BF4CF8 ZwOpenProcess
SSDT F7BF4CFD ZwOpenThread
SSDT F7BF4D34 ZwReplaceKey
SSDT F7BF4D2F ZwRestoreKey
SSDT F7BF4D20 ZwSetValueKey
SSDT F7BF4D07 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[896] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[896] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[896] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[896] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[896] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[896] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[896] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[896] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[896] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3160] USER32.dll!UnhookWindowsHookEx 7E41F21E 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3160] USER32.dll!CallNextHookEx 7E41F85B 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3160] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3160] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3160] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3160] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3160] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3160] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3160] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3160] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3160] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3160] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3160] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3160] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3160] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A8FC5C8A

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#11 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:45 AM

Posted 30 August 2009 - 03:55 PM

The host file modification is from the Windows Security Suite infection you had; it appears to be gone apart from a couple of leftovers.

I need to have a look at the permissions on the host file to see if they have been changed.
Go to Start >> Run then copy and paste the following line into the run box, then click Ok.

CMD /C CACLS "C:\WINDOWS\System32\drivers\etc\Hosts" >perml.txt&perml.txt&DEL perml.txt

A notepad will now open; please copy the contents in your next reply.



#12 kingsalami

kingsalami
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:45 PM

Posted 30 August 2009 - 05:20 PM

C:\WINDOWS\System32\drivers\etc\hosts NT AUTHORITY\Authenticated Users:(special access:)

READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_READ_DATA
FILE_READ_EA
FILE_READ_ATTRIBUTES

#13 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:45 AM

Posted 30 August 2009 - 06:30 PM

Yes, those permissions don't look right; let's try and correct them.

Please copy the contents of the code box below, open notepad and paste it there. On the top toolbar in notepad select file, then save as.
In the box that opens type in permR.bat for the file name. Right below that click the down arrow in the line for "save as" and select all files. Save this to your desktop and close notepad.

CACLS "C:\WINDOWS\system32\drivers\etc\Hosts" /P BUILTIN\Users:R "BUILTIN\Power Users:R" "BUILTIN\Administrators:F" "NT AUTHORITY\SYSTEM:F" "GRBAS\Nick:F"
CACLS "C:\WINDOWS\system32\drivers\etc\Hosts" >perml.txt&perml.txt&DEL perml.txt

NOTICE: This file was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Then double click on permR.bat, the command prompt will pop up and prompt you (y\n)? press y then Enter.
A notepad will now open; please copy the contents in your next reply.

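An added example, not part of this thread and not syler's own tooling, that automates the two checks from posts #11 and #13 for triage: it parses a hosts file and lists entries that send real domain names to a non-local address (the kind of line a search-redirect hijacker writes), and it parses CACLS output for the hosts file and compares it with the baseline ACL that permR.bat sets (the user-specific GRBAS\Nick entry is left out of the baseline, so treat EXPECTED_ACL as an assumption). The hosts content and both CACLS outputs below are constructed sample data; the 203.0.113.x address is a documentation range, not an address from this thread.

```python
"""Hosts-file tamper checks (added example, constructed sample data)."""
import ipaddress
import re

# Assumed from the thread: the file being checked and the ACL permR.bat sets.
HOSTS_PATH = r"C:\WINDOWS\System32\drivers\etc\hosts"
EXPECTED_ACL = {
    r"BUILTIN\Users": "R",
    r"BUILTIN\Power Users": "R",
    r"BUILTIN\Administrators": "F",
    r"NT AUTHORITY\SYSTEM": "F",
}
WRITE_ALLOWED = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"}

# Constructed hosts file: one legitimate line, one ad-block style line,
# and two redirect lines of the kind a browser hijacker adds.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.example.net        # ad-block style, maps to loopback
203.0.113.10    www.google.com        # constructed hijack entry
203.0.113.10    search.yahoo.com      # constructed hijack entry
"""

# Constructed CACLS output in the shape the user posted (special access,
# one right per indented line) and in the shape expected after permR.bat.
SAMPLE_CACLS_BEFORE = r"""
C:\WINDOWS\System32\drivers\etc\hosts NT AUTHORITY\Authenticated Users:(special access:)
                                      READ_CONTROL
                                      SYNCHRONIZE
                                      FILE_GENERIC_READ
                                      FILE_READ_DATA
                                      FILE_READ_EA
                                      FILE_READ_ATTRIBUTES
"""
SAMPLE_CACLS_AFTER = r"""
C:\WINDOWS\System32\drivers\etc\hosts BUILTIN\Users:R
                                      BUILTIN\Power Users:R
                                      BUILTIN\Administrators:F
                                      NT AUTHORITY\SYSTEM:F
"""


def _is_local(ip_text):
    """Loopback or unspecified addresses keep traffic on the box, so they are
    not a redirect indicator by themselves."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:
            pairs.append((fields[0], host.lower()))
    return pairs


def suspicious_hosts_entries(text):
    """Entries that map a name to a non-local address: the triage list."""
    return [(ip, host) for ip, host in parse_hosts(text) if not _is_local(ip)]


# principal:[inheritance flags]access, where access is one letter (R/F/C/W/N)
# or the literal "(special access:)" followed by one right per line.
ACE_RE = re.compile(r"^(?P<principal>.+?):(?:\([A-Z]+\))*(?P<access>[A-Z]|\(special access:\))$")


def parse_cacls(output, path):
    """Parse CACLS output for one file into {principal: access}; special
    access is rendered as 'special(RIGHT,RIGHT,...)'."""
    acl, special = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):   # path precedes the first ACE
            line = line[len(path):].strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if m:
            principal, access = m.group("principal"), m.group("access")
            if access.startswith("(special"):
                special, acl[principal] = principal, []
            else:
                special, acl[principal] = None, access
        elif special is not None:
            acl[special].append(line)                # a right under special access
    return {p: (a if isinstance(a, str) else "special(" + ",".join(a) + ")")
            for p, a in acl.items()}


WRITE_RIGHTS = {"FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_GENERIC_WRITE",
                "GENERIC_WRITE", "GENERIC_ALL", "WRITE_DAC", "WRITE_OWNER"}


def _grants_write(access):
    if access.startswith("special("):
        return bool(WRITE_RIGHTS & set(access[8:-1].split(",")))
    return access in {"F", "C", "W"}


def acl_problems(acl, expected=EXPECTED_ACL, write_allowed=WRITE_ALLOWED):
    """Findings: baseline ACEs missing or different, ACEs not in the baseline,
    and any principal outside write_allowed that can modify the file."""
    problems = []
    for principal, access in expected.items():
        if acl.get(principal) != access:
            problems.append(f"{principal} should be {access}, is {acl.get(principal, 'absent')}")
    for principal, access in acl.items():
        if principal not in expected:
            problems.append(f"unexpected ACE for {principal}: {access}")
        if principal not in write_allowed and _grants_write(access):
            problems.append(f"{principal} can write the hosts file")
    return problems


if __name__ == "__main__":
    print("suspicious hosts entries:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("before:", acl_problems(parse_cacls(SAMPLE_CACLS_BEFORE, HOSTS_PATH)))
    print("after: ", acl_problems(parse_cacls(SAMPLE_CACLS_AFTER, HOSTS_PATH)))
```

On a real machine the two inputs come from reading the hosts file and from the output of `CACLS "C:\WINDOWS\System32\drivers\etc\hosts"`; the sample data here just stands in for them. A non-local entry is only a triage hit, since intranet names are legitimately mapped that way, but for public search engines it is exactly the symptom described at the top of the thread.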


#14 kingsalami

kingsalami
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:45 PM

Posted 30 August 2009 - 07:35 PM

Will Wordpad work? I couldn't find notepad on my machine.

#15 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:45 AM

Posted 30 August 2009 - 07:45 PM

No, Wordpad will not work.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield :
    :filefind
    notepad.exe
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan; please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt





