Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Redirects/ Popups


  • This topic is locked This topic is locked
38 replies to this topic

#1 bbokie

bbokie

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 08 December 2009 - 11:57 PM

I've been having numerous browser redirects to bogus sites when I use google, yahoo, dogpile, etc. When i click on a selection I am sent to a random site, sometimes with assorted virus warnings going off. Also, various popups will stack up on my desktop wth messages saying "trying to connect to http.... " and list an odd assortment of characters and wingdings - sometimes these will be stacked 30 high. Any help you could provide as McAfee AV, Spybot SD, Malwarebytes, SuperAntiSpyware and AdAware haven't helped? Requested logs are posted below!
Thanks


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 22:31:58.94 on Tue 12/08/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.415 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
g:\autorun.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Owner.COMPUTER\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Documents and Settings\Owner.COMPUTER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mWindow Title = Microsoft Internet Explorer
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/msk/en-us/msk7/default.asp?affid=370-16
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [cdloader] "c:\documents and settings\owner.computer\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\owner~1.com\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5826/mcfscan.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-4 64288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-5-5 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-11 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-11 74480]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-5-5 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-5-5 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-5-5 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-5-5 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-5-5 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-5-5 40552]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-11 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-6-3 92008]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-5-5 34248]

=============== Created Last 30 ================

2009-12-09 03:35:49 0 d-----w- c:\windows\McAfee.com
2009-12-05 05:09:37 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-05 04:02:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-05 03:58:49 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-05 03:58:23 0 d-----w- c:\program files\Lavasoft
2009-11-28 21:24:55 1 ----a-w- C:\s
2009-11-25 14:45:25 0 d-----w- c:\program files\Trend Micro
2009-11-18 02:45:29 0 d-----w- c:\windows\system32\URTTemp
2009-11-17 03:06:55 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-17 03:06:39 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-17 03:06:39 0 d-----w- c:\docume~1\owner~1.com\applic~1\SUPERAntiSpyware.com
2009-11-17 03:06:07 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-17 02:09:59 0 d-----w- c:\program files\CCleaner
2009-11-11 14:18:55 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-11 14:18:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 03:07:34 14398 ----a-w- c:\program files\common files\liky._dl
2009-09-09 03:07:34 13587 ----a-w- c:\program files\common files\pupomifo.vbs
2008-08-30 14:22:36 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 22:34:21.15 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:53 PM

Posted 20 December 2009 - 08:07 PM

Hi,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you
would let me no so I can close this topic, if you still need help please let me no what issues you are still having, in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT

  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Then please post back here with the following logs:
  • OTL.txt
  • Extra.txt
Thanks

unite.jpg


#3 bbokie

bbokie
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 21 December 2009 - 12:39 AM

Syler,
Thanks so much for the response and the help! No problem on the wait - I can see you guys are swamped and you're doing great work.
Here are the OTL logs you requested. If it matters, I got a popup window that said "Windows - No Disk exception process message c0000013 parameters 75b6bf7c 4 75b6bf 7c 75b6bf7c" I clicked through it and everything resumed scanning.

OTL.txt is here:

OTL logfile created on: 12/20/2009 11:24:16 PM - Run 1
OTL by OldTimer - Version 3.1.19.0 Folder = C:\Documents and Settings\Owner.COMPUTER\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 509.00 Mb Available Physical Memory | 50.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 293.88 Gb Total Space | 265.61 Gb Free Space | 90.38% Space Free | Partition Type: NTFS
Drive D: | 4.20 Gb Total Space | 2.35 Gb Free Space | 55.91% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 1.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 17.59 Mb Total Space | 17.31 Mb Free Space | 98.39% Space Free | Partition Type: FAT

Computer Name: COMPUTER
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/20 23:16:31 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.COMPUTER\Desktop\OTL.exe
PRC - [2009/12/09 22:15:36 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/12/09 22:15:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/11/11 10:44:44 | 02,001,648 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/08/01 10:13:44 | 12,231,512 | ---- | M] (magicJack L.P.) -- C:\Documents and Settings\Owner.COMPUTER\Application Data\mjusbsp\magicJack.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/06/03 06:46:36 | 00,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2009/06/03 06:46:34 | 00,251,240 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
PRC - [2009/03/05 23:04:30 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/05 15:18:48 | 00,413,696 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/25 03:41:37 | 00,537,520 | ---- | M] ( ) -- C:\WINDOWS\system32\lxddcoms.exe
PRC - [2006/05/18 14:06:20 | 00,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2006/01/15 02:05:58 | 08,744,960 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
PRC - [2005/10/12 17:16:06 | 00,172,032 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
PRC - [2005/10/12 13:30:42 | 00,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2005/10/12 13:30:24 | 00,086,140 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
PRC - [2005/09/20 12:36:20 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2005/09/20 12:32:24 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2005/08/02 17:19:16 | 00,058,880 | ---- | M] (Microsoft) -- C:\WINDOWS\arservice.exe
PRC - [2002/04/11 23:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe
PRC - [2001/12/12 23:01:00 | 00,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe


========== Modules (SafeList) ==========

MOD - [2009/12/20 23:16:31 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.COMPUTER\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/12/09 22:15:36 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/06/03 06:46:36 | 00,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/04/02 15:10:56 | 00,656,168 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/03/05 23:04:30 | 00,132,424 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2007/05/25 03:41:37 | 00,537,520 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxddcoms.exe -- (lxdd_device)
SRV - [2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/05/18 14:06:20 | 00,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2005/10/12 17:16:06 | 00,172,032 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe -- (ELService)
SRV - [2005/10/12 13:30:24 | 00,086,140 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe -- (IAANTMon) Intel®
SRV - [2005/08/02 17:19:16 | 00,058,880 | ---- | M] (Microsoft) [Auto | Running] -- C:\WINDOWS\arservice.exe -- (ARSVC)
SRV - [2005/01/09 19:05:37 | 00,295,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService)
SRV - [2002/04/11 23:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) [Auto | Running] -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service)


========== Driver Services (SafeList) ==========

DRV - [2009/11/11 10:44:50 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/11/11 10:44:48 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/11/11 10:44:46 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/09/16 09:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 11:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/03/19 15:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/04/13 12:46:22 | 00,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2008/04/13 12:45:34 | 00,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\irbus.sys -- (IrBus)
DRV - [2008/04/13 12:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 12:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 12:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2006/07/26 15:01:00 | 01,021,832 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/07/26 15:00:00 | 00,041,728 | ---- | M] (Sonic Focus, Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfng32.sys -- (sfng32)
DRV - [2006/05/18 14:04:10 | 00,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2005/10/12 17:15:50 | 00,007,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ELacpi.sys -- (ELacpi)
DRV - [2005/10/12 17:15:48 | 00,007,040 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ELmon.sys -- (ELmon)
DRV - [2005/10/12 17:15:24 | 00,006,912 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ELkbd.sys -- (ELkbd)
DRV - [2005/10/12 17:15:22 | 00,006,400 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ELmou.sys -- (ELmou)
DRV - [2005/10/12 17:15:20 | 00,006,400 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ELhid.sys -- (ELhid)
DRV - [2005/10/12 13:07:12 | 00,874,240 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS -- (iaStor)
DRV - [2005/09/20 13:00:54 | 01,302,332 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2005/09/15 23:24:38 | 00,206,080 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinavrr.sys -- (ATIAVPCI)
DRV - [2005/06/13 15:58:04 | 00,162,816 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [2005/05/13 03:54:10 | 00,020,576 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2005/03/17 10:51:16 | 01,033,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/03/17 10:50:36 | 00,221,440 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2005/03/17 10:50:32 | 00,705,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/02/11 23:46:00 | 00,371,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/11/10 18:30:18 | 00,024,832 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2004/11/10 18:27:34 | 00,044,288 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2004/08/12 18:45:54 | 00,137,728 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/10 13:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/03 23:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/03/17 13:04:14 | 00,013,059 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2003/12/19 20:15:50 | 00,015,263 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
DRV - [2003/01/10 15:13:04 | 00,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 23:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 23:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 23:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 23:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 23:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 22:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 22:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 22:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 22:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 22:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 22:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 22:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 22:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 22:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 22:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 14:49:32 | 00,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch...P&M=GM5091E
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...P&M=GM5091E
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch...P&M=GM5091E
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...P&M=GM5091E
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1833223591-1423567300-862232233-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1833223591-1423567300-862232233-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1833223591-1423567300-862232233-1006\S-1-5-21-1833223591-1423567300-862232233-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1833223591-1423567300-862232233-1006\S-1-5-21-1833223591-1423567300-862232233-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


[2009/06/19 21:13:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.COMPUTER\Application Data\Mozilla\Extensions
[2009/06/19 21:13:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.COMPUTER\Application Data\Mozilla\Extensions\home2@tomtom.com

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1833223591-1423567300-862232233-1006\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O4 - HKLM..\Run: [AlwaysReady Power Message APP] C:\WINDOWS\arpwrmsg.exe (Microsoft)
O4 - HKLM..\Run: [FaxCenterServer] C:\Program Files\Lexmark Fax Solutions\fm3032.exe ()
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelAudioStudio] C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe (Intel Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-1833223591-1423567300-862232233-1006..\Run: [cdloader] C:\Documents and Settings\Owner.COMPUTER\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKU\S-1-5-21-1833223591-1423567300-862232233-1006..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-1833223591-1423567300-862232233-1006..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-1833223591-1423567300-862232233-1006..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\HelpAssistant\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Owner.COMPUTER\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1833223591-1423567300-862232233-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1833223591-1423567300-862232233-1006\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-1833223591-1423567300-862232233-1006\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1833223591-1423567300-862232233-1006\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} http://support.gateway.com/support/serialharvest/gwCID.CAB (compid Class)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...826/mcfscan.cab (McFreeScan Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/09 19:13:09 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 12:15:24 | 00,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2008/07/21 07:20:07 | 00,027,992 | R--- | M] (magicJack L.P.) - G:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2008/07/21 07:20:07 | 00,016,158 | R--- | M] () - G:\autorun.ico -- [ CDFS ]
O32 - AutoRun File - [2008/07/21 07:20:07 | 00,000,308 | R--- | M] () - G:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2008/07/21 07:20:07 | 00,706,144 | R--- | M] (magicJack L.P.) - G:\autorunu.exe -- [ CDFS ]
O32 - AutoRun File - [2008/06/10 15:12:12 | 00,000,270 | ---- | M] () - L:\autorun.inf -- [ FAT ]
O33 - MountPoints2\{ec2e66fe-5d47-11de-8d29-00167626783f}\Shell\AutoRun\command - "" = K:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\{f6e3718f-e76b-11da-91a6-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{f6e3718f-e76b-11da-91a6-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (52920800314916864)

========== Files/Folders - Created Within 30 Days ==========

[2009/12/20 23:16:21 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner.COMPUTER\Desktop\OTL.exe
[2009/12/19 23:02:34 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2009/12/09 22:47:56 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/12/09 22:16:07 | 00,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/12/09 22:16:07 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/09 22:16:07 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/09 22:16:07 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/09 22:16:07 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/08 22:38:55 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Owner.COMPUTER\Desktop\RootRepeal.exe
[2009/12/08 21:35:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\McAfee.com
[2009/12/04 21:58:23 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/12/04 21:58:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/11/25 08:45:25 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/14 16:29:00 | 00,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddinpa.dll
[2009/04/14 16:29:00 | 00,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddiesc.dll
[2009/04/14 16:29:00 | 00,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDDhcp.dll
[2009/04/14 16:28:59 | 01,232,896 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddserv.dll
[2009/04/14 16:28:59 | 00,999,424 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddusb1.dll
[2009/04/14 16:28:59 | 00,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddprox.dll
[2009/04/14 16:28:58 | 00,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddpmui.dll
[2009/04/14 16:28:58 | 00,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddlmpm.dll
[2009/04/14 16:28:58 | 00,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddpplc.dll
[2009/04/14 16:28:57 | 00,700,416 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddhbn3.dll
[2009/04/14 16:28:55 | 00,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddcomc.dll
[2009/04/14 16:28:55 | 00,425,984 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddcomm.dll
[2009/04/06 15:48:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/08/30 08:24:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/01/06 19:13:46 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2006/09/22 22:21:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2005/01/09 19:19:09 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2005/01/09 19:19:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/20 23:16:31 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.COMPUTER\Desktop\OTL.exe
[2009/12/20 14:54:54 | 02,824,646 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/20 14:54:54 | 01,030,278 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/20 14:54:54 | 00,004,838 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/20 14:52:45 | 00,026,191 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/12/20 14:51:13 | 00,001,055 | ---- | M] () -- C:\Documents and Settings\Owner.COMPUTER\Desktop\magicJack.lnk
[2009/12/20 14:51:09 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/20 14:50:20 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/20 14:50:17 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/20 14:50:14 | 10,627,15392 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/20 14:49:12 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner.COMPUTER\ntuser.ini
[2009/12/20 14:49:11 | 04,718,592 | ---- | M] () -- C:\Documents and Settings\Owner.COMPUTER\ntuser.dat
[2009/12/18 22:01:01 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/12/17 17:46:52 | 00,002,515 | ---- | M] () -- C:\Documents and Settings\Owner.COMPUTER\Desktop\Microsoft Office Word 2007.lnk
[2009/12/14 19:27:00 | 01,581,092 | -H-- | M] () -- C:\Documents and Settings\Owner.COMPUTER\Local Settings\Application Data\IconCache.db
[2009/12/14 16:48:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/12/13 19:37:50 | 00,010,726 | ---- | M] () -- C:\Documents and Settings\Owner.COMPUTER\My Documents\Emily's music sheet.docx
[2009/12/09 22:15:35 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/09 22:15:35 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/09 22:15:35 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/09 22:15:35 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/09 22:15:34 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/12/09 22:07:13 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/08 22:39:25 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Owner.COMPUTER\Desktop\settings.dat
[2009/12/08 22:39:03 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Owner.COMPUTER\Desktop\RootRepeal.exe
[2009/12/08 22:31:22 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Owner.COMPUTER\Desktop\dds.scr
[2009/12/08 22:27:22 | 00,000,693 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/08 22:27:22 | 00,000,282 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/08 22:27:22 | 00,000,209 | RHS- | M] () -- C:\boot.ini
[2009/12/07 20:29:44 | 00,065,340 | ---- | M] () -- C:\Documents and Settings\Owner.COMPUTER\Desktop\system.zip
[2009/12/07 20:29:29 | 01,286,974 | ---- | M] () -- C:\Documents and Settings\Owner.COMPUTER\Desktop\system.nfo
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/02 22:38:16 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Owner.COMPUTER\Local Settings\Application Data\housecall.guid.cache
[2009/12/01 19:29:49 | 00,011,124 | ---- | M] () -- C:\Documents and Settings\Owner.COMPUTER\My Documents\Lazy Chiles Rellenos.docx
[2009/11/28 15:24:55 | 00,000,001 | ---- | M] () -- C:\s
[2009/11/25 08:45:25 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Owner.COMPUTER\Desktop\HijackThis.lnk
[2009/11/21 09:51:42 | 01,206,508 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/11/21 09:51:04 | 00,471,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/13 12:06:04 | 00,010,726 | ---- | C] () -- C:\Documents and Settings\Owner.COMPUTER\My Documents\Emily's music sheet.docx
[2009/12/08 22:39:25 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Owner.COMPUTER\Desktop\settings.dat
[2009/12/08 22:31:13 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Owner.COMPUTER\Desktop\dds.scr
[2009/12/07 20:29:44 | 00,065,340 | ---- | C] () -- C:\Documents and Settings\Owner.COMPUTER\Desktop\system.zip
[2009/12/07 20:27:59 | 01,286,974 | ---- | C] () -- C:\Documents and Settings\Owner.COMPUTER\Desktop\system.nfo
[2009/12/04 22:03:20 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/12/02 22:38:16 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Owner.COMPUTER\Local Settings\Application Data\housecall.guid.cache
[2009/12/01 19:29:48 | 00,011,124 | ---- | C] () -- C:\Documents and Settings\Owner.COMPUTER\My Documents\Lazy Chiles Rellenos.docx
[2009/11/28 15:24:55 | 00,000,001 | ---- | C] () -- C:\s
[2009/11/25 08:45:25 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Owner.COMPUTER\Desktop\HijackThis.lnk
[2009/09/08 21:07:35 | 00,017,889 | ---- | C] () -- C:\Documents and Settings\Owner.COMPUTER\Application Data\unymybaho.dll
[2009/09/08 21:07:35 | 00,015,128 | ---- | C] () -- C:\Documents and Settings\Owner.COMPUTER\Application Data\ymixotec._sy
[2009/09/08 21:07:35 | 00,014,227 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dyqowo.vbs
[2009/09/08 21:07:34 | 00,014,398 | ---- | C] () -- C:\Program Files\Common Files\liky._dl
[2009/09/08 21:07:34 | 00,013,587 | ---- | C] () -- C:\Program Files\Common Files\pupomifo.vbs
[2009/09/08 21:07:34 | 00,011,319 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ywubyjyp.exe
[2009/05/05 21:45:14 | 00,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxdddrs.dll
[2009/05/05 21:45:14 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxddcaps.dll
[2009/05/05 21:45:13 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxddcnv4.dll
[2009/04/16 16:55:11 | 00,344,064 | R--- | C] () -- C:\WINDOWS\System32\lxddcoin.dll
[2009/04/14 16:29:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\LXDDinst.dll
[2009/04/14 16:28:57 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxddgrd.dll
[2009/02/05 10:25:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2008/11/12 21:31:46 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/03/13 16:29:56 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\LXF3PMON.DLL
[2008/03/13 16:29:56 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXF3FXPU.DLL
[2008/03/13 16:29:36 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\lxf3oem.dll
[2008/03/13 16:29:36 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\LXF3PMRC.DLL
[2007/09/16 19:29:33 | 00,000,306 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2007/07/13 15:38:53 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\Insts32K.dll
[2007/06/15 20:20:37 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/02/09 19:19:11 | 00,000,107 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2007/02/09 19:18:58 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\pdfmona.dll
[2007/02/09 19:18:58 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2006/12/17 22:11:19 | 00,000,051 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2006/12/17 22:11:19 | 00,000,040 | ---- | C] () -- C:\WINDOWS\opt_2460.ini
[2006/12/17 22:11:18 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Owner.COMPUTER\Application Data\wklnhst.dat
[2006/10/30 21:57:02 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2006/10/13 13:43:00 | 00,000,098 | ---- | C] () -- C:\WINDOWS\TYPEINST.INI
[2006/10/12 21:49:53 | 00,034,304 | ---- | C] () -- C:\Documents and Settings\Owner.COMPUTER\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/10/12 14:35:54 | 00,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2006/10/12 14:35:54 | 00,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2006/10/12 14:35:54 | 00,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2006/10/12 14:35:12 | 00,000,039 | ---- | C] () -- C:\WINDOWS\Disney.ini
[2006/10/12 13:38:28 | 00,000,729 | ---- | C] () -- C:\WINDOWS\E-REGTLC.INI
[2006/10/12 13:35:49 | 00,000,114 | ---- | C] () -- C:\WINDOWS\TLCAPPS.INI
[2006/10/11 14:27:40 | 00,000,462 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2006/10/02 21:45:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2006/10/02 21:42:14 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2006/10/02 21:39:50 | 00,000,419 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2006/10/02 21:39:50 | 00,000,234 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2006/10/02 21:39:50 | 00,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2006/10/02 21:39:50 | 00,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2006/10/02 21:37:59 | 00,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2006/09/27 12:57:34 | 00,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2006/09/26 20:53:19 | 00,000,321 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\high.txt
[2006/09/22 22:26:38 | 00,000,137 | ---- | C] () -- C:\Documents and Settings\Owner.COMPUTER\Local Settings\Application Data\fusioncache.dat
[2006/05/18 14:08:04 | 00,023,552 | ---- | C] () -- C:\WINDOWS\System32\jesterss.dll
[2006/05/18 13:55:03 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/05/18 12:42:55 | 00,874,240 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys
[2006/05/17 20:47:12 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxddvs.dll
[2005/08/05 23:01:54 | 00,235,008 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2005/08/02 17:19:16 | 00,050,176 | ---- | C] () -- C:\WINDOWS\armcex.dll
[2005/01/12 11:38:00 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/01/09 17:49:16 | 00,001,272 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/01/09 17:49:16 | 00,000,520 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2003/01/07 16:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/04 09:16:34 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[1998/08/16 04:00:00 | 00,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2008/03/19 19:36:38 | 13,413,048 | ---- | M] () -- C:\Google_Earth_BZXV.exe


< MD5 for: AGP440.SYS >
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 08:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/10 13:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2005/10/12 13:07:12 | 00,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys
[2005/10/12 14:07:12 | 00,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\WINDOWS\I386\DRV\SCS\iastor.sys
[2005/10/12 14:07:12 | 00,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys
[2005/10/12 13:08:52 | 00,508,416 | ---- | M] (Intel Corporation) MD5=7C2D98D430DD91570DB63E819B9BC7E0 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys
[2005/10/12 13:07:12 | 00,874,240 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/10 13:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/10 13:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< >
< End of report >



Here's the Extras.txt:
OTL Extras logfile created on: 12/20/2009 11:24:16 PM - Run 1
OTL by OldTimer - Version 3.1.19.0 Folder = C:\Documents and Settings\Owner.COMPUTER\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 509.00 Mb Available Physical Memory | 50.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 293.88 Gb Total Space | 265.61 Gb Free Space | 90.38% Space Free | Partition Type: NTFS
Drive D: | 4.20 Gb Total Space | 2.35 Gb Free Space | 55.91% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 1.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 17.59 Mb Total Space | 17.31 Mb Free Space | 98.39% Space Free | Partition Type: FAT

Computer Name: COMPUTER
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:53 PM

Posted 21 December 2009 - 10:16 AM

bbokie,

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

unite.jpg


#5 bbokie

bbokie
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 21 December 2009 - 04:17 PM

Wow - looks like I won the jackpot of bad news....

I'll try for the cleanup and delete the few items with personal data from the machine and hope for the best.

Thanks!

Here's the combofix log:


ComboFix 09-12-20.08 - Owner 12/21/2009 14:41:12.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.568 [GMT -6:00]
Running from: c:\documents and settings\Owner.COMPUTER\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\dyqowo.vbs
c:\documents and settings\Owner.COMPUTER\Local Settings\Temporary Internet Files\capiga.dat
c:\program files\Common Files\pupomifo.vbs
c:\recycler\S-1-5-21-1612497004-3432354713-3807810240-500
C:\s
C:\test.txt
c:\windows\kb913800.exe
c:\windows\namodos.reg
c:\windows\ubojygudyh._sy
D:\Autorun.inf

c:\windows\system32\DRIVERS\IASTOR.SYS . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-21 20:58 . 2009-08-01 16:16 6256600 ---ha-w- c:\documents and settings\Owner.COMPUTER\Application Data\mjusbsp\in00000\setup.exe
2009-12-21 20:57 . 2009-08-01 16:12 728600 ---ha-w- c:\documents and settings\Owner.COMPUTER\Application Data\mjusbsp\ar00000\install.exe
2009-12-21 07:17 . 2009-12-21 07:17 -------- d-----w- c:\documents and settings\Owner.COMPUTER\Local Settings\Application Data\Mozilla
2009-12-20 05:02 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-10 04:16 . 2009-12-10 04:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-10 04:15 . 2009-12-10 04:15 152576 ----a-w- c:\documents and settings\Owner.COMPUTER\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-10 04:14 . 2009-12-10 04:14 79488 ----a-w- c:\documents and settings\Owner.COMPUTER\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-09 03:35 . 2009-12-09 03:35 -------- d-----w- c:\windows\McAfee.com
2009-12-05 03:58 . 2009-12-05 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-05 03:58 . 2009-12-05 03:58 -------- d-----w- c:\program files\Lavasoft
2009-11-25 14:45 . 2009-11-25 14:45 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 20:58 . 2009-08-15 21:42 -------- d-----w- c:\documents and settings\Owner.COMPUTER\Application Data\mjusbsp
2009-12-21 14:52 . 2009-11-11 14:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-21 07:40 . 2009-11-11 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-21 07:18 . 2008-03-09 02:43 -------- d-----w- c:\documents and settings\Owner.COMPUTER\Application Data\Move Networks
2009-12-15 01:02 . 2009-11-17 03:07 117760 ----a-w- c:\documents and settings\Owner.COMPUTER\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-12 23:05 . 2009-09-09 05:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 23:05 . 2009-11-11 02:23 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-10 04:15 . 2006-05-18 20:01 -------- d-----w- c:\program files\Java
2009-12-03 22:14 . 2009-09-09 05:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-09-09 05:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 21:39 . 2009-06-20 03:13 -------- d-----w- c:\program files\TomTom HOME 2
2009-11-21 15:51 . 2005-01-09 23:47 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-19 14:20 . 2008-05-06 04:22 -------- d-----w- c:\program files\McAfee
2009-11-18 03:10 . 2006-05-18 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-17 03:06 . 2009-11-17 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-17 03:06 . 2009-11-17 03:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-17 03:06 . 2009-11-17 03:06 -------- d-----w- c:\documents and settings\Owner.COMPUTER\Application Data\SUPERAntiSpyware.com
2009-11-17 03:06 . 2009-11-17 03:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-17 02:10 . 2009-11-17 02:09 -------- d-----w- c:\program files\CCleaner
2009-11-14 19:21 . 2009-11-14 19:21 143976 ----a-w- c:\documents and settings\Owner.COMPUTER\Application Data\Move Networks\uninstall.exe
2009-11-14 19:21 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Owner.COMPUTER\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-11-14 19:21 . 2009-11-14 19:21 1794456 ----a-w- c:\documents and settings\Owner.COMPUTER\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2009-11-10 20:59 . 2006-10-13 19:50 16 ----a-w- c:\windows\popcinfo.dat
2009-10-29 07:46 . 2005-01-09 23:48 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2005-01-09 23:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2005-01-09 23:47 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2005-01-09 23:48 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-01-09 23:48 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\Owner.COMPUTER\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-13 10:30 . 2005-01-09 23:48 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-01-09 23:48 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-01-09 23:48 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-30 18:11 . 2009-11-18 03:12 288096 ----a-r- c:\documents and settings\Owner.COMPUTER\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-09-09 03:07 . 2009-09-09 03:07 14398 ----a-w- c:\program files\Common Files\liky._dl
.

------- Sigcheck -------

[-] 2006-10-19 03:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2005-08-04 09:29 . B9715B9C18BC6C8F4B66733D208CC9F7 . 25088 . . [10.0.3790.4332] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2005-08-04 09:29 . B9715B9C18BC6C8F4B66733D208CC9F7 . 25088 . . [10.0.3790.4332] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[7] 2004-08-10 19:00 . 6EAA72FD9EF993EC1FA9A06DE65105DA . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-06-03 251240]
"cdloader"="c:\documents and settings\Owner.COMPUTER\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-11 2001648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-01-15 8744960]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 312240]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-10 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Owner.COMPUTER\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\lxddcoms.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\Documents and Settings\\Owner.COMPUTER\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [6/3/2009 6:46 AM 92008]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
mWindow Title = Microsoft Internet Explorer
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/msk/en-us/msk7/default.asp?affid=370-16
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Owner.COMPUTER\Application Data\Mozilla\Firefox\Profiles\mr0hotgt.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\documents and settings\Owner.COMPUTER\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SigmatelSysTrayApp - sttray.exe
AddRemove-M928366 - c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-21 15:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F1E50C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76b2f28
\Driver\ACPI -> ACPI.sys @ 0xf74c5cb8
\Driver\atapi -> atapi.sys @ 0xf7324852
\Driver\iaStor -> IASTOR.SYS @ 0xf738db58
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7230bb0
PacketIndicateHandler -> NDIS.sys @ 0xf723da21
SendHandler -> NDIS.sys @ 0xf721b87b
user & kernel MBR OK
copy of MBR has been found in sector 59 !
copy of MBR has been found in sector 0x02542D6C1
malicious code @ sector 0x02542D6C4 !
PE file found in sector at 0x02542D6DA !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1833223591-1423567300-862232233-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(964)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3500)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxddcoms.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\windows\ARPWRMSG.EXE
c:\windows\eHome\ehmsas.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-12-21 15:12:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-21 21:12

Pre-Run: 285,137,154,048 bytes free
Post-Run: 285,258,399,744 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 76A94D5AE7DA2D2F3FA17B0E673559BE

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:53 PM

Posted 21 December 2009 - 05:08 PM

Please do the following.

  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.

cmd /c copy /v C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys C:\iaStor.sys

  • The command prompt should pop up and say 1 file(s) copied.
Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\iaStor.sys | C:\WINDOWS\system32\drivers\iaStor.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

unite.jpg


#7 bbokie

bbokie
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 21 December 2009 - 10:12 PM

Completed, although I got the same warning box that popped up earlier: "Windows-no disk Exception processing message C0000013 Parameters 75b6bf76 47s...."

Here is the log avenger produced



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\iaStor.sys" not found!
File move operation "C:\iaStor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:53 PM

Posted 22 December 2009 - 04:41 PM

Please do this next step and let me know if it says 1 file(s) copied.
  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.

cmd /k copy /v C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys C:\iaStor.sys

  • The command prompt should pop up and say 1 file(s) copied.

unite.jpg


#9 bbokie

bbokie
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 22 December 2009 - 06:14 PM

tried and it says "systen cannot find the specified file"

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:53 PM

Posted 22 December 2009 - 08:15 PM

Sorry that's my fault, try this instead, if it say's 1 file(s) copied run the avenger steps here, again.

cmd /k copy /v "C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys" C:\iaStor.sys

unite.jpg


#11 bbokie

bbokie
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 22 December 2009 - 08:53 PM

the file copied and avenger ran fine this time. Still got the "Windows No Disk exception processing...." message.




Here's the log:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\iaStor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:53 PM

Posted 22 December 2009 - 09:05 PM

No need to worry about the error message, please do this next.
  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.

cmd /c mbr -t& start mbr.log

  • A file called mbr.log will pop up please post it in your reply.

unite.jpg


#13 bbokie

bbokie
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 22 December 2009 - 09:12 PM

Here it is:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F6650C]<<
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 59 !
copy of MBR has been found in sector 0x02542D6C1
malicious code @ sector 0x02542D6C4 !
PE file found in sector at 0x02542D6DA !

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:53 PM

Posted 22 December 2009 - 09:29 PM

It's still there so let's try this scanner.

Please download Hitman Pro 3.5 and save it to your Desktop.

Double click HitmanPro35.exe and select run.
Click Next then accept the licence agreement and click Next again.
Hitman Pro will now scan your computer.
If it finds anything in the scan results click Next.
You will then be asked for product activation, select Activate free licence then ok.
Click Next and if asked to delete on reboot, click Next again then Reboot.

unite.jpg


#15 bbokie

bbokie
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 22 December 2009 - 09:40 PM

It didn't come up with anything.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users