
Spyware.Banker and Rogue.Installer

  • This topic is locked
11 replies to this topic

#1 robbigfalls (Members, 5 posts)

Posted 19 September 2009 - 09:12 AM

I have had this problem since the end of August; almost 3 weeks now. I was first alerted to the problem when HughesNet slowed down my internet connection (this is called being FAPed by their Fair Access Policy). I am allowed 350 MB per day but this was being exceeded with downloads per hour of anything between 40-100MB. At the moment I am controlling it by continually disconnecting my modem, and the bug does have occasional quiet periods when downloads are normal.
I live in the rainforest in southern Belize and run a small network of 3 computers and have no local assistance. All computers run Windows XP Service Pack 2. I have 3 browsers installed on each (IE, Mozilla Firefox and Google Chrome). I generally avoided using IE except where https sites were incompatible with the other two. I had made Chrome my preference, although after researching this problem I read about security problems with Chrome also.
I was insufficiently protected before. I was running AVG FREE and Spyware Doctor FREE as well as Spybot Search and Destroy.
I now have the full version of Spyware Doctor and Antivirus and have downloaded SUPERAntiSpyware and Malwarebytes AntiMalware.
Yesterday and the day before I disconnected all 3 computers from each other and from the internet connection and ran Malwarebytes in Safe Mode with Networking. It found Spyware.Banker and Rogue.Installer and told me it had successfully quarantined and deleted them. I later ran it again and MBAM found both in different locations now. Yesterday I did a third run and it found nothing on any machine. However, throughout yesterday it downloaded substantially more than can be accounted for by my own use and in the last two hours downloaded 98MB and 57MB of data.
I am attaching the MBAM files and a hijackthis log made this morning.

All help appreciated. Each time HughesNet slows the internet connection down I am effectively unable to do any work for 24 hours.



#2 myrti (Sillyberry, Malware Study Hall Admin, 33,774 posts)

Posted 06 October 2009 - 04:37 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

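The OTL report requested above is plain text, and the log the OP posts later in this thread shows its line layout: one line per process (PRC), service (SRV) and driver (DRV) with timestamp, size, publisher name from the file's version info and path, plus one line per Internet Explorer registry setting. The script below is an added example, not code from OTL, from BleepingComputer's procedure or from anyone in this thread. It assumes only that layout and pulls out three things a helper usually looks at first: binaries whose version info carries no publisher (the empty "()" field), URLSearchHook entries whose file is missing, and ProxyServer settings per user hive. The sample lines are copied from the OTL log posted later in this thread; the function and field names are the example's own.

```python
r"""
Triage helper for OTL (OldTimer's List-It) scan output.

Added example for this thread; not OTL's own code and not part of the
BleepingComputer cleaning procedure.  Assumes the line layout visible in
the OTL log posted later in this thread:

  PRC - [date time | size | attrs | M] (Company) -- path
  SRV - [ ... ] (Company) -- path -- (ServiceName [Start | State])
  DRV - [ ... ] (Company) -- path -- (ServiceName [Start | State])
  IE  - HKU\<hive>\...\Internet Settings: "ProxyServer" = value
  IE  - HKU\<hive>\..\URLSearchHook: {CLSID} - Reg Error: Key error. File not found
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the OTL log in this
# thread so the script runs offline.  A real run would read all of OTL.txt.
SAMPLE_LOG = r"""
PRC - [2009/09/28 19:51:24 | 04,149,248 | ---- | M] () -- C:\Program Files\Squeezebox\server\Bin\MSWin32-x86-multi-thread\mysqld.exe
PRC - [2009/09/12 16:35:02 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
SRV - [2009/09/28 19:51:24 | 04,149,248 | ---- | M] () -- C:\Program Files\Squeezebox\server\Bin\MSWin32-x86-multi-thread\mysqld.exe -- (SqueezeMySQL [Auto | Running])
DRV - [2009/09/04 14:50:02 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Running])
DRV - [2008/06/09 12:05:19 | 00,022,512 | ---- | M] () -- C:\WINDOWS\system32\DRIVERS\adwarealert.sys -- (adwarealert [Boot | Running])
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:83
IE - HKU\S-1-5-21-790525478-562591055-682003330-1003\S-1-5-21-790525478-562591055-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-790525478-562591055-682003330-1003\S-1-5-21-790525478-562591055-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 192.168.0.1:6588
"""

# PRC/SRV/DRV line: bracketed metadata, (Company), path, optional service block.
ENTRY_RE = re.compile(
    r'^(?P<kind>PRC|SRV|DRV) - \[(?P<stamp>[^|]+) \| (?P<size>[\d,]+) \| (?P<attrs>[^|]+) \| M\] '
    r'\((?P<company>[^)]*)\) -- (?P<path>.+?)'
    r'(?: -- \((?P<svc>[^\[]+) \[(?P<start>[^|]+) \| (?P<state>[^\]]+)\]\))?$'
)
# Per-hive IE proxy settings.
PROXY_RE = re.compile(
    r'^IE - HKU\\(?P<hive>[^\\]+)\\.*Internet Settings: "(?P<key>ProxyServer|ProxyEnable)" = (?P<value>.*)$'
)
# Per-hive URLSearchHook with OTL's status note after the CLSID.
HOOK_RE = re.compile(
    r'^IE - HKU\\(?P<hive>[^\\]+)\\\.\.\\URLSearchHook: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<note>.*)$'
)


@dataclass
class Finding:
    severity: str   # "review": look at it; "info": worth knowing, not active
    reason: str
    line: str


def proxy_hosts(value: str) -> list[str]:
    """Bare hosts from a ProxyServer value: "host:port" or "http=host:port;https=...". """
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            part = part.split("=", 1)[1]
        hosts.append(part.rsplit(":", 1)[0])
    return hosts


def is_loopback(host: str) -> bool:
    return host == "localhost" or host.startswith("127.")


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    proxies: dict[str, dict[str, tuple[str, str]]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            # Empty "()" means the file has no CompanyName in its version
            # resource.  Common for open-source builds, so this is a prompt
            # to check the file, not a verdict.
            if not m["company"].strip():
                findings.append(Finding("review",
                    f"{m['kind']} with no publisher in version info: {m['path']}", line))
            continue
        m = PROXY_RE.match(line)
        if m:
            proxies.setdefault(m["hive"], {})[m["key"]] = (m["value"].strip(), line)
            continue
        m = HOOK_RE.match(line)
        if m and "File not found" in m["note"]:
            findings.append(Finding("review",
                f"URLSearchHook {m['clsid']} in {m['hive']} points at a missing file", line))
    for hive, keys in proxies.items():
        if "ProxyServer" not in keys:
            continue
        server, line = keys["ProxyServer"]
        enable = keys.get("ProxyEnable", ("unset", ""))[0]
        # ProxyEnable=0 means the ProxyServer value is configured but not in
        # use; still worth a look when it points at another machine.
        remote = any(not is_loopback(h) for h in proxy_hosts(server))
        severity = "review" if enable == "1" or remote else "info"
        findings.append(Finding(severity,
            f"proxy {server} configured in {hive} (ProxyEnable={enable})", line))
    return findings


def summarize(log_text: str) -> dict[str, int]:
    """Count findings per severity."""
    return dict(Counter(f.severity for f in triage(log_text)))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}")
```

On the sample, the two mysqld.exe lines and adwarealert.sys come out as "review" purely because their version info names no publisher; the Squeezebox-bundled MySQL is a legitimate build, so that flag is a reason to look at the file, not a diagnosis. Both proxies in the log have ProxyEnable=0 and so are inert; the 192.168.0.1:6588 entry is still reported at "review" because it points at another host on the LAN, which matters on a three-machine network where the question is where the traffic goes.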


#3 myrti (Sillyberry, Malware Study Hall Admin, 33,774 posts)

Posted 11 October 2009 - 05:49 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
_temp_



#4 Grinler (Lawrence Abrams, Admin, 43,618 posts)

Posted 15 October 2009 - 07:22 PM

Topic reopened at the request of the OP.

#5 robbigfalls (Topic Starter, Members, 5 posts)

Posted 17 October 2009 - 01:37 PM

I am pasting the OTL Notepad log below. OTL did not save an Extras file.

OTL logfile created on: 10/17/2009 12:29:05 PM - Run 3
OTL by OldTimer - Version 3.0.21.0 Folder = C:\Documents and Settings\Big Falls Lodge\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.07 Mb Total Physical Memory | 96.48 Mb Available Physical Memory | 9.51% Memory free
2.38 Gb Paging File | 1.46 Gb Available in Paging File | 61.28% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48.83 Gb Total Space | 18.21 Gb Free Space | 37.28% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 100.14 Gb Total Space | 30.85 Gb Free Space | 30.81% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Z: | 17.71 Gb Total Space | 8.69 Gb Free Space | 49.05% Space Free | Partition Type: NTFS

Computer Name: DREAM-DF0608A96
Current User Name: Big Falls Lodge
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/10/15 17:20:51 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Big Falls Lodge\Desktop\OTL.exe
PRC - [2009/09/28 19:52:08 | 10,584,149 | ---- | M] (SlimDevices - A Logitech Company) -- C:\Program Files\Squeezebox\server\SqueezeSvr.exe
PRC - [2009/09/28 19:51:40 | 02,351,191 | ---- | M] (SlimDevices - A Logitech Company) -- C:\Program Files\Squeezebox\SqueezeTray.exe
PRC - [2009/09/28 19:51:24 | 04,149,248 | ---- | M] () -- C:\Program Files\Squeezebox\server\Bin\MSWin32-x86-multi-thread\mysqld.exe
PRC - [2009/09/16 08:43:38 | 03,114,416 | ---- | M] (Tonec Inc.) -- E:\Program files\Internet Download Manager\IDMan.exe
PRC - [2009/09/12 16:35:02 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/09/04 14:49:58 | 01,994,480 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/07/27 15:55:29 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/07/27 15:55:29 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/07/22 22:44:50 | 01,181,064 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsTray.exe
PRC - [2009/07/22 22:44:48 | 01,097,096 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe
PRC - [2009/07/21 15:21:08 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2009/06/30 17:39:08 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Big Falls Lodge\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
PRC - [2009/06/05 13:39:22 | 00,292,136 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/06/05 13:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/04/02 08:37:58 | 02,736,184 | ---- | M] (humyo.com Ltd.) -- C:\Program Files\humyo.com Client\hrfscore.exe
PRC - [2009/03/31 11:23:06 | 00,070,944 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/07 12:40:56 | 00,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/11/02 02:38:58 | 00,167,936 | ---- | M] (PowerISO Computing, Inc.) -- E:\Program Files\PowerISO\PWRISOVM.EXE
PRC - [2008/02/18 07:01:01 | 00,251,312 | ---- | M] (Tonec Inc.) -- E:\Program files\Internet Download Manager\IEMonitor.exe
PRC - [2007/08/18 08:25:22 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/06/18 16:51:50 | 00,565,248 | ---- | M] (Lavasoft AB) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
PRC - [2007/06/13 04:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2006/10/22 23:24:02 | 00,620,152 | ---- | M] (Adobe Systems Inc.) -- E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2006/03/30 09:15:44 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2005/03/08 19:46:12 | 00,061,440 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
PRC - [2004/11/08 13:05:44 | 00,241,664 | ---- | M] (Delta) -- C:\Program Files\Belkin Bulldog Plus\upsd.exe
PRC - [2004/09/29 15:19:40 | 00,102,400 | ---- | M] (Laplink Software, Inc.) -- C:\WINDOWS\System32\TSIRCSRV.EXE
PRC - [2003/08/06 13:24:20 | 12,037,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
PRC - [2003/07/14 22:45:18 | 00,196,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

========== Win32 Services (SafeList) ==========

SRV - [2009/09/28 19:51:24 | 04,149,248 | ---- | M] () -- C:\Program Files\Squeezebox\server\Bin\MSWin32-x86-multi-thread\mysqld.exe -- (SqueezeMySQL [Auto | Running])
SRV - [2009/07/27 15:55:29 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/07/22 22:44:48 | 01,097,096 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService [Auto | Running])
SRV - [2009/07/21 15:21:08 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Running])
SRV - [2009/06/05 13:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/04/26 14:29:24 | 00,090,352 | ---- | M] (PC Pitstop LLC) -- C:\Program Files\PCPitstop\PCPitstopScheduleService.exe -- (PCPitstop Scheduling [Disabled | Stopped])
SRV - [2009/04/02 08:37:58 | 02,736,184 | ---- | M] (humyo.com Ltd.) -- C:\Program Files\humyo.com Client\hrfscore.exe -- (humyo.com [On_Demand | Running])
SRV - [2009/04/01 08:16:43 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
SRV - [2009/03/31 11:23:06 | 00,070,944 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\TFEngine\TFService.exe -- (ThreatFire [On_Demand | Running])
SRV - [2009/01/07 12:40:56 | 00,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService [Auto | Running])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2007/06/18 16:51:50 | 00,565,248 | ---- | M] (Lavasoft AB) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice [Auto | Running])
SRV - [2007/03/20 16:41:24 | 00,153,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3 [On_Demand | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2006/03/30 09:15:44 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8 [Auto | Running])
SRV - [2006/02/28 06:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/03/08 19:46:12 | 00,061,440 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon [Auto | Running])
SRV - [2004/11/08 13:05:44 | 00,241,664 | ---- | M] (Delta) -- C:\Program Files\Belkin Bulldog Plus\upsd.exe -- (UPSentry_Smart [Auto | Running])
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2004/09/29 15:19:40 | 00,102,400 | ---- | M] (Laplink Software, Inc.) -- C:\WINDOWS\System32\TSIRCSRV.EXE -- (TSIRCSRV [Auto | Running])
SRV - [2004/02/26 00:18:00 | 00,065,795 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12 [On_Demand | Stopped])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2009/09/04 14:50:02 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Running])
DRV - [2009/09/04 14:50:00 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/09/04 14:49:58 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2009/08/24 14:05:06 | 00,206,256 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore [Boot | Running])
DRV - [2009/04/02 08:38:02 | 00,144,696 | ---- | M] (humyo.com Ltd.) -- C:\WINDOWS\System32\Drivers\hrfsmrx.sys -- (hrfsmrx [On_Demand | Running])
DRV - [2009/03/31 11:23:26 | 00,039,200 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon [Boot | Running])
DRV - [2009/03/31 11:23:24 | 00,033,056 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\TfNetMon.sys -- (TfNetMon [On_Demand | Running])
DRV - [2009/03/31 11:23:20 | 00,051,488 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon [Boot | Running])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2008/12/11 08:38:22 | 00,159,600 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys -- (pctgntdi [System | Running])
DRV - [2008/12/10 11:36:04 | 00,064,392 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys -- (pctplsg [On_Demand | Running])
DRV - [2008/11/02 02:44:10 | 00,056,572 | ---- | M] (PowerISO Computing, Inc.) -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu [System | Running])
DRV - [2008/06/09 12:05:19 | 00,022,512 | ---- | M] () -- C:\WINDOWS\system32\DRIVERS\adwarealert.sys -- (adwarealert [Boot | Running])
DRV - [2008/05/24 10:21:24 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys -- (tmcomm [Auto | Running])
DRV - [2008/02/22 20:38:33 | 00,043,872 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2006/05/10 15:00:16 | 00,156,160 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\b57xp32.sys -- (b57w2k [On_Demand | Running])
DRV - [2006/02/28 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2005/04/05 21:46:28 | 00,830,684 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2005/01/27 16:31:06 | 00,260,352 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2004/09/29 16:23:16 | 00,043,040 | ---- | M] (Laplink Software, Inc.) -- C:\WINDOWS\System32\drivers\tsiser.sys -- (TSISER [Auto | Running])
DRV - [2004/09/29 15:19:16 | 00,002,816 | ---- | M] (Laplink Software, Inc.) -- C:\WINDOWS\System32\Drivers\tsircmir.sys -- (tsircmir [System | Running])
DRV - [2004/09/29 15:18:52 | 00,009,216 | ---- | M] (Laplink Software, Inc.) -- C:\WINDOWS\System32\drivers\TSIRCINK.SYS -- (TSIRCINK [System | Stopped])
DRV - [2004/09/29 15:18:36 | 00,005,120 | ---- | M] (Laplink Software, Inc.) -- C:\WINDOWS\System32\drivers\TSISTRMX.SYS -- (TSISTRMX [Auto | Running])
DRV - [2004/09/29 15:18:04 | 00,005,632 | ---- | M] (Laplink Software, Inc.) -- C:\WINDOWS\System32\drivers\TSIMSF5.sys -- (TSIMSF5 [On_Demand | Running])
DRV - [2004/09/29 15:17:28 | 00,009,728 | ---- | M] (Laplink Software, Inc.) -- C:\WINDOWS\System32\drivers\TSIKBF5.sys -- (TSIKBF5 [On_Demand | Running])
DRV - [2004/09/17 10:02:54 | 00,732,928 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\drivers\senfilt.sys -- (senfilt [On_Demand | Running])
DRV - [2004/08/03 23:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Running])
DRV - [2004/02/26 00:18:02 | 00,021,488 | R--- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Running])
DRV - [2004/02/26 00:18:00 | 00,051,056 | R--- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Running])
DRV - [2004/02/26 00:18:00 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Running])
DRV - [2003/06/26 21:05:38 | 00,472,332 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\System32\DRIVERS\LVCM.sys -- (QCMerced [On_Demand | Running])
DRV - [2003/04/24 15:21:50 | 00,006,025 | R--- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom\ASFIPMon\BASFND.sys -- (BASFND [Auto | Running])
DRV - [2001/08/17 13:58:00 | 00,019,200 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\HidBatt.sys -- (HidBatt [On_Demand | Running])
DRV - [2001/08/17 13:12:32 | 00,016,074 | ---- | M] (NETGEAR Corp.) -- C:\WINDOWS\System32\DRIVERS\FA312nd5.sys -- (FA312 [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = ;localhost;<local>
IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:83


IE - HKU\S-1-5-21-790525478-562591055-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-790525478-562591055-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-790525478-562591055-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-790525478-562591055-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-790525478-562591055-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-790525478-562591055-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-790525478-562591055-682003330-1003\S-1-5-21-790525478-562591055-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-790525478-562591055-682003330-1003\S-1-5-21-790525478-562591055-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost;<local>;*.local
IE - HKU\S-1-5-21-790525478-562591055-682003330-1003\S-1-5-21-790525478-562591055-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 192.168.0.1:6588

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.bbc.co.uk/|http://www.guardian.co.uk/"
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19
FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:3.1.20081127W
FF - prefs.js..extensions.enabledItems: mozilla_cc@internetdownloadmanager.com:6.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: en-US@dictionaries.addons.mozilla.org:3.0.3
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3
FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p="

FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [2007/08/18 08:33:19 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/11/06 11:14:27 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/07/27 15:55:29 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/01 20:43:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/10/15 15:36:57 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/10/15 15:36:57 | 00,000,000 | ---D | M]

[2008/06/17 15:45:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Big Falls Lodge\Application Data\mozilla\Extensions
[2008/06/17 15:45:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Big Falls Lodge\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/10/16 14:15:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Big Falls Lodge\Application Data\mozilla\Firefox\Profiles\831h403s.default\extensions
[2009/09/02 08:27:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Big Falls Lodge\Application Data\mozilla\Firefox\Profiles\831h403s.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/12/11 16:12:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Big Falls Lodge\Application Data\mozilla\Firefox\Profiles\831h403s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/04/17 12:26:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Big Falls Lodge\Application Data\mozilla\Firefox\Profiles\831h403s.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2008/06/17 15:48:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Big Falls Lodge\Application Data\mozilla\Firefox\Profiles\831h403s.default\extensions\en-US@dictionaries.addons.mozilla.org
[2009/10/16 14:15:17 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/09/12 16:35:10 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/07/27 15:55:58 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2007/08/18 08:33:26 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\google-cjk@partners.mozilla.com
[2009/06/08 06:52:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\hrfsdownloader@hrfs.com
[2009/09/12 16:35:01 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/09/12 16:35:01 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/07/27 15:55:29 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/02/06 12:44:28 | 01,447,296 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll
[2009/09/12 16:35:03 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2003/07/14 22:56:52 | 00,013,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL
[2009/08/03 15:07:42 | 00,373,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npOGAPlugin.dll
[2006/10/22 23:24:32 | 00,091,768 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2008/11/06 11:14:06 | 00,144,984 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nppl3260.dll
[2009/06/12 15:44:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/06/12 15:44:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/06/12 15:44:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/06/12 15:44:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/06/12 15:44:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/06/12 15:44:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/06/12 15:44:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2008/11/06 11:14:43 | 00,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprjplug.dll
[2008/11/06 11:13:11 | 00,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprpjplug.dll
[2008/08/27 19:23:26 | 00,221,184 | ---- | M] (CNN) -- C:\Program Files\mozilla firefox\plugins\NPTURNMED.dll
[2009/07/30 15:53:07 | 00,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2009/07/30 15:53:07 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/14 15:41:47 | 00,001,489 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg_igeared.xml
[2009/07/30 15:53:07 | 00,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2009/07/30 15:53:07 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/30 15:53:07 | 00,000,769 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2009/07/30 15:53:07 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/30 15:53:07 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/30 15:53:07 | 00,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (IDMIEHlprObj Class) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - E:\Program files\Internet Download Manager\IDMIECC.dll (Tonec Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (IEHelperObject Class) - {4DC16316-5372-4476-9CA5-88B2786B838F} - C:\Program Files\humyo.com Client\HrfsDownloader.dll (humyo.com Ltd.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-790525478-562591055-682003330-1003\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O3 - HKU\S-1-5-21-790525478-562591055-682003330-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ISTray] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] E:\Program files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-790525478-562591055-682003330-1003..\Run: [CommCtr] C:\Program Files\Net2Phone CommCenter\CommCtr.exe (Net2Phone Inc.)
O4 - HKU\S-1-5-21-790525478-562591055-682003330-1003..\Run: [Google Update] C:\Documents and Settings\Big Falls Lodge\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKU\S-1-5-21-790525478-562591055-682003330-1003..\Run: [IDMan] E:\Program files\Internet Download Manager\IDMan.exe (Tonec Inc.)
O4 - HKU\S-1-5-21-790525478-562591055-682003330-1003..\Run: [Net2Phone Dialer] C:\Program Files\Net2Phone SIP Dialer\dialer.exe ()
O4 - HKU\S-1-5-21-790525478-562591055-682003330-1003..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
O4 - HKU\S-1-5-21-790525478-562591055-682003330-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-790525478-562591055-682003330-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-790525478-562591055-682003330-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk = E:\Program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\humyo.com Client.lnk = C:\Program Files\humyo.com Client\HrfsClient.exe (humyo.com Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Squeezebox Server Tray Tool.lnk = C:\Program Files\Squeezebox\SqueezeTray.exe (SlimDevices - A Logitech Company)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-790525478-562591055-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-790525478-562591055-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-790525478-562591055-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-790525478-562591055-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-790525478-562591055-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-790525478-562591055-682003330-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-790525478-562591055-682003330-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Append to existing PDF - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Download all links with IDM - E:\Program files\Internet Download Manager\IEGetAll.htm ()
O8 - Extra context menu item: Download FLV video content with IDM - E:\Program files\Internet Download Manager\IEGetVL.htm ()
O8 - Extra context menu item: Download with IDM - E:\Program files\Internet Download Manager\IEExt.htm ()
O8 - Extra context menu item: Save Image To humyo.com - C:\Program Files\humyo.com Client\download.html ()
O8 - Extra context menu item: Save Target To humyo.com - C:\Program Files\humyo.com Client\download.html ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O15 - HKLM\..Trusted Domains: 46 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 45 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 45 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-790525478-562591055-682003330-1003\..Trusted Domains: 45 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll (PCPitstop Exam)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 66.82.4.8 0.0.0.0
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/15 13:33:24 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{d4e9fa5c-662d-11dc-9c49-0080ae000001}\Shell\AutoRun\command - "" = G:\ntdelect.com -- File not found
O33 - MountPoints2\{d4e9fa5c-662d-11dc-9c49-0080ae000001}\Shell\explore\Command - "" = ntdeIect.com
O33 - MountPoints2\{d4e9fa5c-662d-11dc-9c49-0080ae000001}\Shell\open\Command - "" = ntdeIect.com
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/10/15 15:37:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2009/10/04 14:57:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Squeezebox
[2009/09/25 13:55:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Big Falls Lodge\Application Data\IObit
[2009/09/25 13:55:06 | 00,000,000 | ---D | C] -- C:\Program Files\IObit
[2009/10/04 15:00:03 | 00,000,000 | ---D | C] -- C:\Program Files\Squeezebox
[2009/10/15 17:20:08 | 00,521,216 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Big Falls Lodge\Desktop\OTL.exe
[2009/10/14 15:51:49 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2003/03/21 09:30:04 | 02,187,264 | ---- | C] (MunsenWare) -- C:\Program Files\Tracker.exe
[2003/03/21 09:30:04 | 00,307,200 | ---- | C] (MunsenWare) -- C:\Program Files\Dbutil.exe
[2003/03/21 09:30:04 | 00,075,264 | ---- | C] (MunsenWare) -- C:\Program Files\Gtbackup.exe
[2003/03/21 09:30:04 | 00,060,928 | ---- | C] (MunsenWare) -- C:\Program Files\Verify.exe
[2003/03/21 09:30:04 | 00,046,336 | ---- | C] (MunsenWare) -- C:\Program Files\Usradmin.exe
[2003/03/21 09:30:04 | 00,038,144 | ---- | C] (MunsenWare) -- C:\Program Files\License.exe

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/10/17 11:55:12 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/10/17 11:45:37 | 00,002,197 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2009/10/17 11:44:40 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/17 11:44:00 | 00,001,018 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-562591055-682003330-1003UA.job
[2009/10/17 11:43:37 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/17 11:43:35 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/16 17:44:02 | 00,000,966 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-562591055-682003330-1003Core.job
[2009/10/16 14:22:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/10/16 09:55:37 | 00,000,064 | ---- | M] () -- C:\Program Files\GT080524.ldb
[2009/10/16 09:55:36 | 05,079,040 | ---- | M] () -- C:\Program Files\GT080524.MDB
[2009/10/16 09:55:36 | 00,000,018 | ---- | M] () -- C:\Program Files\GT080524.USR
[2009/10/16 08:47:14 | 00,000,052 | ---- | M] () -- C:\Program Files\TRACKER.INI
[2009/10/15 17:20:51 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Big Falls Lodge\Desktop\OTL.exe
[2009/10/15 15:19:51 | 00,000,295 | ---- | M] () -- C:\Program Files\GT080524.GTP
[2009/10/15 15:19:44 | 00,000,039 | ---- | M] () -- C:\Program Files\GTBACKUP.INI
[2009/10/14 15:54:44 | 00,505,234 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/14 15:54:44 | 00,444,028 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/10/14 15:54:44 | 00,071,904 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/13 17:46:30 | 00,002,401 | ---- | M] () -- C:\Documents and Settings\Big Falls Lodge\Desktop\Google Chrome.lnk
[2009/10/11 12:57:09 | 00,001,648 | ---- | M] () -- C:\WINDOWS\cmbtll.ini
[2009/10/11 12:57:09 | 00,000,388 | ---- | M] () -- C:\WINDOWS\CMBTCTL.INI
[2009/10/11 12:57:09 | 00,000,095 | ---- | M] () -- C:\WINDOWS\combit.ini
[2009/10/04 15:00:42 | 00,000,770 | ---- | M] () -- C:\Documents and Settings\Big Falls Lodge\Desktop\Squeezebox Server.lnk
[2009/10/04 15:00:42 | 00,000,766 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Squeezebox Server Tray Tool.lnk
[2009/10/03 16:40:07 | 00,018,944 | ---- | M] () -- C:\Documents and Settings\Big Falls Lodge\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/02 12:01:57 | 25,198,016 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/09/26 03:00:00 | 00,000,348 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2009/09/25 13:55:27 | 00,000,404 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag.job
[2009/09/25 13:55:12 | 00,000,697 | ---- | M] () -- E:\Data warehouse\Desktop\Smart Defrag.lnk
[2009/09/20 16:48:01 | 00,001,006 | ---- | M] () -- C:\Documents and Settings\Big Falls Lodge\Desktop\Spybot - Search & Destroy.lnk

========== Files - No Company Name ==========
[2009/10/15 15:19:50 | 00,000,064 | ---- | C] () -- C:\Program Files\GT080524.ldb
[2009/10/04 15:00:42 | 00,000,770 | ---- | C] () -- C:\Documents and Settings\Big Falls Lodge\Desktop\Squeezebox Server.lnk
[2009/10/04 15:00:42 | 00,000,766 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Squeezebox Server Tray Tool.lnk
[2009/09/25 13:55:27 | 00,000,404 | ---- | C] () -- C:\WINDOWS\tasks\SmartDefrag.job
[2009/09/25 13:55:12 | 00,000,697 | ---- | C] () -- E:\Data warehouse\Desktop\Smart Defrag.lnk
[2009/07/21 15:34:53 | 02,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2009/05/03 20:03:07 | 00,000,064 | ---- | C] () -- C:\Program Files\TRACKER.ldb
[2008/12/08 07:55:29 | 00,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2008/11/02 18:46:54 | 00,000,427 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/10/12 10:59:14 | 00,160,256 | ---- | C] () -- C:\Program Files\tracker.FTG
[2008/09/27 15:21:02 | 00,000,004 | ---- | C] () -- C:\Documents and Settings\Big Falls Lodge\Application Data\CAB84E
[2008/09/27 15:21:01 | 00,870,128 | ---- | C] () -- C:\Documents and Settings\Big Falls Lodge\Application Data\mcs.rma
[2008/07/28 18:44:11 | 00,000,024 | ---- | C] () -- C:\Program Files\TRACKER.GTP
[2008/07/28 18:37:45 | 00,000,295 | ---- | C] () -- C:\Program Files\GT080524.GTP
[2008/07/27 07:38:55 | 00,000,018 | ---- | C] () -- C:\Program Files\GT080524.USR
[2008/07/25 18:34:26 | 05,079,040 | ---- | C] () -- C:\Program Files\GT080524.MDB
[2008/07/25 18:34:26 | 00,000,039 | ---- | C] () -- C:\Program Files\UNKNOWN.GTP
[2008/06/13 10:55:29 | 00,022,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\adwarealert.sys
[2008/05/27 19:01:33 | 00,106,634 | -H-- | C] () -- C:\Program Files\tracker.GID
[2008/05/24 09:52:07 | 00,000,039 | ---- | C] () -- C:\Program Files\GTBACKUP.INI
[2008/03/31 13:09:55 | 00,000,031 | ---- | C] () -- C:\WINDOWS\SetupWIZ.INI
[2008/03/02 12:47:28 | 00,001,344 | ---- | C] () -- C:\WINDOWS\System32\odbcinst.ini
[2008/01/30 11:21:57 | 00,000,077 | ---- | C] () -- C:\WINDOWS\bi_group.ini
[2007/12/16 12:53:09 | 00,000,093 | ---- | C] () -- C:\WINDOWS\PinPoint.ini
[2007/10/26 12:35:48 | 00,000,967 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/09/29 18:19:05 | 00,001,751 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/09/13 15:50:08 | 00,257,536 | ---- | C] () -- C:\WINDOWS\BiImg.dll
[2007/09/13 15:50:08 | 00,110,592 | ---- | C] () -- C:\WINDOWS\JPEG32.DLL
[2007/09/13 15:50:08 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\BiMResNT.dll
[2007/09/03 20:20:05 | 04,840,668 | -H-- | C] () -- C:\Documents and Settings\Big Falls Lodge\Local Settings\Application Data\IconCache.db
[2007/08/28 14:55:04 | 00,014,938 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2007/08/24 07:29:49 | 00,003,240 | ---- | C] () -- C:\WINDOWS\ACTWIN2.INI
[2007/08/23 14:26:36 | 00,018,944 | ---- | C] () -- C:\Documents and Settings\Big Falls Lodge\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/21 10:47:51 | 00,001,648 | ---- | C] () -- C:\WINDOWS\cmbtll.ini
[2007/08/21 10:47:48 | 00,000,095 | ---- | C] () -- C:\WINDOWS\combit.ini
[2007/08/19 16:47:46 | 00,000,138 | ---- | C] () -- C:\Documents and Settings\Big Falls Lodge\Local Settings\Application Data\fusioncache.dat
[2007/08/19 06:26:18 | 00,022,532 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/08/15 14:25:30 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/08/15 13:37:46 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Big Falls Lodge\Application Data\desktop.ini
[2007/08/15 06:25:09 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2006/02/28 06:00:00 | 00,000,756 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/02/28 06:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2005/06/11 11:47:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\fpprintmon.dll
[2004/02/26 00:18:04 | 00,565,248 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2003/03/21 11:57:52 | 00,100,768 | ---- | C] () -- C:\Documents and Settings\Big Falls Lodge\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2003/03/21 10:34:07 | 00,000,388 | ---- | C] () -- C:\WINDOWS\CMBTCTL.INI
[2003/03/21 09:31:12 | 00,000,018 | ---- | C] () -- C:\Program Files\TRACKER.USR
[2003/03/21 09:31:11 | 00,000,052 | ---- | C] () -- C:\Program Files\TRACKER.INI
[2003/03/21 09:31:05 | 00,000,736 | -H-- | C] () -- C:\Program Files\TRACKER.LIC
[2003/03/21 09:30:07 | 00,220,554 | ---- | C] () -- C:\Program Files\Tracker.bmp
[2003/03/21 09:30:06 | 01,299,579 | ---- | C] () -- C:\Program Files\What's New in Version 3.pdf
[2003/03/21 09:30:06 | 00,491,520 | ---- | C] () -- C:\Program Files\Tracker.mdb
[2003/03/21 09:30:06 | 00,470,760 | ---- | C] () -- C:\Program Files\Web Module.pdf
[2003/03/21 09:30:06 | 00,119,669 | ---- | C] () -- C:\Program Files\V3.0 Update Procedure.pdf
[2003/03/21 09:30:06 | 00,099,509 | ---- | C] () -- C:\Program Files\V3.0 Network Install.pdf
[2003/03/21 09:30:06 | 00,091,877 | ---- | C] () -- C:\Program Files\V3.0 Install Procedure.pdf
[2003/03/21 09:30:05 | 02,410,749 | ---- | C] () -- C:\Program Files\TRACKER.hlp
[2003/03/21 09:30:05 | 00,289,078 | ---- | C] () -- C:\Program Files\Wam.hlp
[2003/03/21 09:30:05 | 00,156,682 | ---- | C] () -- C:\Program Files\Dbutil.hlp
[2003/03/21 09:30:05 | 00,041,127 | ---- | C] () -- C:\Program Files\Security Module.pdf
[2003/03/21 09:30:05 | 00,025,403 | ---- | C] () -- C:\Program Files\Usradmin.hlp
[2003/03/21 09:30:05 | 00,024,555 | ---- | C] () -- C:\Program Files\TRACKER.cnt
[2003/03/21 09:30:05 | 00,014,743 | ---- | C] () -- C:\Program Files\Gtbackup.hlp
[2003/03/21 09:30:05 | 00,002,640 | ---- | C] () -- C:\Program Files\WAM.cnt
[2003/03/21 09:30:05 | 00,000,829 | ---- | C] () -- C:\Program Files\dbutil.cnt
[2003/03/21 09:30:05 | 00,000,354 | ---- | C] () -- C:\Program Files\usradmin.CNT
[2003/03/21 09:30:05 | 00,000,240 | ---- | C] () -- C:\Program Files\GTBACKUP.cnt
[2003/03/21 09:30:04 | 00,220,554 | ---- | C] () -- C:\Program Files\Splash.bmp
[2003/03/21 09:30:04 | 00,034,899 | ---- | C] () -- C:\Program Files\Sysinfo.exe
[2003/03/21 09:30:04 | 00,019,062 | ---- | C] () -- C:\Program Files\Dialog.BMP
[2003/03/21 09:30:04 | 00,004,323 | ---- | C] () -- C:\Program Files\license.txt
[2003/03/21 09:30:04 | 00,002,856 | ---- | C] () -- C:\Program Files\30files.txt
[2003/03/21 09:30:04 | 00,000,837 | ---- | C] () -- C:\Program Files\Readme.txt
[2003/02/26 15:47:14 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\MimicICM.dll
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1999/01/27 13:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[1996/11/17 01:37:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FA5F15C4
< End of report >
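
An added example, not part of the thread and not OTL's own code: a small Python triage helper that reads lines in the O6/O7/O33 format seen in the log above, decodes the NoDriveTypeAutoRun and NoDriveAutoRun bitmasks, and lists the MountPoints2 shell handlers for review. The sample lines are constructed to mirror the log rather than copied from it, the finding names are my own, and the output is a list of items to check by hand, not a verdict on any file.

```python
"""Triage helper for OTL-style O6/O7/O33 lines (added example, not from the thread).

Decodes the AutoRun policy values OTL prints on O6/O7 lines and reviews the
O33 MountPoints2 shell handlers.  The result is a list of things to look at,
not a malware verdict.
"""
import re
from collections import defaultdict

# Constructed sample in OTL's format, modelled on the log above.
SAMPLE_LOG = r"""
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O33 - MountPoints2\{d4e9fa5c-662d-11dc-9c49-0080ae000001}\Shell\AutoRun\command - "" = G:\ntdelect.com -- File not found
O33 - MountPoints2\{d4e9fa5c-662d-11dc-9c49-0080ae000001}\Shell\explore\Command - "" = ntdeIect.com
O33 - MountPoints2\{d4e9fa5c-662d-11dc-9c49-0080ae000001}\Shell\open\Command - "" = ntdeIect.com
"""

# NoDriveTypeAutoRun: each set bit disables AutoRun for one drive type
# (same bit layout as GetDriveType()).  0x91 (145) is the Windows XP default.
DRIVE_TYPE_BITS = [
    (0x01, "unknown type"), (0x02, "no root directory"), (0x04, "removable"),
    (0x08, "fixed"), (0x10, "network"), (0x20, "CD-ROM"),
    (0x40, "RAM disk"), (0x80, "reserved"),
]
XP_DEFAULT_TYPE_MASK = 0x91

# Only the NoDrive* policy values are decoded; other O6/O7 lines are ignored.
POLICY_RE = re.compile(r"^O[67] - (?P<key>.+?): (?P<name>NoDrive\w*) = (?P<value>\d+)\s*$")
MOUNT_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[^}]+)\}\\Shell\\(?P<verb>\w+)\\[Cc]ommand'
    r' - "" = (?P<target>.+?)(?P<missing> -- File not found)?\s*$'
)
# Lookalike normalisation after casefold: capital I / digit 1 read as l, 0 as o.
LOOKALIKE = str.maketrans({"i": "l", "1": "l", "0": "o"})


def decode_drive_type_mask(value):
    """Names of drive types whose AutoRun is disabled, plus any bits above 0xFF."""
    names = [name for bit, name in DRIVE_TYPE_BITS if value & bit]
    return names, value & ~0xFF


def decode_drive_letter_mask(value):
    """NoDriveAutoRun: bit n disables AutoRun on drive letter chr('A' + n)."""
    return [chr(ord("A") + n) for n in range(26) if value >> n & 1]


def triage(log_text):
    """Return (kind, where, detail) tuples for a reviewer to check."""
    findings = []
    handlers = defaultdict(list)  # mount-point GUID -> [(verb, target, missing)]
    for line in log_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            name, value = m["name"], int(m["value"])
            if name == "NoDriveTypeAutoRun":
                _disabled, extra = decode_drive_type_mask(value)
                if not value & 0x04:  # removable media still allowed by this mask
                    findings.append(("removable-type-not-disabled", m["key"], value))
                if extra:
                    findings.append(("undocumented-bits", m["key"], extra))
                if value == XP_DEFAULT_TYPE_MASK:
                    findings.append(("xp-default", m["key"], value))
            elif name == "NoDriveAutoRun":
                if len(decode_drive_letter_mask(value)) == 26:
                    findings.append(("all-letters-blocked", m["key"], value))
            continue
        m = MOUNT_RE.match(line)
        if m:
            handlers[m["guid"]].append((m["verb"], m["target"], bool(m["missing"])))
    for guid, entries in handlers.items():
        for verb, target, missing in entries:
            if verb.lower() == "autorun":
                findings.append(("mountpoint-autorun-handler", guid, target))
            if missing:
                findings.append(("handler-target-missing", guid, target))
        # Same mount point, different spellings of the target file name that
        # collapse to one string under lookalike normalisation: worth a look.
        names = {t.rsplit("\\", 1)[-1].casefold() for _, t, _ in entries}
        if len(names) > 1 and len({n.translate(LOOKALIKE) for n in names}) == 1:
            findings.append(("lookalike-spelling", guid, sorted(names)))
    return findings


if __name__ == "__main__":
    for kind, where, detail in triage(SAMPLE_LOG):
        print(f"{kind:30} {where}  ->  {detail}")
```

Note that the two masks work together: NoDriveTypeAutoRun in the sample leaves removable drives enabled, while NoDriveAutoRun with all 26 bits set blocks every drive letter anyway, so both have to be read before deciding whether AutoRun is actually off.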

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:03:09 AM

Posted 18 October 2009 - 11:12 AM

Hi,

Malwarebytes is most effective when run in normal mode. Please update the tool and run it in normal mode once more. Post back the logs here.

Are you currently trying to diagnose the 3 PCs or did you single out the PC causing the downloads and how did you single it out?

Please also run a rootkitscan on the PC:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click the RootRepeal icon on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.
regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


#7 robbigfalls

robbigfalls
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 20 October 2009 - 04:32 PM

I can't tell you how relieved and grateful I am to have you on the other end now. I believe that the problem is only affecting one computer, but I have not been able to isolate it to be sure. I don't know how. What I do notice is that whenever I have on the one computer which we use mainly for Outlook and browsing, the receive light on the HughesNet modem goes very active as soon as a browser is opened. I almost never use Internet Explorer, preferring Google Chrome or Mozilla Firefox.
Malwarebytes detected Hijack.Homepage and I have asked MBAM to remove it.
Many thanks for your efforts.

The MBAM and RRepeal reports are pasted here below.

Malwarebytes' Anti-Malware 1.41
Database version: 2993
Windows 5.1.2600 Service Pack 2

10/20/2009 2:38:12 PM
mbam-log-2009-10-20 (14-38-00).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 262132
Time elapsed: 1 hour(s), 44 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Root Repeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/20 15:10
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAC19000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BBA000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7C98000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9883000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\big falls lodge\application data\mozilla\firefox\profiles\831h403s.default\cookies.sqlite-journal
Status: Allocation size mismatch (API: 512, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf74a0d72

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf74819a6

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf7481b98

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf74a1568

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf74a1820

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf749fa80

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf74a1c8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf74a1036

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xaae100b0

==EOF==

#8 robbigfalls

robbigfalls
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 22 October 2009 - 09:03 AM

I had thought the day before yesterday, when MBAM discovered Hijack.Homepage, that this would have been the problem, but even after having the program remove it, 376MB of data were downloaded in a five hour period yesterday. I will run MBAM again to see whether it discovers it still there.

#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:03:09 AM

Posted 22 October 2009 - 02:52 PM

Hi,

what kind of network are you using for your PC? Do you use wireless? Is it encrypted?

Could it be possible that another person is connecting through your internet connection, causing these problems?

How do you know that 376 Mb were downloaded yesterday?

I will be away till Monday and unable to reply before that. My apologies.

regards _temp_

Edited by _temp_, 22 October 2009 - 02:53 PM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#10 robbigfalls

robbigfalls
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 23 October 2009 - 10:33 AM

We are in the rainforest in Belize www.thelodgeatbigfalls.com and there is no other user within 500 yards of us and trees all around so I am fairly sure that we are not being hacked by anyone locally who anyway mostly live in wooden thatched huts. We have a LAN which is wired. We use a Zonet router. It is not encrypted so that guests staying at the lodge can also use it.
I am able to see hourly usage by going to http://customercare.myhughesnet.com/frm_usage.cfm and putting in our site ID ******. It details all downloaded and uploaded data hour by hour.
This is a recurrence of a problem that I experienced about two years ago. At that time I bought software from AdwareAlert which itself could never identify the problem. AdwareAlert is always identified as malware (I think because they trick you into buying the full program) by Spybot S&D and Spyware Doctor. However AdwareAlert did have good e-mail support and their technicians fixed the problem by analysis of HijackThis logs, although I had to send logs a couple of times before the system returned to normal. I sent them HijackThis logs again when the problem recurred but received no answer, so I assume they have gone out of business.
By the way, even though I clicked Track this Topic and asked for e-mail notification of replies I am not receiving them. Anyway I am checking back with you daily.
Have a good weekend.
Rob

Edited by _temp_, 26 October 2009 - 02:20 PM.
removed personal info


#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:03:09 AM

Posted 27 October 2009 - 12:03 PM

Hi,

Open Notepad and copy/paste the code box below into a new text file.
@echo off
netstat -bo >%temp%\tmp.txt
%temp%\tmp.txt
  • Save the file as query.bat by choosing save as *All Files, and save it to your Desktop.
  • Locate "query.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).
  • It will open a text file, please copy the content in your next reply.
The textfile will list all your current connections on the PC. Please run it once while you have all programs closed and once while you have your usual programs open.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
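An added example, not the helper's script and not from this thread, that reads the text query.bat produces (Windows `netstat -bo` output) and groups the connections by owning process, so that the process behind unexplained traffic stands out. The sample output, process names and addresses below are constructed.

```python
from collections import defaultdict

# Constructed `netstat -bo` output (hypothetical process and host names).
# Under each row `-b` prints the owning executable in brackets, on XP after
# the DLL components it loaded; UDP rows have no State column.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1041      203.0.113.25:80        ESTABLISHED     1456
  [firefox.exe]
  TCP    192.168.1.10:1042      203.0.113.25:443       ESTABLISHED     1456
  [firefox.exe]
  TCP    192.168.1.10:1050      198.51.100.9:8080      ESTABLISHED     2212
  C:\\WINDOWS\\system32\\WS2_32.dll
  [svchost.exe]
  TCP    192.168.1.10:1051      198.51.100.77:6667     ESTABLISHED     3024
  [updater32.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  [svchost.exe]
  UDP    0.0.0.0:500            *:*                                    904
  [lsass.exe]
"""

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid, process) tuples."""
    conns, pending = [], None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] in ("TCP", "UDP") and parts[-1].isdigit():
            state = parts[3] if len(parts) == 5 else ""  # absent on UDP rows
            pending = [parts[0], parts[1], parts[2], state, int(parts[-1]), None]
            conns.append(pending)
        elif pending and line.strip().startswith("[") and line.strip().endswith("]"):
            pending[5] = line.strip()[1:-1]  # owning executable for the last row
    return [tuple(c) for c in conns]

def summarize(text):
    """Group connections by process: PIDs, remote hosts, established count."""
    summary = defaultdict(lambda: {"pids": set(), "remote_hosts": set(), "established": 0})
    for _proto, _local, foreign, state, pid, proc in parse_netstat(text):
        entry = summary[proc or "unknown"]
        entry["pids"].add(pid)
        if state == "ESTABLISHED":
            entry["established"] += 1
            entry["remote_hosts"].add(foreign.rsplit(":", 1)[0])
    return dict(summary)

def flag_unexpected(summary, allowlist):
    """Processes holding live connections that are not on the expected list."""
    return sorted(p for p, e in summary.items() if e["established"] and p not in allowlist)
```

Run `summarize()` on each of the two captures the helper asks for (programs closed, programs open); a process that keeps established connections to the same remote host while the browsers and Outlook are closed is the one to look into.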



#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:03:09 AM

Posted 05 November 2009 - 05:40 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
_temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


