
Google search redirect in Firefox only


12 replies to this topic

#1 techboy5

  • Members
  • 20 posts

Posted 26 December 2009 - 10:14 PM

Hello everyone,

I originally posted this request in the "Am I Infected..." forum. Garmanma and Quietman7 helped me run many tests. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/277581/google-search-redirect-firefox-only/ ~ OB I will list everything I remember below, but my Google search in Firefox only is still being redirected. As an example, I ran a Google search for "Christmas Star Origin", clicked on a link to go to "www.thehistoryofchristmas.com/trivia/star.htm" and was redirected to a malware site at "c.ppcxml.net", which was blocked by the browser as a malware site. However, I could just as easily be taken to a random search site.
This has been going on for about a month. None of the other browsers, IE8 or Chrome, seem to be affected.

I run Windows Server 2003, it is updated to Service Pack 2, and I keep all the MS security updates up to date, as well as all the browser updates. Antivirus is not too strong; I use ClamWin because it will work on Server 2003. On all my other computers, I run Avast Home Free Edition, which won't run on Server 2003. I also run Spybot, Asquared free, and Spyware Blaster.

First, DDS.scr will not run on Server 2003, so I was unable to run that program and provide the information. However, I downloaded and ran HijackThis, and also RootRepeal, and I can provide those log reports.

Garmanma was my first contact with this website through the forum, and had me download several programs.
I have downloaded and run:

MBAM
Root Repeal
Win32Kdiag

Garmanma found 2 suspicious locked files in the "temp" directory. It turned out they were OK according to the viral scan we sent them to.
"LD24.tmp" and "LD25.tmp"

Quietman7 was my second contact after Garmanma. He had me download and run:

TDSSkiller (ran but didn't find or remove anything)
Kaspersky AntiVirus Scan (Would not complete a run, even in safe mode)
Kaspersky On-Line Antivirus Scan ( Would not complete in regular mode, but did complete in safe mode)
OTM (would not run under my operating system)
GooredFix

Kaspersky On-Line Scan found 5 infected mp3 and au files. Because OTM wouldn't run, we removed them with "File Assassin" from MBAM. Removal was successful.

Another scan with MBAM, RootRepeal, Asquared Free, Sophos Anti Rootkit, Spybot, and Trend "Housecall" found nothing.
Google search redirect in Firefox still happening...and here we are, in this forum.
I am attaching all the logs that I have saved with both Garmanma and Quietman7, along with the HJT log and new RootRepeal log of the scans I ran today. I thank you all in advance for all your help.
I am using Chrome to read and respond to you in this forum, so as not to disturb anything with Firefox.
Please help!

First scan, before contacting this website:

a-squared Free - Version 4.5
Last update: 12/7/2009 11:53:10 AM

Scan settings:

Scan type: Deep Scan
Objects: Memory, Traces, Cookies, C:\, E:\, F:\
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 12/7/2009 12:02:22 PM

Value: HKEY_USERS\S-1-5-21-1368276089-2679999987-2383034861-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Emule --> Order detected: Trace.Registry.Emule 5.0!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259545872265000 detected: Trace.TrackingCookie.stat.onestat!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259545872265001 detected: Trace.TrackingCookie.stat.onestat!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259546275828000 detected: Trace.TrackingCookie.trk.pcsecurityshield.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259546275828001 detected: Trace.TrackingCookie.trk.pcsecurityshield.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259546276468001 detected: Trace.TrackingCookie.www.pcsecurityshield.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259546276468002 detected: Trace.TrackingCookie.www.pcsecurityshield.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259547872781000 detected: Trace.TrackingCookie.ad.yieldmanager.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259547872781001 detected: Trace.TrackingCookie.ad.yieldmanager.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259548016890000 detected: Trace.TrackingCookie.server.iad.livepers!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259548017015000 detected: Trace.TrackingCookie.server.iad.livepers!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259943278171000 detected: Trace.TrackingCookie.aol.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259943292171008 detected: Trace.TrackingCookie.aol.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259943305500001 detected: Trace.TrackingCookie.ar.atwola.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259943405453000 detected: Trace.TrackingCookie.www.buy!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259944011796000 detected: Trace.TrackingCookie.ad.yieldmanager.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259944011796002 detected: Trace.TrackingCookie.ad.yieldmanager.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259949163343002 detected: Trace.TrackingCookie.ad.yieldmanager.com!A2
C:\Documents and Settings\Administrator\Local Settings\Temp\11.tmp detected: Virus.Win32.KME!IK
C:\Documents and Settings\Administrator\Local Settings\Temp\16.tmp detected: Virus.Win32.KME!IK
C:\Documents and Settings\Administrator\Local Settings\Temp\1F3.tmp detected: Virus.Win32.KME!IK
C:\Documents and Settings\Administrator\My Documents\Downloads\dvrsetup.exe/rkinstall.exe detected: Gen.AdWare!IK
C:\Documents and Settings\Administrator\My Documents\Downloads\dvrsetup.exe/rkverify.exe detected: Gen.AdWare!IK
C:\Documents and Settings\Administrator\My Documents\Downloads\JMKG 1.3 - 1.4 - 1.5.rar/JMKG 1.5 (Final).exe detected: Riskware.Keygen.Garmin!IK
C:\Documents and Settings\Administrator\My Documents\Downloads\JMKG 1.3 - 1.4 - 1.5.rar/JMGK 1.4.exe detected: Virus.Win32.Trojan!IK
C:\Documents and Settings\Administrator\My Documents\Downloads\JMKG 1.3 - 1.4 - 1.5.rar/JMKG 1.3 (Modified).exe detected: Virus.Win32.Agent.aj!IK
C:\Documents and Settings\Administrator\Shared\only by the night.mp3 detected: Trojan-Downloader.WMA.Wimad!IK
C:\Documents and Settings\Administrator\Shared\red daniel merriweather the best hits ever.mp3 detected: Trojan-Downloader.WMA.GetCodec!IK
C:\Documents and Settings\Administrator\Shared\supernova mr hudson.mp3 detected: Trojan-Downloader.WMA.GetCodec!IK
C:\Program Files\TClock\tclock.exe detected: Virus.Win32.Trojan!IK
C:\Program Files\TurboTax\Premier 2006\32bit\TTXATBTI.EXE detected: Gen.Trojan!IK
C:\Program Files\TurboTax\Premier 2006\32bit\TTXCTBTI.EXE detected: Gen.Trojan!IK
C:\WINDOWS\system32\SysWoW32\wu111991201v0/patch.ECLiPSE.exe detected: Trojan.Win32.SuspectCRC!IK
C:\WINDOWS\system32\SysWoW32\wu111991201v0/setup.exe detected: Downloader.Delphi!IK
C:\WINDOWS\system32\SysWoW32\wu111991201v1/setup.exe detected: Downloader.Delphi!IK
C:\WINDOWS\system32\SysWoW32\wu111991201v2/patch.by.REVENGE.exe detected: Trojan.Win32.SuspectCRC!IK
C:\WINDOWS\system32\SysWoW32\wu111991201v2/setup.exe detected: Downloader.Delphi!IK
C:\WINDOWS\system32\SysWoW32\wu111991201v3/setup.exe detected: Downloader.Delphi!IK
C:\WINDOWS\system32\SysWoW32\_i111991201v0/patch.ECLiPSE.exe detected: Gen.Trojan!IK
C:\WINDOWS\system32\SysWoW32\_i111991201v0/setup.exe detected: Downloader.Delphi!IK
C:\WINDOWS\system32\SysWoW32\_i111991201v1/patch.[FFF].exe detected: Gen.Trojan!IK
C:\WINDOWS\system32\SysWoW32\_i111991201v2/patch.by.REVENGE.exe detected: Gen.Trojan!IK
E:\iomegahdpix\MP3s\LaptopMP3s\animistic .wma detected: Trojan-Downloader.WMA.Wimad!IK
E:\iomegahdpix\MP3s\LaptopMP3s\Eighties classic.wma detected: Trojan-Downloader.WMA.Wimad.l!IK
E:\iomegahdpix\MP3s\LaptopMP3s\is you my baby diana krall - greatest hits.wma detected: Trojan-Downloader.WMA.Wimad!IK
E:\iomegahdpix\MP3s\LaptopMP3s\only by the night.mp3 detected: Trojan-Downloader.WMA.Wimad!IK
E:\iomegahdpix\MP3s\LaptopMP3s\Rare Recording.wma detected: Trojan-Downloader.WMA.Wimad.l!IK
E:\iomegahdpix\My Documents\Serials 2000 v7.1 Splash Screen Killer.zip/S2K Splash Screen Killer Crk..exe detected: Virtool!IK
E:\iomegahdpix\My Documents\wrar32b1.exe/Default.SFX detected: Trojan-Spy.Win32.Banker.ea!IK
E:\iomegahdpix\My Documents\wrar32b1.exe/Zip.SFX detected: Trojan-Spy.Win32.Bancos.ha!IK
E:\JMKG15\JMKG 1.3 - 1.4 - 1.5.rar/JMKG 1.5 (Final).exe detected: Riskware.Keygen.Garmin!IK
E:\JMKG15\JMKG 1.3 - 1.4 - 1.5.rar/JMGK 1.4.exe detected: Virus.Win32.Trojan!IK
E:\JMKG15\JMKG 1.3 - 1.4 - 1.5.rar/JMKG 1.3 (Modified).exe detected: Virus.Win32.Agent.aj!IK
E:\JMKG15\JMKG15.rar/garmin_kgen.exe detected: Riskware.Keygen.Garmin!IK
E:\Program Files\Microsoft Office\Office\SBT\SBCM\SBCMAUT.EXE detected: Gen.Trojan!IK
F:\Program FilesE\CyberMedia Oil Change\CMFSCLNT.dll detected: Trojan.Crypt!IK

Scanned

Files: 421128
Traces: 948277
Cookies: 840
Processes: 67

Found

Files: 38
Traces: 1
Cookies: 21
Processes: 0
Registry keys: 0

Scan end: 12/7/2009 2:35:05 PM
Scan time: 2:32:43

F:\Program FilesE\CyberMedia Oil Change\CMFSCLNT.dll Quarantined Trojan.Crypt!IK
E:\iomegahdpix\My Documents\wrar32b1.exe/Zip.SFX Quarantined Trojan-Spy.Win32.Bancos.ha!IK
E:\iomegahdpix\My Documents\Serials 2000 v7.1 Splash Screen Killer.zip/S2K Splash Screen Killer Crk..exe Quarantined Virtool!IK
E:\iomegahdpix\MP3s\LaptopMP3s\Eighties classic.wma Quarantined Trojan-Downloader.WMA.Wimad.l!IK
E:\iomegahdpix\MP3s\LaptopMP3s\Rare Recording.wma Quarantined Trojan-Downloader.WMA.Wimad.l!IK
C:\WINDOWS\system32\SysWoW32\wu111991201v0/setup.exe Quarantined Downloader.Delphi!IK
C:\WINDOWS\system32\SysWoW32\wu111991201v1/setup.exe Quarantined Downloader.Delphi!IK
C:\WINDOWS\system32\SysWoW32\wu111991201v2/setup.exe Quarantined Downloader.Delphi!IK
C:\WINDOWS\system32\SysWoW32\wu111991201v3/setup.exe Quarantined Downloader.Delphi!IK
C:\WINDOWS\system32\SysWoW32\_i111991201v0/setup.exe Quarantined Downloader.Delphi!IK

Quarantined

Files: 100
Traces: 0
Cookies: 0


Deleted

Files: 14
Traces: 0
Cookies: 0

Second scan 12/20/09

a-squared Free - Version 4.5
Last update: 12/19/2009 11:50:12 PM

Scan settings:

Scan type: Deep Scan
Objects: Memory, Traces, Cookies, C:\, E:\, F:\
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 12/20/2009 12:05:59 AM

Value: HKEY_USERS\S-1-5-21-1368276089-2679999987-2383034861-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Emule --> Order detected: Trace.Registry.Emule 5.0!A2
C:\Documents and Settings\Administrator\Cookies\administrator@about[1].txt detected: Trace.TrackingCookie.about!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259545872265000 detected: Trace.TrackingCookie.stat.onestat!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259545872265001 detected: Trace.TrackingCookie.stat.onestat!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259546275828001 detected: Trace.TrackingCookie.trk.pcsecurityshield.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259546276468001 detected: Trace.TrackingCookie.www.pcsecurityshield.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259546276468002 detected: Trace.TrackingCookie.www.pcsecurityshield.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259547872781000 detected: Trace.TrackingCookie.ad.yieldmanager.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259547872781001 detected: Trace.TrackingCookie.ad.yieldmanager.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259548016890000 detected: Trace.TrackingCookie.server.iad.livepers!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259548017015000 detected: Trace.TrackingCookie.server.iad.livepers!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259943278171000 detected: Trace.TrackingCookie.aol.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259943292171008 detected: Trace.TrackingCookie.aol.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259943305500001 detected: Trace.TrackingCookie.ar.atwola.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259943405453000 detected: Trace.TrackingCookie.www.buy!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259944011796000 detected: Trace.TrackingCookie.ad.yieldmanager.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259944011796002 detected: Trace.TrackingCookie.ad.yieldmanager.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259949163343002 detected: Trace.TrackingCookie.ad.yieldmanager.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1260379287296000 detected: Trace.TrackingCookie.count!A2
E:\iomegahdpix\My Documents\EvID4226Patch212-en.zip/EvID4226Patch.exe detected: Application.Incconnectionslimit!IK
E:\JMKG15\JMKG15.rar/garmin_kgen.exe detected: Riskware.Keygen.Garmin!IK

Scanned

Files: 421322
Traces: 950132
Cookies: 931
Processes: 66

Found

Files: 2
Traces: 1
Cookies: 23
Processes: 0
Registry keys: 0

Scan end: 12/20/2009 2:29:46 AM
Scan time: 2:23:47

E:\iomegahdpix\My Documents\EvID4226Patch212-en.zip/EvID4226Patch.exe Quarantined Application.Incconnectionslimit!IK
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259547872781000 Quarantined Trace.TrackingCookie.ad.yieldmanager.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259547872781001 Quarantined Trace.TrackingCookie.ad.yieldmanager.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259944011796000 Quarantined Trace.TrackingCookie.ad.yieldmanager.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259944011796002 Quarantined Trace.TrackingCookie.ad.yieldmanager.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259949163343002 Quarantined Trace.TrackingCookie.ad.yieldmanager.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259546276468001 Quarantined Trace.TrackingCookie.www.pcsecurityshield.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259546276468002 Quarantined Trace.TrackingCookie.www.pcsecurityshield.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259546275828001 Quarantined Trace.TrackingCookie.trk.pcsecurityshield.com!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259545872265000 Quarantined Trace.TrackingCookie.stat.onestat!A2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\cookies.sqlite:1259545872265001 Quarantined Trace.TrackingCookie.stat.onestat!A2
C:\Documents and Settings\Administrator\Cookies\administrator@about[1].txt Quarantined Trace.TrackingCookie.about!A2

Quarantined

Files: 1
Traces: 0
Cookies: 11

MBAM log:

Malwarebytes' Anti-Malware 1.42
Database version: 3340
Windows 5.2.3790 Service Pack 2
Internet Explorer 8.0.6001.18702

12/10/2009 12:41:46 PM
mbam-log-2009-12-10 (12-41-46).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 242611
Time elapsed: 1 hour(s), 57 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Root Repeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/10 12:52
Program Version: Version 1.3.5.0
Windows Version: Windows Server 2003 SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF55CA000 Size: 118784 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF6AC7000 Size: 36864 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9E3D000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\LB24.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\LB25.tmp
Status: Locked to the Windows API!

Path: c:\documents and settings\administrator\local settings\temp\etilqs_pl8rujos9jyv8n3dgelg
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\administrator\local settings\temp\etilqs_ryvd6zwiahodmnfo8ao9
Status: Allocation size mismatch (API: 32768, Raw: 0)

Hidden Services
-------------------
Service Name: SBCore
Image Path: %SystemRoot%\System32\sbscrexe.exe

==EOF==

Win32K log:

Running from: C:\Documents and Settings\Administrator\My Documents\Downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\Temp\LB24.tmp

[1] 2009-12-10 08:48:37 262144 C:\WINDOWS\Temp\LB24.tmp ()

Cannot access: C:\WINDOWS\Temp\LB25.tmp

[1] 2009-12-10 08:48:37 262144 C:\WINDOWS\Temp\LB25.tmp ()

Finished!

Kaspersky On-Line Virus Scanner log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, December 18, 2009
Operating system: Microsoft Windows Server 2003, Standard Edition Service Pack 2 (build 3790)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, December 18, 2009 05:27:34
Records in database: 3383989
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 131828
Threats found: 5
Infected objects found: 7
Suspicious objects found: 0
Scan duration: 04:53:21


File name / Threat / Threats count
C:\Documents and Settings\Administrator\My Documents\memory-card-data-recovery-demo.exe Infected: not-a-virus:Monitor.Win32.KeyPressHooker.c 1
C:\Documents and Settings\Administrator\Shared\dirtee cash dizzee rascal.mp3 Infected: Trojan-Downloader.WMA.GetCodec.s 1
C:\Documents and Settings\Administrator\Shared\everybody in love jls(1).mp3 Infected: Trojan-Downloader.WMA.GetCodec.s 1
E:\iomegahdpix\Incomplete\T-1395704-Little_Boots_Remedy.wma Infected: Trojan-Downloader.WMA.Wimad.v 1
E:\iomegahdpix\My Documents\surfpics.exe Infected: not-a-virus:AdWare.Win32.Ucmore 2
E:\iomegahdpix\My Documents\surfpics.exe Infected: not-a-virus:AdWare.Win32.Ucmore.a 1

Selected area has been scanned.

Goored Fix scan log:

GooredFix by jpshortstuff (06.12.09.1)
Log created at 10:16 on 23/12/2009 (administrator)
Firefox version 3.5.5 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:27 26/04/2005]
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [16:33 02/06/2007]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [14:05 10/08/2007]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [14:16 09/10/2007]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [15:50 11/03/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [14:22 07/08/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [20:21 07/12/2008]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [16:43 26/03/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [14:58 29/09/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [19:42 07/12/2009]

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\extensions\
{03148420-b2e6-11db-abbd-0800200c9a66} [16:03 29/01/2008]
{20a82645-c095-46ed-80e3-08825760534b} [15:29 03/09/2009]
{33225b31-8308-4efe-b855-b45c6b47aa12} [21:36 22/11/2009]
{DDC359D1-844A-42a7-9AA1-88A850A938A8} [16:31 03/11/2009]
{e001c731-5e37-4538-a5cb-8168736a2360} [02:03 30/11/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [17:12 06/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:20 07/12/2008]

-=E.O.F=-

Finally, here are the logs for HJT and RootRepeal for today, 12/26:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:18:16 PM, on 12/26/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Plextor\PlexTool.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\Administrator\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKLM\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PlexUtilities] C:\Program Files\Plextor\PlexUTILITIES\PlexRadar.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "F:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "F:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: CNET TechTracker.lnk = C:\Documents and Settings\Administrator\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PlexTools Professional.lnk = C:\Program Files\Plextor\PlexTool.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://E:\PROGRA~1\MICROS~1\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - ESC Trusted Zone: http://www.tekram.com.cn
O15 - ESC Trusted Zone: *.intuit.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://downloadcenter.samsung.com
O15 - ESC Trusted Zone: http://org.downloadcenter.samsung.com
O15 - ESC Trusted Zone: http://product.samsung.com
O15 - ESC Trusted Zone: http://www.samsung.com
O15 - ESC Trusted Zone: http://www.tekram.com
O15 - ESC Trusted Zone: http://*.turbotax.com
O15 - ESC Trusted Zone: http://feedback.windows.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://192.168.0.1
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/oas/ActiveX/MSDcode.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1240887647531
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Viglienzoni.local
O17 - HKLM\Software\..\Telephony: DomainName = Viglienzoni.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Viglienzoni.local
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 10570 bytes

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/26 17:19
Program Version: Version 1.3.5.0
Windows Version: Windows Server 2003 SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3F8D000 Size: 118784 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7687000 Size: 36864 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAAAAD000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\LBC.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\LBD.tmp
Status: Locked to the Windows API!

Path: c:\documents and settings\administrator\local settings\temp\etilqs_apawqjsiq2kv5ihwidq2
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\administrator\local settings\temp\etilqs_z6dzt7ge7odxgcw86cse
Status: Allocation size mismatch (API: 8192, Raw: 0)

Hidden Services
-------------------
Service Name: SBCore
Image Path: %SystemRoot%\System32\sbscrexe.exe

==EOF==

Finally, I ran MBAM quick scan, updated, for today:

Malwarebytes' Anti-Malware 1.42
Database version: 3436
Windows 5.2.3790 Service Pack 2
Internet Explorer 8.0.6001.18702

12/26/2009 7:11:12 PM
mbam-log-2009-12-26 (19-11-12).txt

Scan type: Quick Scan
Objects scanned: 113314
Time elapsed: 8 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Sorry for the long message, but I hope it was thorough enough for someone to help me.
Thanks in advance for anyone's help resolving this problem.


Techboy5

Edited by Orange Blossom, 27 December 2009 - 10:43 AM.
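As an added example, written for this thread and not part of the original post or of HijackThis itself, here is a small Python triage script for the kind of HijackThis log posted above. It parses the O4 / O15 / O23 lines into entries, pulls out the binary path where there is one, and flags the entries a reviewer would want to read first: autoruns whose binary lives under a user profile or a temp directory, trusted-zone entries that use a wildcard or a raw IP address, and services with no identifiable vendor. The sample input is constructed from lines in the posted log plus one made-up O23 line (marked in the comment) so that every rule fires at least once. The flags are review heuristics, not verdicts: several of the lines they pick out in this thread (Google Update, CNET TechTracker, the Intuit trusted zone) belong to legitimate software.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: lines copied from the HijackThis log posted in
# this thread, plus one made-up O23 line ("Example Svc", a CONSTRUCTED entry)
# so the "Unknown owner" and temp-directory rules have something to fire on.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: CNET TechTracker.lnk = C:\Documents and Settings\Administrator\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe
O15 - ESC Trusted Zone: *.intuit.com
O15 - ESC Trusted Zone: http://www.samsung.com
O15 - ESC Trusted IP range: http://192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Viglienzoni.local
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Example Svc (examplesvc) - Unknown owner - C:\WINDOWS\Temp\example.exe
"""

# "Onn - <body>" is the shape of every HijackThis entry line.
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# First Windows path ending in a binary extension, quoted (may contain spaces)
# or unquoted (lazy match up to the extension).
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.+?\.(?:exe|dll|sys))\b',
                     re.IGNORECASE)


@dataclass
class Entry:
    section: str                     # O4, O15, O23, ...
    body: str                        # text after "Onn - "
    path: Optional[str] = None       # binary path, if one could be extracted
    flags: List[str] = field(default_factory=list)


def parse_hijackthis(text: str) -> List[Entry]:
    """Turn raw HijackThis log text into Entry objects; non-entry lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        path = (pm.group(1) or pm.group(2)) if pm else None
        entries.append(Entry(section, body, path))
    return entries


def triage(entry: Entry) -> List[str]:
    """Defensive review heuristics: reasons this entry deserves a closer look."""
    flags: List[str] = []
    p = (entry.path or "").lower()
    if p:
        if "\\temp\\" in p:
            flags.append("binary runs from a temp directory")
        if "\\documents and settings\\" in p and (
                "\\application data\\" in p or "\\local settings\\" in p):
            flags.append("binary lives in a user profile, not Program Files or Windows")
    if entry.section == "O15":
        # "ESC Trusted Zone: <target>" / "ESC Trusted IP range: <target>"
        target = entry.body.split(":", 1)[1].strip()
        if "*" in target:
            flags.append("wildcard trusted-zone entry lowers IE security for a whole domain")
        if re.search(r"\d+\.\d+\.\d+\.\d+", target):
            flags.append("trusted zone granted to a raw IP address")
    if entry.section == "O23":
        # "Service: <name> - <company> - <path>"; rsplit tolerates " - " in the name
        parts = entry.body.rsplit(" - ", 2)
        company = parts[1] if len(parts) == 3 else ""
        if company in ("", "Unknown owner"):
            flags.append("service with no identifiable vendor")
    return flags


def review(text: str) -> List[Entry]:
    """Parse the log and return only the entries that picked up at least one flag."""
    flagged: List[Entry] = []
    for e in parse_hijackthis(text):
        e.flags = triage(e)
        if e.flags:
            flagged.append(e)
    return flagged


def section_counts(text: str) -> Dict[str, int]:
    """How many entries of each O-section the log contains."""
    counts: Dict[str, int] = {}
    for e in parse_hijackthis(text):
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        print(f"[{e.section}] {e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```

Run it against a saved HijackThis log by reading the file into `review()`; the output is a shortlist to research, and each flagged path is the thing to verify (vendor, signature, install date) before deciding anything about it.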



#2 Elise (Malware Study Hall Admin, Romania)

Posted 06 January 2010 - 04:07 PM

Hello,
And welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log
Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 techboy5 (Topic Starter)

Posted 07 January 2010 - 08:39 PM

Hello Elise025,

Thank you in advance for your help.
If you read my post in full, you will notice that the dds script will not run on my machine.
That is because I am running Windows 2003 server OS. I receive an error message,
that the program will not run under this OS.
I tried running GMER this morning, but it just crashed the machine to a BSOD the first time,
the second time it caused the system to reboot without my intervention,
and in safe mode, it simply wouldn't run.
I'm sorry these valuable tools will not run.
I can run another course of HiJack This for you if you wish.
I'm reasonably savvy regarding computers, so if you need me to download or install some
esoteric program, I'm pretty sure I can handle it.
I have not installed any programs since those scans were run on 12/26.
I have used the computer, but have not used Firefox. I am using Chrome, and IE8,
neither of which seem to be affected by this redirect malware.
I have booted Firefox, but just to try and see if the redirect is still there- it is. After
confirming that the problem is still there (hoping against hope it would go away),
I power down the computer and then reboot to use it. Needless to say, I am not
conducting any financial transactions or queries while it is in this state!
FWIW, the computer seems to run completely normally unless I boot the Firefox program.
Under Firefox, if I make a Google search, the list of results will appear normally. If I click
on any of those results, I will not get to the website the results indicate, it will take me to
some random search site, or, occasionally, to a malware site that Firefox will block.

I look forward to receiving your next instructions- Thanks again...


Techboy5

#4 Elise (Malware Study Hall Admin, Romania)

Posted 08 January 2010 - 02:49 AM

Sorry, the reply I posted is a standard one I post to every log to verify if it is still active.

Since there are few tools that work with your version of Windows, I would recommend that you re-install Firefox, since this will most likely fix the issue.

However, I can understand you'd rather not do that if you customized it, so it's up to you. Please let me know if you are willing to re-install it.



We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#5 techboy5 (Topic Starter)

Posted 09 January 2010 - 01:59 AM

Hi Elise025,

I had some issues with OTL.exe; using Chrome, it didn't download to the desktop, but to the downloads folder.
I deleted it twice, and then used IE8 to download it, and was able to save it to the desktop. That is why you will
see "Run 3" in the log. Here it is:


OTL logfile created on: 1/8/2010 10:31:22 PM - Run 3
OTL by OldTimer - Version 3.1.22.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 230.00 Mb Available Physical Memory | 22.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 37.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 58.59 Gb Total Space | 28.65 Gb Free Space | 48.89% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 55.89 Gb Total Space | 29.23 Gb Free Space | 52.30% Space Free | Partition Type: NTFS
Drive F: | 114.49 Gb Total Space | 87.05 Gb Free Space | 76.03% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RICHS64SCREAMER
Current User Name: administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/08 22:30:54 | 00,543,232 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2009/11/29 13:24:09 | 01,858,144 | ---- | M] (Emsi Software GmbH) -- c:\Program Files\a-squared Free\a2service.exe
PRC - [2009/11/05 12:06:30 | 01,108,992 | ---- | M] (CBS Interactive) -- C:\Documents and Settings\Administrator\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe
PRC - [2009/11/03 12:49:02 | 00,086,016 | ---- | M] (alch) -- C:\Program Files\ClamWin\bin\ClamTray.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/10/03 04:08:38 | 00,035,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
PRC - [2009/09/05 00:54:42 | 00,417,792 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe
PRC - [2009/08/11 21:55:29 | 01,750,528 | ---- | M] () -- C:\Program Files\Plextor\PlexUTILITIES\PlexRadar.exe
PRC - [2009/05/28 09:14:55 | 00,157,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wins.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/02/16 03:37:19 | 00,450,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2008/12/16 20:39:30 | 09,158,656 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/10/10 05:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2007/04/19 13:08:48 | 00,031,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\BIN\OWSTIMER.EXE
PRC - [2007/02/17 23:30:26 | 00,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\llssrv.exe
PRC - [2007/02/17 02:58:10 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sbscrexe.exe
PRC - [2007/02/17 02:41:50 | 00,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/02/17 02:19:44 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2007/02/17 01:58:36 | 01,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/17 01:50:02 | 00,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
PRC - [2007/02/08 01:13:48 | 00,774,168 | ---- | M] () -- C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
PRC - [2007/02/08 01:12:48 | 00,488,984 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
PRC - [2007/02/08 01:12:20 | 00,230,936 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
PRC - [2007/02/06 17:45:26 | 00,109,344 | ---- | M] (Logitech Inc.) -- c:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2007/02/06 17:43:26 | 00,252,704 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
PRC - [2006/09/11 04:56:24 | 00,218,032 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2006/07/12 12:19:00 | 00,155,715 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2006/07/11 06:24:42 | 00,341,504 | ---- | M] (TiVo Inc.) -- F:\Program Files\TiVo\Desktop\TiVoNotify.exe
PRC - [2006/07/11 06:23:50 | 01,174,528 | ---- | M] (TiVo Inc.) -- C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
PRC - [2006/04/09 01:19:02 | 00,634,880 | ---- | M] (-) -- C:\Program Files\Eraser\eraser.exe
PRC - [2005/05/04 04:07:30 | 00,081,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
PRC - [2004/12/22 01:09:44 | 00,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2004/10/10 22:54:06 | 00,589,824 | R--- | M] (VIA Technologies) -- C:\Program Files\VIA\RAID\raid_tool.exe
PRC - [2004/03/30 13:48:02 | 05,165,056 | ---- | M] (Plextor SA/NV) -- C:\Program Files\Plextor\PlexTool.exe
PRC - [2003/12/09 17:24:58 | 00,868,352 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
PRC - [2003/10/27 01:04:34 | 00,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
PRC - [2003/07/15 11:38:28 | 00,118,784 | ---- | M] (Roxio, Inc.) -- C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
PRC - [2003/07/15 11:38:26 | 00,319,488 | ---- | M] (Roxio, Inc.) -- C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
PRC - [2003/06/20 14:24:09 | 05,028,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\store.exe
PRC - [2003/06/03 00:14:30 | 08,735,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\mad.exe
PRC - [2003/06/03 00:14:19 | 03,117,568 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\exmgmt.exe
PRC - [2003/06/02 22:16:13 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
PRC - [2001/05/01 16:06:22 | 00,053,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MsPMSPSv.exe


========== Modules (SafeList) ==========

MOD - [2010/01/08 22:30:54 | 00,543,232 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2007/02/18 00:01:02 | 01,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\comctl32.dll
MOD - [2007/02/06 17:45:14 | 00,092,960 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcInj.dll
MOD - [2006/07/12 12:19:00 | 01,466,368 | ---- | M] () -- C:\WINDOWS\system32\nview.dll
MOD - [2006/07/12 12:19:00 | 00,081,920 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvwddi.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/29 13:24:09 | 01,858,144 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- c:\program files\a-squared free\a2service.exe -- (a2free)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/06/30 07:40:20 | 00,133,104 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2009/05/28 09:14:55 | 00,157,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wins.exe -- (WINS) Windows Internet Name Service (WINS)
SRV - [2009/02/16 03:37:19 | 00,450,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2008/12/16 20:39:30 | 09,158,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe -- (MSSQL$SHAREPOINT)
SRV - [2008/12/16 17:51:14 | 00,323,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlagent.EXE -- (SQLAgent$SHAREPOINT)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/10/10 05:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2007/04/19 13:08:48 | 00,031,584 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\BIN\OWSTIMER.EXE -- (SPTimer)
SRV - [2007/02/17 23:30:26 | 00,094,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/17 03:07:00 | 00,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 02:58:10 | 00,037,888 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\WINDOWS\system32\sbscrexe.exe -- (SBCore)
SRV - [2007/02/17 02:55:56 | 00,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/17 02:41:50 | 00,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/17 02:20:52 | 00,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/17 02:19:44 | 00,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2007/02/17 02:19:44 | 00,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (RESvc)
SRV - [2007/02/17 02:19:44 | 00,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (POP3Svc)
SRV - [2007/02/17 02:19:44 | 00,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (NntpSvc) Network News Transfer Protocol (NNTP)
SRV - [2007/02/17 02:19:44 | 00,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IMAP4Svc)
SRV - [2007/02/17 02:19:44 | 00,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/02/17 02:19:28 | 00,216,576 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2007/02/17 01:50:02 | 00,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/02/06 17:47:12 | 00,105,248 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
SRV - [2007/02/06 17:45:26 | 00,109,344 | ---- | M] (Logitech Inc.) [Auto | Running] -- c:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2006/07/12 12:19:00 | 00,155,715 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2006/07/11 06:22:40 | 00,857,088 | ---- | M] (TiVo Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe -- (TivoBeacon2)
SRV - [2003/09/10 15:43:05 | 00,025,600 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe -- (MSPOP3Connector)
SRV - [2003/06/20 14:24:09 | 05,028,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\store.exe -- (MSExchangeIS)
SRV - [2003/06/03 00:14:30 | 08,735,232 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\mad.exe -- (MSExchangeSA)
SRV - [2003/06/03 00:14:19 | 03,117,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\exmgmt.exe -- (MSExchangeMGMT)
SRV - [2003/06/02 23:29:59 | 03,585,536 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Exchsrvr\bin\emsmta.exe -- (MSExchangeMTA)
SRV - [2003/06/02 23:23:10 | 00,339,456 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Exchsrvr\bin\srsmain.exe -- (MSExchangeSRS)
SRV - [2003/06/02 23:23:09 | 00,094,720 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Exchsrvr\bin\events.exe -- (MSExchangeES)
SRV - [2003/06/02 22:16:13 | 00,069,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe -- (MSSEARCH)
SRV - [2003/03/25 12:14:56 | 00,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2003/03/25 01:50:02 | 00,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2002/12/17 16:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe -- (MSSQL$SBSMONITORING)
SRV - [2002/12/17 16:23:30 | 00,311,872 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE -- (SQLAgent$SBSMONITORING)
SRV - [2001/05/01 16:06:22 | 00,053,248 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\MsPMSPSv.exe -- (WMDM PMSP Service)


========== Driver Services (SafeList) ==========

DRV - [2009/10/22 12:54:18 | 00,037,392 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\37469832.sys -- (37469832)
DRV - [2009/10/22 12:54:18 | 00,037,392 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\05565762.sys -- (05565762)
DRV - [2009/09/25 16:59:42 | 00,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\37469831.sys -- (37469831)
DRV - [2009/09/25 16:59:42 | 00,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\05565761.sys -- (05565761)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2007/11/13 01:32:23 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/19 16:56:10 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007/02/22 20:29:52 | 00,002,560 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2007/02/22 20:29:52 | 00,002,432 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2007/02/17 04:07:38 | 00,060,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/02/17 03:09:26 | 00,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/17 02:55:58 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2007/02/17 02:54:52 | 00,020,480 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2007/02/17 01:49:38 | 00,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\Dfs.sys -- (DfsDriver)
DRV - [2007/02/17 01:31:14 | 00,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/17 01:17:02 | 00,039,424 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\amdk8.sys -- (AmdK8)
DRV - [2007/02/06 17:45:04 | 00,025,632 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2007/02/06 17:44:36 | 01,964,064 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVMVdrv.sys -- (LVMVDrv)
DRV - [2007/02/06 17:42:40 | 01,691,808 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Lvckap.sys -- (LVcKap)
DRV - [2007/02/03 10:32:36 | 00,041,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/02/03 10:25:56 | 01,075,360 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Camdrl.sys -- (CamDrL) Logitech QuickCam Pro 3000(CamDrl)
DRV - [2006/07/12 12:19:00 | 03,934,592 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/04/06 14:05:24 | 00,015,360 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2004/12/22 01:07:12 | 02,304,320 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/07/06 06:45:36 | 00,060,672 | R--- | M] (VIA Technologies inc,.ltd) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viamraid.sys -- (viamraid)
DRV - [2004/05/17 21:04:16 | 00,041,984 | ---- | M] (DeviceGuys, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Dgivecp.Sys -- (DgiVecp)
DRV - [2004/04/13 04:14:12 | 00,070,144 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2003/12/09 17:24:58 | 00,259,968 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\Cdudf_xp.sys -- (cdudf_xp)
DRV - [2003/12/09 17:24:58 | 00,213,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\UdfReadr_xp.sys -- (UdfReadr_xp)
DRV - [2003/12/09 17:24:58 | 00,146,560 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys -- (DVDVRRdr_xp)
DRV - [2003/12/09 17:24:58 | 00,118,409 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2003/12/09 17:24:58 | 00,022,777 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2003/12/09 17:24:58 | 00,021,993 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2003/06/02 22:37:52 | 00,195,744 | ---- | M] (Microsoft Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\exifs.sys -- (EXIFS)
DRV - [2003/03/24 23:07:18 | 00,009,216 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1)
DRV - [2003/03/13 13:23:28 | 00,019,712 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxofwfp.sys -- (MaxtorFrontPanel1)
DRV - [2000/05/04 23:51:12 | 00,022,016 | ---- | M] (Tekram Technology Co., Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\trm3x5.sys -- (trm3x5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 1E DC 69 0D 66 F4 F1 43 8F 4C 72 00 47 0E 2E 6C [binary data]
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 1E DC 69 0D 66 F4 F1 43 8F 4C 72 00 47 0E 2E 6C [binary data]
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 1E DC 69 0D 66 F4 F1 43 8F 4C 72 00 47 0E 2E 6C [binary data]

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 1E DC 69 0D 66 F4 F1 43 8F 4C 72 00 47 0E 2E 6C [binary data]
IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1368276089-2679999987-2383034861-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
IE - HKU\S-1-5-21-1368276089-2679999987-2383034861-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1368276089-2679999987-2383034861-500\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 1E DC 69 0D 66 F4 F1 43 8F 4C 72 00 47 0E 2E 6C [binary data]
IE - HKU\S-1-5-21-1368276089-2679999987-2383034861-500\S-1-5-21-1368276089-2679999987-2383034861-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1368276089-2679999987-2383034861-500\S-1-5-21-1368276089-2679999987-2383034861-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledItems: {e001c731-5e37-4538-a5cb-8168736a2360}:0.9.8.2
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.7
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {33225b31-8308-4efe-b855-b45c6b47aa12}:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/24 10:52:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/24 10:55:06 | 00,000,000 | ---D | M]

[2008/06/12 19:31:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2009/12/26 17:26:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\extensions
[2008/01/29 08:03:33 | 00,000,000 | ---D | M] (Facebook Photo Album Downloader) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\extensions\{03148420-b2e6-11db-abbd-0800200c9a66}
[2009/12/01 09:12:00 | 00,000,000 | ---D | M] (XUL Cache) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\extensions\{33225b31-8308-4efe-b855-b45c6b47aa12}
[2009/11/03 08:31:58 | 00,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2009/11/29 18:03:05 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2009/12/26 17:26:29 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/10/19 16:56:34 | 00,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcm80.dll
[2007/02/22 20:30:05 | 00,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcp80.dll
[2007/02/22 20:30:05 | 00,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcr80.dll
[2007/08/29 13:47:44 | 00,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
[2008/06/17 22:43:04 | 00,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll

O1 HOSTS File: (366461 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 12612 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ClamWin] C:\Program Files\ClamWin\bin\ClamTray.exe (alch)
O4 - HKLM..\Run: [DWPersistentQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe (-)
O4 - HKLM..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe (Logitech Inc.)
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam10\QuickCam10.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PlexUtilities] C:\Program Files\Plextor\PlexUTILITIES\PlexRadar.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe (VIA Technologies)
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [RoxioAudioCentral] C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe (Roxio, Inc.)
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [RoxioEngineUtility] C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe (Roxio)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TivoTransfer] C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe (TiVo Inc.)
O4 - HKU\S-1-5-21-1368276089-2679999987-2383034861-500..\Run: [Google Update] C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKU\S-1-5-21-1368276089-2679999987-2383034861-500..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKU\S-1-5-21-1368276089-2679999987-2383034861-500..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-1368276089-2679999987-2383034861-500..\Run: [TivoNotify] F:\Program Files\TiVo\Desktop\TiVoNotify.exe (TiVo Inc.)
O4 - HKU\S-1-5-21-1368276089-2679999987-2383034861-500..\Run: [TivoServer] F:\Program Files\TiVo\Desktop\TiVoServer.exe (TiVo Inc.)
O4 - HKU\S-1-5-21-1368276089-2679999987-2383034861-500..\Run: [TivoTransfer] C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe (TiVo Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\CNET TechTracker.lnk = C:\Documents and Settings\Administrator\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe (CBS Interactive)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PlexTools Professional.lnk = C:\Program Files\Plextor\PlexTool.exe (Plextor SA/NV)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-1368276089-2679999987-2383034861-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 95 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1368276089-2679999987-2383034861-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoChangeStartMenu = 0
O7 - HKU\S-1-5-21-1368276089-2679999987-2383034861-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKU\S-1-5-21-1368276089-2679999987-2383034861-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - E:\Program Files\Microsoft Office\Office\1033\PHDINTL.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 33 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 33 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1368276089-2679999987-2383034861-500\..Trusted Domains: 66 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/oas/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab (DLM Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1240887647531 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...8467.8305787037 (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.76.182 68.87.78.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Viglienzoni.local
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/01/20 17:33:50 | 00,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/09/24 06:40:56 | 00,000,069 | ---- | M] () - F:\AUTORUN.INF -- [ NTFS ]
O33 - MountPoints2\{e5789ed2-905f-11da-95ca-505054503030}\Shell\AutoRun\command - "" = H:\setup.exe -- File not found
O33 - MountPoints2\{f2cc72dd-dec6-11db-96cd-505054503030}\Shell - "" = AutoRun
O33 - MountPoints2\{f2cc72dd-dec6-11db-96cd-505054503030}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f2cc72dd-dec6-11db-96cd-505054503030}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk /r \??\K:) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (ndows\CurrentVersion\Explorer\MountPoints2\H\S) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/08 22:30:53 | 00,543,232 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/01/07 07:38:20 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mouhid.sys
[2010/01/07 07:38:08 | 00,011,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidusb.sys
[2009/12/26 21:56:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\NCH Software
[2009/12/26 21:55:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NCH Software
[2009/12/26 21:55:10 | 00,000,000 | ---D | C] -- C:\Program Files\NCH Software
[2009/12/26 21:50:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Any Video Converter Professional
[2009/12/26 21:48:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\AnvSoft
[2009/12/26 18:01:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/12/26 17:08:39 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/12/26 17:08:23 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Administrator\Desktop\RootRepeal.exe
[2009/12/25 16:46:50 | 00,160,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusd.dll
[2009/12/24 10:54:57 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2009/12/23 10:16:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\GooredFix Backups
[2009/12/23 10:15:34 | 00,071,848 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Administrator\Desktop\GooredFix.exe
[2009/12/19 10:38:33 | 00,425,472 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTM.exe
[2009/12/14 14:26:36 | 00,315,408 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\0556576.sys
[2009/12/14 14:26:36 | 00,128,016 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\05565761.sys
[2009/12/14 14:26:36 | 00,037,392 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\05565762.sys
[2009/12/14 12:35:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2009/12/14 12:31:37 | 00,315,408 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\3746983.sys
[2009/12/14 12:31:37 | 00,128,016 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\37469831.sys
[2009/12/14 12:31:37 | 00,037,392 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\37469832.sys
[2009/12/14 12:04:15 | 00,134,408 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2009/12/14 11:16:06 | 60,905,936 | ---- | C] ( ) -- C:\Documents and Settings\Administrator\Desktop\setup_9.0.0.722_14.12.2009_20-38.exe
[2009/12/10 10:25:57 | 00,000,000 | ---D | C] -- C:\getservice
[2008/03/26 19:02:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple
[2006/02/27 08:32:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\TiVo Desktop
[2005/10/29 13:08:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\TiVo Desktop
[2005/04/25 20:08:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ApplicationHistory
[2005/04/25 19:54:08 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2005/04/25 14:49:23 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2005/04/25 14:49:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2005/04/25 14:49:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/01/08 22:30:54 | 00,543,232 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/01/08 22:30:05 | 00,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{F7A98BBD-1542-463E-ACCC-72F452EA3572}.job
[2010/01/08 22:26:59 | 00,003,174 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2010/01/08 22:26:40 | 00,067,863 | ---- | M] () -- C:\WINDOWS\System32\nvwsapps.xml
[2010/01/08 22:25:28 | 00,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/08 22:25:27 | 00,013,758 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/08 22:22:01 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/08 22:21:42 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/08 22:20:50 | 09,437,184 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/01/08 22:20:05 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/01/08 22:06:02 | 00,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/01/08 22:05:45 | 00,002,586 | ---- | M] () -- C:\WINDOWS\System32\licstr.cpa
[2010/01/08 21:50:01 | 00,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1368276089-2679999987-2383034861-500UA.job
[2010/01/08 21:50:01 | 00,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1368276089-2679999987-2383034861-500Core.job
[2010/01/08 09:46:05 | 00,000,428 | ---- | M] () -- C:\WINDOWS\zipgenius.xml
[2010/01/07 09:47:02 | 00,004,429 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\mainhst.zgh
[2010/01/07 08:33:12 | 80,530,6368 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2010/01/04 12:00:14 | 00,000,764 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{2739f9fb-b599-11d9-8527-806e6f6e6963}.job
[2009/12/31 23:10:52 | 02,475,490 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\DSC01948.JPG
[2009/12/31 23:10:36 | 02,466,168 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\DSC01947.JPG
[2009/12/31 23:10:12 | 02,432,590 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\DSC01946.JPG
[2009/12/31 21:36:30 | 02,001,778 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\DSC01945.JPG
[2009/12/31 21:35:04 | 01,960,165 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\DSC01936.JPG
[2009/12/31 13:01:22 | 00,003,866 | ---- | M] () -- C:\WINDOWS\umaxuapi.ini
[2009/12/31 13:01:16 | 00,010,438 | ---- | M] () -- C:\WINDOWS\scan05a.ini
[2009/12/31 12:44:30 | 00,006,260 | ---- | M] () -- C:\WINDOWS\vista32.ini
[2009/12/26 21:56:35 | 00,000,302 | ---- | M] () -- C:\WINDOWS\tasks\videopadSevenDaysInit.job
[2009/12/26 21:55:10 | 00,000,761 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Prism Video Converter.lnk
[2009/12/26 17:19:22 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\settings.dat
[2009/12/26 17:08:39 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2009/12/23 10:15:34 | 00,071,848 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Administrator\Desktop\GooredFix.exe
[2009/12/20 12:10:51 | 00,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2009/12/19 23:05:29 | 00,366,461 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/19 10:38:37 | 00,425,472 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTM.exe
[2009/12/17 05:51:52 | 00,002,344 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk
[2009/12/15 11:24:48 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gmer.exe
[2009/12/14 11:35:31 | 60,905,936 | ---- | M] ( ) -- C:\Documents and Settings\Administrator\Desktop\setup_9.0.0.722_14.12.2009_20-38.exe
[2009/12/11 13:11:20 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Vacation2010.doc
[2009/12/10 12:50:43 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Administrator\Desktop\RootRepeal.exe

========== Files Created - No Company Name ==========

[2010/01/07 08:24:22 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\gmer.exe
[2009/12/31 22:21:29 | 02,432,590 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\DSC01946.JPG
[2009/12/31 22:21:28 | 02,475,490 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\DSC01948.JPG
[2009/12/31 22:21:28 | 02,466,168 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\DSC01947.JPG
[2009/12/31 22:01:43 | 01,960,165 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\DSC01936.JPG
[2009/12/31 22:01:42 | 02,001,778 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\DSC01945.JPG
[2009/12/26 21:56:29 | 00,000,302 | ---- | C] () -- C:\WINDOWS\tasks\videopadSevenDaysInit.job
[2009/12/26 21:55:10 | 00,000,761 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Prism Video Converter.lnk
[2009/12/26 17:19:22 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\settings.dat
[2009/12/26 17:08:39 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2009/12/20 12:10:51 | 00,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2009/12/11 13:11:18 | 00,019,456 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Vacation2010.doc
[2009/11/29 18:28:40 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
[2009/11/22 13:36:18 | 00,005,609 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\02000000539d8bdc684C.manifest
[2009/11/22 13:36:18 | 00,002,492 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\02000000539d8bdc684P.manifest
[2009/11/22 13:36:18 | 00,000,719 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\02000000539d8bdc684O.manifest
[2009/11/22 13:36:18 | 00,000,011 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\02000000539d8bdc684S.manifest
[2009/07/20 10:53:52 | 00,004,429 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\mainhst.zgh
[2008/12/14 12:34:35 | 00,299,454 | ---- | C] () -- C:\WINDOWS\ALLSIM.INI
[2008/12/14 12:34:35 | 00,061,268 | ---- | C] () -- C:\WINDOWS\BIUTILSM.INI
[2008/12/14 12:34:35 | 00,057,969 | ---- | C] () -- C:\WINDOWS\SIMSIM.INI
[2008/12/14 12:34:35 | 00,051,712 | ---- | C] () -- C:\WINDOWS\System32\ngprtserv.dll
[2008/12/14 12:34:35 | 00,000,645 | ---- | C] () -- C:\WINDOWS\Setupwizard.ini
[2008/12/14 12:34:35 | 00,000,580 | ---- | C] () -- C:\WINDOWS\Common.ini
[2007/12/30 10:28:09 | 00,029,904 | ---- | C] () -- C:\Program Files\netgear.cfg
[2007/10/19 16:54:28 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2007/10/19 16:54:28 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2007/08/26 18:45:44 | 00,438,272 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib_dec.dll
[2007/06/16 16:37:36 | 00,015,711 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\AVSDVDPlayer.m3u
[2007/04/13 09:48:12 | 00,001,751 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/02/22 20:29:56 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/02/06 17:45:04 | 00,025,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2007/02/06 17:42:40 | 01,691,808 | ---- | C] () -- C:\WINDOWS\System32\drivers\Lvckap.sys
[2007/02/03 08:59:04 | 00,050,127 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2006/12/12 08:24:42 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2006/07/12 12:19:00 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/07/12 12:19:00 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/07/12 12:19:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/07/12 12:19:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/07/12 12:19:00 | 00,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/06/14 10:23:29 | 00,000,013 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameG.txt
[2006/02/25 22:43:42 | 00,004,797 | ---- | C] () -- C:\WINDOWS\GWSPRO.INI
[2006/01/18 21:53:27 | 00,524,288 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006/01/18 21:53:26 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2006/01/02 22:43:27 | 00,000,036 | ---- | C] () -- C:\WINDOWS\phd2dll.INI
[2005/12/21 02:36:46 | 00,009,728 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2005/12/06 09:53:33 | 00,000,013 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameD.txt
[2005/11/05 08:46:26 | 00,000,537 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2005/10/05 08:12:51 | 00,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2005/08/14 20:56:33 | 00,000,004 | ---- | C] () -- C:\WINDOWS\uccspecb.sys
[2005/07/13 22:12:32 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/05/21 16:31:52 | 00,002,321 | ---- | C] () -- C:\WINDOWS\vista32d.ini
[2005/05/21 16:00:55 | 00,006,260 | ---- | C] () -- C:\WINDOWS\vista32.ini
[2005/05/21 16:00:55 | 00,000,189 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2005/05/21 16:00:55 | 00,000,065 | ---- | C] () -- C:\WINDOWS\umaxdrv.ini
[2005/05/21 16:00:40 | 00,131,072 | ---- | C] () -- C:\WINDOWS\u2x00_32.dll
[2005/05/21 16:00:40 | 00,106,528 | ---- | C] () -- C:\WINDOWS\u1230_32.dll
[2005/05/21 16:00:40 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\usq3400.dll
[2005/05/21 16:00:40 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\sqEp2Usb.dll
[2005/05/21 16:00:40 | 00,030,208 | ---- | C] () -- C:\WINDOWS\uxmail32.dll
[2005/05/21 16:00:40 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\SQUSBIO.dll
[2005/05/21 16:00:40 | 00,018,366 | ---- | C] () -- C:\WINDOWS\uns3400.ini
[2005/05/21 16:00:40 | 00,016,474 | ---- | C] () -- C:\WINDOWS\uns5400.ini
[2005/05/21 16:00:40 | 00,010,438 | ---- | C] () -- C:\WINDOWS\scan05a.ini
[2005/05/21 16:00:40 | 00,006,932 | ---- | C] () -- C:\WINDOWS\System32\glscan.sys
[2005/05/21 16:00:40 | 00,003,866 | ---- | C] () -- C:\WINDOWS\umaxuapi.ini
[2005/05/21 16:00:39 | 00,068,608 | ---- | C] () -- C:\WINDOWS\vufile32.dll
[2005/05/21 16:00:39 | 00,027,648 | ---- | C] () -- C:\WINDOWS\vudcli32.dll
[2005/05/21 16:00:39 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\drivers\udnt.sys
[2005/05/03 19:57:35 | 00,000,008 | ---- | C] () -- C:\WINDOWS\System32\PROTOCOL.INI
[2005/04/25 22:38:31 | 00,182,784 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/04/25 21:44:31 | 00,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/04/25 19:54:13 | 00,000,137 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\fusioncache.dat
[2005/04/25 17:53:13 | 00,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2005/04/25 17:32:32 | 00,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2005/04/25 17:02:45 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/04/25 16:56:19 | 00,000,000 | ---- | C] () -- C:\WINDOWS\frontpg.ini
[2005/04/25 16:55:17 | 00,017,579 | ---- | C] () -- C:\WINDOWS\System32\nntpctrs.ini
[2005/04/25 16:47:25 | 00,011,597 | ---- | C] () -- C:\WINDOWS\System32\dnsperf.ini
[2005/04/25 14:57:03 | 00,198,656 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/04/25 14:53:04 | 00,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2005/04/25 14:52:59 | 00,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2005/04/25 14:32:13 | 00,021,792 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2005/04/25 14:32:13 | 00,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2005/04/25 14:30:50 | 00,050,666 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2005/04/25 14:30:49 | 00,010,793 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2005/04/25 14:30:39 | 00,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2005/04/01 15:16:00 | 00,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/04/01 15:16:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2003/02/21 18:49:39 | 00,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2003/02/21 18:49:30 | 00,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2003/02/21 18:49:05 | 00,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2003/02/21 18:49:05 | 00,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini
[2003/02/21 18:48:40 | 00,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2003/02/21 18:48:19 | 00,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2003/01/30 06:04:00 | 00,618,496 | ---- | C] () -- C:\WINDOWS\System32\StlpMt45.dll
[1999/01/22 10:46:56 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 00:00:00 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:661DFA1C
< End of report >


Also, OTL didn't create a new txt with each run. This is the result from the first run this morning:


OTL Extras logfile created on: 1/8/2010 9:08:51 AM - Run 1
OTL by OldTimer - Version 3.1.21.2 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 239.00 Mb Available Physical Memory | 23.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 34.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 58.59 Gb Total Space | 28.75 Gb Free Space | 49.06% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 55.89 Gb Total Space | 29.23 Gb Free Space | 52.30% Space Free | Partition Type: NTFS
Drive F: | 114.49 Gb Total Space | 87.05 Gb Free Space | 76.03% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RICHS64SCREAMER
Current User Name: administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1368276089-2679999987-2383034861-500\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with XnView] -- "E:\Program Files\XnView\xnview.exe" "%1" (XnView, http://www.xnview.com)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"4434:TCP" = 4434:TCP:*:Enabled:nVision Agent Data Server

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"4434:TCP" = 4434:TCP:*:Enabled:nVision Agent Data Server

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Axence\NetTools\3.2\nVision.exe" = C:\Program Files\Axence\NetTools\3.2\nVision.exe:*:Enabled:nVision -- (Axence Software, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- ()
"C:\Program Files\Axence\NetTools\3.2\nVision.exe" = C:\Program Files\Axence\NetTools\3.2\nVision.exe:*:Enabled:nVision -- (Axence Software, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Premium
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Disc 2
"{01B82B57-2B06-458C-83B5-FC3315BC1AA9}" = Samsung CLP-500 Series
"{0552A36D-0D7E-4FF5-8FDB-6629ABA7C779}" = iTunes
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0C753D2F-C64A-44B9-8FF4-A7752D8F2EC7}" = Windows Small Business Server Admin
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 17
"{2734011B-3709-45B2-A946-5A1ADB1AFCFE}" = Windows Small Business Server Documents
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{301CC8D1-FE75-41ED-9B11-41F006110950}" = Garmin City Navigator North America NT 2010.10 Update
"{31271095-CD3A-4C9F-89F6-B5F6F3B35636}" = Windows Small Business Server Remote Portal
"{314C19E0-7FA5-11D5-A6B4-0050BA724CB6}" = Vstascan
"{3248F0A8-6813-11D6-A77B-00B0D0150010}" = J2SE Runtime Environment 5.0 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{3C5EA394-1033-11D2-A2CB-00C04F72F31D}" = Microsoft PhotoDraw 2000 V2
"{46DDF76F-ACD4-42BC-B48F-B89C4EE2E1A9}" = Easy CD & DVD Creator 6
"{471BB1D9-6F59-4093-B46D-373772D5C111}" = Far Cry Demo
"{4E839090-3B68-436A-B3CF-A2A08C38DD26}" = TiVo Desktop
"{53BE2241-531B-49FB-B03D-06C377179548}" = Windows Small Business Server IE Client App
"{57689BE0-BFA7-11DD-AD8B-0800200C9A66}" = Livestation
"{5A347920-4AFC-11D5-9FB0-800649886934}" = SDFormatter
"{5B30AA25-BF39-4BE4-8FEE-51938BAB214D}" = TurboTax 2008 wcaiper
"{5D622FC5-B037-4505-AD5A-60555C2A05E9}" = Microsoft Connector for POP3 Mailboxes
"{607CE53B-0999-4F3B-8FF1-DB1AA47548A8}" = Roxio PhotoSuite 5
"{64A411C9-DB09-4F01-A8D4-2D5227D7A074}" = Windows Small Business Server Licensing
"{65657C59-23A8-4974-B8E0-BA04EBD04E4F}" = Microsoft SQL Server Desktop Engine (SHAREPOINT)
"{66C8DA1B-9156-44B6-B222-2219BC6F21A9}" = Windows Small Business Server Client Setup
"{671E4E4D-4798-4F66-9C9E-C5762E73179E}" = Microsoft XML Parser
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7D2370AC-D8E6-4996-986A-19824F8A167C}" = Logitech QuickCam
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{82CA0A0C-A3EC-4167-B694-909205B2EDEC}" = muvee Plugin 1.0
"{8681E826-9DC6-4EAC-84B7-971EA795BD36}" = Microsoft Group Policy Management Console
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{88A6C12D-DED9-412B-9CC2-643F03674EDF}" = Windows Small Business Server Fax Cfg
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8EFE8B68-29E3-4F11-980B-1CDC9E21B258}" = Windows Small Business Server Connectivity
"{91140409-7000-11D3-8CFE-0150048383C9}" = Microsoft Windows SharePoint Services 2.0
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A7DEBAA4-B211-4D1A-A6B3-E52BFAAA1D0C}" = Garmin Communicator Plugin
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{ACCB890A-C291-4157-92A1-5A56D71AB047}" = Windows Small Business Server Fax
"{ACE0B250-0370-42D3-B137-16BB4BC0BD61}" = Windows Small Business Server ActiveSync
"{ADCFD3CB-BC9D-4B19-8AD7-3D2196FE9207}" = Microsoft .NET Framework 1.1 -- Device Update 2.0
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7300824-E68F-45F1-BAC1-5F15636C346F}" = Microsoft SQL Server Desktop Engine (SBSMONITORING)
"{B80CC46C-5839-4A48-B051-3CACF23A2718}_is1" = Eraser 5.8
"{BA0CA1B4-5491-11D7-97BC-00055D0CA761}" = Roxio DVDMax Player
"{C084BC61-E537-11DE-8616-005056806466}" = Google Earth
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C60D2F28-E6D6-4CD9-98BC-5840A237C3E7}" = PlexTools Professional V2.12
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
"{E3DD8B4D-D2B2-457A-B5D6-66B5031535A2}" = Windows Small Business Server Backup
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{EB132F7D-C614-40F5-952C-ED7391638A1B}" = Windows Small Business Server Client Experience
"{EC3B598C-1151-4191-B5B4-A9072ADE6259}_is1" = ZipGenius 6 (6.0.3.1150)
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FBFAAFB3-4773-495B-B030-00ABC17A01DC}" = VistaScan
"{FFFFED3C-5E7E-4C6C-A7B9-8BAB6181852B}" = Windows Small Business Server Monitoring
"3ivx MPEG-4 5.0.1 Decoder" = 3ivx MPEG-4 5.0.1 Decoder (remove only)
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"5717D53E-DD6D-4d1e-8A1F-C7BE620F65AA" = Windows Small Business Server 2003
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"All Media Fixer_is1" = All Media Fixer 7.8
"Applian FLV Player2.0.23" = Applian FLV Player
"ASF-AVI-RM-WMV Repair_is1" = ASF-AVI-RM-WMV Repair 1.82
"a-squared Free_is1" = a-squared Free 2.1
"Audacity_is1" = Audacity 1.2.6
"Avi Divx Wmv Real Mp3 Media Fixer Pro_is1" = Avi Divx Wmv Real Mp3 Media Fixer Pro 7.0
"Avidemux 2.4" = Avidemux 2.4
"AVS DVD Player_is1" = AVS DVD Player version 2.4
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS Video Recorder_is1" = AVS Video Recorder 2.4
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3
"Axence NetTools_is1" = Axence NetTools 3.2
"CCleaner" = CCleaner
"ClamWin Free Antivirus_is1" = ClamWin Free Antivirus 0.95.3
"CodInstl" = Intel A/V Codecs V2.0
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Digital Video Repair" = Digital Video Repair 1.0
"DivX Content Uploader" = DivX Content Uploader
"Duplicate Photo Finder" = FirmTools Duplicate Photo Finder 1
"Easy Duplicate Finder_is1" = Easy Duplicate Finder v. 2.2.1
"Easy Video Joiner_is1" = Easy Video Joiner 5.21
"eMule" = eMule
"ffdshow" = ffdshow
"GOM Player" = GOM Player
"GSpot" = GSpot Codec Information Appliance
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"Indeo® Software" = Indeo® Software
"InfraRecorder" = InfraRecorder
"InstallShield_{0552A36D-0D7E-4FF5-8FDB-6629ABA7C779}" = iTunes
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"InstallShield_{471BB1D9-6F59-4093-B46D-373772D5C111}" = Far Cry Demo
"IrfanView" = IrfanView (remove only)
"LimeWire" = LimeWire PRO 4.12.3
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Health Monitor 2.1" = Microsoft Health Monitor 2.1
"Mozilla Firefox (3.5.6)" = Mozilla Firefox (3.5.6)
"MultiMediaNavigator" = MultiMediaNavigator
"NETGEAR Print Server Software" = NETGEAR Print Server Software
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"OpenAL" = OpenAL
"PlexUtil" = PlexUTILITIES 1.2.3
"Prism" = Prism Video Converter
"RealAlt_is1" = Real Alternative 1.7.5
"Samsung CLP-500 Series" = Samsung CLP-500 Series
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.0
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"SpywareBlaster_is1" = SpywareBlaster 4.2
"TurboTax 2005" = TurboTax 2005
"TurboTax 2008" = TurboTax 2008
"TurboTax Premier 2007" = TurboTax Premier 2007
"TurboTax Premier Investments 2006" = TurboTax Premier Investments 2006
"UUDeview for Windows" = UUDeview for Windows
"WIC" = Windows Imaging Component
"Windows Server 2003 Service Pack" = Windows Server 2003 Service Pack 2
"WinRAR archiver" = WinRAR archiver
"XnView_is1" = XnView 1.96.2
"XviD_is1" = XviD 1.1 final uninstall

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1368276089-2679999987-2383034861-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent 6.0 Beta
"BitTorrent DNA" = DNA
"CNET TechTracker" = CNET TechTracker
"Google Chrome" = Google Chrome
"WinDirStat" = WinDirStat 1.1.2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/4/2009 12:32:06 AM | Computer Name = RICHS64SCREAMER | Source = Windows SharePoint Services 2.0 | ID = 1000
Description = #50070: Unable to connect to the database STS_Config on RICHS64SCREAMER\SharePoint.
Check the database connection information and make sure that the database server
is running.

Error - 9/4/2009 12:32:12 AM | Computer Name = RICHS64SCREAMER | Source = Windows SharePoint Services 2.0 | ID = 1000
Description = #50070: Unable to connect to the database STS_Config on RICHS64SCREAMER\SharePoint.
Check the database connection information and make sure that the database server
is running.

Error - 9/4/2009 12:32:17 AM | Computer Name = RICHS64SCREAMER | Source = Windows SharePoint Services 2.0 | ID = 1000
Description = #50070: Unable to connect to the database STS_Config on RICHS64SCREAMER\SharePoint.
Check the database connection information and make sure that the database server
is running.

Error - 9/4/2009 12:32:49 AM | Computer Name = RICHS64SCREAMER | Source = Windows SharePoint Services 2.0 | ID = 1000
Description = #50070: Unable to connect to the database STS_Config on RICHS64SCREAMER\SharePoint.
Check the database connection information and make sure that the database server
is running.

Error - 9/4/2009 3:16:45 AM | Computer Name = RICHS64SCREAMER | Source = MSExchangeAL | ID = 8026
Description = LDAP Bind was unsuccessful on directory richs64screamer.Viglienzoni.local
for distinguished name ''. Directory returned error:[0x51] Server Down. For more
information, click http://www.microsoft.com/contentredirect.asp.

Error - 9/4/2009 3:16:45 AM | Computer Name = RICHS64SCREAMER | Source = MSExchangeDSAccess | ID = 264246
Description = Process MAD.EXE (PID=2428). All Domain Controller Servers in use are
not responding: richs64screamer.Viglienzoni.local For more information, click http://www.microsoft.com/contentredirect.asp.

Error - 9/4/2009 3:16:45 AM | Computer Name = RICHS64SCREAMER | Source = MSExchangeDSAccess | ID = 264248
Description = Process INETINFO.EXE (PID=1576). All the DS Servers in domain are
not responding. For more information, click http://www.microsoft.com/contentredirect.asp.

Error - 9/4/2009 3:16:50 AM | Computer Name = RICHS64SCREAMER | Source = MSExchangeAL | ID = 8026
Description = LDAP Bind was unsuccessful on directory richs64screamer.Viglienzoni.local
for distinguished name ''. Directory returned error:[0x51] Server Down. For more
information, click http://www.microsoft.com/contentredirect.asp.

Error - 9/4/2009 3:16:51 AM | Computer Name = RICHS64SCREAMER | Source = MSExchangeAL | ID = 8026
Description = LDAP Bind was unsuccessful on directory richs64screamer.Viglienzoni.local
for distinguished name ''. Directory returned error:[0x51] Server Down. For more
information, click http://www.microsoft.com/contentredirect.asp.

Error - 9/4/2009 3:16:52 AM | Computer Name = RICHS64SCREAMER | Source = MSExchangeAL | ID = 8250
Description = The Win32 API call 'DsGetDCNameW' returned error code [0x862] The
specified component could not be found in the configuration information. The service
could not be initialized. Make sure that the operating system was installed properly.


For
more information, click http://www.microsoft.com/contentredirect.asp.

[ Directory Service Events ]
Error - 12/18/2009 2:30:22 AM | Computer Name = RICHS64SCREAMER | Source = NTDS General | ID = 1126
Description = Active Directory was unable to establish a connection with the global
catalog. Additional Data Error value: 8430 The directory service encountered an internal
failure. Internal ID: 3200c89 User Action: Make sure a global catalog is available
in the forest, and is reachable from this domain controller. You may use the nltest
utility to diagnose this problem.

Error - 12/18/2009 3:30:24 AM | Computer Name = RICHS64SCREAMER | Source = NTDS General | ID = 1126
Description = Active Directory was unable to establish a connection with the global
catalog. Additional Data Error value: 8430 The directory service encountered an internal
failure. Internal ID: 3200c89 User Action: Make sure a global catalog is available
in the forest, and is reachable from this domain controller. You may use the nltest
utility to diagnose this problem.

Error - 12/18/2009 4:30:26 AM | Computer Name = RICHS64SCREAMER | Source = NTDS General | ID = 1126
Description = Active Directory was unable to establish a connection with the global
catalog. Additional Data Error value: 8430 The directory service encountered an internal
failure. Internal ID: 3200c89 User Action: Make sure a global catalog is available
in the forest, and is reachable from this domain controller. You may use the nltest
utility to diagnose this problem.

Error - 12/18/2009 5:30:28 AM | Computer Name = RICHS64SCREAMER | Source = NTDS General | ID = 1126
Description = Active Directory was unable to establish a connection with the global
catalog. Additional Data Error value: 8430 The directory service encountered an internal
failure. Internal ID: 3200c89 User Action: Make sure a global catalog is available
in the forest, and is reachable from this domain controller. You may use the nltest
utility to diagnose this problem.

Error - 12/18/2009 6:30:40 AM | Computer Name = RICHS64SCREAMER | Source = NTDS General | ID = 1126
Description = Active Directory was unable to establish a connection with the global
catalog. Additional Data Error value: 8430 The directory service encountered an internal
failure. Internal ID: 3200c89 User Action: Make sure a global catalog is available
in the forest, and is reachable from this domain controller. You may use the nltest
utility to diagnose this problem.

Error - 12/18/2009 7:30:40 AM | Computer Name = RICHS64SCREAMER | Source = NTDS General | ID = 1126
Description = Active Directory was unable to establish a connection with the global
catalog. Additional Data Error value: 1355 The specified domain either does not exist
or could not be contacted. Internal ID: 3200d33 User Action: Make sure a global catalog
is available in the forest, and is reachable from this domain controller. You may
use the nltest utility to diagnose this problem.

Error - 12/18/2009 8:30:40 AM | Computer Name = RICHS64SCREAMER | Source = NTDS General | ID = 1126
Description = Active Directory was unable to establish a connection with the global
catalog. Additional Data Error value: 1355 The specified domain either does not exist
or could not be contacted. Internal ID: 3200c89 User Action: Make sure a global catalog
is available in the forest, and is reachable from this domain controller. You may
use the nltest utility to diagnose this problem.

Error - 12/18/2009 9:30:41 AM | Computer Name = RICHS64SCREAMER | Source = NTDS General | ID = 1126
Description = Active Directory was unable to establish a connection with the global
catalog. Additional Data Error value: 1355 The specified domain either does not exist
or could not be contacted. Internal ID: 3200c89 User Action: Make sure a global catalog
is available in the forest, and is reachable from this domain controller. You may
use the nltest utility to diagnose this problem.

Error - 12/18/2009 10:30:41 AM | Computer Name = RICHS64SCREAMER | Source = NTDS General | ID = 1126
Description = Active Directory was unable to establish a connection with the global
catalog. Additional Data Error value: 1355 The specified domain either does not exist
or could not be contacted. Internal ID: 3200d33 User Action: Make sure a global catalog
is available in the forest, and is reachable from this domain controller. You may
use the nltest utility to diagnose this problem.

Error - 12/18/2009 11:30:41 AM | Computer Name = RICHS64SCREAMER | Source = NTDS General | ID = 1126
Description = Active Directory was unable to establish a connection with the global
catalog. Additional Data Error value: 1355 The specified domain either does not exist
or could not be contacted. Internal ID: 3200c89 User Action: Make sure a global catalog
is available in the forest, and is reachable from this domain controller. You may
use the nltest utility to diagnose this problem.

[ DNS Server Events ]
Error - 1/3/2010 9:27:05 PM | Computer Name = RICHS64SCREAMER | Source = DNS | ID = 4015
Description = The DNS server has encountered a critical error from the Active Directory.
Check
that the Active Directory is functioning properly. The extended error debug information
(which may be empty) is "". The event data contains the error.

Error - 1/3/2010 9:27:05 PM | Computer Name = RICHS64SCREAMER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone .. This DNS server is configured to use information obtained from Active
Directory
for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and repeat enumeration of the zone. The extended
error debug information (which may be empty) is "". The event data contains the
error.

Error - 1/3/2010 9:27:05 PM | Computer Name = RICHS64SCREAMER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone _msdcs.Viglienzoni.local. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 1/3/2010 9:27:05 PM | Computer Name = RICHS64SCREAMER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone 0.168.192.in-addr.arpa. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 1/3/2010 9:27:05 PM | Computer Name = RICHS64SCREAMER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone Viglienzoni.local. This DNS server is configured to use information obtained
from Active Directory for this zone and is unable to load the zone without it.
Check that the Active Directory is functioning properly and repeat enumeration of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 1/8/2010 12:22:56 PM | Computer Name = RICHS64SCREAMER | Source = DNS | ID = 4015
Description = The DNS server has encountered a critical error from the Active Directory.
Check
that the Active Directory is functioning properly. The extended error debug information
(which may be empty) is "". The event data contains the error.

Error - 1/8/2010 12:22:56 PM | Computer Name = RICHS64SCREAMER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone .. This DNS server is configured to use information obtained from Active
Directory
for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and repeat enumeration of the zone. The extended
error debug information (which may be empty) is "". The event data contains the
error.

Error - 1/8/2010 12:22:56 PM | Computer Name = RICHS64SCREAMER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone _msdcs.Viglienzoni.local. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 1/8/2010 12:22:56 PM | Computer Name = RICHS64SCREAMER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone 0.168.192.in-addr.arpa. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 1/8/2010 12:22:56 PM | Computer Name = RICHS64SCREAMER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone Viglienzoni.local. This DNS server is configured to use information obtained
from Active Directory for this zone and is unable to load the zone without it.
Check that the Active Directory is functioning properly and repeat enumeration of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

[ System Events ]
Error - 6/30/2009 3:04:03 PM | Computer Name = RICHS64SCREAMER | Source = Print | ID = 6161
Description = The document Microsoft Word - Envelopes1 owned by administrator failed
to print on printer \\PS350899\HPLJ5L. Data type: NT EMF 1.008. Size of the spool
file in bytes: 0. Number of bytes printed: 0. Total number of pages in the document:
0. Number of pages printed: 0. Client machine: \\RICHS64SCREAMER. Win32 error code
returned by the print processor: 259. No more data is available.

Error - 6/30/2009 3:04:18 PM | Computer Name = RICHS64SCREAMER | Source = Print | ID = 6161
Description = The document Microsoft Word - Envelopes1 owned by administrator failed
to print on printer \\PS350899\HPLJ5L. Data type: NT EMF 1.008. Size of the spool
file in bytes: 0. Number of bytes printed: 0. Total number of pages in the document:
0. Number of pages printed: 0. Client machine: \\RICHS64SCREAMER. Win32 error code
returned by the print processor: 259. No more data is available.

Error - 6/30/2009 4:45:36 PM | Computer Name = RICHS64SCREAMER | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.201 for the Network Card with network
address 003018B14F7C has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 7/1/2009 11:04:58 AM | Computer Name = RICHS64SCREAMER | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 7/7/2009 9:43:02 AM | Computer Name = RICHS64SCREAMER | Source = IPSec | ID = 4292
Description = The IPSec driver has entered Block mode. IPSec will discard all inbound
and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy
exemptions. User Action: To restore full unsecured TCP/IP connectivity, disable
the IPSec services, and then restart the computer. For detailed troubleshooting
information, review the events in the Security event log.

Error - 7/7/2009 9:43:35 AM | Computer Name = RICHS64SCREAMER | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%10048

Error - 7/7/2009 9:47:18 AM | Computer Name = RICHS64SCREAMER | Source = EventLog | ID = 6008
Description = The previous system shutdown at 6:42:40 AM on 7/7/2009 was unexpected.

Error - 7/8/2009 10:21:49 AM | Computer Name = RICHS64SCREAMER | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 7/12/2009 3:30:18 PM | Computer Name = RICHS64SCREAMER | Source = EventLog | ID = 6008
Description = The previous system shutdown at 12:27:52 PM on 7/12/2009 was unexpected.

Error - 7/13/2009 10:22:41 AM | Computer Name = RICHS64SCREAMER | Source = EventLog | ID = 6008
Description = The previous system shutdown at 12:41:18 PM on 7/12/2009 was unexpected.


< End of report >


Hope this is the information you're looking for....

Awaiting your next instructions....

You're correct, I have customized Firefox some, but if reinstalling it would fix the problem, I would certainly consider it.

Techboy5

#6 Elise (Bleepin' Blonde; Malware Study Hall Admin, 61,066 posts, Romania)

Posted 09 January 2010 - 07:30 AM

Hello,

No need to re-install Firefox, I already see the problem :(

Please read and follow all these instructions very carefully.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 techboy5 (Topic Starter; Members, 20 posts)

Posted 10 January 2010 - 12:35 AM

Hi Elise025,

I have downloaded and run gooredfix.exe....
here's the log from it....

GooredFix by jpshortstuff (08.01.10.1)
Log created at 21:35 on 09/01/2010 (administrator)
Firefox version 3.5.6 (en-US)

========== GooredScan ==========

Deleting "C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\extensions\{33225b31-8308-4efe-b855-b45c6b47aa12}" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:27 26/04/2005]
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [16:33 02/06/2007]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [14:05 10/08/2007]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [14:16 09/10/2007]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [15:50 11/03/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [14:22 07/08/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [20:21 07/12/2008]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [16:43 26/03/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [14:58 29/09/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [19:42 07/12/2009]

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wr64c7ax.default\extensions\
{03148420-b2e6-11db-abbd-0800200c9a66} [16:03 29/01/2008]
{20a82645-c095-46ed-80e3-08825760534b} [15:29 03/09/2009]
{DDC359D1-844A-42a7-9AA1-88A850A938A8} [16:31 03/11/2009]
{e001c731-5e37-4538-a5cb-8168736a2360} [02:03 30/11/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [17:12 06/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:20 07/12/2008]

-=E.O.F=-


Awaiting your next instructions....

Techboy5
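
A small parser for the GooredFix log format posted above, added here as an example (not part of the thread, and not GooredFix's own code): it pulls out what the tool deleted and every extension it listed with its timestamp, then flags the entries installed shortly before the log was taken, which is the first place to look when a redirect started recently. The sample log is constructed from the IDs in the post with the profile paths shortened; the 60-day window is an assumed triage default.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the GooredFix layout from this thread (IDs from the posted log, paths shortened).
SAMPLE_LOG = """Log created at 21:35 on 09/01/2010 (administrator)
========== GooredScan ==========
Deleting "C:\\Profiles\\wr64c7ax.default\\extensions\\{33225b31-8308-4efe-b855-b45c6b47aa12}" -> Success!
========== GooredLog ==========
C:\\Program Files\\Mozilla Firefox\\extensions\\
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [19:42 07/12/2009]
C:\\Profiles\\wr64c7ax.default\\extensions\\
{DDC359D1-844A-42a7-9AA1-88A850A938A8} [16:31 03/11/2009]
{e001c731-5e37-4538-a5cb-8168736a2360} [02:03 30/11/2009]
[HKEY_LOCAL_MACHINE\\Software\\Mozilla\\Firefox\\Extensions]
"jqs@sun.com"="C:\\Program Files\\Java\\jre6\\lib\\deploy\\jqs\\ff" [20:20 07/12/2008]
-=E.O.F=-
"""

# An extension line is a {GUID} or a "name"="path" registry value, followed by [HH:MM DD/MM/YYYY].
ENTRY_RE = re.compile(r'^(\{[0-9A-Fa-f-]+\}|"[^"]+"="[^"]*")\s+\[(\d\d:\d\d \d\d/\d\d/\d{4})\]$')
DELETE_RE = re.compile(r'^Deleting "([^"]+)" -> (\w+)!')
TS_FMT = "%H:%M %d/%m/%Y"

def parse_goored_log(text):
    """Return log time, deleted paths, and each listed extension (id, timestamp) keyed by its directory or registry key."""
    report = {"created": None, "deleted": [], "locations": {}}
    section = location = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("Log created at "):
            hhmm, _, date = line.split()[3:6]
            report["created"] = datetime.strptime(f"{hhmm} {date}", TS_FMT)
        elif line.startswith("=====") and line.endswith("====="):
            section = line.strip("= ")
        elif section == "GooredScan":
            m = DELETE_RE.match(line)
            if m:
                report["deleted"].append((m[1], m[2]))
        elif section == "GooredLog":
            m = ENTRY_RE.match(line)
            if m:
                report["locations"].setdefault(location, []).append((m[1], datetime.strptime(m[2], TS_FMT)))
            elif line != "-=E.O.F=-":
                location = line  # a directory path or a registry key header
    return report

def recent_installs(report, days=60):
    """Extensions stamped within `days` before the log was written: the first entries to review when a redirect began recently."""
    cutoff = report["created"] - timedelta(days=days)
    hits = [(loc, i, ts) for loc, es in report["locations"].items() for i, ts in es if ts >= cutoff]
    return sorted(hits, key=lambda h: h[2])
```

On the sample, the two entries stamped within 60 days of the log are the profile extension from 30/11/2009 and the Java Console entry from 07/12/2009; the timestamp alone does not prove anything, it only orders what to check first.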

#8 Elise (Bleepin' Blonde; Malware Study Hall Admin, 61,066 posts, Romania)

Posted 10 January 2010 - 03:40 AM

How're the redirects now?

regards, Elise

#9 techboy5 (Topic Starter; Members, 20 posts)

Posted 11 January 2010 - 11:01 PM

Hi Elise025,

Thank you so much. The redirects are gone, and I'm responding to you using Firefox.
Thanks again for your time and effort...

Best Wishes,

Techboy5

#10 Elise (Bleepin' Blonde; Malware Study Hall Admin, 61,066 posts, Romania)

Posted 12 January 2010 - 06:42 AM

Good to hear that :)

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Hiding Hidden Files
Please set your system to hide all hidden files.
  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
  • Check: Hide file extensions for known file types
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise

#11 techboy5 (Topic Starter; Members, 20 posts)

Posted 13 January 2010 - 12:58 PM

Hi Elise025,

Unfortunately, System Restore is not an option with Windows Server 2003.
I already follow the advice in your post.
Maybe it's time to give up on the OS and move on to Windows 7.
I hate to do it, though; Win2003 Server was a freebie from MS, and is very
stable. It's been on this computer since it was new, and I can count on one
hand how many times it's crashed - perhaps three! And that's since 2003!

Anyway, thanks again for all your help. I wish you well.


Techboy5

#12 Elise (Bleepin' Blonde; Malware Study Hall Admin, 61,066 posts, Romania)

Posted 13 January 2010 - 01:16 PM

Don't worry, I am not too familiar with Server 2003, so that's why I included the steps. There's no malware there, but for good measure I always instruct to reset System Restore.

Let me know if you have any more questions.

regards, Elise

#13 Elise (Bleepin' Blonde; Malware Study Hall Admin, 61,066 posts, Romania)

Posted 16 January 2010 - 12:40 PM

This topic is now closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise