Browser Hijacked following e.exe attack


This topic is locked
25 replies to this topic

#1 Mark_B

Posted 13 December 2009 - 02:36 PM

My browser has been hijacked for 4 days now, since I was online and an e.exe process started attacking the system. I closed this down in the task manager, which caused a blue screen crash. Since then the browser has been redirecting web search links to other browsers and advertising sites. I've tried using Spybot, PC Guard, AVG, Avira and Adaware to fix, all to no avail. I've just performed the DDS log checks, but there's a problem with RootRepeal. I downloaded it from this site and ran it as instructed, when it seemed to hang for about 15 minutes, after which I decided to shut it down and try again. But since doing this, it comes up with errors when I try to launch it and attempting to scan with it causes it to crash now. I can't uninstall it, and I can't copy over it with a new version as it says I don't have admin privileges to do so. Anyway, here's the DDS logs, any help is much appreciated.


DDS (Ver_09-12-01.01) - NTFSx86
Run by User at 18:33:44.93 on 13/12/2009
Internet Explorer: 8.0.6001.18865
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.837 [GMT 0:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: AntispywareBot *enabled* (Updated) {01D8CE9F-753F-42E4-8AB9-EE0A6A48049E}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\ehome\ehtray.exe
C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\User\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = Preserve
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [EPSON Stylus DX9400F Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticfe.exe /fu "c:\windows\temp\E_SD673.tmp" /EF "HKCU"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\user\appdata\roaming\dropbox\bin\Dropbox.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-11 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-10 207792]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-11 11608]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2007-12-11 15360]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-11 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-11 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-11 56816]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-12-10 112592]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-1-4 809296]
R3 RTL8187;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [2007-12-11 216064]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1184912]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-27 25832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-18 21504]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-10 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-10 1141712]

=============== Created Last 30 ================

2009-12-11 13:00:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-11 10:48:53 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-11 10:48:50 0 d-----w- c:\programdata\Avira
2009-12-11 10:48:50 0 d-----w- c:\program files\Avira
2009-12-11 10:43:59 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-11 10:43:15 0 dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-11 10:42:48 0 d-----w- c:\programdata\Lavasoft
2009-12-11 10:42:48 0 d-----w- c:\program files\Lavasoft
2009-12-10 22:56:09 0 d-----w- c:\programdata\WindowsSearch
2009-12-10 20:21:16 883 ----a-w- c:\windows\RegSDImport.xml
2009-12-10 20:21:16 880 ----a-w- c:\windows\RegISSImport.xml
2009-12-10 20:21:16 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-10 20:21:16 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-10 20:21:16 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-10 20:21:16 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-10 20:21:16 131 ----a-w- c:\windows\IDB.zip
2009-12-10 20:21:16 1152444 ----a-w- c:\windows\UDB.zip
2009-12-10 20:16:45 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-12-10 20:16:45 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-10 20:16:45 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-10 20:16:32 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-10 20:16:32 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-10 20:16:32 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-12-10 20:16:32 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-10 20:16:20 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-12-10 20:16:20 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-10 20:16:17 0 d-----w- c:\users\user\appdata\roaming\PC Tools
2009-12-10 20:16:17 0 d-----w- c:\programdata\PC Tools
2009-12-10 20:16:17 0 d-----w- c:\program files\Spyware Doctor
2009-12-10 20:16:17 0 d-----w- c:\program files\common files\PC Tools
2009-12-10 19:59:36 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-10 18:10:46 0 d-----w- c:\program files\AVG
2009-12-10 15:37:06 60092 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-10 15:36:58 4406560 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-10 15:34:36 36 ----a-w- c:\windows\system32\????????????????????????????????????g
2009-12-10 15:10:55 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-10 15:10:55 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-10 15:10:55 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-04 21:08:31 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-11-27 15:15:40 0 d-----w- c:\programdata\BioWare
2009-11-27 15:13:24 0 d-----w- c:\windows\system32\AGEIA
2009-11-27 15:13:10 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-27 14:57:31 0 d-----w- c:\program files\Dragon Age
2009-11-27 14:57:31 0 d-----w- c:\program files\common files\BioWare
2009-11-25 13:41:10 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 09:22:16 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 09:22:16 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-25 09:22:14 714240 ----a-w- c:\windows\system32\timedate.cpl
2009-11-23 12:59:39 202 ----a-w- c:\windows\wininit.ini
2009-11-23 12:24:03 0 d-----w- c:\windows\system32\lowsec
2009-11-18 09:11:24 0 d-----w- c:\program files\Windows Portable Devices
2009-11-18 09:11:04 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-17 18:06:48 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-11-17 18:05:16 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-11-17 18:05:16 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-11-17 18:05:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll

==================== Find3M ====================

2009-12-10 15:34:04 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-10 15:34:04 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-10 15:34:04 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-10 14:30:10 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-18 09:11:20 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-06 10:59:54 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 10:59:54 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-02 20:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-02 18:05:36 167064 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-02 18:05:34 71832 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-10-20 18:41:34 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-10-07 11:36:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2008-08-02 13:28:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:36:39.62 ============

I've attached the crash logs from RootRepeal

Edited by Mark_B, 13 December 2009 - 04:05 PM.
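The two file listings in the DDS log above ("Created Last 30" and "Find3M") are the part a helper actually reads, and they are easy to skim past. The following is an added example for this thread, not part of the original post and not DDS's own logic: a small parser for those lines plus three review rules a practitioner would apply before asking for hashes. The sample input is a constructed subset of lines copied from the log; the meaning of the attribute columns (d/c/s/h/a/r/w/- in that order) and the review rules themselves are this example's assumptions.

```python
"""Triage pass over the file listings in a DDS log ("Created Last 30" and
"Find3M" sections). Added example for this thread, not part of DDS or of
the original post. Assumptions: the 8-character attribute field is read
as d/c/s/h/a/r/w/- in that order (index 2 == 's' System, index 3 == 'h'
Hidden); the review rules and the 30-day driver window are this example's
own choices, and a hit means "look at this", not "this is malware"."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample: a subset of lines copied from the DDS log in post #1.
SAMPLE_LINES = r"""
2009-12-11 13:00:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-11 10:43:15 0 dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-10 15:37:06 60092 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-10 15:34:36 36 ----a-w- c:\windows\system32\????????????????????????????????????g
2009-12-10 15:10:55 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-10 14:30:10 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-23 12:24:03 0 d-----w- c:\windows\system32\lowsec
2008-08-02 13:28:21 174 --sha-w- c:\program files\desktop.ini
"""
# Time DDS was run, from the log header ("Run by User at 18:33:44.93 on 13/12/2009").
SCAN_TIME = datetime(2009, 12, 13, 18, 33, 44)

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")


@dataclass
class Entry:
    mtime: datetime
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_system(self) -> bool:
        return self.attrs[2] == "s"   # assumed column meaning, see docstring

    @property
    def is_hidden(self) -> bool:
        return self.attrs[3] == "h"   # assumed column meaning, see docstring


def parse_dds_listing(text: str) -> List[Entry]:
    """Return one Entry per file line; headers, blanks and other noise are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        when, size, attrs, path = m.groups()
        entries.append(Entry(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                             int(size), attrs, path.lower()))
    return entries


def triage(entries: List[Entry], scan_time: datetime,
           driver_window_days: int = 30) -> List[Tuple[str, List[str]]]:
    """Apply the review rules; returns (path, [reasons]) for every entry that hit."""
    findings = []
    for e in entries:
        reasons = []
        if (not e.is_dir and e.is_hidden and e.is_system
                and "\\windows\\" in e.path):
            reasons.append("hidden+system file under the Windows directory")
        if (not e.is_dir and "\\system32\\drivers\\" in e.path
                and e.path.endswith(".sys")
                and scan_time - e.mtime <= timedelta(days=driver_window_days)):
            reasons.append(f"kernel driver written within the last {driver_window_days} days")
        if "?" in e.path:
            # '?' is not legal in a Windows file name, so DDS could not render the real one.
            reasons.append("file name could not be rendered by the tool")
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_dds_listing(SAMPLE_LINES), SCAN_TIME):
        print(path)
        for r in reasons:
            print("   -", r)
```

A hit is a prompt to check the file's owner and signature, not a verdict: legitimately installed security tools also drop hidden+system files under system32, and Windows Update rewrites drivers, so the same date can cover a patch and a tampered file. Narrowing driver_window_days to the days around the incident (the e.exe event was four days before the scan) cuts the list down to what is worth hashing first.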



#2 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 14 December 2009 - 09:04 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT




  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
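The /md5start ... /md5stop block in the OTL custom scan above asks the tool to print MD5 hashes of the named files so the helper can compare them against known-good values. The following is an added example, not OTL's code and not from the post, showing how that comparison works end to end: build a hash manifest from a clean reference tree, build one from the live tree, and diff the two by relative path. The clean tree, the watchlist subset, and the three tampering cases in demo() are constructed for the example; that a clean reference tree with the same layout is available (install media, a trusted twin machine, or a manifest saved before the incident) is the example's assumption.

```python
"""Hash-manifest check in the spirit of OTL's /md5start ... /md5stop list
above. Added example for this thread; it is not OTL's code and OTL's own
comparison logic is not documented here. Assumption: you have a clean
reference tree with the same layout as the live system (install media,
a trusted twin machine, or a manifest saved before the incident). MD5 is
used because that is what OTL reports; it is enough to notice that a file
changed, but do not rely on it against an attacker who can craft collisions."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

# Names taken from the /md5start block in the post (a subset).
WATCHLIST = ["eventlog.dll", "scecli.dll", "netlogon.dll",
             "atapi.sys", "iaStor.sys", "nvstor.sys"]


def md5_of(path: str, chunk: int = 1 << 16) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str, names: Iterable[str]) -> Dict[str, str]:
    """Map root-relative path -> MD5 for every watched file found under root.
    Keyed by relative path so the same name in two locations stays distinct."""
    wanted = {n.lower() for n in names}
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                full = os.path.join(dirpath, fn)
                manifest[os.path.relpath(full, root).lower()] = md5_of(full)
    return manifest


def compare(baseline: Dict[str, str], live: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two manifests: changed hashes, files gone, and copies the baseline never had."""
    report = {"changed": [], "missing": [], "unexpected": []}
    for rel, digest in sorted(baseline.items()):
        if rel not in live:
            report["missing"].append(rel)
        elif live[rel] != digest:
            report["changed"].append(rel)
    report["unexpected"] = sorted(rel for rel in live if rel not in baseline)
    return report


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean tree and a live tree that differ in three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        originals = {
            os.path.join("system32", "drivers", "atapi.sys"): b"clean atapi.sys bytes",
            os.path.join("system32", "eventlog.dll"): b"clean eventlog.dll bytes",
            os.path.join("system32", "netlogon.dll"): b"clean netlogon.dll bytes",
            os.path.join("system32", "config.ini"): b"not on the watchlist",
        }
        for root in (clean, live):
            for rel, data in originals.items():
                _write(os.path.join(root, rel), data)
        # 1) a watched driver whose bytes differ from the reference copy
        _write(os.path.join(live, "system32", "drivers", "atapi.sys"), b"modified bytes")
        # 2) a watched DLL that is absent from the live system
        os.remove(os.path.join(live, "system32", "netlogon.dll"))
        # 3) a second copy of a watched name in a location the baseline never had
        _write(os.path.join(live, "system32", "dllcache", "atapi.sys"), b"clean atapi.sys bytes")
        return compare(build_manifest(clean, WATCHLIST), build_manifest(live, WATCHLIST))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A hash only tells you that a file differs from the reference, not why. The DDS log in post #1 shows atapi.sys dated 2009-12-10, which is consistent with either an update or tampering, so a "changed" hit is the point to check the file's Authenticode signature and version against the update history rather than the point to delete it. The "unexpected" bucket matters just as much: a second copy of a core driver name in a directory the baseline never had is worth the same scrutiny as a changed one.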


========================================================

#3 Buckeye_Sam (Malware Expert)

Posted 24 December 2009 - 08:52 AM

As there has been no response, this topic will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this topic in your request.


========================================================

#4 Buckeye_Sam (Malware Expert)

Posted 26 December 2009 - 07:27 PM

Topic reopened.


========================================================

#5 Mark_B (Topic Starter)

Posted 27 December 2009 - 05:32 AM

Hi Sam,

Thanks for getting back to me so quickly on this. OTL logs are below (I did get an error message while running the OTL scan, saying there was no disk in drive 3, but I was able to continue the scan by pressing "Try Again"). When I ran gmer the program shut down about a minute into the scan, and when I tried to reopen gmer I got a blue screen crash, though hidden desktop.ini files have appeared on the desktop and throughout my folders. Incidentally, since my original post I've tried a few other things, including Malwarebytes, which picked up backdoorbot on this PC.

OTL logfile created on: 27/12/2009 09:53:46 - Run 1
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Users\User\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18865)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 445.76 Gb Total Space | 266.98 Gb Free Space | 59.89% Space Free | Partition Type: NTFS
Drive D: | 7.67 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KOMODO-PC
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/27 09:51:56 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
PRC - [2009/11/21 06:42:38 | 00,638,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/10/28 20:21:26 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/08/28 03:27:42 | 26,784,939 | ---- | M] () -- C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/07/16 12:20:16 | 25,604,904 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe
PRC - [2009/07/16 12:20:16 | 00,077,360 | R--- | M] (Skype Technologies) -- C:\Program Files\Skype\Plugin Manager\skypePM.exe
PRC - [2009/05/29 12:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/27 12:20:30 | 02,303,216 | ---- | M] (Virgin Broadband) -- C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
PRC - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/04/11 06:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/02 12:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/07/07 09:42:02 | 00,809,296 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/01/19 07:33:40 | 00,142,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\WUDFHost.exe
PRC - [2007/12/15 13:49:48 | 01,261,568 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2007/12/15 13:49:47 | 00,086,016 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEADISRV.EXE
PRC - [2007/04/03 10:30:56 | 00,995,328 | ---- | M] (AzureWave.com) -- C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
PRC - [2007/02/16 18:49:50 | 00,411,168 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2006/11/21 17:08:58 | 00,813,912 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe


========== Modules (SafeList) ==========

MOD - [2009/12/27 09:51:56 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
MOD - [2009/04/11 06:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/09/25 01:27:04 | 00,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/08/29 14:29:12 | 00,316,664 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/07/26 06:43:14 | 00,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- C:\Program Files\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/29 12:41:26 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Disabled | Stopped] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/07/07 09:42:02 | 00,809,296 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/03/06 18:09:20 | 00,066,872 | ---- | M] () [Disabled | Stopped] -- C:\Windows\System32\PnkBstrA.exe -- (PnkBstrA)
SRV - [2008/01/19 07:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/15 13:49:47 | 00,086,016 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEADISRV.EXE -- (AEADIFilters)
SRV - [2007/02/16 18:49:50 | 00,411,168 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2006/11/02 12:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\ehome\ehstart.dll -- (ehstart)
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 04:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-590085791-1565443666-2831366945-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-590085791-1565443666-2831366945-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-590085791-1565443666-2831366945-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-21-590085791-1565443666-2831366945-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9C 83 C5 B4 07 7C CA 01 [binary data]
IE - HKU\S-1-5-21-590085791-1565443666-2831366945-1000\S-1-5-21-590085791-1565443666-2831366945-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-590085791-1565443666-2831366945-1000\S-1-5-21-590085791-1565443666-2831366945-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: (362894 bytes) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 12473 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-590085791-1565443666-2831366945-1000\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-590085791-1565443666-2831366945-1000\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Broadbandadvisor.exe] C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe (Virgin Broadband)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-590085791-1565443666-2831366945-1000..\Run: [EPSON Stylus DX9400F Series] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATICFE.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-590085791-1565443666-2831366945-1000..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
O4 - Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-590085791-1565443666-2831366945-1000\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/5/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - C:\Windows\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 21:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/07/16 22:13:07 | 01,246,440 | R--- | M] (BioWare) - D:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2009/04/14 03:17:18 | 00,000,058 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{2f930dfd-a70d-11dc-8e18-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{2f930dfd-a70d-11dc-8e18-806e6f6e6963}\Shell\AutoRun\command - "" = D:\autorun.exe -- [2009/07/16 22:13:07 | 01,246,440 | R--- | M] (BioWare)
O33 - MountPoints2\{b157767a-ae60-11dc-ab62-001d603908b1}\Shell\AutoRun\command - "" = G:\.\_autorun\autorun_win.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/08/02 13:22:01 | 00,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 14 Days ==========

[2009/12/27 09:51:50 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
[2009/12/26 16:20:52 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/12/15 14:01:26 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2009/12/15 14:01:15 | 00,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\SUPERAntiSpyware.com
[2009/12/15 14:01:15 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/12/15 12:31:25 | 00,028,552 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\pavboot.sys
[2009/12/15 12:31:24 | 00,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2009/12/15 10:06:11 | 00,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Malwarebytes
[2009/12/15 10:06:07 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/15 10:06:06 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/12/15 10:06:05 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/15 10:06:05 | 00,000,000 | ---D | C] -- C:\Program Files\123
[2009/12/13 18:49:09 | 00,472,064 | ---- | C] ( ) -- C:\Users\User\Desktop\RootRepeal.exe

========== Files - Modified Within 14 Days ==========

[2009/12/27 09:52:18 | 06,291,456 | -HS- | M] () -- C:\Users\User\ntuser.dat
[2009/12/27 09:51:56 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
[2009/12/27 09:37:08 | 00,000,250 | ---- | M] () -- C:\Windows\tasks\RtlVistaStart.job
[2009/12/27 09:37:07 | 00,005,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/12/27 09:37:07 | 00,005,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/12/27 09:37:06 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/12/27 09:36:59 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/12/27 09:36:53 | 21,465,57952 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/27 00:38:18 | 00,524,288 | -HS- | M] () -- C:\Users\User\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms
[2009/12/27 00:38:18 | 00,065,536 | -HS- | M] () -- C:\Users\User\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2009/12/26 17:27:24 | 02,772,931 | -H-- | M] () -- C:\Users\User\AppData\Local\IconCache.db
[2009/12/26 12:11:13 | 00,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{D283DB90-0219-4A90-A316-2402C541DF92}.job
[2009/12/16 08:27:50 | 06,084,949 | ---- | M] () -- C:\Users\User\Desktop\Counters_&_Character_Sheets.rar
[2009/12/16 08:25:07 | 07,228,210 | ---- | M] () -- C:\Users\User\Desktop\Playtesters.rar
[2009/12/15 10:06:10 | 00,000,697 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/14 08:49:58 | 00,707,452 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/12/14 08:49:58 | 00,611,174 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/12/14 08:49:58 | 00,109,982 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/12/13 19:16:14 | 00,139,621 | ---- | M] () -- C:\Users\User\Desktop\RootRepeal.dmp
[2009/12/13 18:49:15 | 00,472,064 | ---- | M] ( ) -- C:\Users\User\Desktop\RootRepeal.exe
[2009/12/13 18:32:16 | 00,524,288 | ---- | M] () -- C:\Users\User\Desktop\dds.scr
[2009/12/13 14:03:34 | 00,056,816 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys

========== Files Created - No Company Name ==========

[2009/12/16 08:27:49 | 06,084,949 | ---- | C] () -- C:\Users\User\Desktop\Counters_&_Character_Sheets.rar
[2009/12/15 16:44:34 | 21,465,57952 | -HS- | C] () -- C:\hiberfil.sys
[2009/12/15 10:06:10 | 00,000,697 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/13 19:16:10 | 00,139,621 | ---- | C] () -- C:\Users\User\Desktop\RootRepeal.dmp
[2009/12/13 18:32:08 | 00,524,288 | ---- | C] () -- C:\Users\User\Desktop\dds.scr
[2009/11/23 12:59:39 | 00,000,202 | ---- | C] () -- C:\Windows\wininit.ini
[2009/11/06 10:58:04 | 00,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/10/20 17:43:32 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/05/06 18:02:00 | 00,000,092 | ---- | C] () -- C:\Users\User\AppData\Local\fusioncache.dat
[2008/10/07 09:13:30 | 00,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2008/03/06 18:09:38 | 00,022,328 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2008/03/06 18:09:38 | 00,022,328 | ---- | C] () -- C:\Users\User\AppData\Roaming\PnkBstrK.sys
[2008/01/10 19:35:52 | 00,000,023 | ---- | C] () -- C:\Windows\BlendSettings.ini
[2008/01/10 18:30:39 | 00,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/12/18 19:46:58 | 00,663,552 | ---- | C] () -- C:\Windows\System32\libeay32_1-1-0_DDR.dll
[2007/12/18 19:46:58 | 00,532,594 | ---- | C] () -- C:\Windows\System32\xerces-c_1_40_0_DDR.dll
[2007/12/18 19:46:58 | 00,307,329 | ---- | C] () -- C:\Windows\System32\BJBase_2-2-2_DDR.dll
[2007/12/18 19:46:58 | 00,159,744 | ---- | C] () -- C:\Windows\System32\ssleay32_1-1-0_DDR.dll
[2007/12/18 19:46:57 | 00,524,377 | ---- | C] () -- C:\Windows\System32\stlport_4_0_0_DDR.dll
[2007/12/18 19:12:04 | 00,000,319 | ---- | C] () -- C:\Windows\game.ini
[2007/12/17 22:03:25 | 00,003,584 | ---- | C] () -- C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/12/17 13:31:32 | 00,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2007/12/11 16:19:53 | 00,003,972 | ---- | C] () -- C:\Windows\System32\drivers\PciBus.sys
[2007/12/11 15:09:03 | 00,007,680 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
[2007/12/11 15:09:01 | 00,015,123 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2007/12/11 15:08:52 | 00,010,288 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS
[2007/12/10 11:55:51 | 00,001,356 | ---- | C] () -- C:\Users\User\AppData\Local\d3d9caps.dat
[2006/11/02 12:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 07:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2003/01/07 07:05:08 | 00,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI
[1997/09/30 14:30:02 | 00,122,880 | ---- | C] () -- C:\Windows\System32\lfkodak.dll

========== LOP Check ==========

[2008/03/07 13:34:42 | 00,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Alfac
[2008/05/30 14:55:20 | 00,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Bioshock
[2009/12/27 09:37:12 | 00,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Dropbox
[2008/08/03 14:25:01 | 00,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\My Games
[2009/05/06 18:45:32 | 00,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Turbine
[2009/12/10 17:52:28 | 00,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Virgin Broadband
[2009/12/27 09:37:08 | 00,000,250 | ---- | M] () -- C:\Windows\Tasks\RtlVistaStart.job
[2009/12/27 00:38:36 | 00,032,646 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2009/12/26 12:11:13 | 00,000,416 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{D283DB90-0219-4A90-A316-2402C541DF92}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/19 07:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/19 07:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/19 07:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/19 07:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 09:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys
[2006/11/02 09:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/12/20 22:07:42 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 06:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 06:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/19 07:41:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/19 07:41:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 09:49:36 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008/02/14 18:41:39 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2008/02/14 18:41:39 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2008/02/14 18:41:39 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 09:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 09:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2008/01/19 07:42:51 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/19 07:42:51 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 09:51:25 | 00,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 09:51:25 | 00,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2006/11/02 09:46:11 | 00,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
[2009/04/11 06:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009/04/11 06:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/19 07:35:36 | 00,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 09:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2006/11/02 09:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/19 07:42:09 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/19 07:42:09 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/19 07:36:19 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2006/11/02 09:46:12 | 00,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll
[2009/04/11 06:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009/04/11 06:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

========== Files - Unicode (All) ==========
[2009/12/10 15:34:36 | 00,000,036 | ---- | M] ()(C:\Windows\System32\????????????????????????????????????g) -- C:\Windows\System32\㩃停潲牧浡䘠汩獥噜物楧牂慯扤湡層䍐畧牡層慓敦潃湮捥屴潃普杩塜楖睥挮湯楦g
[2009/12/10 15:34:36 | 00,000,036 | ---- | C] ()(C:\Windows\System32\????????????????????????????????????g) -- C:\Windows\System32\㩃停潲牧浡䘠汩獥噜物楧牂慯扤湡層䍐畧牡層慓敦潃湮捥屴潃普杩塜楖睥挮湯楦g

========== Alternate Data Streams ==========

@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:8C35AEA7
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:DFC5A2B2
< End of report >

OTL Extras logfile created on: 27/12/2009 09:53:46 - Run 1
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Users\User\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18865)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 445.76 Gb Total Space | 266.98 Gb Free Space | 59.89% Space Free | Partition Type: NTFS
Drive D: | 7.67 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KOMODO-PC
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SystemRoot%\hh.exe" %1
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SystemRoot%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-590085791-1565443666-2831366945-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00E2DA3C-7119-4E7B-A83A-72AC04C58931}" = protocol=17 | dir=in | app=c:\program files\electronic arts\crytek\crysis\bin32\crysis.exe |
"{0C3241F9-04DF-4856-9B37-F7583468E2A1}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{18C071D8-7FAE-41E5-BD61-A73DF66C92D0}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{19D7E50B-8201-4F89-9165-A0D0DEC1F859}" = protocol=6 | dir=in | app=c:\program files\sierra entertainment\world in conflict\wic.exe |
"{1ADEEB78-7A83-460B-B600-26D0BC31A634}" = protocol=6 | dir=in | app=c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\warlords\civ4warlords.exe |
"{1F69C7FE-0E59-4233-AF94-365E99C6FB8D}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{20F00CB9-BB16-4523-ACD0-B17C20AC7F55}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{2684FDD5-CEE7-47CD-80E8-E57D5CD59542}" = protocol=17 | dir=in | app=c:\program files\sierra entertainment\world in conflict\wic_online.exe |
"{37D8B980-4DB2-49E3-8B0F-73DD3796F81F}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{3997DA21-FBCB-4695-A665-9D479142973C}" = protocol=17 | dir=in | app=c:\program files\dragon age\bin_ship\daupdatersvc.service.exe |
"{3EE61733-D81F-4C34-8127-6FCECBE9A808}" = protocol=17 | dir=in | app=c:\program files\electronic arts\crytek\crysis\bin32\crysisdedicatedserver.exe |
"{493049E4-9EC3-4E57-844B-B741F46C23D7}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\call of duty modern warfare 2\iw4sp.exe |
"{4F123EF5-5602-4154-B5A0-34E592684AE7}" = protocol=6 | dir=in | app=c:\program files\dragon age\bin_ship\daorigins.exe |
"{529CA1D8-8D37-4A50-A2B3-F0DFF40C20FF}" = protocol=6 | dir=in | app=c:\program files\electronic arts\crytek\crysis\bin32\crysisdedicatedserver.exe |
"{56592B14-FF1F-4F62-9839-BD009CE670EB}" = protocol=17 | dir=in | app=c:\program files\thq\s.t.a.l.k.e.r. - shadow of chernobyl\bin\dedicated\xr_3da.exe |
"{61BC60B9-8EDD-470B-BC8D-5F9097DCF97D}" = protocol=17 | dir=in | app=c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\civilization4.exe |
"{68252002-42D1-44B3-B967-5DFA9CFA7A34}" = protocol=17 | dir=in | app=c:\program files\sierra entertainment\world in conflict\wic_ds.exe |
"{6B9B8B33-30D0-4BD3-8112-1DBEF4949936}" = protocol=6 | dir=in | app=c:\program files\sierra entertainment\world in conflict\wic_online.exe |
"{7366DBFF-5618-470B-82C8-AFCEEBD30308}" = protocol=17 | dir=in | app=c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\warlords\civ4warlords.exe |
"{7455065D-C924-4E49-8D21-37069647AE44}" = protocol=17 | dir=in | app=c:\program files\dragon age\bin_ship\daorigins.exe |
"{75087D16-195E-4ADF-AAF9-D261A8CC1A59}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{7690FA6E-6370-4048-B3BD-2F0A3B1A0FD3}" = protocol=6 | dir=in | app=c:\program files\sierra entertainment\world in conflict\wic_ds.exe |
"{7A674BE8-3079-4B35-8985-4C6E9E16A0AC}" = protocol=17 | dir=in | app=c:\program files\thq\s.t.a.l.k.e.r. - shadow of chernobyl\bin\xr_3da.exe |
"{855599F6-AF15-4C86-9B13-29600541A071}" = protocol=6 | dir=in | app=c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\beyond the sword\civ4beyondsword.exe |
"{8BBB5973-DFFE-4F23-8A05-12C0DBC6D8E7}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{8F33BF35-9FEB-4A7A-835C-FE2B763ED6E0}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{91583AAD-5B44-4647-9C24-BC466F2C8E25}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{92DB7F81-508D-4061-9F19-06266BC24D9D}" = protocol=17 | dir=in | app=c:\program files\dragon age\daoriginslauncher.exe |
"{9BF4949D-9CF6-4263-A7D9-07A2B4BAAE99}" = protocol=6 | dir=in | app=c:\program files\dragon age\daoriginslauncher.exe |
"{AA67B5CC-4693-4559-8ED9-ACD6D97EDD52}" = protocol=6 | dir=in | app=c:\program files\thq\gas powered games\gpgnet\gpg.multiplayer.client.exe |
"{C0B1CA34-32A2-40E0-A046-C77D9C89D6E4}" = protocol=6 | dir=in | app=c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\civilization4.exe |
"{C23EA440-2BF2-4A4C-BF99-B95CFED8BFF3}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{C6D37CD3-4EB2-40A3-8483-4C5271BE06E1}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{C819D164-023D-4B27-8A9E-75E034033C31}" = protocol=6 | dir=in | app=c:\program files\thq\s.t.a.l.k.e.r. - shadow of chernobyl\bin\xr_3da.exe |
"{CA9F0EBC-EBEB-4567-8D38-0F5C2FB51553}" = protocol=17 | dir=in | app=c:\program files\sierra entertainment\world in conflict\wic.exe |
"{D3382EC9-E3E4-4906-B1C3-2DA4F99EA097}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\call of duty modern warfare 2\iw4sp.exe |
"{D38650E8-134F-4CCF-AF93-A336CF263041}" = protocol=6 | dir=in | app=c:\program files\dragon age\bin_ship\daupdatersvc.service.exe |
"{DBB341ED-3E1E-402A-9E05-43F0DD87C529}" = protocol=17 | dir=in | app=c:\program files\activision\call of duty 4 - modern warfare\iw3mp.exe |
"{E8FB39D3-311A-443A-9C90-42F8CF29FCFE}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{E9EF9761-DE76-4E9B-A37B-6C3A690B9136}" = protocol=6 | dir=in | app=c:\program files\thq\s.t.a.l.k.e.r. - shadow of chernobyl\bin\dedicated\xr_3da.exe |
"{F48348BB-2171-46C8-B5EC-2EE758E2287F}" = protocol=6 | dir=in | app=c:\program files\activision\call of duty 4 - modern warfare\iw3mp.exe |
"{FA466DF5-A750-493E-8C0B-278DAAC1DFF8}" = protocol=17 | dir=in | app=c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\beyond the sword\civ4beyondsword.exe |
"{FDCC79C2-95CE-4B58-B420-7957E8F06D2C}" = protocol=17 | dir=in | app=c:\program files\thq\gas powered games\gpgnet\gpg.multiplayer.client.exe |
"{FDF23C77-FEE0-4990-AF21-512EFD0D9B53}" = protocol=6 | dir=in | app=c:\program files\electronic arts\crytek\crysis\bin32\crysis.exe |
"TCP Query User{434FA475-2E50-43BE-8D58-DEABD8DD9FEB}C:\program files\steam\steamapps\common\dawn of war 2\dow2.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\dawn of war 2\dow2.exe |
"TCP Query User{4F9B4338-AC9F-4B31-BB5F-B0247C3F1BBE}C:\program files\thq\dawn of war - soulstorm\soulstorm.exe" = protocol=6 | dir=in | app=c:\program files\thq\dawn of war - soulstorm\soulstorm.exe |
"TCP Query User{61D847BC-F104-4214-8E00-E0BDE92D9E87}C:\program files\electronic arts\dead space\dead space.exe" = protocol=6 | dir=in | app=c:\program files\electronic arts\dead space\dead space.exe |
"TCP Query User{906A4351-8DAC-4C99-A187-75E58816F05C}C:\program files\thq\dawn of war - dark crusade\darkcrusade.exe" = protocol=6 | dir=in | app=c:\program files\thq\dawn of war - dark crusade\darkcrusade.exe |
"TCP Query User{99F5FFB3-8A1B-458B-9C1B-8365B5639559}C:\program files\thq\dawn of war - dark crusade\darkcrusade.exe" = protocol=6 | dir=in | app=c:\program files\thq\dawn of war - dark crusade\darkcrusade.exe |
"TCP Query User{AEA991EF-45CE-4118-9879-CB5222CDE015}C:\program files\electronic arts\eadm\core.exe" = protocol=6 | dir=in | app=c:\program files\electronic arts\eadm\core.exe |
"TCP Query User{C12310D8-C8E8-4265-94E3-B8B0D9D05DBE}C:\program files\thq\dawn of war - soulstorm\soulstorm.exe" = protocol=6 | dir=in | app=c:\program files\thq\dawn of war - soulstorm\soulstorm.exe |
"TCP Query User{CCDF8F05-DAAD-493B-A4C4-8722DEFA6657}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{66806041-EE7F-4A89-B40A-FFEF6672E4A9}C:\program files\steam\steamapps\common\dawn of war 2\dow2.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\dawn of war 2\dow2.exe |
"UDP Query User{8D2AF394-AAFB-47DA-87A5-77B4D6F1C6EB}C:\program files\thq\dawn of war - dark crusade\darkcrusade.exe" = protocol=17 | dir=in | app=c:\program files\thq\dawn of war - dark crusade\darkcrusade.exe |
"UDP Query User{A8FF1705-F518-45A1-9511-CDB3518F29DF}C:\program files\thq\dawn of war - soulstorm\soulstorm.exe" = protocol=17 | dir=in | app=c:\program files\thq\dawn of war - soulstorm\soulstorm.exe |
"UDP Query User{B44048FA-C3B0-4094-90FC-FC98FECE0018}C:\program files\electronic arts\eadm\core.exe" = protocol=17 | dir=in | app=c:\program files\electronic arts\eadm\core.exe |
"UDP Query User{B57B980E-6CA0-4F41-8F70-6B68F4D78184}C:\program files\electronic arts\dead space\dead space.exe" = protocol=17 | dir=in | app=c:\program files\electronic arts\dead space\dead space.exe |
"UDP Query User{C7004DB3-1BA7-4332-9361-A88A754B7BA1}C:\program files\thq\dawn of war - dark crusade\darkcrusade.exe" = protocol=17 | dir=in | app=c:\program files\thq\dawn of war - dark crusade\darkcrusade.exe |
"UDP Query User{C7370CE8-FD17-48BA-917B-1D37A2700F19}C:\program files\thq\dawn of war - soulstorm\soulstorm.exe" = protocol=17 | dir=in | app=c:\program files\thq\dawn of war - soulstorm\soulstorm.exe |
"UDP Query User{D147DD2A-74F1-48E6-AF3F-DBEEE05D48AB}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{000E79B7-E725-4F01-870A-C12942B7F8E4}" = Crysis®
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{055FEF8E-4B86-400F-A5C6-8FAC0042DCD9}" = NVIDIA PureVideo Decoder
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{14C87AA7-08E6-419F-A165-998EBE5023D7}" = Oblivion - Knights of the Nine
"{16D919E6-F019-4E15-BFBE-4A85EF19DA57}" = Oblivion - Spell Tomes
"{1C4551A6-4743-4093-91E4-1477CD655043}" = NVIDIA PhysX
"{20533183-D42D-4261-A125-956736FBEA8C}" = Dawn of War - Soulstorm
"{25724802-CC14-4B90-9F3B-3D6955EE27B1}" = Company of Heroes
"{2DF7B278-D3B6-40A4-B25C-0E7149F439EA}" = 3DMark05
"{2F2E3D62-8B8C-448F-8900-451325E50948}" = Oblivion - Wizard's Tower
"{30D1F3D2-54CF-481D-A005-F94B0E98FEEC}" = Sid Meier's Civilization 4 Complete
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3ABEBD00-299D-4DCA-967F-B912163AB5EA}" = Oblivion - Horse Armor Pack
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{419CF344-3D94-4DAD-99C8-EA7B00E5EA8B}" = Acronis True Image Home
"{4BE15737-07C5-4705-9DFC-D9D533939942}" = NVIDIA Media Center Extensions
"{520F4B09-3A51-47A2-82B0-9FF1DC2D20FA}" = Oblivion - Vile Lair
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{5435FF3C-48CF-4B34-85E1-2C95673EB254}" = Dawn of War - Soulstorm
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7E4B7FD9-4ECE-4298-A910-3160B7918059}" = CryEngine®2 Sandbox™2
"{7F3AD00A-1819-4B15-BB7D-08B3586336D7}" = 3DMark06
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{95398D6D-E2A6-45BC-A9B2-C8C1D9D00E6E}" = DECAdry Express Business Cards 4
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1C962E2-2426-49C6-A38B-9A07E40D607C}" = Microsoft Games for Windows - LIVE
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A5D4E41C-2583-46FE-9B99-62496F85C5F3}" = RPS CRT
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{AEC81925-9C76-4707-84A9-40696C613ED3}" = Dragon Age: Origins
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{BE686891-3C56-4714-AFEF-341A7867BA80}" = ASUS WiFi-AP Solo
"{C73A3AB4-99A4-45E5-B77F-09A3065E0D6A}" = Microsoft IntelliType Pro 6.1
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{E280923D-C5D9-4728-8C79-AC9A0DC75875}" = BioShock
"{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"{E5D52570-5EF1-4576-A434-6CCD92268F0F}" = Google SketchUp 7
"{EC425CFC-EE78-4A91-AA25-3BFA65B75364}" = Oblivion - Orrery
"{EF295F5C-7B57-47AA-8889-6B3E8E214E89}" = Oblivion - Mehrunes Razor
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F11ADC64-C89E-47F4-A0B3-3665FF859397}" = World in Conflict
"{FF39FC01-819B-42E4-AE49-1968AF12DDD4}" = Dawn of War - Dark Crusade
"{FFFFFD17-B460-41EB-93F1-C48ABAD63828}" = Oblivion - Thieves Den
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"BroadJump Client Foundation" = BroadJump Client Foundation
"BurnInTest_is1" = BurnInTest v5.3 Pro
"CDisplay_is1" = CDisplay 1.8
"EPSON Printer and Utilities" = EPSON Printer Software
"Host OpenAL (ADI)" = Host OpenAL (ADI)
"InstallShield_{95398D6D-E2A6-45BC-A9B2-C8C1D9D00E6E}" = DECAdry Express Business Cards 4
"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NVIDIA Drivers" = NVIDIA Drivers
"PerformanceTest_is1" = PerformanceTest v6.1
"PunkBusterSvc" = PunkBuster Services
"RadialpointClientGateway_is1" = Virgin Broadband advisor 1.5.24
"S.T.A.L.K.E.R. - Shadow of Chernobyl_is1" = S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0005]
"Steam App 15620" = Warhammer 40,000: Dawn of War II
"SystemRequirementsLab" = System Requirements Lab
"WinRAR archiver" = WinRAR archiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-590085791-1565443666-2831366945-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/07/2009 13:33:54 | Computer Name = KOMODO-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 10/07/2009 16:06:59 | Computer Name = KOMODO-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 10/07/2009 19:36:12 | Computer Name = KOMODO-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 12/07/2009 11:40:07 | Computer Name = KOMODO-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 14/07/2009 08:04:19 | Computer Name = KOMODO-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 14/07/2009 13:39:28 | Computer Name = KOMODO-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 19/07/2009 06:07:50 | Computer Name = KOMODO-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 20/07/2009 07:30:09 | Computer Name = KOMODO-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 20/07/2009 07:30:54 | Computer Name = KOMODO-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 7.0.6001.18248 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: cdc Start Time: 01ca092d51b60324 Termination Time: 0

Error - 20/07/2009 13:10:13 | Computer Name = KOMODO-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

[ System Events ]
Error - 26/12/2009 10:12:39 | Computer Name = KOMODO-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 26/12/2009 12:26:51 | Computer Name = KOMODO-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 26/12/2009 12:26:55 | Computer Name = KOMODO-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 26/12/2009 16:26:04 | Computer Name = KOMODO-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 26/12/2009 16:26:10 | Computer Name = KOMODO-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 26/12/2009 16:28:01 | Computer Name = KOMODO-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 26/12/2009 16:28:06 | Computer Name = KOMODO-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 27/12/2009 05:37:09 | Computer Name = KOMODO-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 27/12/2009 05:37:13 | Computer Name = KOMODO-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 27/12/2009 05:38:27 | Computer Name = KOMODO-PC | Source = Dhcp | ID = 1002
Description = The IP address lease 81.108.28.207 for the Network Card with network
address 00064F4E4B1C has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).


< End of report >

Cheers :(

#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 27 December 2009 - 10:34 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Mark_B
  • Topic Starter

  • Members
  • 13 posts

Posted 27 December 2009 - 02:49 PM

Hi Sam,

Here's the ComboFix log. Interestingly, I had to reboot before I could open any documents, or run Internet Explorer or Outlook following the scan. I received error messages that said registry keys had been marked for deletion when I tried.

ComboFix 09-12-26.05 - User 27/12/2009 19:20:27.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1214 [GMT 0:00]
Running from: c:\users\User\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500

.
((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-27 19:27 . 2009-12-27 19:28 -------- d-----w- c:\users\User\AppData\Local\temp
2009-12-27 19:27 . 2009-12-27 19:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-15 14:01 . 2009-12-15 14:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-15 14:01 . 2009-12-26 16:20 -------- d-----w- c:\users\User\AppData\Roaming\SUPERAntiSpyware.com
2009-12-15 14:01 . 2009-12-26 16:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-15 12:31 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-15 12:31 . 2009-12-15 12:31 -------- d-----w- c:\program files\Panda Security
2009-12-15 10:06 . 2009-12-15 10:06 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2009-12-15 10:06 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-15 10:06 . 2009-12-15 10:06 -------- d-----w- c:\programdata\Malwarebytes
2009-12-15 10:06 . 2009-12-15 10:06 -------- d-----w- c:\program files\123
2009-12-15 10:06 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 10:48 . 2009-12-13 14:03 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-11 10:48 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-12-11 10:48 . 2009-12-11 10:48 -------- d-----w- c:\programdata\Avira
2009-12-11 10:48 . 2009-12-11 10:48 -------- d-----w- c:\program files\Avira
2009-12-11 10:42 . 2009-12-15 10:20 -------- d-----w- c:\programdata\Lavasoft
2009-12-10 22:56 . 2009-12-10 22:56 -------- d-----w- c:\programdata\WindowsSearch
2009-12-10 20:26 . 2009-12-10 20:26 -------- d-----w- c:\users\User\AppData\Local\Threat Expert
2009-12-10 19:59 . 2009-12-10 19:59 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-10 19:38 . 2009-12-10 19:38 -------- d-----w- c:\users\User\AppData\Local\WindowsUpdate
2009-12-10 18:10 . 2009-12-10 18:10 -------- d-----w- c:\program files\AVG
2009-12-10 15:36 . 2009-12-10 17:53 4406560 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-10 15:10 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-10 15:10 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-10 15:10 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-04 21:08 . 2009-09-04 17:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-11-30 18:02 . 2009-11-30 18:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 18:02 . 2009-11-30 18:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 19:24 . 2009-09-03 08:49 -------- d-----w- c:\users\User\AppData\Roaming\Skype
2009-12-27 16:07 . 2009-09-03 08:53 -------- d-----w- c:\users\User\AppData\Roaming\skypePM
2009-12-27 10:17 . 2009-08-26 08:51 -------- d-----w- c:\users\User\AppData\Roaming\Dropbox
2009-12-26 16:24 . 2007-12-11 19:11 -------- d-----w- c:\programdata\Nero
2009-12-26 16:20 . 2009-11-27 15:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-20 22:07 . 2009-10-20 17:43 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-15 14:51 . 2008-03-06 17:54 -------- d-----w- c:\program files\Electronic Arts
2009-12-10 22:19 . 2007-12-10 11:55 1356 ----a-w- c:\users\User\AppData\Local\d3d9caps.dat
2009-12-10 17:53 . 2009-12-10 15:37 60092 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-10 17:52 . 2008-01-04 18:33 -------- d-----w- c:\programdata\Virgin Broadband
2009-12-10 17:52 . 2009-06-13 18:54 -------- d-----w- c:\program files\Virgin Broadband
2009-12-10 17:52 . 2008-01-04 18:33 -------- d-----w- c:\users\User\AppData\Roaming\Virgin Broadband
2009-12-10 15:32 . 2007-12-11 14:17 -------- d-----w- c:\program files\InstallShield Installation Information
2009-12-10 15:12 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-10 14:29 . 2009-01-04 11:52 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-07 16:45 . 2009-06-06 12:32 -------- d-----w- c:\program files\Steam
2009-11-27 15:15 . 2009-11-27 15:15 -------- d-----w- c:\programdata\BioWare
2009-11-27 15:13 . 2009-11-27 15:13 -------- d-----w- c:\program files\AGEIA Technologies
2009-11-27 15:13 . 2007-12-17 22:30 -------- d-----w- c:\programdata\Media Center Programs
2009-11-27 15:13 . 2009-11-27 14:57 -------- d-----w- c:\program files\Common Files\BioWare
2009-11-27 15:07 . 2009-11-27 14:57 -------- d-----w- c:\program files\Dragon Age
2009-11-23 12:43 . 2009-01-04 11:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-21 06:40 . 2009-12-10 14:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-10 14:51 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-10 14:51 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-10 14:51 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-18 09:11 . 2009-11-18 09:11 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-18 09:11 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 09:11 . 2009-11-18 09:11 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-06 10:59 . 2009-11-06 10:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-05 18:16 . 2009-11-05 18:16 -------- d-----w- c:\program files\iTunes
2009-11-05 18:16 . 2009-11-05 18:16 -------- d-----w- c:\program files\iPod
2009-11-05 18:16 . 2008-07-18 20:47 -------- d-----w- c:\programdata\Apple Computer
2009-11-05 18:16 . 2008-07-18 20:46 -------- d-----w- c:\program files\Common Files\Apple
2009-11-05 18:10 . 2009-11-05 18:10 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-02 20:42 . 2009-10-03 10:04 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 13:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-19 13:53 . 2007-12-10 11:56 92248 ----a-w- c:\users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-08 21:08 . 2009-11-17 18:05 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:08 . 2009-11-17 18:05 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:07 . 2009-11-17 18:05 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-07 11:36 . 2009-12-10 14:51 243712 ----a-w- c:\windows\system32\rastls.dll
2009-10-01 01:02 . 2009-11-17 18:06 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-11-17 18:06 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-11-17 18:06 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-11-17 18:06 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-11-17 18:06 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-11-17 18:06 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-11-17 18:06 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-11-17 18:06 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-11-17 18:06 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-11-17 18:06 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-11-17 18:06 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-11-17 18:06 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-12-15 1261568]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2009-8-28 26784939]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-02-16 18:49 149024 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-02-16 18:57 1945960 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 14:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
2003-01-27 17:16 376912 ----a-w- c:\program files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadbandadvisor.exe]
2009-05-27 12:20 2303216 ----a-w- c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-28 20:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 00:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-12-15 13:49 1261568 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundTray]
2007-05-21 14:53 49152 ----a-w- c:\program files\Analog Devices\SoundMAX\SoundTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-11-06 22:58 1217808 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-02-16 18:45 1169776 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):91,ed,91,6b,28,52,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-590085791-1565443666-2831366945-1000]
"EnableNotificationsRef"=dword:00000001

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [15/12/2009 12:31 28552]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\System32\drivers\RtlProt.sys [11/12/2007 15:09 15360]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/12/2009 10:48 108289]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [04/01/2009 11:52 809296]
R3 RTL8187;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\rtl8187.sys [11/12/2007 15:09 216064]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [27/11/2009 15:07 25832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [18/07/2008 22:21 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
MSConfigStartUp--FreedomNeedsReboot - c:\program files\Virgin Broadband\PCguard\ZkRunOnceR.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Nero\Lib\NeroCheck.exe
MSConfigStartUp-PCguard - c:\program files\Virgin Broadband\PCguard\Rps.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 19:28
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

[0] 0x00005C53

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84EC3618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x881c3d24
\Driver\ACPI -> acpi.sys @ 0x82891d68
\Driver\atapi -> ataport.SYS @ 0x829a6a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-590085791-1565443666-2831366945-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f6,c1,44,90,d0,ac,4e,39,a9,fd,29,a9,26,a8,8b,dc,b1,15,9b,d5,b8,58,00,
9f,42,d5,58,a5,eb,46,60,88,32,dd,fd,c9,96,4a,8e,5c,66,80,56,84,1f,a3,12,c3,\
"??"=hex:eb,3b,14,9f,68,c2,c4,fb,4e,5d,47,b8,89,9d,f8,94

[HKEY_USERS\S-1-5-21-590085791-1565443666-2831366945-1000\Software\SecuROM\License information*]
"datasecu"=hex:d4,05,b3,28,85,77,54,ef,58,83,e3,0c,87,03,12,a8,ec,bc,87,a7,79,
dd,5c,c1,c2,01,62,45,f6,de,72,aa,81,dc,96,d8,0a,4f,4e,49,cc,fa,18,af,d4,b4,\
"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(744)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'Explorer.exe'(4464)
c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll
.
Completion time: 2009-12-27 19:31:23
ComboFix-quarantined-files.txt 2009-12-27 19:31

Pre-Run: 286,452,686,848 bytes free
Post-Run: 286,646,362,112 bytes free

- - End Of File - - 8CA188B6B3D3F9DC429D99AE6315556C

Thanks,

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 28 December 2009 - 09:56 AM

Please visit the online VirusTotal Virus Scanner
  • Click on the Browse button.
  • Navigate to the following file and upload it.

    c:\windows\system32\drivers\atapi.sys

  • The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 Mark_B

Mark_B
  • Topic Starter

  • Members
  • 13 posts

Posted 28 December 2009 - 10:46 AM

Okay, here's what it came up with:

File has already been analysed:
MD5: 1f05b78ab91c9075565a9d8a4b880bc4
First received: 2009.05.17 14:20:52 UTC
Date: 2009.12.26 17:55:51 UTC [+1D]
Results: 1/41
Permalink: analisis/737be9f9376dab0ccdfed93ea6d67f0c432367ea63cd772a453485be769af3bd-1261850151

In case you need it, here's what's listed under the link:

File atapi.sys received on 2009.12.26 17:55:51 (UTC)
Current status: finished

Result: 1/41 (2.44%)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.26 -
AhnLab-V3 5.0.0.2 2009.12.26 -
AntiVir 7.9.1.122 2009.12.26 -
Antiy-AVL 2.0.3.7 2009.12.25 -
Authentium 5.2.0.5 2009.12.26 -
Avast 4.8.1351.0 2009.12.26 -
AVG 8.5.0.430 2009.12.26 -
BitDefender 7.2 2009.12.26 -
CAT-QuickHeal 10.00 2009.12.26 -
ClamAV 0.94.1 2009.12.26 -
Comodo 3376 2009.12.26 -
DrWeb 5.0.1.12222 2009.12.26 -
eSafe 7.0.17.0 2009.12.24 -
eTrust-Vet 35.1.7198 2009.12.25 -
F-Prot 4.5.1.85 2009.12.26 -
F-Secure 9.0.15370.0 2009.12.26 -
Fortinet 4.0.14.0 2009.12.26 -
GData 19 2009.12.26 -
Ikarus T3.1.1.79.0 2009.12.26 -
Jiangmin 13.0.900 2009.12.26 -
K7AntiVirus 7.10.931 2009.12.26 -
Kaspersky 7.0.0.125 2009.12.26 -
McAfee 5843 2009.12.26 -
McAfee+Artemis 5843 2009.12.26 -
McAfee-GW-Edition 6.8.5 2009.12.26 Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft 1.5302 2009.12.26 -
NOD32 4716 2009.12.25 -
Norman 6.04.03 2009.12.26 -
nProtect 2009.1.8.0 2009.12.26 -
Panda 10.0.2.2 2009.12.15 -
PCTools 7.0.3.5 2009.12.26 -
Prevx 3.0 2009.12.26 -
Rising 22.27.05.04 2009.12.26 -
Sophos 4.49.0 2009.12.26 -
Sunbelt 3.2.1858.2 2009.12.26 -
Symantec 1.4.4.12 2009.12.26 -
TheHacker 6.5.0.3.111 2009.12.25 -
TrendMicro 9.120.0.1004 2009.12.26 -
VBA32 3.12.12.0 2009.12.26 -
ViRobot 2009.12.26.2109 2009.12.26 -
VirusBuster 5.0.21.0 2009.12.26 -
Additional information
File size: 19944 bytes
MD5 : 1f05b78ab91c9075565a9d8a4b880bc4
SHA1 : 218442cd7afecbc8d102c4e31d9ef3528642191b
SHA256: 737be9f9376dab0ccdfed93ea6d67f0c432367ea63cd772a453485be769af3bd
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5005
timedatestamp.....: 0x49E01EED (Sat Apr 11 06:39:09 2009)
machinetype.......: 0x14C (Intel I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x19B0 0x1A00 6.30 4ac8c9f82cf23d85316bd85d3d8e4efb
.rdata 0x3000 0xAE 0x200 1.49 3d541e69f96e97a837841ad289adeac7
.data 0x4000 0xC 0x200 0.18 7c80b151582aa6280e754b477343e54e
INIT 0x5000 0x364 0x400 4.51 f238fffd3a9917d72f4888f4276b3b06
.rsrc 0x6000 0x3F8 0x400 3.38 5c8a106a7c9416fb469c83dfab844abd
.reloc 0x7000 0x8A 0x200 1.37 064d7db7c16955d4dc6d3f7afb703e06

( 2 imports )

> ataport.sys: AtaPortNotification, AtaPortWritePortUchar, AtaPortWritePortUlong, AtaPortGetPhysicalAddress, AtaPortConvertPhysicalAddressToUlong, AtaPortGetScatterGatherList, AtaPortReadPortUchar, AtaPortStallExecution, AtaPortGetParentBusType, AtaPortRequestCallback, AtaPortWritePortBufferUshort, AtaPortGetUnCachedExtension, AtaPortCompleteRequest, AtaPortMoveMemory, AtaPortCompleteAllActiveRequests, AtaPortReleaseRequestSenseIrb, AtaPortBuildRequestSenseIrb, AtaPortReadPortUshort, AtaPortReadPortBufferUshort, AtaPortInitialize, AtaPortGetDeviceBase, AtaPortDeviceStateChange
> ntoskrnl.exe: KeTickCount

( 0 exports )

TrID : File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
ssdeep: 384:zzY0Vgd1RrKzBpWk4UwWFSn8G6FuT+quHpBjbOjBMwzt8:zz/Vgd1gzQUSuBxkMwzt8
PEiD : -
RDS : NSRL Reference Data Set
-

BTW, I tried out the browser last night, after running combofix, and the redirect has been fixed so thanks ever so much for that :(

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 28 December 2009 - 11:02 AM

Good! The virus scan of that file confirms it's clean. McAfee always detects it as malware.
How is your computer behaving otherwise? Any problems?

========================================================

#11 Mark_B

Mark_B
  • Topic Starter

  • Members
  • 13 posts

Posted 28 December 2009 - 12:05 PM

Cool. Unfortunately, the redirects are back. I've just tried the browser again, before finalising a reply to you, and bam! problem's back :(

I dunno if it helps, but when it happens, an icon sometimes appears in the address bar (like the icons most websites now have). The icon is like a blue, tapeworm-looking thing in the shape of a number 2.

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 28 December 2009 - 06:56 PM

Please run Combofix again and post the resulting log.

========================================================

#13 Mark_B

Mark_B
  • Topic Starter

  • Members
  • 13 posts

Posted 29 December 2009 - 04:38 AM

Hey Sam,

New combofix log:

ComboFix 09-12-28.05 - User 29/12/2009 9:16.2.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1182 [GMT 0:00]
Running from: c:\users\User\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-29 09:23 . 2009-12-29 09:23 -------- d-----w- c:\users\User\AppData\Local\temp
2009-12-29 09:23 . 2009-12-29 09:23 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-29 09:23 . 2009-12-29 09:23 -------- d-----w- c:\users\Mark B\AppData\Local\temp
2009-12-29 09:23 . 2009-12-29 09:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-15 14:01 . 2009-12-15 14:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-15 14:01 . 2009-12-26 16:20 -------- d-----w- c:\users\User\AppData\Roaming\SUPERAntiSpyware.com
2009-12-15 14:01 . 2009-12-26 16:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-15 12:31 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-15 12:31 . 2009-12-15 12:31 -------- d-----w- c:\program files\Panda Security
2009-12-15 10:06 . 2009-12-15 10:06 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2009-12-15 10:06 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-15 10:06 . 2009-12-15 10:06 -------- d-----w- c:\programdata\Malwarebytes
2009-12-15 10:06 . 2009-12-15 10:06 -------- d-----w- c:\program files\123
2009-12-15 10:06 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 10:48 . 2009-12-13 14:03 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-11 10:48 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-12-11 10:48 . 2009-12-11 10:48 -------- d-----w- c:\programdata\Avira
2009-12-11 10:48 . 2009-12-11 10:48 -------- d-----w- c:\program files\Avira
2009-12-11 10:42 . 2009-12-15 10:20 -------- d-----w- c:\programdata\Lavasoft
2009-12-10 22:56 . 2009-12-10 22:56 -------- d-----w- c:\programdata\WindowsSearch
2009-12-10 20:26 . 2009-12-10 20:26 -------- d-----w- c:\users\User\AppData\Local\Threat Expert
2009-12-10 19:59 . 2009-12-10 19:59 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-10 19:38 . 2009-12-10 19:38 -------- d-----w- c:\users\User\AppData\Local\WindowsUpdate
2009-12-10 18:10 . 2009-12-10 18:10 -------- d-----w- c:\program files\AVG
2009-12-10 15:36 . 2009-12-10 17:53 4406560 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-10 15:10 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-10 15:10 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-10 15:10 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-04 21:08 . 2009-09-04 17:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-11-30 18:02 . 2009-11-30 18:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 18:02 . 2009-11-30 18:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 09:09 . 2009-09-03 08:49 -------- d-----w- c:\users\User\AppData\Roaming\Skype
2009-12-29 09:08 . 2009-09-03 08:53 -------- d-----w- c:\users\User\AppData\Roaming\skypePM
2009-12-29 09:08 . 2009-08-26 08:51 -------- d-----w- c:\users\User\AppData\Roaming\Dropbox
2009-12-26 16:24 . 2007-12-11 19:11 -------- d-----w- c:\programdata\Nero
2009-12-26 16:20 . 2009-11-27 15:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-20 22:07 . 2009-10-20 17:43 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-15 14:51 . 2008-03-06 17:54 -------- d-----w- c:\program files\Electronic Arts
2009-12-10 22:19 . 2007-12-10 11:55 1356 ----a-w- c:\users\User\AppData\Local\d3d9caps.dat
2009-12-10 17:53 . 2009-12-10 15:37 60092 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-10 17:52 . 2008-01-04 18:33 -------- d-----w- c:\programdata\Virgin Broadband
2009-12-10 17:52 . 2009-06-13 18:54 -------- d-----w- c:\program files\Virgin Broadband
2009-12-10 17:52 . 2008-01-04 18:33 -------- d-----w- c:\users\User\AppData\Roaming\Virgin Broadband
2009-12-10 15:32 . 2007-12-11 14:17 -------- d-----w- c:\program files\InstallShield Installation Information
2009-12-10 15:12 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-10 14:29 . 2009-01-04 11:52 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-07 16:45 . 2009-06-06 12:32 -------- d-----w- c:\program files\Steam
2009-11-27 15:15 . 2009-11-27 15:15 -------- d-----w- c:\programdata\BioWare
2009-11-27 15:13 . 2009-11-27 15:13 -------- d-----w- c:\program files\AGEIA Technologies
2009-11-27 15:13 . 2007-12-17 22:30 -------- d-----w- c:\programdata\Media Center Programs
2009-11-27 15:13 . 2009-11-27 14:57 -------- d-----w- c:\program files\Common Files\BioWare
2009-11-27 15:07 . 2009-11-27 14:57 -------- d-----w- c:\program files\Dragon Age
2009-11-23 12:43 . 2009-01-04 11:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-21 06:40 . 2009-12-10 14:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-10 14:51 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-10 14:51 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-10 14:51 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-18 09:11 . 2009-11-18 09:11 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-18 09:11 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 09:11 . 2009-11-18 09:11 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-06 10:59 . 2009-11-06 10:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-05 18:16 . 2009-11-05 18:16 -------- d-----w- c:\program files\iTunes
2009-11-05 18:16 . 2009-11-05 18:16 -------- d-----w- c:\program files\iPod
2009-11-05 18:16 . 2008-07-18 20:47 -------- d-----w- c:\programdata\Apple Computer
2009-11-05 18:16 . 2008-07-18 20:46 -------- d-----w- c:\program files\Common Files\Apple
2009-11-05 18:10 . 2009-11-05 18:10 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-02 20:42 . 2009-10-03 10:04 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 13:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-19 13:53 . 2007-12-10 11:56 92248 ----a-w- c:\users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-08 21:08 . 2009-11-17 18:05 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:08 . 2009-11-17 18:05 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:07 . 2009-11-17 18:05 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-07 11:36 . 2009-12-10 14:51 243712 ----a-w- c:\windows\system32\rastls.dll
2009-10-01 01:02 . 2009-11-17 18:06 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-11-17 18:06 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-11-17 18:06 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-11-17 18:06 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-11-17 18:06 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-11-17 18:06 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-11-17 18:06 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-11-17 18:06 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-11-17 18:06 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-11-17 18:06 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-11-17 18:06 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-11-17 18:06 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-27_19.28.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-10 12:44 . 2009-12-29 09:09 54526 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2007-12-10 12:44 . 2009-12-27 09:38 54526 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-12-29 09:09 81598 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-12-10 12:44 . 2009-12-29 09:09 17180 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-590085791-1565443666-2831366945-1000_UserData.bin
- 2006-11-02 13:02 . 2009-12-27 12:08 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-12-29 09:08 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-12-29 09:08 81920 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:02 . 2009-12-27 12:08 81920 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-11 20:52 . 2009-12-29 09:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-11 20:52 . 2009-12-27 10:16 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-11 20:52 . 2009-12-27 10:16 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-11 20:52 . 2009-12-29 09:08 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-11 20:52 . 2009-12-29 09:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-11 20:52 . 2009-12-27 10:16 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-27 09:37 . 2009-12-27 10:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-12-29 09:08 . 2009-12-29 09:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-12-27 09:37 . 2009-12-27 10:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-12-29 09:08 . 2009-12-29 09:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-08-05 13:29 . 2009-12-27 18:33 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-08-05 13:29 . 2009-12-29 09:08 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2006-11-02 13:02 . 2009-12-29 09:08 278528 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-12-15 1261568]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2009-8-28 26784939]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-02-16 18:49 149024 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-02-16 18:57 1945960 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 14:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
2003-01-27 17:16 376912 ----a-w- c:\program files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadbandadvisor.exe]
2009-05-27 12:20 2303216 ----a-w- c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-28 20:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 00:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-12-15 13:49 1261568 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundTray]
2007-05-21 14:53 49152 ----a-w- c:\program files\Analog Devices\SoundMAX\SoundTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-11-06 22:58 1217808 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-02-16 18:45 1169776 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):91,ed,91,6b,28,52,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-590085791-1565443666-2831366945-1000]
"EnableNotificationsRef"=dword:00000001

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [15/12/2009 12:31 28552]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\System32\drivers\RtlProt.sys [11/12/2007 15:09 15360]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/12/2009 10:48 108289]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [04/01/2009 11:52 809296]
R3 RTL8187;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\rtl8187.sys [11/12/2007 15:09 216064]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [27/11/2009 15:07 25832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [18/07/2008 22:21 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-29 09:23
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84EAF618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x87fc3d24
\Driver\ACPI -> acpi.sys @ 0x8069ed68
\Driver\atapi -> ataport.SYS @ 0x807b3a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-590085791-1565443666-2831366945-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f6,c1,44,90,d0,ac,4e,39,a9,fd,29,a9,26,a8,8b,dc,b1,15,9b,d5,b8,58,00,
9f,42,d5,58,a5,eb,46,60,88,32,dd,fd,c9,96,4a,8e,5c,66,80,56,84,1f,a3,12,c3,\
"??"=hex:eb,3b,14,9f,68,c2,c4,fb,4e,5d,47,b8,89,9d,f8,94

[HKEY_USERS\S-1-5-21-590085791-1565443666-2831366945-1000\Software\SecuROM\License information*]
"datasecu"=hex:d4,05,b3,28,85,77,54,ef,58,83,e3,0c,87,03,12,a8,ec,bc,87,a7,79,
dd,5c,c1,c2,01,62,45,f6,de,72,aa,81,dc,96,d8,0a,4f,4e,49,cc,fa,18,af,d4,b4,\
"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'Explorer.exe'(3428)
c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll
.
Completion time: 2009-12-29 09:26:37
ComboFix-quarantined-files.txt 2009-12-29 09:26
ComboFix2.txt 2009-12-27 19:31

Pre-Run: 286,617,366,528 bytes free
Post-Run: 286,598,197,248 bytes free

- - End Of File - - F36082ED5EB4AE36322FFF9F5AB4CE42

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 December 2009 - 02:35 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

FCopy::
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys | C:\Windows\System32\drivers\atapi.sys

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Let me know if you are still being redirected after this step.

========================================================
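An added check, not from the thread and not ComboFix's own code, that does in PowerShell what posts #8 and #14 rely on: it hashes the live atapi.sys (the values VirusTotal reported in post #9) and compares it with every copy held in the DriverStore, the location the FCopy step restores from. It assumes PowerShell 4.0 or later for Get-FileHash and an elevated prompt; the FileRepository subfolder is enumerated rather than hard-coded because the mshdc.inf_b12d8e84 suffix in the thread is specific to that machine, and the reference MD5 is the one the thread's VirusTotal report showed.

```powershell
# Added example: compare the live atapi.sys with the DriverStore copies.
# Assumes PowerShell 4.0+ (Get-FileHash) and an elevated prompt.

function Get-DriverStoreCopies {
    param([string]$Name = 'atapi.sys')
    # The FileRepository subfolder name (mshdc.inf_b12d8e84 in the thread)
    # differs from machine to machine, so enumerate instead of hard-coding it.
    $repo = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
    Get-ChildItem -Path $repo -Recurse -Filter $Name -File -ErrorAction SilentlyContinue
}

function Compare-LiveDriverWithStore {
    param(
        [string]$Name = 'atapi.sys',
        # MD5 that the VirusTotal report in the thread showed for the user's file.
        [string]$ReferenceMd5 = '1f05b78ab91c9075565a9d8a4b880bc4'
    )
    $live = Join-Path $env:SystemRoot "System32\drivers\$Name"
    if (-not (Test-Path $live)) { throw "Live driver not found: $live" }

    $liveSha256 = (Get-FileHash -Path $live -Algorithm SHA256).Hash
    $liveMd5    = (Get-FileHash -Path $live -Algorithm MD5).Hash.ToLower()
    $liveSize   = (Get-Item $live).Length

    $stores = @(Get-DriverStoreCopies -Name $Name)
    if ($stores.Count -eq 0) { Write-Warning "No DriverStore copy of $Name found" }

    # One row per DriverStore copy: does its content match the live driver?
    $rows = foreach ($s in $stores) {
        $h = (Get-FileHash -Path $s.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            StoreCopy  = $s.FullName
            StoreSize  = $s.Length
            LiveSize   = $liveSize
            SameAsLive = ($h -eq $liveSha256)
        }
    }

    [pscustomobject]@{
        LivePath            = $live
        LiveMd5             = $liveMd5
        MatchesReferenceMd5 = ($liveMd5 -eq $ReferenceMd5.ToLower())
        # A live driver that matches no DriverStore copy is the condition the
        # FCopy step in the thread was written to repair.
        MatchesAnyStoreCopy = [bool]($rows | Where-Object SameAsLive)
        StoreCopies         = $rows
    }
}

Compare-LiveDriverWithStore | Format-List
```

If the disk driver is hooked, as the Gmer MBR section of these logs reports, the bytes read through the running system need not be what is on disk, so repeat the comparison from clean boot media before trusting a match.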

#15 Mark_B

Mark_B
  • Topic Starter

  • Members
  • 13 posts

Posted 30 December 2009 - 06:48 PM

Sorry Sam, still doing the redirects. Here's the log:

ComboFix 09-12-29.06 - User 30/12/2009 23:32:17.3.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1341 [GMT 0:00]
Running from: c:\users\User\Desktop\ComboFix.exe
Command switches used :: c:\users\User\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --> c:\windows\System32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-30 23:39 . 2009-12-30 23:39 -------- d-----w- c:\users\User\AppData\Local\temp
2009-12-30 23:39 . 2009-12-30 23:39 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-30 23:39 . 2009-12-30 23:39 -------- d-----w- c:\users\Mark B\AppData\Local\temp
2009-12-30 23:39 . 2009-12-30 23:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-15 14:01 . 2009-12-15 14:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-15 14:01 . 2009-12-26 16:20 -------- d-----w- c:\users\User\AppData\Roaming\SUPERAntiSpyware.com
2009-12-15 14:01 . 2009-12-26 16:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-15 12:31 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-15 12:31 . 2009-12-15 12:31 -------- d-----w- c:\program files\Panda Security
2009-12-15 10:06 . 2009-12-15 10:06 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2009-12-15 10:06 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-15 10:06 . 2009-12-15 10:06 -------- d-----w- c:\programdata\Malwarebytes
2009-12-15 10:06 . 2009-12-15 10:06 -------- d-----w- c:\program files\123
2009-12-15 10:06 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 10:48 . 2009-12-13 14:03 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-11 10:48 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-12-11 10:48 . 2009-12-11 10:48 -------- d-----w- c:\programdata\Avira
2009-12-11 10:48 . 2009-12-11 10:48 -------- d-----w- c:\program files\Avira
2009-12-11 10:42 . 2009-12-15 10:20 -------- d-----w- c:\programdata\Lavasoft
2009-12-10 22:56 . 2009-12-10 22:56 -------- d-----w- c:\programdata\WindowsSearch
2009-12-10 20:26 . 2009-12-10 20:26 -------- d-----w- c:\users\User\AppData\Local\Threat Expert
2009-12-10 19:59 . 2009-12-10 19:59 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-10 19:38 . 2009-12-10 19:38 -------- d-----w- c:\users\User\AppData\Local\WindowsUpdate
2009-12-10 18:10 . 2009-12-10 18:10 -------- d-----w- c:\program files\AVG
2009-12-10 15:36 . 2009-12-10 17:53 4406560 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-10 15:10 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-10 15:10 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-10 15:10 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-04 21:08 . 2009-09-04 17:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-30 23:32 . 2009-10-20 17:43 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-30 23:25 . 2009-09-03 08:49 -------- d-----w- c:\users\User\AppData\Roaming\Skype
2009-12-30 23:24 . 2009-08-26 08:51 -------- d-----w- c:\users\User\AppData\Roaming\Dropbox
2009-12-30 18:00 . 2009-09-03 08:53 -------- d-----w- c:\users\User\AppData\Roaming\skypePM
2009-12-26 16:24 . 2007-12-11 19:11 -------- d-----w- c:\programdata\Nero
2009-12-26 16:20 . 2009-11-27 15:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-15 14:51 . 2008-03-06 17:54 -------- d-----w- c:\program files\Electronic Arts
2009-12-10 22:19 . 2007-12-10 11:55 1356 ----a-w- c:\users\User\AppData\Local\d3d9caps.dat
2009-12-10 17:53 . 2009-12-10 15:37 60092 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-10 17:52 . 2008-01-04 18:33 -------- d-----w- c:\programdata\Virgin Broadband
2009-12-10 17:52 . 2009-06-13 18:54 -------- d-----w- c:\program files\Virgin Broadband
2009-12-10 17:52 . 2008-01-04 18:33 -------- d-----w- c:\users\User\AppData\Roaming\Virgin Broadband
2009-12-10 15:32 . 2007-12-11 14:17 -------- d-----w- c:\program files\InstallShield Installation Information
2009-12-10 15:12 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-10 14:29 . 2009-01-04 11:52 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-07 16:45 . 2009-06-06 12:32 -------- d-----w- c:\program files\Steam
2009-11-30 18:02 . 2009-11-30 18:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 18:02 . 2009-11-30 18:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-27 15:15 . 2009-11-27 15:15 -------- d-----w- c:\programdata\BioWare
2009-11-27 15:13 . 2009-11-27 15:13 -------- d-----w- c:\program files\AGEIA Technologies
2009-11-27 15:13 . 2007-12-17 22:30 -------- d-----w- c:\programdata\Media Center Programs
2009-11-27 15:13 . 2009-11-27 14:57 -------- d-----w- c:\program files\Common Files\BioWare
2009-11-27 15:07 . 2009-11-27 14:57 -------- d-----w- c:\program files\Dragon Age
2009-11-23 12:43 . 2009-01-04 11:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-21 06:40 . 2009-12-10 14:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-10 14:51 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-10 14:51 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-10 14:51 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-18 09:11 . 2009-11-18 09:11 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-18 09:11 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 09:11 . 2009-11-18 09:11 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-06 10:59 . 2009-11-06 10:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-05 18:16 . 2009-11-05 18:16 -------- d-----w- c:\program files\iTunes
2009-11-05 18:16 . 2009-11-05 18:16 -------- d-----w- c:\program files\iPod
2009-11-05 18:16 . 2008-07-18 20:47 -------- d-----w- c:\programdata\Apple Computer
2009-11-05 18:16 . 2008-07-18 20:46 -------- d-----w- c:\program files\Common Files\Apple
2009-11-05 18:10 . 2009-11-05 18:10 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-02 20:42 . 2009-10-03 10:04 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 13:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-19 13:53 . 2007-12-10 11:56 92248 ----a-w- c:\users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-08 21:08 . 2009-11-17 18:05 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:08 . 2009-11-17 18:05 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:07 . 2009-11-17 18:05 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-07 11:36 . 2009-12-10 14:51 243712 ----a-w- c:\windows\system32\rastls.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-27_19.28.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-10 12:44 . 2009-12-30 23:25 54526 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2007-12-10 12:44 . 2009-12-27 09:38 54526 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-12-30 23:25 81622 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-12-10 12:44 . 2009-12-30 23:25 17196 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-590085791-1565443666-2831366945-1000_UserData.bin
+ 2006-11-02 13:02 . 2009-12-30 23:23 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:02 . 2009-12-27 12:08 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-12-30 23:23 81920 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:02 . 2009-12-27 12:08 81920 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-05 16:30 . 2009-12-30 09:10 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-08-05 16:30 . 2009-12-08 16:55 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-08-05 16:30 . 2009-12-30 09:10 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-08-05 16:30 . 2009-12-08 16:55 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-05 16:30 . 2009-12-30 09:10 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-08-05 16:30 . 2009-12-08 16:55 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-11 20:52 . 2009-12-30 23:23 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-11 20:52 . 2009-12-27 10:16 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-11 20:52 . 2009-12-27 10:16 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-11 20:52 . 2009-12-30 23:23 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-11 20:52 . 2009-12-27 10:16 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-11 20:52 . 2009-12-30 23:23 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-30 23:23 . 2009-12-30 23:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-12-27 09:37 . 2009-12-27 10:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-12-27 09:37 . 2009-12-27 10:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-12-30 23:23 . 2009-12-30 23:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-12-30 09:07 611174 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-12-14 08:49 611174 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-12-30 09:07 109982 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-12-14 08:49 109982 c:\windows\System32\perfc009.dat
- 2009-08-05 13:29 . 2009-12-27 18:33 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-08-05 13:29 . 2009-12-30 23:23 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2006-11-02 13:02 . 2009-12-30 23:23 278528 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-12-15 1261568]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2009-8-28 26784939]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-02-16 18:49 149024 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-02-16 18:57 1945960 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 14:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
2003-01-27 17:16 376912 ----a-w- c:\program files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadbandadvisor.exe]
2009-05-27 12:20 2303216 ----a-w- c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-28 20:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 00:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-12-15 13:49 1261568 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundTray]
2007-05-21 14:53 49152 ----a-w- c:\program files\Analog Devices\SoundMAX\SoundTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-11-06 22:58 1217808 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-02-16 18:45 1169776 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):91,ed,91,6b,28,52,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-590085791-1565443666-2831366945-1000]
"EnableNotificationsRef"=dword:00000001

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [15/12/2009 12:31 28552]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\System32\drivers\RtlProt.sys [11/12/2007 15:09 15360]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/12/2009 10:48 108289]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [04/01/2009 11:52 809296]
R3 RTL8187;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\rtl8187.sys [11/12/2007 15:09 216064]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [27/11/2009 15:07 25832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [18/07/2008 22:21 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-12-30 c:\windows\Tasks\RtlVistaStart.job
- c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2007-12-11 10:30]

2009-12-30 c:\windows\Tasks\User_Feed_Synchronization-{D283DB90-0219-4A90-A316-2402C541DF92}.job
- c:\windows\system32\msfeedssync.exe [2009-12-10 04:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 23:39
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84EC3618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x87fc0d24
\Driver\ACPI -> acpi.sys @ 0x80695d68
\Driver\atapi -> ataport.SYS @ 0x807aaa2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-590085791-1565443666-2831366945-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f6,c1,44,90,d0,ac,4e,39,a9,fd,29,a9,26,a8,8b,dc,b1,15,9b,d5,b8,58,00,
9f,42,d5,58,a5,eb,46,60,88,32,dd,fd,c9,96,4a,8e,5c,66,80,56,84,1f,a3,12,c3,\
"??"=hex:eb,3b,14,9f,68,c2,c4,fb,4e,5d,47,b8,89,9d,f8,94

[HKEY_USERS\S-1-5-21-590085791-1565443666-2831366945-1000\Software\SecuROM\License information*]
"datasecu"=hex:d4,05,b3,28,85,77,54,ef,58,83,e3,0c,87,03,12,a8,ec,bc,87,a7,79,
dd,5c,c1,c2,01,62,45,f6,de,72,aa,81,dc,96,d8,0a,4f,4e,49,cc,fa,18,af,d4,b4,\
"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'Explorer.exe'(2076)
c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll
.
Completion time: 2009-12-30 23:42:18
ComboFix-quarantined-files.txt 2009-12-30 23:42
ComboFix2.txt 2009-12-29 09:26
ComboFix3.txt 2009-12-27 19:31

Pre-Run: 286,583,263,232 bytes free
Post-Run: 286,569,975,808 bytes free

- - End Of File - - F7DCA95432A90B85E926B942FCCD4F04



