
Advertisement Redirect -- Unknown Name/Type


This topic is locked
20 replies to this topic

#1 Baggi

Baggi

  • Members
  • 87 posts
  • OFFLINE
  • Local time:10:38 PM

Posted 30 November 2009 - 03:23 PM

The Problem:

Browser will load without being prompted to an advertisement site. Also, when clicking on links in IE, Firefox and Safari, from sites like Google and Yahoo, I'll be redirected to an advertisement site not of my choosing.

Possibly Related:

Cannot load computer in safe mode.

DDS

DDS (Ver_09-11-29.01) - NTFSx86
Run by Owner at 11:54:36.17 on Mon 11/30/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2943.2004 [GMT -8:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\Owner\Application Data\Smilebox\SmileboxTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Program Files\Safari\Safari.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Burn4Free Toolbar Helper: {d187a56b-a33f-4cbe-9d77-459fc0bae012} - c:\program files\burn4free toolbar\v3.3.0.3\Burn4Free_Toolbar.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Burn4Free Toolbar: {4f11acbb-393f-4c86-a214-ff3d0d155cc3} - c:\program files\burn4free toolbar\v3.3.0.3\Burn4Free_Toolbar.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\simple~1\photos~1\data\xtras\mssysmgr.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [SmileboxTray] "c:\documents and settings\owner\application data\smilebox\SmileboxTray.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\JMRaidSetup.exe boot
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe
IE: &Search - ?p=ZUman000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\SOFTWARE
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\SOFTWARE\Burn4Free
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\SOFTWARE\Burn4Free\Burn4Free Toolbar
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: plaxo.com\www
Trusted Zone: turbotax.com
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/Oneclickfix/tgctlsr.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://aolsvc.aol.com/onlinegames/free-trial-cooking-dash/CookingDashWeb.1.0.0.9.cab
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://aolsvc.aol.com/onlinegames/free-trial-chocolatier/ChocolatierWeb.1.0.0.13.cab
DPF: {26E6B759-DEEB-42A1-A21C-78CD29098411} - hxxp://aolsvc.aol.com/onlinegames/free-trial-fitness-dash/FitnessDashWeb.1.0.0.11.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mystery-pi-the-lottery-ticket/SpinTopGamesLauncher.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://aolsvc.aol.com/onlinegames/free-trial-burger-shop/GoBitGamesPlayer_v4.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-delicious-2-deluxe/zylomplayer.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.33.7/ttinst.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab?
DPF: {F135A813-7152-4532-AC8D-28AC2136DFC7} - hxxp://aolsvc.aol.com/onlinegames/free-trial-parking-dash/parkingdash.1.0.0.10.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\uz57he1z.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npPxPlay.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-7 207280]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-23 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-23 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-23 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-23 55656]
R2 MrHealthyService;MrHealthy;c:\program files\norton pc checkup\executables\mrhealthy\mrhealthy.exe -service --> c:\program files\norton pc checkup\executables\mrhealthy\MrHealthy.exe -service [?]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2009-11-19 583640]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\rosettastoneltdservices\RosettaStoneDaemon.exe [2009-4-25 443712]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-7 358600]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2009-10-31 56992]
S2 yjcmigjukv;yjcmigjukv;\??\c:\windows\system32\drivers\kqjndvwcwem.sys --> c:\windows\system32\drivers\kqjndvwcwem.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]

=============== Created Last 30 ================

2009-11-29 21:50:22 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-29 21:50:01 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-29 21:50:01 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-11-28 22:53:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-28 22:53:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 22:53:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 00:33:01 0 d-----w- c:\program files\Trend Micro
2009-11-26 20:41:15 48 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-26 20:37:17 0 d-----r- c:\program files\Skype
2009-11-24 01:23:10 44416 ----a-r- c:\windows\system32\drivers\jraid_2.sys
2009-11-24 01:18:19 0 d-sha-r- C:\cmdcons
2009-11-24 01:16:08 98816 ----a-w- c:\windows\sed.exe
2009-11-24 01:16:08 77312 ----a-w- c:\windows\MBR.exe
2009-11-24 01:16:08 260608 ----a-w- c:\windows\PEV.exe
2009-11-24 01:16:08 161792 ----a-w- c:\windows\SWREG.exe
2009-11-24 01:15:50 0 d-----w- C:\ComboFix
2009-11-23 19:07:51 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-23 19:07:49 0 d-----w- c:\program files\Avira
2009-11-23 19:07:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-11-23 09:04:03 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-22 09:42:25 0 d-----w- C:\UBCD4Win
2009-11-22 00:07:58 0 d-----w- c:\program files\Burn4Free Toolbar
2009-11-21 21:45:30 0 d-----w- c:\windows\system32\temp
2009-11-21 21:10:16 0 d-----w- c:\program files\bfgclient
2009-11-21 21:10:13 0 d-----w- c:\program files\Yahoo! Games
2009-11-21 21:10:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Oberon Media
2009-11-21 21:09:34 0 d-----w- c:\docume~1\owner\applic~1\PC Tools
2009-11-21 21:09:34 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-20 02:02:03 0 d-----w- c:\windows\pss
2009-11-20 01:24:51 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2009-11-20 01:24:51 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2009-11-20 01:24:51 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2009-11-14 04:26:23 4096 ----a-w- c:\windows\d3dx.dat
2009-11-14 04:26:22 0 d-----w- c:\docume~1\owner\applic~1\Wildfire
2009-11-14 04:26:06 0 d-----w- c:\program files\Tumblebugs
2009-11-14 04:24:37 0 d-----w- c:\docume~1\alluse~1\applic~1\BigFishGamesCache
2009-11-14 01:37:43 0 d-----w- c:\docume~1\alluse~1\applic~1\MumboJumbo
2009-11-14 01:37:09 0 d-----w- c:\program files\Shockwave.com
2009-11-11 18:53:33 0 d-----w- c:\program files\Oberon Media
2009-11-07 18:17:27 0 d-----w- c:\program files\iPod
2009-11-07 18:17:24 0 d-----w- c:\program files\iTunes
2009-11-07 10:28:04 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-11-07 10:28:04 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-07 10:28:02 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-07 10:28:02 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-11-07 10:28:02 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-07 10:28:02 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-07 10:27:57 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-11-07 10:27:57 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-07 10:27:52 0 d-----w- c:\program files\Spyware Doctor
2009-11-07 10:27:52 0 d-----w- c:\program files\common files\PC Tools
2009-11-07 06:32:27 0 d-----w- c:\documents and settings\owner\Tracing
2009-11-07 06:30:35 0 d-----w- c:\program files\Microsoft
2009-11-07 06:30:18 0 d-----w- c:\program files\Windows Live SkyDrive
2009-11-07 01:20:12 0 d-----w- c:\program files\common files\Windows Live
2009-11-05 21:08:31 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2009-11-05 21:08:30 0 d-----w- c:\program files\McAfee Security Scan
2009-11-01 06:31:05 75 ----a-w- c:\windows\system32\nvUnsupRes.dat
2009-10-31 23:01:26 1481 ----a-w- c:\windows\system32\nvhda.nvu
2009-10-31 23:01:24 56992 ----a-r- c:\windows\system32\drivers\nvhda32.sys
2009-10-31 23:01:24 19456 ----a-r- c:\windows\system32\nvhdap32.dll
2009-10-31 23:01:24 155648 ----a-r- c:\windows\system32\nvcohda.dll
2009-10-31 22:51:17 8 ----a-w- c:\windows\system32\nvModes.dat
2009-10-31 22:10:55 0 d-----w- c:\program files\NVIDIA Corporation
2009-10-31 22:10:49 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2009-10-31 22:09:18 485920 ----a-w- c:\windows\system32\nvuhda.exe
2009-10-31 22:07:10 0 d-----w- c:\windows\system32\AGEIA
2009-10-31 22:05:35 0 d-----w- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2009-11-28 05:26:37 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-09-30 02:20:50 584296 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-09-29 18:58:29 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-09-29 18:58:26 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-09-29 18:58:26 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-09-29 18:58:25 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-09-29 18:58:25 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-29 18:58:18 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-09-29 18:58:18 155648 ----a-w- c:\windows\system32\nvcodins.dll
2009-09-29 18:58:18 155648 ----a-w- c:\windows\system32\nvcod.dll
2009-09-29 18:58:17 5845632 ----a-w- c:\windows\system32\nv4_disp.dll
2009-09-28 01:20:04 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-27 23:12:22 490088 ----a-w- c:\windows\system32\nvudisp.exe
2009-09-22 20:06:12 82468 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe
2008-09-06 16:59:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 11:57:53.71 ===============


RootRepeal Log or ark.txt

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/30 12:01
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5518000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Program Files\AOL Games\Mystery P.I. - The Lottery Ticket\MysteryPI.exe:{D78EF9FF-7E11-2019-741F-9BEA786FEEBB}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{21EEACD2-6C1A-4144-ACD7-701B9F72DEA3}\RP767\A0072166.exe:{71C8CB97-8045-CAEC-B329-685A38710E39}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Application Data\Apple Computer\Preferences\LastSession.plist
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Application Data\Apple Computer\Safari\sessionstore.js
Status: Locked to the Windows API!

Path: c:\documents and settings\owner\application data\skype\bagginator\etilqs_ce2gocexohbs8itm1r0x
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\owner\application data\skype\bagginator\etilqs_wfrcfifiq04lisy39db4
Status: Allocation size mismatch (API: 32768, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xb8767ac6

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xb8767abc

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xb8767acb

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xb8767ad5

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xb8767ada

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb8767aa8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xb8767aad

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xb8767ae4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xb8767adf

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xb8767ad0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xb8767ab7

==EOF==
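The SSDT section of the RootRepeal log above lists eleven hooks whose owner the tool reports as "<unknown>", all at addresses within a few dozen bytes of one another. As an added example, not part of the original post and not RootRepeal's own code, the following Python parses that report layout and flags hook sets that an unnamed module owns and that sit in one small address window, which is the pattern an analyst reads off such output. The sample text is constructed to mirror the entries above; its final entry, owned by a hypothetical `example_filter.sys`, is made up to show how a named owner is grouped separately.

```python
import re
from collections import defaultdict

# Constructed sample in RootRepeal's SSDT report layout. The "<unknown>"
# entries mirror the log above; the final entry, owned by a hypothetical
# example_filter.sys, is made up to show how a named owner is grouped.
SAMPLE_SSDT = r'''
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xb8767ac6

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xb8767abc

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xb8767acb

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xb8767ad5

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xb8767ada

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb8767aa8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xb8767aad

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xb8767ae4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xb8767adf

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xb8767ad0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xb8767ab7

#: 999 Function Name: NtExampleCall
Status: Hooked by "C:\WINDOWS\system32\drivers\example_filter.sys" at address 0xb9a0c120
'''

# One entry spans two lines: the "#:" header and the "Status:" line below it.
ENTRY_RE = re.compile(
    r'#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\w+)\s+'
    r'Status:\s*Hooked by\s*"(?P<owner>[^"]+)"\s+at address\s+(?P<addr>0x[0-9A-Fa-f]+)'
)


def parse_ssdt_hooks(text):
    """Return one dict per hooked SSDT entry: index, function, owner, address."""
    return [
        {"index": int(m["index"]), "func": m["func"],
         "owner": m["owner"], "addr": int(m["addr"], 16)}
        for m in ENTRY_RE.finditer(text)
    ]


def group_by_owner(hooks):
    """Bucket hooks by the module RootRepeal attributed them to."""
    groups = defaultdict(list)
    for h in hooks:
        groups[h["owner"]].append(h)
    return dict(groups)


def address_span(hooks):
    """Distance in bytes between the lowest and highest hook handler address."""
    addrs = [h["addr"] for h in hooks]
    return max(addrs) - min(addrs)


def unattributed_clusters(hooks, max_span=0x1000):
    """Owners the tool could not name whose handlers all sit within max_span
    bytes. Eleven hooks packed into a few dozen bytes is a jump table: one
    module, loaded from somewhere the tool could not map, handles them all."""
    report = {}
    for owner, hs in group_by_owner(hooks).items():
        if owner != "<unknown>":
            continue
        span = address_span(hs)
        if span <= max_span:
            report[owner] = {
                "count": len(hs),
                "span": span,
                "low": min(h["addr"] for h in hs),
                "functions": sorted(h["func"] for h in hs),
            }
    return report


if __name__ == "__main__":
    hooks = parse_ssdt_hooks(SAMPLE_SSDT)
    for owner, info in unattributed_clusters(hooks).items():
        print(f'{owner}: {info["count"]} hooks within {info["span"]} bytes of 0x{info["low"]:08x}')
        print("  " + ", ".join(info["functions"]))
```

The functions in that cluster (process and thread open, process terminate, registry key create, set, delete, load, replace and restore) are the calls a self-protecting kernel component intercepts to stop itself being killed or its service entry being removed. The caveat is that legitimate security software hooks the same calls, and this machine has PC Tools' PCTCore.sys and the SUPERAntiSpyware drivers loaded; "<unknown>" only means RootRepeal could not map the handler address to a module it could see. A second tool's view, such as the GMER scan requested in the next post, is the usual cross-check before drawing a conclusion.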


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:38 AM

Posted 30 November 2009 - 06:43 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\nvatabus.sys /s /md5
    %SYSTEMDRIVE%\viamraid.sys /s /md5
    %SYSTEMDRIVE%\nvata.sys /s /md5
    CREATERESTOREPOINT



  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
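The `/s /md5` lines in the custom scan above ask OTL to find every copy of each named file on the system drive and print its MD5, so that the live copy in system32\drivers can be compared with the backups Windows keeps in dllcache and ServicePackFiles; a live copy whose hash differs from both backups is the usual sign that a driver or DLL has been patched in place. The DDS log earlier in this thread lists c:\windows\system32\drivers\atapi.sys under Find3M with a 2009-11-28 modification time, which is exactly the kind of file such a sweep is meant to settle. As an added example, not OTL's code and not part of the original post, the following Python performs the same sweep: it walks a root, hashes every file whose name is on the list, and reports names whose copies disagree. The directory tree it runs against is constructed in a temporary folder (a stand-in for a system drive, not a real image); the `WATCHED` names come from the scan list above.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# File names from the custom scan in the post above: core system DLLs and
# boot-start storage drivers. Any list of names works.
WATCHED = ["eventlog.dll", "scecli.dll", "netlogon.dll",
           "atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys"]


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so a large driver is not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, names):
    """Walk root and hash every file whose name is in names, matched
    case-insensitively as NTFS lookups are.
    Returns {lowercase name: [(path, md5 or None, size or None), ...]}."""
    wanted = {n.lower() for n in names}
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() not in wanted:
                continue
            p = os.path.join(dirpath, fn)
            try:
                hits[fn.lower()].append((p, md5_of(p), os.path.getsize(p)))
            except OSError:
                # A copy that cannot be opened is itself worth noting, so
                # record it without a hash rather than silently skipping it.
                hits[fn.lower()].append((p, None, None))
    return dict(hits)


def mismatches(hits):
    """Names whose readable copies do not all share one MD5."""
    out = {}
    for name, copies in hits.items():
        digests = {md5 for _, md5, _ in copies if md5 is not None}
        if len(digests) > 1:
            out[name] = copies
    return out


def build_demo_tree(root):
    """Constructed stand-in for a Windows system drive: one live atapi.sys
    that differs from its two backup copies, and an eventlog.dll whose
    copies agree. The file bodies are made-up bytes, not real binaries."""
    original = b"MZ" + b"\x00" * 100 + b"original driver body"
    patched = original + b"\x90" * 16          # appended code stands in for a patch
    layout = {
        "WINDOWS/system32/drivers/atapi.sys": patched,
        "WINDOWS/system32/dllcache/atapi.sys": original,
        "WINDOWS/ServicePackFiles/i386/atapi.sys": original,
        "WINDOWS/system32/eventlog.dll": b"MZ eventlog",
        "WINDOWS/system32/dllcache/eventlog.dll": b"MZ eventlog",
    }
    for rel, body in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(body)


def demo():
    """Build the constructed tree and return the names whose copies disagree."""
    with tempfile.TemporaryDirectory(prefix="sysdrive_") as root:
        build_demo_tree(root)
        return mismatches(find_copies(root, WATCHED))


if __name__ == "__main__":
    for name, copies in demo().items():
        print(f"{name}: {len(copies)} copies with differing MD5")
        for path, md5, size in copies:
            print(f"  {md5 or 'unreadable':32}  {size}  {path}")
```

On a real machine the call is `find_copies(r"C:\", WATCHED)` from an administrator prompt, with `mismatches()` over the result. Two caveats apply to reading the output. A mismatch is a lead, not a verdict: a Microsoft hotfix also leaves the live copy differing from the ServicePackFiles copy, so check the file version and the dates against the hotfix uninstall folders before calling a file patched. The converse holds too: a rootkit that has hooked the disk stack can hand clean bytes back to any reader running inside the infected system, so a clean hash taken from the running OS is not proof either; hashing the drive from a boot disc (the DDS log shows a C:\UBCD4Win folder on this machine) gives an answer the rootkit cannot influence.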

#3 Baggi

Baggi
  • Topic Starter

  • Members
  • 87 posts
  • OFFLINE
  • Local time:10:38 PM

Posted 30 November 2009 - 07:43 PM

OTL.Txt:

OTL logfile created on: 11/30/2009 4:19:39 PM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 360.39 Gb Free Space | 77.38% Space Free | Partition Type: NTFS
Drive D: | 692.82 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DADS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/30 10:31:19 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/11/02 19:23:08 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/28 20:21:26 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/10/14 15:42:38 | 00,583,640 | ---- | M] (PC Tools) -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
PRC - [2009/10/09 13:11:12 | 25,623,336 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe
PRC - [2009/10/09 13:11:12 | 00,078,008 | R--- | M] (Skype Technologies) -- C:\Program Files\Skype\Plugin Manager\skypePM.exe
PRC - [2009/09/23 12:17:22 | 00,358,600 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2009/08/06 09:01:18 | 01,794,856 | ---- | M] (Apple Inc.) -- C:\Program Files\Safari\Safari.exe
PRC - [2009/08/06 08:44:34 | 00,168,004 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2009/08/03 20:05:02 | 00,238,888 | ---- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
PRC - [2009/07/27 16:19:10 | 00,199,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
PRC - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/29 12:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/04/25 19:45:34 | 00,443,712 | ---- | M] (Rosetta Stone Ltd.) -- C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
PRC - [2009/04/24 03:11:36 | 00,254,600 | ---- | M] (Smilebox, Inc.) -- C:\Documents and Settings\Owner\Application Data\Smilebox\SmileboxTray.exe
PRC - [2009/03/02 12:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009/01/29 14:09:14 | 00,578,920 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/10/25 11:44:34 | 00,031,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/12 13:49:46 | 01,209,904 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
PRC - [2007/03/12 13:49:46 | 00,271,920 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
PRC - [2007/03/12 13:49:26 | 00,153,136 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
PRC - [2007/02/28 16:50:50 | 00,180,224 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
PRC - [2007/01/15 12:23:48 | 00,344,064 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
PRC - [2006/12/18 05:34:36 | 00,868,352 | R--- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2006/04/10 13:24:20 | 00,049,220 | ---- | M] (Samsung) -- C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
PRC - [2006/02/28 04:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2005/01/21 16:04:42 | 00,163,840 | ---- | M] (Simple Star, Inc.) -- C:\Program Files\Simple Star\PhotoShow Deluxe 3\data\Xtras\mssysmgr.exe
PRC - [1999/12/12 09:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE


========== Modules (SafeList) ==========

MOD - [2009/11/30 10:31:19 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/14 15:42:38 | 00,583,640 | ---- | M] (PC Tools) -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe -- (PCToolsSSDMonitorSvc)
SRV - [2009/09/23 12:17:22 | 00,358,600 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2009/08/06 08:44:34 | 00,168,004 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/29 12:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/04/25 19:45:34 | 00,443,712 | ---- | M] (Rosetta Stone Ltd.) -- C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe -- (RosettaStoneDaemon)
SRV - [2009/01/29 14:09:14 | 00,578,920 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -- (MrHealthyService)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/25 11:44:08 | 00,065,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008/10/10 05:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2007/09/18 09:30:09 | 00,138,168 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2007/05/03 15:23:38 | 00,779,824 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService)
SRV - [2007/03/12 13:49:46 | 00,271,920 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [1999/12/12 09:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE -- (Creative Service for CDROM Access)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-507921405-583907252-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-507921405-583907252-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-507921405-583907252-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKU\S-1-5-21-507921405-583907252-839522115-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-507921405-583907252-839522115-1003\S-1-5-21-507921405-583907252-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Yahoo!"
FF - prefs.js..browser.startup.homepage: "http://my.yahoo.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/21 13:07:50 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/21 13:07:50 | 00,000,000 | ---D | M]

[2009/11/21 13:10:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2009/05/05 13:23:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\extensions
[2009/05/05 13:23:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2009/11/30 14:58:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\uz57he1z.default\extensions
[2009/11/30 16:15:17 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/04/07 13:59:38 | 00,000,872 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\Yahooober1657812.gif
[2009/11/13 17:03:45 | 00,000,196 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\Yahooober1657812.src

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll (Google Inc.)
O2 - BHO: (Burn4Free Toolbar Helper) - {D187A56B-A33F-4CBE-9D77-459FC0BAE012} - C:\Program Files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll ()
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Burn4Free Toolbar) - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - C:\Program Files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-507921405-583907252-839522115-1003\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKU\S-1-5-21-507921405-583907252-839522115-1003\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKU\S-1-5-21-507921405-583907252-839522115-1003\..\Toolbar\WebBrowser: (Burn4Free Toolbar) - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - C:\Program Files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll ()
O3 - HKU\S-1-5-21-507921405-583907252-839522115-1003\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [36X Raid Configurer] C:\WINDOWS\System32\JMRaidSetup.exe (JMicron Technology Corp.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe ()
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [P17Helper] C:\WINDOWS\System32\SPIRun.dll (Creative Technology Ltd.)
O4 - HKLM..\Run: [PD0620 STISvc] C:\WINDOWS\System32\P0620Pin.dll (Creative Technology Ltd.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [VolPanel] C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe (Creative Technology Ltd)
O4 - HKU\S-1-5-21-507921405-583907252-839522115-1003..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\S-1-5-21-507921405-583907252-839522115-1003..\Run: [PhotoShow Deluxe Media Manager] C:\Program Files\Simple Star\PhotoShow Deluxe 3\data\Xtras\mssysmgr.exe (Simple Star, Inc.)
O4 - HKU\S-1-5-21-507921405-583907252-839522115-1003..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
O4 - HKU\S-1-5-21-507921405-583907252-839522115-1003..\Run: [SmileboxTray] C:\Documents and Settings\Owner\Application Data\Smilebox\SmileboxTray.exe (Smilebox, Inc.)
O4 - HKU\S-1-5-21-507921405-583907252-839522115-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk = C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk = C:\Program Files\SEC\Natural Color Pro\NCProTray.exe (Samsung)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (Sony Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-507921405-583907252-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-507921405-583907252-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-507921405-583907252-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-507921405-583907252-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-507921405-583907252-839522115-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe (ICQ, Inc.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe (ICQ, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-507921405-583907252-839522115-1003\..Trusted Domains: plaxo.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-507921405-583907252-839522115-1003\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-507921405-583907252-839522115-1003\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} http://www.comcastsupport.com/Oneclickfix/tgctlsr.cab (SupportSoft Script Runner Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} http://aolsvc.aol.com/onlinegames/free-tri...Web.1.0.0.9.cab (CPlayFirstCookingDasControl Object)
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} http://aolsvc.aol.com/onlinegames/free-tri...eb.1.0.0.13.cab (CPlayFirstChocolatierControl Object)
O16 - DPF: {26E6B759-DEEB-42A1-A21C-78CD29098411} http://aolsvc.aol.com/onlinegames/free-tri...eb.1.0.0.11.cab (CPlayFirstFitnessDasControl Object)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} http://aolsvc.aol.com/onlinegames/free-tri...mesLauncher.cab (SpinTop Games Launcher)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} http://aolsvc.aol.com/onlinegames/free-tri...esPlayer_v4.cab (GoBit Games Player)
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab (Zylom Games Player)
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} http://a.download.toontown.com/sv1.0.33.7/ttinst.cab (Toontown Installer ActiveX Control)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} http://www.photodex.com/pxplay.cab (Photodex Presenter AX control)
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx (CRLDownloadWrapper Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} http://www.costcophotocenter.com/upload/ac...veX_Control.cab? (Photo Upload Plugin Class)
O16 - DPF: {F135A813-7152-4532-AC8D-28AC2136DFC7} http://aolsvc.aol.com/onlinegames/free-tri...sh.1.0.0.10.cab (CPlayFirstParkingDasControl Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.3.25
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/09/13 14:59:03 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/11/02 16:05:00 | 00,000,046 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/09/13 07:36:34 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (82194142058250240)

========== Files/Folders - Created Within 14 Days ==========

[2009/11/30 16:18:34 | 00,535,552 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/11/30 12:00:00 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2009/11/29 13:50:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/11/29 13:50:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2009/11/29 13:50:01 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/11/29 00:59:06 | 00,070,778 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Owner\Desktop\GooredFix.exe
[2009/11/29 00:56:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\GooredFix Backups
[2009/11/28 14:53:47 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/11/28 14:53:45 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/28 14:53:45 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/11/28 14:52:52 | 04,045,528 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\abcdeft.exe
[2009/11/27 16:33:01 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/26 12:41:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\skypePM
[2009/11/26 12:38:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Skype
[2009/11/26 12:37:20 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2009/11/26 12:37:17 | 00,000,000 | R--D | C] -- C:\Program Files\Skype
[2009/11/26 12:37:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2009/11/23 23:05:11 | 00,000,000 | --SD | C] -- C:\Documents and Settings\Owner\My Documents\My Data Sources
[2009/11/23 17:18:19 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/11/23 17:16:08 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/11/23 17:16:08 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/11/23 17:16:08 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/11/23 17:16:08 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/11/23 17:15:52 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/11/23 17:15:50 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/11/23 17:15:15 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/11/23 11:07:51 | 00,096,104 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2009/11/23 11:07:51 | 00,055,656 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2009/11/23 11:07:51 | 00,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2009/11/23 11:07:51 | 00,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2009/11/23 11:07:50 | 00,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2009/11/23 11:07:49 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2009/11/23 11:07:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2009/11/23 01:04:03 | 00,157,712 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/11/22 01:42:25 | 00,000,000 | ---D | C] -- C:\UBCD4Win
[2009/11/22 01:32:35 | 26,794,0236 | ---- | C] (UBCD4Win Team - Benjamin Burrows ) -- C:\Documents and Settings\Owner\Desktop\UBCD4WinV350.exe
[2009/11/21 16:07:58 | 00,000,000 | ---D | C] -- C:\Program Files\Burn4Free Toolbar
[2009/11/21 13:45:30 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\temp
[2009/11/21 13:10:16 | 00,000,000 | ---D | C] -- C:\Program Files\bfgclient
[2009/11/21 13:10:13 | 00,000,000 | ---D | C] -- C:\Program Files\Yahoo! Games
[2009/11/21 13:10:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Oberon Media
[2009/11/21 13:09:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/11/21 13:09:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\PC Tools
[2009/11/21 13:09:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2009/11/19 18:02:03 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/11/19 17:24:51 | 01,101,824 | ---- | C] (Woodbury Associates Limited) -- C:\WINDOWS\System32\UniBox210.ocx
[2009/11/19 17:24:51 | 00,880,640 | ---- | C] (Woodbury Associates Limited) -- C:\WINDOWS\System32\UniBox10.ocx
[2009/11/19 17:24:51 | 00,212,992 | ---- | C] (Woodbury Associates Limited) -- C:\WINDOWS\System32\UniBoxVB12.ocx
[2009/11/19 17:24:49 | 00,000,000 | ---D | C] -- C:\Program Files\Registry Mechanic
[2007/09/13 17:01:26 | 00,065,536 | R--- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/11/30 16:17:56 | 00,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2009/11/30 16:14:00 | 00,000,464 | ---- | M] () -- C:\WINDOWS\tasks\SDMsgUpdate (TE).job
[2009/11/30 16:12:59 | 00,248,739 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2009/11/30 16:12:54 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/30 16:12:51 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/30 15:39:38 | 08,912,896 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2009/11/30 15:39:14 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2009/11/30 12:00:46 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2009/11/30 10:31:19 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/11/29 19:18:12 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/11/28 18:45:22 | 00,027,108 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\DSCN3233.JPG
[2009/11/28 18:44:49 | 00,049,241 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\DSCN3232.JPG
[2009/11/28 18:44:29 | 00,045,959 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\DSCN3231.JPG
[2009/11/28 15:04:16 | 00,524,800 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/11/28 14:53:49 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/28 12:43:10 | 00,000,346 | ---- | M] () -- C:\WINDOWS\tasks\Norton PC Checkup Weekend Scanner.job
[2009/11/28 10:11:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/11/28 02:17:49 | 04,045,528 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\abcdeft.exe
[2009/11/27 16:33:02 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2009/11/27 15:14:16 | 00,013,684 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/26 13:29:01 | 00,746,550 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Capital.bmp
[2009/11/26 12:41:15 | 00,000,048 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/11/26 12:37:21 | 00,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2009/11/26 09:50:07 | 00,070,778 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Owner\Desktop\GooredFix.exe
[2009/11/25 08:46:10 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/25 00:55:47 | 00,058,368 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Publication1.pub
[2009/11/24 11:44:04 | 00,011,458 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Walt Disney World Reservations.docx
[2009/11/24 00:26:40 | 00,058,368 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Publication2.pub
[2009/11/23 17:39:40 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/23 17:39:11 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/11/23 17:18:29 | 00,000,309 | RHS- | M] () -- C:\boot.ini
[2009/11/23 11:08:05 | 00,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/11/23 10:53:36 | 07,392,800 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SUPERAntiSpyware.exe
[2009/11/23 01:03:05 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\housecall.guid.cache
[2009/11/22 10:17:23 | 00,000,245 | ---- | M] () -- C:\Boot.bak
[2009/11/22 06:23:41 | 00,262,144 | ---- | M] () -- C:\Documents and Settings\All Users\NtUser.dat
[2009/11/22 01:45:01 | 00,001,241 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\UBCD4Win.lnk
[2009/11/22 01:32:35 | 26,794,0236 | ---- | M] (UBCD4Win Team - Benjamin Burrows ) -- C:\Documents and Settings\Owner\Desktop\UBCD4WinV350.exe
[2009/11/21 19:01:28 | 00,167,753 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\2009-11-21-TOS_CHARTS.jpg
[2009/11/21 16:07:51 | 00,000,694 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Burn4Free.lnk
[2009/11/20 23:38:36 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/11/20 21:58:08 | 00,073,216 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/19 18:03:30 | 00,000,862 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/19 17:24:52 | 00,000,738 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Registry Mechanic.lnk
[2009/11/18 17:20:00 | 00,000,346 | ---- | M] () -- C:\WINDOWS\tasks\Norton PC Checkup Weekday Scanner.job
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/30 12:00:46 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2009/11/30 11:53:46 | 00,524,800 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/11/29 13:50:09 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/11/29 13:48:01 | 07,392,800 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SUPERAntiSpyware.exe
[2009/11/28 18:45:29 | 00,027,108 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\DSCN3233.JPG
[2009/11/28 18:45:02 | 00,049,241 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\DSCN3232.JPG
[2009/11/28 18:44:41 | 00,045,959 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\DSCN3231.JPG
[2009/11/28 14:53:49 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/27 16:33:02 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2009/11/26 13:28:46 | 00,746,550 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Capital.bmp
[2009/11/26 12:41:15 | 00,000,048 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/11/26 12:37:21 | 00,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2009/11/25 00:55:47 | 00,058,368 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Publication1.pub
[2009/11/24 11:44:03 | 00,011,458 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Walt Disney World Reservations.docx
[2009/11/24 00:26:40 | 00,058,368 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Publication2.pub
[2009/11/23 17:18:28 | 00,000,245 | ---- | C] () -- C:\Boot.bak
[2009/11/23 17:18:21 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/11/23 17:16:08 | 00,260,608 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/11/23 17:16:08 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/11/23 17:16:08 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/11/23 17:16:08 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/11/23 17:16:08 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/11/23 11:08:05 | 00,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/11/23 01:03:05 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\housecall.guid.cache
[2009/11/22 06:23:41 | 00,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NtUser.dat
[2009/11/22 01:45:01 | 00,001,241 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\UBCD4Win.lnk
[2009/11/21 19:01:28 | 00,167,753 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\2009-11-21-TOS_CHARTS.jpg
[2009/11/21 16:07:51 | 00,000,694 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Burn4Free.lnk
[2009/11/21 13:42:20 | 12,067,2256 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ubcd411.iso
[2009/11/19 17:24:52 | 00,000,738 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Registry Mechanic.lnk
[2009/08/02 23:21:54 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2009/08/02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2009/08/02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2009/08/02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2009/08/02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2009/08/02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2009/08/02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2009/08/02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2009/08/02 23:21:52 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2009/08/02 23:21:52 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/12/30 16:06:39 | 00,007,452 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/08/04 09:10:10 | 00,000,642 | ---- | C] () -- C:\WINDOWS\tlknw5.ini
[2008/08/04 09:04:06 | 00,000,246 | ---- | C] () -- C:\WINDOWS\wldtlk5.ini
[2008/07/24 11:57:23 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2008/04/22 11:44:34 | 00,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2007/12/16 10:43:00 | 00,002,899 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/12/03 08:02:02 | 00,073,216 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/28 13:28:21 | 00,000,032 | ---- | C] () -- C:\WINDOWS\Pt.dll
[2007/10/18 14:08:04 | 00,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2007/10/01 13:38:15 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/09/22 19:40:48 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/09/13 17:02:18 | 00,003,118 | ---- | C] () -- C:\WINDOWS\System32\AudioDrv.ini
[2007/09/13 17:02:00 | 00,022,478 | R--- | C] () -- C:\WINDOWS\System32\Ludap17.ini
[2007/09/13 17:02:00 | 00,000,054 | R--- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2007/09/13 17:01:29 | 00,008,251 | R--- | C] () -- C:\WINDOWS\sfsyn.ini
[2007/09/13 17:01:26 | 00,137,216 | R--- | C] () -- C:\WINDOWS\System32\OemSpi.dll
[2007/09/13 17:01:26 | 00,053,248 | R--- | C] () -- C:\WINDOWS\System32\P17CPI.dll
[2007/09/13 16:34:59 | 00,013,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\MTictwl.sys
[2007/09/13 16:20:19 | 00,029,057 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2007/09/13 16:20:04 | 00,028,735 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2007/09/13 16:20:02 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2007/09/13 16:19:49 | 00,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/05/18 12:21:04 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/05/18 12:21:02 | 00,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2004/06/24 00:20:02 | 00,000,054 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[1999/01/22 10:46:56 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2008/12/19 15:25:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GoBit Games
[2009/11/13 17:37:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
[2009/11/21 13:10:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Oberon Media
[2008/12/13 11:14:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2007/10/29 11:29:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2009/10/22 19:41:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RosettaStoneLtdServices
[2009/02/22 13:07:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SpinTop Games
[2009/11/30 10:12:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/11/19 17:50:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2008/12/21 12:23:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zylom
[2009/10/26 20:59:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/16 23:30:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2008/06/28 14:06:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\EPSON
[2008/09/24 20:48:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ICQ
[2007/10/14 22:14:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2009/01/21 19:29:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Netscape
[2009/06/29 17:59:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Opera
[2008/12/13 11:14:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PlayFirst
[2007/10/29 09:45:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Simple Star
[2009/05/17 14:51:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SmartDraw
[2009/05/06 15:03:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Smilebox
[2009/04/20 11:57:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\TestTaker
[2009/11/29 21:00:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Wildfire
[2009/11/30 16:14:00 | 00,000,464 | ---- | M] () -- C:\WINDOWS\Tasks\SDMsgUpdate (TE).job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2007/10/03 22:01:14 | 12,984,832 | ---- | M] (thinkorswim, Inc.) -- C:\thinkorswim_installer.exe

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2004/08/04 04:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\UBCD4Win\BartPE\I386\SYSTEM32\EVENTLOG.DLL
[2006/02/28 04:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2004/08/04 04:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\UBCD4Win\BartPE\I386\SYSTEM32\SCECLI.DLL
[2006/02/28 04:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2004/08/04 04:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\UBCD4Win\BartPE\I386\SYSTEM32\NETLOGON.DLL
[2006/02/28 04:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2004/08/04 04:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\UBCD4Win\BartPE\I386\SYSTEM32\DRIVERS\ATAPI.SYS
[2002/10/24 15:59:48 | 00,087,040 | ---- | M] (Microsoft Corporation) MD5=F1D915C3870E741D83B5142F3B358761 -- C:\UBCD4Win\plugin\!Critical\Large IDE-Fix\files\sp2\atapi.sys
[2004/08/03 21:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=AB21E7AD8B1F36EEBBBAD96CF675D1AA -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2009/11/27 21:26:37 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=AB21E7AD8B1F36EEBBBAD96CF675D1AA -- C:\WINDOWS\system32\dllcache\atapi.sys
[2009/11/27 21:26:37 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=AB21E7AD8B1F36EEBBBAD96CF675D1AA -- C:\WINDOWS\system32\drivers\atapi.sys
[2006/02/28 04:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\system32\DRIVERS\atapi.sys
[2006/02/28 04:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
[2004/08/03 21:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >

< %SYSTEMDRIVE%\viamraid.sys /s /md5 >

< %SYSTEMDRIVE%\nvata.sys /s /md5 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 153 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:38269005
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DF30C7A6
< End of report >


Extras.Txt

OTL Extras logfile created on: 11/30/2009 4:19:39 PM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 360.39 Gb Free Space | 77.38% Space Free | Partition Type: NTFS
Drive D: | 692.82 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DADS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-507921405-583907252-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\mIRC\mirc.exe" = C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\ICQ6\ICQ.exe" = C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6 -- (ICQ, Inc.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Disabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\LogMeIn Rescue Calling Card\CallingCard.exe" = C:\Program Files\LogMeIn Rescue Calling Card\CallingCard.exe:*:Enabled:LogMeIn Rescue Calling Card -- (LogMeIn, Inc.)
"C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe" = C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services -- (Rosetta Stone Ltd.)
"C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe" = C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon -- (Rosetta Stone Ltd.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager -- (Skype Technologies)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java™ 6 Update 15
"{28101984-0BA6-40FD-9ABE-72F62F80C06C}" = Heroes of Might and Magic V
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{3230518C-2953-4FB9-8485-B3CDFCC36A70}" = Rosetta Stone Ltd Services
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JMB36X Raid Configurer
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3B0F52AC-EF5C-4831-B221-06C782E41280}" = Quicken 2008
"{53E2DCBB-E6F7-4C83-B1EF-F78435B9814E}" = Sound Blaster X-Fi Xtreme Audio
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{578FA426-47C0-4A3F-98A4-01ACD26B7556}" = LEGO Star Wars II
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{5C74694C-A687-E3EB-FF18-B018D4A76ECD}" = Adobe Media Player
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6
"{6710FE30-27F7-492B-A660-D31D4A898A43}" = MSN Toolbar
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{779C40FF-9211-427B-A5C4-2026B85A1033}" = Nero 7 Essentials
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{7E117A6A-8579-4435-8290-4089C1C5BEFA}" = CVA MAP Assistance
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}" = URGE
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}" = Opera 9.64
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
"{E432C362-6A71-4E8A-A68A-AE5246520656}" = Art Explosion Scrapbook Factory
"{E56D39F8-2A9F-44B4-B068-A72E45A073E6}" = Safari
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{E721072F-AF17-4E39-8CC4-9811626E2867}" = Clever Island Free Edition
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FC2C7405-BC58-4E11-8F51-29671BEAC06B}" = Natural Color Pro
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2
"AIMars" = Active Images Express
"Ask Toolbar_is1" = Ask Toolbar
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"BFGC" = Big Fish Games Client
"BFG-Tumblebugs" = Tumblebugs
"Burn4Free" = Burn4Free CD and DVD
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Creative PD0620" = Creative WebCam Instant Driver (1.03.02.0425)
"Creative Photo Manager" = Creative Photo Manager
"Creative Software AutoUpdate" = Creative Software AutoUpdate
"Creative WebCam Center" = Creative WebCam Center
"Creative WebCam Instant User's Guide English" = Creative WebCam Instant User's Guide (English)
"Disney's Toontown Online" = Disney's Toontown Online
"ENTERPRISER" = Microsoft Office Enterprise 2007
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{578FA426-47C0-4A3F-98A4-01ACD26B7556}" = LEGO Star Wars II
"Luxor 2" = Luxor 2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Security Scan" = McAfee Security Scan
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Mystery P.I. - The Lottery Ticket" = Mystery P.I. - The Lottery Ticket (remove only)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Norton PC Checkup" = Norton PC Checkup
"NWEA NTE Administration Tool" = NWEA NTE Administration Tool
"Photodex Presenter" = Photodex Presenter
"PhotoShow Express" = PhotoShow Express
"Reader Rabbit® Reading Ages 6-9" = Reader Rabbit® Reading Ages 6-9
"Reader Rabbit's® Math Ages 6 - 9" = Reader Rabbit's® Math Ages 6 - 9
"Registry Mechanic_is1" = Registry Mechanic 9.0
"Spyware Doctor" = Spyware Doctor 7.0
"SysInfo" = Creative System Information
"thinkorswim" = thinkorswim
"Tumblebugs" = Tumblebugs
"TurboTax 2008" = TurboTax 2008
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"UBCD4Win_is1" = UBCD4Win 3.50
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WebCam Instant Product Registration" = WebCam Instant Product Registration
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Extras" = Yahoo! Browser Services
"Yahoo! Mail" = Yahoo! Internet Mail
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Toolbar" = Yahoo! Toolbar
"YInstHelper" = Yahoo! Install Manager

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-507921405-583907252-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"CVA MAP Spring 09" = CVA MAP Spring 09
"CVA MAP Spring 09 Primary " = CVA MAP Spring 09 Primary
"eggphone by babyTEL" = eggphone by babyTEL
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
"SmartDraw 2009" = SmartDraw 2009
"Smilebox" = Hallmark Smilebox

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/28/2009 12:03:39 AM | Computer Name = DADS | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/28/2009 12:22:56 AM | Computer Name = DADS | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/31/2009 6:15:56 PM | Computer Name = DADS | Source = nview_info | ID = 11141121
Description =

Error - 10/31/2009 6:15:56 PM | Computer Name = DADS | Source = nview_info | ID = 11141121
Description =

Error - 10/31/2009 6:15:56 PM | Computer Name = DADS | Source = nview_info | ID = 11141121
Description =

Error - 11/8/2009 5:28:30 AM | Computer Name = DADS | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 11/8/2009 5:28:30 AM | Computer Name = DADS | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 11/14/2009 5:15:46 PM | Computer Name = DADS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash10c.ocx, version 10.0.32.18, fault address 0x000cde24.

Error - 11/14/2009 6:46:57 PM | Computer Name = DADS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash10c.ocx, version 10.0.32.18, fault address 0x002400c8.

Error - 11/15/2009 10:54:45 PM | Computer Name = DADS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash10c.ocx, version 10.0.32.18, fault address 0x00040123.

[ System Events ]
Error - 11/30/2009 3:24:19 PM | Computer Name = DADS | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Intuit Update Service
service to connect.

Error - 11/30/2009 3:24:19 PM | Computer Name = DADS | Source = Service Control Manager | ID = 7000
Description = The Intuit Update Service service failed to start due to the following
error: %%1053

Error - 11/30/2009 6:47:02 PM | Computer Name = DADS | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 11/30/2009 6:47:02 PM | Computer Name = DADS | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 11/30/2009 6:47:33 PM | Computer Name = DADS | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Intuit Update Service
service to connect.

Error - 11/30/2009 6:47:33 PM | Computer Name = DADS | Source = Service Control Manager | ID = 7000
Description = The Intuit Update Service service failed to start due to the following
error: %%1053

Error - 11/30/2009 8:13:22 PM | Computer Name = DADS | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 11/30/2009 8:13:22 PM | Computer Name = DADS | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 11/30/2009 8:13:49 PM | Computer Name = DADS | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Intuit Update Service
service to connect.

Error - 11/30/2009 8:13:49 PM | Computer Name = DADS | Source = Service Control Manager | ID = 7000
Description = The Intuit Update Service service failed to start due to the following
error: %%1053


< End of report >


Also, since running those two scans everything is running much slower and my hard drive appears to be constantly running, as if I'm downloading something.

GMER is currently running but I wanted to get this posted in case something goes wrong and my computer shuts down or something and I lose all the information. Next post will have the GMER information. I hope this doesn't disturb protocol.

P.S. And thank you Sam for the help!

Edited by Baggi, 30 November 2009 - 07:44 PM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:38 AM

Posted 30 November 2009 - 07:50 PM

Ok, that's fine. The Gmer log should give me some confirmation so I'll wait to see it before we proceed any further.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Baggi

Baggi
  • Topic Starter

  • Members
  • 87 posts
  • Local time:10:38 PM

Posted 30 November 2009 - 11:52 PM

Wow, that took a while. Here is the GMER log:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-30 20:51:40
Windows 5.1.2600 Service Pack 3
Running: se28um38.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdapog.sys


---- System - GMER 1.0.15 ----

SSDT B87DCAE6 ZwCreateKey
SSDT B87DCADC ZwCreateThread
SSDT B87DCAEB ZwDeleteKey
SSDT B87DCAF5 ZwDeleteValueKey
SSDT B87DCAFA ZwLoadKey
SSDT B87DCAC8 ZwOpenProcess
SSDT B87DCACD ZwOpenThread
SSDT B87DCB04 ZwReplaceKey
SSDT B87DCAFF ZwRestoreKey
SSDT B87DCAF0 ZwSetValueKey
SSDT B87DCAD7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB62EF380, 0x3DF295, 0xE8000020]
init C:\WINDOWS\system32\drivers\p17xfilt.sys entry point in "init" section [0xB5F89930]

---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 8ACE2618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:38 AM

Posted 01 December 2009 - 08:04 AM

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.



========================================================

#7 Baggi

Baggi
  • Topic Starter

  • Members
  • 87 posts
  • Local time:10:38 PM

Posted 01 December 2009 - 03:11 PM

I hope I did that correctly.

12:7:32:515 1528 ForceUnloadDriver: NtUnloadDriver error 2
12:7:32:515 1528 ForceUnloadDriver: NtUnloadDriver error 2
12:7:32:515 1528 ForceUnloadDriver: NtUnloadDriver error 2
12:7:32:515 1528 main: Driver KLMD successfully dropped
12:7:32:812 1528 main: Driver KLMD successfully loaded
12:7:32:812 1528
Scanning Registry ...
12:7:32:843 1528 ScanServices: Searching service UACd.sys
12:7:32:843 1528 ScanServices: Open/Create key error 2
12:7:32:843 1528 ScanServices: Searching service TDSSserv.sys
12:7:32:843 1528 ScanServices: Open/Create key error 2
12:7:32:843 1528 ScanServices: Searching service gaopdxserv.sys
12:7:32:843 1528 ScanServices: Open/Create key error 2
12:7:32:843 1528 ScanServices: Searching service gxvxcserv.sys
12:7:32:843 1528 ScanServices: Open/Create key error 2
12:7:32:843 1528 ScanServices: Searching service MSIVXserv.sys
12:7:32:843 1528 ScanServices: Open/Create key error 2
12:7:32:953 1528 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
12:7:32:953 1528 UnhookRegistry: Kernel local addr: 1030000
12:7:33:0 1528 UnhookRegistry: KeServiceDescriptorTable addr: 10B5700
12:7:33:406 1528 UnhookRegistry: KiServiceTable addr: 105D460
12:7:33:406 1528 UnhookRegistry: NtEnumerateKey service number (local): 47
12:7:33:406 1528 UnhookRegistry: NtEnumerateKey local addr: 117CFF2
12:7:33:406 1528 KLMD_OpenDevice: Trying to open KLMD device
12:7:33:406 1528 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
12:7:33:406 1528 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
12:7:33:406 1528 KLMD_ReadMem: Trying to ReadMemory 0x805002C9[0x4]
12:7:33:406 1528 UnhookRegistry: NtEnumerateKey service number (kernel): 47
12:7:33:406 1528 KLMD_ReadMem: Trying to ReadMemory 0x8050457C[0x4]
12:7:33:406 1528 UnhookRegistry: NtEnumerateKey real addr: 80623FF2
12:7:33:406 1528 UnhookRegistry: NtEnumerateKey calc addr: 80623FF2
12:7:33:406 1528 UnhookRegistry: No SDT hooks found on NtEnumerateKey
12:7:33:406 1528 KLMD_ReadMem: Trying to ReadMemory 0x80623FF2[0xA]
12:7:33:406 1528 UnhookRegistry: No splicing found on NtEnumerateKey
12:7:33:406 1528
Scanning Kernel memory ...
12:7:33:406 1528 KLMD_OpenDevice: Trying to open KLMD device
12:7:33:406 1528 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
12:7:33:406 1528 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
12:7:33:406 1528 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AD1D9D8
12:7:33:406 1528 DetectCureTDL3: KLMD_GetDeviceObjectList returned 12 DevObjects
12:7:33:406 1528 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8A81B2E8
12:7:33:406 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A81B2E8
12:7:33:406 1528 KLMD_ReadMem: Trying to ReadMemory 0x8A81B2E8[0x38]
12:7:33:406 1528 DetectCureTDL3: DRIVER_OBJECT addr: 8AD1D9D8
12:7:33:406 1528 KLMD_ReadMem: Trying to ReadMemory 0x8AD1D9D8[0xA8]
12:7:33:406 1528 KLMD_ReadMem: Trying to ReadMemory 0xE178D148[0x208]
12:7:33:406 1528 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:7:33:406 1528 DetectCureTDL3: IrpHandler (0) addr: B811EBB0
12:7:33:406 1528 DetectCureTDL3: IrpHandler (1) addr: 804F4562
12:7:33:406 1528 DetectCureTDL3: IrpHandler (2) addr: B811EBB0
12:7:33:406 1528 DetectCureTDL3: IrpHandler (3) addr: B8118D1F
12:7:33:406 1528 DetectCureTDL3: IrpHandler (4) addr: B8118D1F
12:7:33:406 1528 DetectCureTDL3: IrpHandler (5) addr: 804F4562
12:7:33:406 1528 DetectCureTDL3: IrpHandler (6) addr: 804F4562
12:7:33:406 1528 DetectCureTDL3: IrpHandler (7) addr: 804F4562
12:7:33:406 1528 DetectCureTDL3: IrpHandler (8) addr: 804F4562
12:7:33:406 1528 DetectCureTDL3: IrpHandler (9) addr: B81192E2
12:7:33:406 1528 DetectCureTDL3: IrpHandler (10) addr: 804F4562
12:7:33:406 1528 DetectCureTDL3: IrpHandler (11) addr: 804F4562
12:7:33:406 1528 DetectCureTDL3: IrpHandler (12) addr: 804F4562
12:7:33:406 1528 DetectCureTDL3: IrpHandler (13) addr: 804F4562
12:7:33:406 1528 DetectCureTDL3: IrpHandler (14) addr: B81193BB
12:7:33:406 1528 DetectCureTDL3: IrpHandler (15) addr: B811CF28
12:7:33:406 1528 DetectCureTDL3: IrpHandler (16) addr: B81192E2
12:7:33:406 1528 DetectCureTDL3: IrpHandler (17) addr: 804F4562
12:7:33:406 1528 DetectCureTDL3: IrpHandler (18) addr: 804F4562
12:7:33:406 1528 DetectCureTDL3: IrpHandler (19) addr: 804F4562
12:7:33:406 1528 DetectCureTDL3: IrpHandler (20) addr: 804F4562
12:7:33:406 1528 DetectCureTDL3: IrpHandler (21) addr: 804F4562
12:7:33:406 1528 DetectCureTDL3: IrpHandler (22) addr: B811AC82
12:7:33:406 1528 DetectCureTDL3: IrpHandler (23) addr: B811F99E
12:7:33:406 1528 DetectCureTDL3: IrpHandler (24) addr: 804F4562
12:7:33:406 1528 DetectCureTDL3: IrpHandler (25) addr: 804F4562
12:7:33:406 1528 DetectCureTDL3: IrpHandler (26) addr: 804F4562
12:7:33:406 1528 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
12:7:33:421 1528 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
12:7:33:812 1528 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8A607AB8
12:7:33:812 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A607AB8
12:7:33:812 1528 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8A8E2020
12:7:33:812 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A8E2020
12:7:33:812 1528 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8A7E6030
12:7:33:812 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A7E6030
12:7:33:812 1528 KLMD_ReadMem: Trying to ReadMemory 0x8A7E6030[0x38]
12:7:33:812 1528 DetectCureTDL3: DRIVER_OBJECT addr: 8AC37F38
12:7:33:812 1528 KLMD_ReadMem: Trying to ReadMemory 0x8AC37F38[0xA8]
12:7:33:812 1528 KLMD_ReadMem: Trying to ReadMemory 0xE20671C0[0x208]
12:7:33:812 1528 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
12:7:33:812 1528 DetectCureTDL3: IrpHandler (0) addr: A9657218
12:7:33:812 1528 DetectCureTDL3: IrpHandler (1) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (2) addr: A9657218
12:7:33:812 1528 DetectCureTDL3: IrpHandler (3) addr: A965723C
12:7:33:812 1528 DetectCureTDL3: IrpHandler (4) addr: A965723C
12:7:33:812 1528 DetectCureTDL3: IrpHandler (5) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (6) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (7) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (8) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (9) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (10) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (11) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (12) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (13) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (14) addr: A9657180
12:7:33:812 1528 DetectCureTDL3: IrpHandler (15) addr: A96529E6
12:7:33:812 1528 DetectCureTDL3: IrpHandler (16) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (17) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (18) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (19) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (20) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (21) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (22) addr: A96565F0
12:7:33:812 1528 DetectCureTDL3: IrpHandler (23) addr: A9654A6E
12:7:33:812 1528 DetectCureTDL3: IrpHandler (24) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (25) addr: 804F4562
12:7:33:812 1528 DetectCureTDL3: IrpHandler (26) addr: 804F4562
12:7:33:812 1528 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\USBSTOR.sys
12:7:33:812 1528 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\USBSTOR.sys
12:7:33:828 1528 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8A9DD030
12:7:33:828 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A9DD030
12:7:33:828 1528 KLMD_ReadMem: Trying to ReadMemory 0x8A9DD030[0x38]
12:7:33:828 1528 DetectCureTDL3: DRIVER_OBJECT addr: 8AD1D9D8
12:7:33:828 1528 KLMD_ReadMem: Trying to ReadMemory 0x8AD1D9D8[0xA8]
12:7:33:828 1528 KLMD_ReadMem: Trying to ReadMemory 0xE178D148[0x208]
12:7:33:828 1528 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:7:33:828 1528 DetectCureTDL3: IrpHandler (0) addr: B811EBB0
12:7:33:828 1528 DetectCureTDL3: IrpHandler (1) addr: 804F4562
12:7:33:828 1528 DetectCureTDL3: IrpHandler (2) addr: B811EBB0
12:7:33:828 1528 DetectCureTDL3: IrpHandler (3) addr: B8118D1F
12:7:33:828 1528 DetectCureTDL3: IrpHandler (4) addr: B8118D1F
12:7:33:828 1528 DetectCureTDL3: IrpHandler (5) addr: 804F4562
12:7:33:828 1528 DetectCureTDL3: IrpHandler (6) addr: 804F4562
12:7:33:828 1528 DetectCureTDL3: IrpHandler (7) addr: 804F4562
12:7:33:828 1528 DetectCureTDL3: IrpHandler (8) addr: 804F4562
12:7:33:828 1528 DetectCureTDL3: IrpHandler (9) addr: B81192E2
12:7:33:828 1528 DetectCureTDL3: IrpHandler (10) addr: 804F4562
12:7:33:828 1528 DetectCureTDL3: IrpHandler (11) addr: 804F4562
12:7:33:828 1528 DetectCureTDL3: IrpHandler (12) addr: 804F4562
12:7:33:828 1528 DetectCureTDL3: IrpHandler (13) addr: 804F4562
12:7:33:828 1528 DetectCureTDL3: IrpHandler (14) addr: B81193BB
12:7:33:828 1528 DetectCureTDL3: IrpHandler (15) addr: B811CF28
12:7:33:828 1528 DetectCureTDL3: IrpHandler (16) addr: B81192E2
12:7:33:828 1528 DetectCureTDL3: IrpHandler (17) addr: 804F4562
12:7:33:828 1528 DetectCureTDL3: IrpHandler (18) addr: 804F4562
12:7:33:828 1528 DetectCureTDL3: IrpHandler (19) addr: 804F4562
12:7:33:828 1528 DetectCureTDL3: IrpHandler (20) addr: 804F4562
12:7:33:828 1528 DetectCureTDL3: IrpHandler (21) addr: 804F4562
12:7:33:828 1528 DetectCureTDL3: IrpHandler (22) addr: B811AC82
12:7:33:828 1528 DetectCureTDL3: IrpHandler (23) addr: B811F99E
12:7:33:828 1528 DetectCureTDL3: IrpHandler (24) addr: 804F4562
12:7:33:828 1528 DetectCureTDL3: IrpHandler (25) addr: 804F4562
12:7:33:828 1528 DetectCureTDL3: IrpHandler (26) addr: 804F4562
12:7:33:828 1528 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
12:7:33:828 1528 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
12:7:33:828 1528 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8A854858
12:7:33:828 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A854858
12:7:33:828 1528 KLMD_ReadMem: Trying to ReadMemory 0x8A854858[0x38]
12:7:33:828 1528 DetectCureTDL3: DRIVER_OBJECT addr: 8AD1D9D8
12:7:33:828 1528 KLMD_ReadMem: Trying to ReadMemory 0x8AD1D9D8[0xA8]
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0xE178D148[0x208]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:7:33:843 1528 DetectCureTDL3: IrpHandler (0) addr: B811EBB0
12:7:33:843 1528 DetectCureTDL3: IrpHandler (1) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (2) addr: B811EBB0
12:7:33:843 1528 DetectCureTDL3: IrpHandler (3) addr: B8118D1F
12:7:33:843 1528 DetectCureTDL3: IrpHandler (4) addr: B8118D1F
12:7:33:843 1528 DetectCureTDL3: IrpHandler (5) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (6) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (7) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (8) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (9) addr: B81192E2
12:7:33:843 1528 DetectCureTDL3: IrpHandler (10) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (11) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (12) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (13) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (14) addr: B81193BB
12:7:33:843 1528 DetectCureTDL3: IrpHandler (15) addr: B811CF28
12:7:33:843 1528 DetectCureTDL3: IrpHandler (16) addr: B81192E2
12:7:33:843 1528 DetectCureTDL3: IrpHandler (17) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (18) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (19) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (20) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (21) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (22) addr: B811AC82
12:7:33:843 1528 DetectCureTDL3: IrpHandler (23) addr: B811F99E
12:7:33:843 1528 DetectCureTDL3: IrpHandler (24) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (25) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (26) addr: 804F4562
12:7:33:843 1528 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
12:7:33:843 1528 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
12:7:33:843 1528 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 8A901248
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A901248
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8A901248[0x38]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT addr: 8AD1D9D8
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8AD1D9D8[0xA8]
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0xE178D148[0x208]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:7:33:843 1528 DetectCureTDL3: IrpHandler (0) addr: B811EBB0
12:7:33:843 1528 DetectCureTDL3: IrpHandler (1) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (2) addr: B811EBB0
12:7:33:843 1528 DetectCureTDL3: IrpHandler (3) addr: B8118D1F
12:7:33:843 1528 DetectCureTDL3: IrpHandler (4) addr: B8118D1F
12:7:33:843 1528 DetectCureTDL3: IrpHandler (5) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (6) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (7) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (8) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (9) addr: B81192E2
12:7:33:843 1528 DetectCureTDL3: IrpHandler (10) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (11) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (12) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (13) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (14) addr: B81193BB
12:7:33:843 1528 DetectCureTDL3: IrpHandler (15) addr: B811CF28
12:7:33:843 1528 DetectCureTDL3: IrpHandler (16) addr: B81192E2
12:7:33:843 1528 DetectCureTDL3: IrpHandler (17) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (18) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (19) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (20) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (21) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (22) addr: B811AC82
12:7:33:843 1528 DetectCureTDL3: IrpHandler (23) addr: B811F99E
12:7:33:843 1528 DetectCureTDL3: IrpHandler (24) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (25) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (26) addr: 804F4562
12:7:33:843 1528 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
12:7:33:843 1528 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
12:7:33:843 1528 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 8A890A68
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A890A68
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8A890A68[0x38]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT addr: 8AD1D9D8
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8AD1D9D8[0xA8]
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0xE178D148[0x208]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:7:33:843 1528 DetectCureTDL3: IrpHandler (0) addr: B811EBB0
12:7:33:843 1528 DetectCureTDL3: IrpHandler (1) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (2) addr: B811EBB0
12:7:33:843 1528 DetectCureTDL3: IrpHandler (3) addr: B8118D1F
12:7:33:843 1528 DetectCureTDL3: IrpHandler (4) addr: B8118D1F
12:7:33:843 1528 DetectCureTDL3: IrpHandler (5) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (6) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (7) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (8) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (9) addr: B81192E2
12:7:33:843 1528 DetectCureTDL3: IrpHandler (10) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (11) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (12) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (13) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (14) addr: B81193BB
12:7:33:843 1528 DetectCureTDL3: IrpHandler (15) addr: B811CF28
12:7:33:843 1528 DetectCureTDL3: IrpHandler (16) addr: B81192E2
12:7:33:843 1528 DetectCureTDL3: IrpHandler (17) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (18) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (19) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (20) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (21) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (22) addr: B811AC82
12:7:33:843 1528 DetectCureTDL3: IrpHandler (23) addr: B811F99E
12:7:33:843 1528 DetectCureTDL3: IrpHandler (24) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (25) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (26) addr: 804F4562
12:7:33:843 1528 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
12:7:33:843 1528 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
12:7:33:843 1528 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 8AB54AB8
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB54AB8
12:7:33:843 1528 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 8A83C020
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A83C020
12:7:33:843 1528 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 8A9A3EA0
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A9A3EA0
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8A9A3EA0[0x38]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT addr: 8AC37F38
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8AC37F38[0xA8]
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0xE20671C0[0x208]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
12:7:33:843 1528 DetectCureTDL3: IrpHandler (0) addr: A9657218
12:7:33:843 1528 DetectCureTDL3: IrpHandler (1) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (2) addr: A9657218
12:7:33:843 1528 DetectCureTDL3: IrpHandler (3) addr: A965723C
12:7:33:843 1528 DetectCureTDL3: IrpHandler (4) addr: A965723C
12:7:33:843 1528 DetectCureTDL3: IrpHandler (5) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (6) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (7) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (8) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (9) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (10) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (11) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (12) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (13) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (14) addr: A9657180
12:7:33:843 1528 DetectCureTDL3: IrpHandler (15) addr: A96529E6
12:7:33:843 1528 DetectCureTDL3: IrpHandler (16) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (17) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (18) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (19) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (20) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (21) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (22) addr: A96565F0
12:7:33:843 1528 DetectCureTDL3: IrpHandler (23) addr: A9654A6E
12:7:33:843 1528 DetectCureTDL3: IrpHandler (24) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (25) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (26) addr: 804F4562
12:7:33:843 1528 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\USBSTOR.sys
12:7:33:843 1528 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\USBSTOR.sys
12:7:33:843 1528 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 8A7F0298
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A7F0298
12:7:33:843 1528 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 8A802020
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A802020
12:7:33:843 1528 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 8A76C030
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A76C030
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8A76C030[0x38]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT addr: 8AC37F38
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8AC37F38[0xA8]
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0xE20671C0[0x208]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
12:7:33:843 1528 DetectCureTDL3: IrpHandler (0) addr: A9657218
12:7:33:843 1528 DetectCureTDL3: IrpHandler (1) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (2) addr: A9657218
12:7:33:843 1528 DetectCureTDL3: IrpHandler (3) addr: A965723C
12:7:33:843 1528 DetectCureTDL3: IrpHandler (4) addr: A965723C
12:7:33:843 1528 DetectCureTDL3: IrpHandler (5) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (6) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (7) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (8) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (9) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (10) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (11) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (12) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (13) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (14) addr: A9657180
12:7:33:843 1528 DetectCureTDL3: IrpHandler (15) addr: A96529E6
12:7:33:843 1528 DetectCureTDL3: IrpHandler (16) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (17) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (18) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (19) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (20) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (21) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (22) addr: A96565F0
12:7:33:843 1528 DetectCureTDL3: IrpHandler (23) addr: A9654A6E
12:7:33:843 1528 DetectCureTDL3: IrpHandler (24) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (25) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (26) addr: 804F4562
12:7:33:843 1528 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\USBSTOR.sys
12:7:33:843 1528 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\USBSTOR.sys
12:7:33:843 1528 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 8AA88AB8
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AA88AB8
12:7:33:843 1528 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 8A7E8390
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A7E8390
12:7:33:843 1528 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 8A8A7680
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A8A7680
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8A8A7680[0x38]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT addr: 8AC37F38
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8AC37F38[0xA8]
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0xE20671C0[0x208]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
12:7:33:843 1528 DetectCureTDL3: IrpHandler (0) addr: A9657218
12:7:33:843 1528 DetectCureTDL3: IrpHandler (1) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (2) addr: A9657218
12:7:33:843 1528 DetectCureTDL3: IrpHandler (3) addr: A965723C
12:7:33:843 1528 DetectCureTDL3: IrpHandler (4) addr: A965723C
12:7:33:843 1528 DetectCureTDL3: IrpHandler (5) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (6) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (7) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (8) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (9) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (10) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (11) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (12) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (13) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (14) addr: A9657180
12:7:33:843 1528 DetectCureTDL3: IrpHandler (15) addr: A96529E6
12:7:33:843 1528 DetectCureTDL3: IrpHandler (16) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (17) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (18) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (19) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (20) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (21) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (22) addr: A96565F0
12:7:33:843 1528 DetectCureTDL3: IrpHandler (23) addr: A9654A6E
12:7:33:843 1528 DetectCureTDL3: IrpHandler (24) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (25) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (26) addr: 804F4562
12:7:33:843 1528 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\USBSTOR.sys
12:7:33:843 1528 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\USBSTOR.sys
12:7:33:843 1528 DetectCureTDL3: 9 Curr stack PDEVICE_OBJECT: 8A981998
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A981998
12:7:33:843 1528 DetectCureTDL3: 9 Curr stack PDEVICE_OBJECT: 8A7D1020
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A7D1020
12:7:33:843 1528 DetectCureTDL3: 9 Curr stack PDEVICE_OBJECT: 8A8CC030
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A8CC030
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8A8CC030[0x38]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT addr: 8AC37F38
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8AC37F38[0xA8]
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0xE20671C0[0x208]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
12:7:33:843 1528 DetectCureTDL3: IrpHandler (0) addr: A9657218
12:7:33:843 1528 DetectCureTDL3: IrpHandler (1) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (2) addr: A9657218
12:7:33:843 1528 DetectCureTDL3: IrpHandler (3) addr: A965723C
12:7:33:843 1528 DetectCureTDL3: IrpHandler (4) addr: A965723C
12:7:33:843 1528 DetectCureTDL3: IrpHandler (5) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (6) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (7) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (8) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (9) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (10) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (11) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (12) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (13) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (14) addr: A9657180
12:7:33:843 1528 DetectCureTDL3: IrpHandler (15) addr: A96529E6
12:7:33:843 1528 DetectCureTDL3: IrpHandler (16) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (17) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (18) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (19) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (20) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (21) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (22) addr: A96565F0
12:7:33:843 1528 DetectCureTDL3: IrpHandler (23) addr: A9654A6E
12:7:33:843 1528 DetectCureTDL3: IrpHandler (24) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (25) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (26) addr: 804F4562
12:7:33:843 1528 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\USBSTOR.sys
12:7:33:843 1528 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\USBSTOR.sys
12:7:33:843 1528 DetectCureTDL3: 10 Curr stack PDEVICE_OBJECT: 8AD15030
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AD15030
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8AD15030[0x38]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT addr: 8AD1D9D8
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8AD1D9D8[0xA8]
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0xE178D148[0x208]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:7:33:843 1528 DetectCureTDL3: IrpHandler (0) addr: B811EBB0
12:7:33:843 1528 DetectCureTDL3: IrpHandler (1) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (2) addr: B811EBB0
12:7:33:843 1528 DetectCureTDL3: IrpHandler (3) addr: B8118D1F
12:7:33:843 1528 DetectCureTDL3: IrpHandler (4) addr: B8118D1F
12:7:33:843 1528 DetectCureTDL3: IrpHandler (5) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (6) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (7) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (8) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (9) addr: B81192E2
12:7:33:843 1528 DetectCureTDL3: IrpHandler (10) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (11) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (12) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (13) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (14) addr: B81193BB
12:7:33:843 1528 DetectCureTDL3: IrpHandler (15) addr: B811CF28
12:7:33:843 1528 DetectCureTDL3: IrpHandler (16) addr: B81192E2
12:7:33:843 1528 DetectCureTDL3: IrpHandler (17) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (18) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (19) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (20) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (21) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (22) addr: B811AC82
12:7:33:843 1528 DetectCureTDL3: IrpHandler (23) addr: B811F99E
12:7:33:843 1528 DetectCureTDL3: IrpHandler (24) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (25) addr: 804F4562
12:7:33:843 1528 DetectCureTDL3: IrpHandler (26) addr: 804F4562
12:7:33:843 1528 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
12:7:33:843 1528 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
12:7:33:843 1528 DetectCureTDL3: 11 Curr stack PDEVICE_OBJECT: 8AD1CAB8
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AD1CAB8
12:7:33:843 1528 DetectCureTDL3: 11 Curr stack PDEVICE_OBJECT: 8AD35D58
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AD35D58
12:7:33:843 1528 DetectCureTDL3: 11 Curr stack PDEVICE_OBJECT: 8AD209E8
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AD209E8
12:7:33:843 1528 DetectCureTDL3: 11 Curr stack PDEVICE_OBJECT: 8ADA1D98
12:7:33:843 1528 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ADA1D98
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8ADA1D98[0x38]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT addr: 8AC38BD0
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8AC38BD0[0xA8]
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8AD39D98[0x38]
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0x8ADAA218[0xA8]
12:7:33:843 1528 KLMD_ReadMem: Trying to ReadMemory 0xE17BA8D8[0x208]
12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
12:7:33:843 1528 DetectCureTDL3: IrpHandler (0) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (1) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (2) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (3) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (4) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (5) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (6) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (7) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (8) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (9) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (10) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (11) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (12) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (13) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (14) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (15) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (16) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (17) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (18) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (19) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (20) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (21) addr: 8ACA1618
12:7:33:843 1528 DetectCureTDL3: IrpHandler (22) addr: 8ACA1618
12:7:33:859 1528 DetectCureTDL3: IrpHandler (23) addr: 8ACA1618
12:7:33:859 1528 DetectCureTDL3: IrpHandler (24) addr: 8ACA1618
12:7:33:859 1528 DetectCureTDL3: IrpHandler (25) addr: 8ACA1618
12:7:33:859 1528 DetectCureTDL3: IrpHandler (26) addr: 8ACA1618
12:7:33:859 1528 DetectCureTDL3: All IRP handlers pointed to one addr: 8ACA1618
12:7:33:859 1528 KLMD_ReadMem: Trying to ReadMemory 0x8ACA1618[0x400]
12:7:33:859 1528 TDL3_HookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
12:7:33:859 1528 Driver atapi infected by TDSS rootkit ... 12:7:33:859 1528 TDL3_HookCure: Processing driver in memory: atapi
12:7:33:859 1528 KLMD_WriteMem: Trying to WriteMemory 0x8ACA167D[0xD]
12:7:33:859 1528 cured
12:7:33:859 1528 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\atapi.sys
12:7:33:859 1528 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\atapi.sys
12:7:33:875 1528
Completed

Results:
12:7:33:875 1528 Infected / Cured drivers in memory: 1 / 1
12:7:33:875 1528 Infected / Cured drivers on disk: 0 / 0
12:7:33:875 1528 Files deleted on next reboot: 0
12:7:33:875 1528 Registry nodes deleted on next reboot: 0
12:7:33:875 1528
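A parser for the DetectCureTDL3 lines in the log above, as an added example that is neither from this thread nor from Kaspersky's TDSSKiller: it rebuilds each driver's IRP dispatch table from the log and flags the condition the tool reports as "All IRP handlers pointed to one addr" right before it declares atapi infected. The sample log is constructed from the Disk and atapi addresses shown above.

```python
"""Flag drivers whose whole IRP dispatch table points at one address.

Added example: this is not code from the thread or from TDSSKiller. It only
parses the "DetectCureTDL3" line format visible in the log above; the sample
log below is constructed from addresses shown in that log.
"""
import re
from collections import OrderedDict

IRP_MJ_COUNT = 27  # TDSSKiller enumerates IrpHandler (0) .. (26) on Windows XP

DRIVER_RE = re.compile(
    r"DetectCureTDL3: DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
IRP_RE = re.compile(
    r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")


def parse_dispatch_tables(text):
    """Map driver name -> {irp major function index: handler address}.

    A driver's table is printed once per device stack the tool walks (USBSTOR
    appears four times above); the last complete table wins, which is the one
    the cure step acts on.
    """
    tables = OrderedDict()
    current = None
    for line in text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(2)
            tables[current] = {}
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][int(m.group(1))] = int(m.group(2), 16)
    return tables


def classify(table):
    """Classify one dispatch table.

    "hooked"  : every slot points to the same address, the condition the log
                reports as "All IRP handlers pointed to one addr"
    "partial" : fewer than IRP_MJ_COUNT slots were parsed, so no verdict
    "clean"   : a normal table: unsupported slots share the kernel's
                IopInvalidDeviceRequest stub (804F4562 above), the rest point
                at distinct routines inside the driver image

    Treat "hooked" as a lead, not a verdict: a filter driver that forwards
    everything through one routine looks the same. TDSSKiller itself reads
    the target (ReadMemory 0x8ACA1618[0x400]) and checks its parameters
    before printing "infected".
    """
    if len(table) < IRP_MJ_COUNT:
        return "partial"
    if len(set(table.values())) == 1:
        return "hooked"
    return "clean"


def find_hooked_drivers(text):
    """Names of drivers in a TDSSKiller log whose table is fully redirected."""
    return [name for name, tbl in parse_dispatch_tables(text).items()
            if classify(tbl) == "hooked"]


def _table_lines(driver, handlers):
    """Constructed log lines in the format TDSSKiller prints for one driver."""
    lines = ["12:7:33:843 1528 DetectCureTDL3: DRIVER_OBJECT name: "
             "\\Driver\\%s, Driver Name: %s" % (driver, driver)]
    for slot, addr in enumerate(handlers):
        lines.append("12:7:33:843 1528 DetectCureTDL3: IrpHandler (%d) addr: %08X"
                     % (slot, addr))
    return lines


# Constructed sample: Disk's table as shown above (mostly the 804F4562 stub,
# ten slots with real routines) and atapi's table with every slot pointing
# to the single address 8ACA1618, as in the log above.
DISK_TABLE = [0x804F4562] * IRP_MJ_COUNT
for _slot, _addr in {0: 0xB811EBB0, 2: 0xB811EBB0, 3: 0xB8118D1F, 4: 0xB8118D1F,
                     9: 0xB81192E2, 14: 0xB81193BB, 15: 0xB811CF28,
                     16: 0xB81192E2, 22: 0xB811AC82, 23: 0xB811F99E}.items():
    DISK_TABLE[_slot] = _addr
ATAPI_TABLE = [0x8ACA1618] * IRP_MJ_COUNT
SAMPLE_LOG = "\n".join(_table_lines("Disk", DISK_TABLE)
                       + _table_lines("atapi", ATAPI_TABLE))

if __name__ == "__main__":
    for name, tbl in parse_dispatch_tables(SAMPLE_LOG).items():
        print("%-8s %-8s %2d distinct handler addresses"
              % (name, classify(tbl), len(set(tbl.values()))))
    print("hooked:", find_hooked_drivers(SAMPLE_LOG))
```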



#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:38 AM

Posted 01 December 2009 - 06:49 PM

Yes, that's right. Are you still being redirected?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 Baggi

Baggi
  • Topic Starter

  • Members
  • 87 posts
  • Local time:10:38 PM

Posted 02 December 2009 - 12:59 AM

I've been home from work and online for about 15-20 minutes now and haven't experienced any problems.

However, my wife said she was online earlier, before I got home from work, and was still being redirected after clicking on Google search links. We had two problems before though: one was being redirected from Google/Yahoo/Bing searches, the other was having our web browser start up by itself and just load a random advertisement. That second problem appears to be fixed for sure.

Is there something I can run now to see if I'm clean?

Or shall I just give it some time and if, after a couple of days I don't experience anything, all should be well?

And thank you a lot for your help, Sam. I really appreciate your efforts.

#10 Baggi

Baggi
  • Topic Starter

  • Members
  • 87 posts
  • Local time:10:38 PM

Posted 02 December 2009 - 03:10 AM

I've now been online for about 2 hours or so and I've been redirected only one time.

Plus my wife's claim that she was redirected earlier.

So there is something still wrong, but I'd say it is approximately 90% better right now than it was.

Edit: I attempted to start my computer in Safe Mode, as it seems to me like that was part of the problem, and it still does not start in Safe Mode.

Edited by Baggi, 02 December 2009 - 03:16 AM.


#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:38 AM

Posted 02 December 2009 - 08:54 AM

It seems we've made some progress, but may not be completely done yet.

Download SafeBootKeyRepair.exe by sUBs and save to your desktop.
  • Double-click on it and follow the instructions.
  • When finished, see if you can access safe mode.


====================


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.


========================================================

#12 Baggi

Baggi
  • Topic Starter

  • Members
  • 87 posts
  • Local time:10:38 PM

Posted 02 December 2009 - 10:00 AM

I'll have to take care of this after work tonight, as I'm on my way to work in a few minutes.

I'd like to note, however, that last night things ran pretty well, although not perfectly. This morning, after I started my computer and visited this website and two others, each time I went to a new website, a new instance of Firefox was started and approximately 5 tabs were loading with different websites. Not sure if I'm being clear, hopefully that makes sense. Anyway, it seems that having turned the computer off last night and back on this morning, things have gone right back to where they started, or worse.

Hopefully after I follow the above directions tonight after work, things will make more sense.

This is an example of the webpage I'm being redirected to now:

It's all complete nonsense, rather than an actual website.

Edited by Buckeye_Sam, 02 December 2009 - 06:42 PM.
removed possible malicious link


#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:38 AM

Posted 02 December 2009 - 06:44 PM

I removed that link so someone doesn't inadvertently visit it and get infected.

Just post back when you've had opportunity to run those.


========================================================

#14 Baggi

Baggi
  • Topic Starter

  • Members
  • 87 posts
  • Local time:10:38 PM

Posted 02 December 2009 - 08:06 PM

You didn't ask for it, but here is the log for the SAFEBOOT:

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PEVSystemStart]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PEVSystemStart]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\PEVSystemStart
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\procexp90.Sys


Next I will run the Combofix.

#15 Baggi

Baggi
  • Topic Starter

  • Members
  • 87 posts
  • OFFLINE
  • Local time:10:38 PM

Posted 02 December 2009 - 08:28 PM

Here is Combofix:

ComboFix 09-12-02.05 - Owner 12/02/2009 17:12.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2943.2541 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
.

2009-12-01 20:06 . 2009-12-01 20:06 -------- d-----w- C:\Desktop
2009-11-29 21:50 . 2009-11-29 21:50 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-29 21:50 . 2009-11-29 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-29 21:50 . 2009-11-29 21:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-29 21:50 . 2009-11-29 21:50 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-11-28 22:53 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-28 22:53 . 2009-11-28 22:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 22:53 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 00:33 . 2009-11-28 00:33 -------- d-----w- c:\program files\Trend Micro
2009-11-26 20:41 . 2009-12-03 00:47 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-11-26 20:41 . 2009-11-26 20:41 48 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-26 20:38 . 2009-12-03 00:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-26 20:37 . 2009-11-26 20:37 -------- d-----w- c:\program files\Common Files\Skype
2009-11-26 20:37 . 2009-11-26 20:37 -------- d-----r- c:\program files\Skype
2009-11-26 20:37 . 2009-11-26 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-24 01:23 . 2006-12-06 11:41 44416 ----a-r- c:\windows\system32\drivers\jraid_2.sys
2009-11-23 19:07 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-23 19:07 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-23 19:07 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-23 19:07 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-23 19:07 . 2009-11-23 19:07 -------- d-----w- c:\program files\Avira
2009-11-23 19:07 . 2009-11-23 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-23 09:04 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-22 09:42 . 2009-11-22 10:28 -------- d-----w- C:\UBCD4Win
2009-11-22 00:07 . 2009-11-22 00:08 -------- d-----w- c:\program files\Burn4Free Toolbar
2009-11-21 21:45 . 2009-11-22 09:47 -------- d-----w- c:\windows\system32\temp
2009-11-21 21:10 . 2009-11-21 21:10 -------- d-----w- c:\program files\bfgclient
2009-11-21 21:10 . 2009-11-21 21:10 -------- d-----w- c:\program files\Yahoo! Games
2009-11-21 21:10 . 2009-11-21 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Oberon Media
2009-11-21 21:09 . 2009-12-02 22:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-21 21:09 . 2009-11-21 21:09 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-11-21 21:09 . 2009-11-21 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-21 21:09 . 2009-11-21 21:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help
2009-11-14 04:26 . 2009-11-14 04:26 4096 ----a-w- c:\windows\d3dx.dat
2009-11-14 04:26 . 2009-12-02 21:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Wildfire
2009-11-14 04:26 . 2009-11-21 21:06 -------- d-----w- c:\program files\Tumblebugs
2009-11-14 04:24 . 2009-11-21 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-11-14 01:37 . 2009-11-14 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2009-11-14 01:37 . 2009-11-21 21:06 -------- d-----w- c:\program files\Shockwave.com
2009-11-14 01:15 . 2009-11-21 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-11-11 18:53 . 2009-11-14 01:04 -------- d-----w- c:\program files\Oberon Media
2009-11-08 21:05 . 2009-11-08 21:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-08 09:28 . 2009-11-08 09:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-07 21:08 . 2009-11-07 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-07 18:17 . 2009-11-21 21:09 -------- d-----w- c:\program files\iPod
2009-11-07 18:17 . 2009-11-21 21:09 -------- d-----w- c:\program files\iTunes
2009-11-07 18:13 . 2009-11-07 18:13 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-07 10:32 . 2009-11-07 10:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-07 10:28 . 2009-09-24 16:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-07 10:28 . 2009-10-07 00:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-07 10:28 . 2009-09-24 00:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-07 10:27 . 2009-09-03 17:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-07 10:27 . 2009-11-21 21:09 -------- d-----w- c:\program files\Spyware Doctor
2009-11-07 10:27 . 2009-11-21 21:09 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-07 10:23 . 2009-11-07 10:23 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-11-07 10:22 . 2009-11-21 21:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-11-07 10:22 . 2009-07-15 08:04 -------- d-s---w- c:\documents and settings\Administrator\IETldCache
2009-11-07 10:22 . 2009-11-21 21:09 -------- d-----w- c:\documents and settings\Administrator
2009-11-07 08:39 . 2009-11-21 21:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\dbpdtb
2009-11-07 06:32 . 2009-12-03 00:48 -------- d-----w- c:\documents and settings\Owner\Tracing
2009-11-07 06:30 . 2009-11-07 06:30 -------- d-----w- c:\program files\Microsoft
2009-11-07 06:30 . 2009-11-07 06:30 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-07 01:20 . 2009-11-07 01:20 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-05 21:08 . 2009-11-05 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-11-05 21:08 . 2009-11-05 21:08 -------- d-----w- c:\program files\McAfee Security Scan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-29 21:48 . 2009-10-31 22:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-28 20:45 . 2008-05-22 01:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-25 08:49 . 2008-04-06 00:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-24 03:10 . 2007-10-04 06:01 -------- d-----w- c:\program files\thinkorswim
2009-11-22 09:59 . 2009-01-16 03:31 -------- d-----w- c:\program files\Burn4Free
2009-11-21 21:09 . 2008-02-08 05:14 -------- d-----w- c:\program files\Common Files\Apple
2009-11-21 21:09 . 2009-05-08 19:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-21 21:09 . 2008-12-30 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-20 01:50 . 2008-12-30 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-11-14 01:28 . 2009-02-16 23:01 -------- d-----w- c:\program files\AOL Games
2009-11-14 01:08 . 2007-11-21 01:53 -------- d-----w- c:\program files\Yahoo!
2009-11-07 06:29 . 2008-02-07 20:15 -------- d-----w- c:\program files\Windows Live
2009-11-06 04:25 . 2007-09-14 00:31 98208 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-05 18:01 . 2008-04-06 00:12 -------- d-----w- c:\program files\Microsoft Works
2009-11-01 06:31 . 2009-11-01 06:31 75 ----a-w- c:\windows\system32\nvUnsupRes.dat
2009-10-31 22:52 . 2009-10-31 22:51 8 ----a-w- c:\windows\system32\nvModes.dat
2009-10-31 22:10 . 2009-10-31 22:10 -------- d-----w- c:\program files\NVIDIA Corporation
2009-10-31 22:10 . 2009-10-31 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-10-31 22:07 . 2009-10-31 22:07 -------- d-----w- c:\program files\AGEIA Technologies
2009-10-27 05:11 . 2007-12-03 00:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-10-27 04:59 . 2009-10-27 04:58 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-27 04:57 . 2009-10-27 04:56 -------- d-----w- c:\program files\QuickTime
2009-10-27 04:51 . 2008-04-11 04:37 -------- d-----w- c:\program files\Safari
2009-10-23 03:41 . 2009-10-11 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\RosettaStoneLtdServices
2009-10-11 02:17 . 2009-10-11 02:17 -------- d-----w- c:\program files\RosettaStoneLtdServices
2009-10-05 20:32 . 2007-10-03 09:21 -------- d-----w- c:\program files\Java
2009-10-05 20:31 . 2009-10-05 20:31 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-30 02:20 . 2007-09-14 00:16 584296 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-09-28 01:20 . 2009-09-28 01:20 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-27 23:12 . 2007-09-14 00:17 490088 ----a-w- c:\windows\system32\nvudisp.exe
2009-09-22 20:06 . 2009-06-30 07:59 82468 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-24_01.39.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-03 01:12 . 2009-12-03 01:12 16384 c:\windows\Temp\Perflib_Perfdata_64c.dat
+ 2009-12-03 01:12 . 2009-12-03 01:12 16384 c:\windows\Temp\Perflib_Perfdata_618.dat
- 2007-07-18 12:42 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2007-07-18 12:42 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2006-02-28 12:00 . 2006-02-28 12:00 95360 c:\windows\system32\drivers\atapi.sys
+ 2006-02-28 12:00 . 2006-02-28 12:00 95360 c:\windows\system32\dllcache\atapi.sys
- 2008-09-06 16:59 . 2009-11-23 22:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-06 16:59 . 2009-12-03 00:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-08 21:05 . 2009-12-03 00:47 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-11-08 21:05 . 2009-11-23 22:24 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2008-09-06 16:59 . 2009-11-23 22:24 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-27 23:19 . 2009-12-03 00:47 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-25 16:45 . 2009-11-25 16:45 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2009-11-29 21:50 . 2009-11-30 03:18 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-11-29 21:50 . 2009-11-30 03:18 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-11-29 21:50 . 2009-11-30 03:18 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2009-07-12 08:02 . 2009-07-12 08:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2009-11-26 20:37 . 2009-11-26 20:37 794112 c:\windows\Installer\493d0f.msi
+ 2009-11-25 16:45 . 2009-11-25 16:45 429568 c:\windows\Installer\3517b3.msi
+ 2009-11-24 23:43 . 2009-11-24 23:43 195584 c:\windows\Installer\14ee3e3.msi
+ 2009-11-26 20:37 . 2009-11-26 20:37 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
+ 2009-07-21 08:03 . 2009-07-21 08:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2008-09-05 15:23 . 2009-07-31 18:05 1372672 c:\windows\system32\msxml6.dll
+ 2009-07-21 08:05 . 2009-07-21 08:05 1348432 c:\windows\system32\msxml4.dll
+ 2006-02-28 12:00 . 2009-07-31 04:35 1172480 c:\windows\system32\msxml3.dll
+ 2008-09-05 15:23 . 2009-07-31 18:05 1372672 c:\windows\system32\dllcache\msxml6.dll
+ 2008-11-13 00:38 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2009-11-26 20:37 . 2009-11-26 20:37 1565696 c:\windows\Installer\493d0a.msi
+ 2009-11-29 21:50 . 2009-11-29 21:50 1583616 c:\windows\Installer\101e1c.msi
- 2007-09-21 09:05 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe
+ 2007-09-21 09:05 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]
2009-11-22 00:07 815104 ----a-w- c:\program files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-18 279944]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "c:\program files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll" [2009-11-22 815104]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "c:\program files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll" [2009-11-22 815104]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-18 279944]

[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-20 68856]
"PhotoShow Deluxe Media Manager"="c:\progra~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe" [2005-01-22 163840]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-27 3883856]
"SmileboxTray"="c:\documents and settings\Owner\Application Data\Smilebox\SmileboxTray.exe" [2009-04-24 254600]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-16 1953792]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-03-01 180224]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-06 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-06 86016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"P17Helper"="SPIRun.dll" - c:\windows\system32\SPIRun.dll [2006-07-03 10752]
"PD0620 STISvc"="P0620Pin.dll" - c:\windows\system32\P0620Pin.dll [2005-05-10 36864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-4-22 344064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2007-9-13 49220]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LogMeIn Rescue Calling Card\\CallingCard.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/7/2009 2:28 AM 207280]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/23/2009 11:07 AM 108289]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [11/19/2009 5:24 PM 583640]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [4/25/2009 7:45 PM 443712]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/7/2009 2:27 AM 358600]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [10/31/2009 3:01 PM 56992]
S2 yjcmigjukv;yjcmigjukv;\??\c:\windows\system32\drivers\kqjndvwcwem.sys --> c:\windows\system32\drivers\kqjndvwcwem.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-11-19 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]

2009-11-28 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]

2009-12-03 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-05-17 14:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - ?p=ZUman000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: plaxo.com\www
Trusted Zone: turbotax.com
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://aolsvc.aol.com/onlinegames/free-trial-cooking-dash/CookingDashWeb.1.0.0.9.cab
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://aolsvc.aol.com/onlinegames/free-trial-chocolatier/ChocolatierWeb.1.0.0.13.cab
DPF: {26E6B759-DEEB-42A1-A21C-78CD29098411} - hxxp://aolsvc.aol.com/onlinegames/free-trial-fitness-dash/FitnessDashWeb.1.0.0.11.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mystery-pi-the-lottery-ticket/SpinTopGamesLauncher.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-delicious-2-deluxe/zylomplayer.cab
DPF: {F135A813-7152-4532-AC8D-28AC2136DFC7} - hxxp://aolsvc.aol.com/onlinegames/free-trial-parking-dash/parkingdash.1.0.0.10.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\uz57he1z.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npPxPlay.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-02 17:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
P17Helper = Rundll32 SPIRun.dll,RunDLLEntry?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-12-02 17:24
ComboFix-quarantined-files.txt 2009-12-03 01:24
ComboFix2.txt 2009-11-24 01:47

Pre-Run: 386,460,913,664 bytes free
Post-Run: 386,462,642,176 bytes free

- - End Of File - - 014F5C1360947F0E1F3E857706F2D193


I'll not try anything else, even starting in Safe Mode, until I hear from you again, Sam.
