Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Google search redirect malware


  • This topic is locked This topic is locked
17 replies to this topic

#1 ecosteve

ecosteve

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 05 January 2010 - 04:55 PM

Hello,

I've had the Google redirect problem for almost a week now. I got one of the scareware fake antivirus attacks either at the same time, but that's all under control now. I've scanned my system with Trend Micro Internet Security, SpyBot, SpywareGuard, SpywareBlaster, MBAM, HTL and SuperAntiSpyware -- each one seems to catch something new, but I still have the same browser problem. Any help solving this problem would be MUCH appreciated!

The DDS text is pasted below, and I've attached the other two requested text files. Thanks in advance!


DDS (Ver_09-12-01.01) - NTFSx86
Run by Steve at 15:12:52.40 on Tue 01/05/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.168 [GMT -6:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\vo6eea86.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\steve\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\steve\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\steve\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPE2Host.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-1-4 36368]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-8-31 339984]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-8-31 50704]
R3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2010-1-4 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-1-4 689416]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-6 135664]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\adm851x.sys --> c:\windows\system32\drivers\ADM851X.SYS [?]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S3 sasrfcService;sasrfc Service;c:\program files\sas institute\sas\v8\access\sasexe\sasrfc.exe [2008-5-1 41984]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-01-05 19:22:08 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-05 19:21:29 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-05 19:21:29 0 d-----w- c:\docume~1\steve\applic~1\SUPERAntiSpyware.com
2010-01-05 19:17:35 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-05 15:57:34 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-05 15:56:17 0 d-----w- c:\program files\Lavasoft
2010-01-05 14:34:54 0 d-----w- c:\program files\VS Revo Group
2010-01-05 14:17:26 0 d-----w- c:\program files\DrWebCureit
2010-01-05 14:10:00 0 d-----w- c:\program files\SpywareBlaster
2010-01-05 04:59:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Trend Micro
2010-01-05 04:58:26 0 d-----w- c:\program files\Trend Micro
2010-01-05 04:48:45 661808 ----a-w- c:\windows\system32\UfWSC.cpl
2010-01-05 04:48:39 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-01-05 04:48:39 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2010-01-05 04:48:39 225808 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2010-01-05 04:48:39 1223832 ----a-w- c:\windows\system32\drivers\vsapint.sys
2009-12-31 14:11:24 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-31 14:11:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-31 14:03:08 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-31 12:30:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 12:30:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 12:30:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 00:59:18 0 d-----w- c:\docume~1\steve\applic~1\Malwarebytes
2009-12-31 00:59:14 0 d-----w- c:\windows\pss
2009-12-31 00:58:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-31 00:35:42 0 d--h--w- c:\windows\system32\GroupPolicy
2009-12-30 23:25:28 773120 ----a-w- c:\windows\system32\drivers\vydbwvcg.sys
2009-12-13 16:08:41 345384 ----a-w- c:\windows\system32\dsNcCredProv.dll
2009-12-13 16:07:54 0 d-----w- c:\program files\Juniper Networks
2009-12-13 16:06:22 0 d-----w- c:\docume~1\steve\applic~1\Juniper Networks
2009-12-13 16:06:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Juniper Networks

==================== Find3M ====================

2010-01-05 04:48:39 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-01-05 04:48:39 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-01-05 04:48:39 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-04 14:08:34 81959 ----a-w- c:\windows\system32\nvModes.dat
2009-11-12 21:51:30 4199784 ----a-w- c:\windows\system32\cdintf400.dll
2009-11-12 21:51:18 1721784 ----a-w- c:\windows\system32\inetclnt.dll
2009-11-04 16:51:12 1817590 ----a-w- c:\program files\PCord.zip
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-07 23:05:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-18 12:52:01 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-09-18 12:52:01 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-09-18 12:52:01 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 15:15:17.67 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:46 PM

Posted 13 January 2010 - 09:14 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 ecosteve

ecosteve
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 14 January 2010 - 10:37 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

  • Please download OTL from following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti



#4 ecosteve

ecosteve
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 14 January 2010 - 10:43 PM

Hi -- here's the text from OTL. Thanks for your time!
___________________________________
from OTL.exe text:

OTL logfile created on: 1/14/2010 9:22:29 PM - Run 1
OTL by OldTimer - Version 3.1.24.1 Folder = C:\Documents and Settings\Steve\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 147.00 Mb Available Physical Memory | 29.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.16 Gb Total Space | 20.05 Gb Free Space | 21.52% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 7.55 Gb Total Space | 0.87 Gb Free Space | 11.48% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: INSPIRON8600
Current User Name: Steve
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/14 21:03:20 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
PRC - [2010/01/04 22:48:28 | 01,020,248 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
PRC - [2010/01/04 22:48:26 | 00,715,368 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
PRC - [2009/11/06 15:25:29 | 00,135,664 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe
PRC - [2009/10/07 17:05:54 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/10/07 17:05:54 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/04/02 14:11:02 | 00,342,312 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/04/02 14:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/03/26 13:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/03/20 16:34:48 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
PRC - [2009/01/23 01:46:56 | 00,431,472 | ---- | M] (Juniper Networks) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
PRC - [2008/12/12 09:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/23 00:08:13 | 00,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [2008/04/17 08:08:46 | 01,528,608 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2008/04/15 00:40:39 | 00,032,256 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/21 09:28:36 | 00,643,072 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007/02/21 09:19:58 | 00,819,200 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2007/02/21 09:19:40 | 00,294,912 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2007/02/21 09:17:42 | 00,970,752 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2007/02/21 09:16:48 | 00,983,040 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2007/02/21 09:13:26 | 00,487,424 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2007/02/21 09:10:00 | 00,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2006/06/29 10:13:32 | 01,032,192 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2006/06/29 10:12:34 | 00,376,832 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2005/10/07 12:13:38 | 00,176,128 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2005/07/27 14:41:08 | 00,045,056 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2005/07/19 15:32:18 | 00,221,184 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\LVCOMSX.EXE
PRC - [2005/06/08 13:14:44 | 00,217,088 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Video\LogiTray.exe
PRC - [2005/06/08 12:44:56 | 00,192,512 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Video\FxSvr2.exe
PRC - [2004/10/26 10:01:00 | 00,127,044 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2004/06/28 21:56:12 | 00,045,056 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\hidfind.exe
PRC - [2004/04/11 18:15:14 | 00,290,816 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\Media Experience\PCMService.exe
PRC - [2004/03/14 23:04:00 | 00,122,933 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfswctrl.exe
PRC - [2003/08/29 02:59:24 | 00,122,880 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\BCMSMMSG.exe


========== Modules (SafeList) ==========

MOD - [2010/01/14 21:03:20 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/01/04 22:48:27 | 00,689,416 | ---- | M] (Trend Micro Inc.) [On_Demand | Stopped] -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe -- (TmProxy)
SRV - [2010/01/04 22:48:27 | 00,497,008 | ---- | M] (Trend Micro Inc.) [On_Demand | Stopped] -- C:\Program Files\Trend Micro\Internet Security\TmPfw.exe -- (TmPfw)
SRV - [2010/01/04 22:48:27 | 00,345,352 | ---- | M] (Trend Micro Inc.) [On_Demand | Stopped] -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe -- (TMBMServer)
SRV - [2010/01/04 22:48:26 | 00,715,368 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe -- (SfCtlCom)
SRV - [2009/11/06 15:25:29 | 00,135,664 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2009/10/07 17:05:54 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/04/02 14:10:56 | 00,656,168 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/03/26 13:31:20 | 00,132,424 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/03/20 16:34:48 | 00,183,280 | ---- | M] (Google) [Auto | Running] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/01/23 01:46:56 | 00,431,472 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
SRV - [2008/12/12 09:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/04/17 08:08:46 | 01,528,608 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2007/10/25 13:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 09:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2007/02/21 09:28:36 | 00,643,072 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2007/02/21 09:19:40 | 00,294,912 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2007/02/21 09:16:48 | 00,983,040 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2007/02/21 09:10:00 | 00,327,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2006/11/08 14:35:38 | 00,053,248 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2006/11/08 14:35:36 | 00,043,520 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2006/06/29 10:12:34 | 00,376,832 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
SRV - [2005/11/13 23:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/10/26 10:01:00 | 00,127,044 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2003/07/28 10:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2000/05/20 03:00:00 | 00,041,984 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\SAS Institute\SAS\V8\access\sasexe\sasrfc.exe -- (sasrfcService)


========== Driver Services (SafeList) ==========

DRV - [2010/01/07 14:12:24 | 00,000,000 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\vydbwvcg.sys -- (vydbwvcg)
DRV - [2010/01/04 22:48:39 | 01,223,832 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vsapint.sys -- (vsapint)
DRV - [2010/01/04 22:48:39 | 00,225,808 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmxpflt.sys -- (tmxpflt)
DRV - [2010/01/04 22:48:39 | 00,158,224 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2010/01/04 22:48:39 | 00,089,872 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2010/01/04 22:48:39 | 00,059,920 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2010/01/04 22:48:39 | 00,050,704 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2010/01/04 22:48:39 | 00,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmpreflt.sys -- (tmpreflt)
DRV - [2009/11/23 08:43:30 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/11/23 08:43:30 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/11/23 08:43:28 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/08/31 20:54:54 | 00,339,984 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TM_CFW.sys -- (tmcfw)
DRV - [2009/04/21 11:02:40 | 00,021,425 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2009/03/26 13:23:46 | 00,036,864 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/03/19 14:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/01/23 01:27:22 | 00,023,552 | ---- | M] (Juniper Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dsNcAdpt.sys -- (dsNcAdpt)
DRV - [2008/11/20 13:19:06 | 00,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/04/17 08:07:52 | 00,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2008/04/13 12:56:49 | 00,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2008/04/13 12:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/03/29 16:36:28 | 00,125,328 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2008/01/07 13:36:00 | 02,216,064 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/02/21 09:16:12 | 00,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/01/18 16:28:02 | 00,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2005/09/28 18:57:18 | 00,113,847 | R--- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2005/08/12 15:50:46 | 00,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/05/27 03:46:22 | 00,913,280 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LV302AV.SYS -- (PID_08A0) QuickCam IM(PID_08A0)
DRV - [2005/05/27 03:38:00 | 00,007,136 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lv302af.sys -- (pepifilter)
DRV - [2005/05/27 03:31:28 | 00,022,016 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2005/01/26 10:22:20 | 00,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2004/12/13 15:14:00 | 00,039,904 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\cercsr6.sys -- (cercsr6)
DRV - [2004/11/15 13:37:52 | 00,264,440 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\stac97.sys -- (STAC97) Audio Driver (WDM)
DRV - [2004/10/26 10:01:00 | 02,830,688 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/08/04 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/03/14 23:04:00 | 00,100,597 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/03/14 23:04:00 | 00,098,580 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/03/14 23:04:00 | 00,085,972 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/03/14 23:04:00 | 00,034,837 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/03/14 23:04:00 | 00,025,685 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/03/14 23:04:00 | 00,014,229 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/03/14 23:04:00 | 00,006,357 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/03/14 23:04:00 | 00,004,117 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/03/14 23:04:00 | 00,002,233 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/02/27 00:56:00 | 00,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/02/13 01:21:00 | 00,086,160 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/01/14 17:18:16 | 00,005,621 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/01/14 17:18:04 | 00,023,219 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2003/09/26 08:41:10 | 00,044,032 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/08/29 02:59:24 | 01,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2001/08/22 06:42:58 | 00,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-823518204-688789844-1343024091-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-823518204-688789844-1343024091-1003\S-1-5-21-823518204-688789844-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-823518204-688789844-1343024091-1003\S-1-5-21-823518204-688789844-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {EF522540-89F5-46b9-B6FE-1829E2B572C6}:4.0
FF - prefs.js..extensions.enabledItems: foxmarks@kei.com:3.4.6
FF - prefs.js..extensions.enabledItems: {4a428302-5267-4749-bb22-459b3236695f}:3.03

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/07/13 11:20:49 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/30 18:06:42 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/21 19:09:26 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/08/22 12:11:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2008/08/27 15:47:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\Mozilla\Extensions
[2010/01/14 08:36:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\extensions
[2008/08/27 15:50:12 | 00,000,000 | ---D | M] (Modern Modoki) -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\extensions\{4a428302-5267-4749-bb22-459b3236695f}
[2008/05/02 10:04:17 | 00,000,000 | ---D | M] (Aquatint Black) -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\extensions\{526fd696-27a0-11dc-8314-0800200c9a66}
[2010/01/11 09:27:59 | 00,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/12/13 18:20:38 | 00,000,000 | ---D | M] (SearchPreview) -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6}
[2009/12/13 18:20:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\extensions\foxmarks@kei.com
[2008/05/13 19:04:53 | 00,001,632 | ---- | M] () -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\searchplugins\weathercom.xml
[2008/05/13 19:05:23 | 00,001,032 | ---- | M] () -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\searchplugins\wikipedia-eng.xml
[2010/01/14 08:36:25 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/05/22 12:38:44 | 00,102,400 | ---- | M] (ESRI ) -- C:\Program Files\Mozilla Firefox\plugins\NPE2Host.dll
[2005/12/05 20:31:00 | 00,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
[2008/05/14 22:33:00 | 00,000,905 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\conduit.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-823518204-688789844-1343024091-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [BCMSMMSG] C:\WINDOWS\BCMSMMSG.exe (Broadcom Corporation)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe (Logitech Inc.)
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe (Logitech Inc.)
O4 - HKLM..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE (Logitech Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\Media Experience\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UfSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-823518204-688789844-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-823518204-688789844-1343024091-1003\..Trusted Domains: //@surf.mar@/ ([]money in Local intranet)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/05/01 14:29:22 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{558d6e08-4df2-11de-ad1c-001143626cc2}\Shell - "" = AutoRun
O33 - MountPoints2\{558d6e08-4df2-11de-ad1c-001143626cc2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{558d6e08-4df2-11de-ad1c-001143626cc2}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{9b870701-1aa7-11dd-aaa8-001143626cc2}\Shell\AutoRun\command - "" = E:\wd_windows_tools\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/14 21:03:19 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
[2010/01/05 15:14:50 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Steve\Desktop\RootRepeal.exe
[2010/01/05 13:22:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/01/05 13:21:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\Application Data\SUPERAntiSpyware.com
[2010/01/05 13:21:29 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/01/05 13:17:35 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/01/05 12:40:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\Desktop\ListDlls
[2010/01/05 09:57:34 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2010/01/05 09:56:17 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/01/05 09:56:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/01/05 08:34:54 | 00,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2010/01/05 08:17:26 | 00,000,000 | ---D | C] -- C:\Program Files\DrWebCureit
[2010/01/05 08:10:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/01/05 08:10:00 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2010/01/04 22:59:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trend Micro
[2010/01/04 22:58:26 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/04 22:48:45 | 00,661,808 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\UfWSC.cpl
[2010/01/04 22:48:39 | 01,223,832 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\vsapint.sys
[2010/01/04 22:48:39 | 00,225,808 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmxpflt.sys
[2010/01/04 22:48:39 | 00,089,872 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmtdi.sys
[2010/01/04 22:48:39 | 00,036,368 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmpreflt.sys
[2009/12/31 08:11:24 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/12/31 08:11:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/12/31 06:30:05 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/31 06:30:03 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/31 06:30:03 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/30 20:09:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2009/12/30 19:02:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2009/12/30 18:59:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\Application Data\Malwarebytes
[2009/12/30 18:59:14 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/12/30 18:58:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/30 18:35:42 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2009/12/28 19:55:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\Local Settings\Application Data\Move Networks
[2009/12/18 08:37:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\Desktop\synonym_db
[2009/12/06 15:32:24 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/11/06 15:30:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/11/06 15:25:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/08/03 22:30:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/09/25 20:36:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/06/30 14:00:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/05/01 15:25:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Intel
[2008/05/01 15:25:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Intel
[2008/05/01 14:33:19 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/14 21:30:04 | 00,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/01/14 21:22:11 | 00,081,959 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/01/14 21:22:10 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/14 21:22:06 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/01/14 21:22:04 | 00,017,112 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/01/14 21:22:00 | 00,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/01/14 21:21:59 | 00,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/14 21:21:53 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/14 21:21:44 | 53,612,9536 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/14 21:20:33 | 09,699,328 | -H-- | M] () -- C:\Documents and Settings\Steve\NTUSER.DAT
[2010/01/14 21:20:33 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Steve\ntuser.ini
[2010/01/14 21:19:18 | 00,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-823518204-688789844-1343024091-1003UA.job
[2010/01/14 21:17:47 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/14 21:03:20 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
[2010/01/14 18:19:01 | 00,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-823518204-688789844-1343024091-1003Core.job
[2010/01/14 10:36:24 | 00,081,959 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2010/01/12 12:38:08 | 00,323,303 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Olson 1996 Ecol.pdf
[2010/01/12 12:05:10 | 00,209,717 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Ricklefs 2008 AmNat.pdf
[2010/01/12 11:30:17 | 01,938,750 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Pickett & McDonnell 1989 TREE.pdf
[2010/01/12 11:19:10 | 00,332,047 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Hubbell etal 1999 Science.pdf
[2010/01/12 11:10:49 | 03,304,291 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Simberloff 1976 Ecology.pdf
[2010/01/12 11:07:03 | 00,765,626 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Simberloff & Wilson 1969 Ecology.pdf
[2010/01/12 10:34:12 | 00,631,638 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Tilman etal 1996 Nature.pdf
[2010/01/12 10:02:21 | 00,407,319 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Hubbell 1997 CoralReefs.pdf
[2010/01/12 09:59:48 | 00,919,917 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Hutchinson 1961 AmNat.pdf
[2010/01/12 09:41:44 | 00,295,727 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Hutchinson 1959 AmNat.pdf
[2010/01/12 09:38:39 | 01,952,874 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Clark & Clark 1984 AmNat.pdf
[2010/01/11 21:37:47 | 00,389,923 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Morin 1984 Ecol.pdf
[2010/01/11 19:30:33 | 00,260,863 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Hairston 1980 Ecol.pdf
[2010/01/11 19:28:18 | 00,733,429 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Pacala & Roughgarden 1982 Science.pdf
[2010/01/11 19:09:28 | 02,380,151 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Cody 1991 Vegetatio.pdf
[2010/01/11 18:15:18 | 03,222,933 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Schoener 1974 Science.pdf
[2010/01/11 17:33:53 | 00,422,297 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Gleason 1917 BullTorrBotClub.pdf
[2010/01/11 17:31:23 | 00,753,874 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Finegan 1984 Nature.pdf
[2010/01/07 14:12:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\vydbwvcg.sys
[2010/01/06 14:22:36 | 00,036,864 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\2009 Postdoc TAR.xls
[2010/01/06 12:07:20 | 00,000,017 | -H-- | M] () -- C:\WINDOWS\System32\servdat.slm
[2010/01/06 11:09:12 | 00,000,014 | ---- | M] () -- C:\WINDOWS\System32\ssprs.tgz
[2010/01/05 15:17:50 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\settings.dat
[2010/01/05 15:14:50 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Steve\Desktop\RootRepeal.exe
[2010/01/05 15:12:03 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\dds.scr
[2010/01/04 22:48:45 | 00,661,808 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\UfWSC.cpl
[2010/01/04 22:48:39 | 01,223,832 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\vsapint.sys
[2010/01/04 22:48:39 | 00,225,808 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmxpflt.sys
[2010/01/04 22:48:39 | 00,158,224 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/01/04 22:48:39 | 00,089,872 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmtdi.sys
[2010/01/04 22:48:39 | 00,059,920 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmactmon.sys
[2010/01/04 22:48:39 | 00,050,704 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmevtmgr.sys
[2010/01/04 22:48:39 | 00,036,368 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmpreflt.sys
[2009/12/31 11:07:51 | 04,321,392 | -H-- | M] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\IconCache.db
[2009/12/31 08:03:08 | 00,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/12/30 19:16:20 | 00,000,623 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/30 19:16:20 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/30 19:16:20 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/30 14:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/16 18:30:23 | 01,954,040 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\LeClere 1994 NatTaxJ.pdf
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/14 16:35:45 | 00,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/12 12:38:08 | 00,323,303 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Olson 1996 Ecol.pdf
[2010/01/12 12:05:10 | 00,209,717 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Ricklefs 2008 AmNat.pdf
[2010/01/12 11:30:17 | 01,938,750 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Pickett & McDonnell 1989 TREE.pdf
[2010/01/12 11:19:10 | 00,332,047 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Hubbell etal 1999 Science.pdf
[2010/01/12 11:10:48 | 03,304,291 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Simberloff 1976 Ecology.pdf
[2010/01/12 11:07:03 | 00,765,626 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Simberloff & Wilson 1969 Ecology.pdf
[2010/01/12 10:34:12 | 00,631,638 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Tilman etal 1996 Nature.pdf
[2010/01/12 10:02:21 | 00,407,319 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Hubbell 1997 CoralReefs.pdf
[2010/01/12 09:59:48 | 00,919,917 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Hutchinson 1961 AmNat.pdf
[2010/01/12 09:41:44 | 00,295,727 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Hutchinson 1959 AmNat.pdf
[2010/01/12 09:38:39 | 01,952,874 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Clark & Clark 1984 AmNat.pdf
[2010/01/11 21:37:47 | 00,389,923 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Morin 1984 Ecol.pdf
[2010/01/11 19:30:33 | 00,260,863 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Hairston 1980 Ecol.pdf
[2010/01/11 19:28:18 | 00,733,429 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Pacala & Roughgarden 1982 Science.pdf
[2010/01/11 19:09:28 | 02,380,151 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Cody 1991 Vegetatio.pdf
[2010/01/11 18:15:17 | 03,222,933 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Schoener 1974 Science.pdf
[2010/01/11 17:33:53 | 00,422,297 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Gleason 1917 BullTorrBotClub.pdf
[2010/01/11 17:31:23 | 00,753,874 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Finegan 1984 Nature.pdf
[2010/01/06 14:22:36 | 00,036,864 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\2009 Postdoc TAR.xls
[2010/01/05 15:17:50 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\settings.dat
[2010/01/05 15:12:02 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\dds.scr
[2009/12/31 08:03:08 | 00,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/12/30 18:51:09 | 53,612,9536 | -HS- | C] () -- C:\hiberfil.sys
[2009/12/30 17:25:28 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\vydbwvcg.sys
[2009/12/16 18:30:23 | 01,954,040 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\LeClere 1994 NatTaxJ.pdf
[2009/12/05 21:30:22 | 00,000,120 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2009/11/04 10:51:08 | 01,817,590 | ---- | C] () -- C:\Program Files\PCord.zip
[2009/09/16 09:12:50 | 00,000,049 | ---- | C] () -- C:\WINDOWS\wxls32.ini
[2009/08/30 11:17:16 | 00,000,098 | ---- | C] () -- C:\WINDOWS\bh-hzht-aicarik.ini
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/06/01 14:34:04 | 00,000,171 | ---- | C] () -- C:\WINDOWS\HIGHED32.INI
[2009/05/27 22:29:04 | 00,000,523 | ---- | C] () -- C:\WINDOWS\LisWin32.ini
[2009/05/27 22:29:04 | 00,000,076 | ---- | C] () -- C:\WINDOWS\LISWIN32S.INI
[2008/10/26 20:05:50 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/06/21 20:44:06 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2008/06/16 23:10:33 | 00,015,872 | ---- | C] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/05/12 19:35:37 | 00,009,255 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/05/12 07:37:15 | 00,000,770 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Installer.log
[2008/05/01 21:13:50 | 00,016,160 | ---- | C] () -- C:\WINDOWS\System32\sasperf.dll
[2008/05/01 17:03:30 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2008/05/01 17:03:30 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2008/05/01 17:03:30 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2008/05/01 17:03:30 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\nsprs.dll
[2008/05/01 17:00:25 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2008/05/01 17:00:25 | 00,000,342 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2008/05/01 16:49:11 | 00,000,021 | ---- | C] () -- C:\WINDOWS\CS_setup.ini
[2008/05/01 16:41:59 | 00,033,280 | ---- | C] () -- C:\WINDOWS\System32\SP32W.DLL
[2008/05/01 16:41:56 | 00,162,304 | ---- | C] () -- C:\WINDOWS\System32\DLWBC31.DLL
[2008/05/01 16:00:09 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/05/01 15:20:15 | 00,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2008/04/17 08:08:56 | 00,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2008/04/17 08:08:44 | 00,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2004/03/26 16:59:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/01/07 13:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1999/01/27 11:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 05:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >


_____________________________
from Extras.txt:


OTL Extras logfile created on: 1/14/2010 9:22:29 PM - Run 1
OTL by OldTimer - Version 3.1.24.1 Folder = C:\Documents and Settings\Steve\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 147.00 Mb Available Physical Memory | 29.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.16 Gb Total Space | 20.05 Gb Free Space | 21.52% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 7.55 Gb Total Space | 0.87 Gb Free Space | 11.48% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: INSPIRON8600
Current User Name: Steve
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"10000:TCP" = 10000:TCP:*:Enabled:VPN1
"4500:UDP" = 4500:UDP:*:Enabled:VPN2
"62515:UDP" = 62515:UDP:*:Enabled:VPN3
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Ruckus Player\Ruckus.exe" = C:\Program Files\Ruckus Player\Ruckus.exe:*:Enabled:Ruckus -- File not found
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Cooktop 2.5\xcooktop.exe" = C:\Program Files\Cooktop 2.5\xcooktop.exe:*:Enabled:Cooktop -- (Victor Pavlov - Cooktop@MindSpring.com)
"C:\WINDOWS\TEMP\dibi.tmp\svchost.exe" = C:\WINDOWS\TEMP\dibi.tmp\svchost.exe:*:Enabled:svchost -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03B1BBDC-7FAA-4A03-9988-A85428BAD382}" = Sun ODF Plugin for Microsoft Office 3.0
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 15
"{3215EBED-1D06-42fb-A05C-A752A46FB24C}" = Canon MP530
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{4C271126-C295-4828-A901-5910AE0C258B}" = Cisco Systems VPN Client 5.0.03.0530
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"{56DF5C9E-6392-46D3-B366-297B14E1DAAF}" = Bonjour Core for Windows
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}" = iTunes
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{718D791F-F4E8-4aa7-98A6-15FDED17BDD0}" = Trend Micro Internet Security
"{790993EE-42FF-4D74-8770-FD6DB582A435}_is1" = DeadLine Equation Solver
"{7B18E7E2-AFCA-4CBE-8CD5-3613315AB262}" = ArcGIS Explorer
"{7DA83DDA-0EB0-11D6-A937-00C04F091145}" = SigmaPlot 8.0
"{7F1B3341-A94E-4F5C-B587-CA0EB964221E}" = Microsoft Money Shared Libraries
"{829CD169-E692-48E8-9BDE-A3E8D8B65538}" = mSCfg
"{878C2374-D034-11D3-87D1-00C04F38F645}" = sasshcmp
"{87F7773C-EC9C-461A-AA7B-4AF8EF54DF49}" = EndNote X1
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{9A3EABC0-CA06-11D4-BF77-00104B130C19}" = EPSON TWAIN 5
"{9D2B0322-44AE-460E-9283-4D2D7A9205AE}" = Trend Micro Internet Security
"{9DE3F260-B88E-42CE-90E7-73C78C37D95E}" = 32 Bit HP BiDi Channel Components Installer
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A09501A9-EE89-4961-83E1-AF6581F118A5}" = SPSS 15.0 for Windows Graduate Student Version
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A8C51F05-1DB0-4CB7-9974-39763C93D941}" = LISREL 8.80 for Windows (Student Edition)
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}" = Nikon View 6
"{AC76BA86-1033-0000-7760-100000000002}" = Adobe Acrobat 7.0 Professional
"{AF971E35-DE5A-4213-948D-1BB326382A18}" = Cooktop 2.5
"{AFA20D47-69C3-4030-8DF8-D37466E70F13}" = Apple Mobile Device Support
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BBB33AD6-BCF7-4002-B6A0-6DC679AE5C18}" = TaxCut Premium + State + Efile 2008
"{C084BC61-E537-11DE-8616-005056806466}" = Google Earth
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C43048A9-742C-4DAD-90D2-E3B53C9DB825}" = Logitech QuickCam Software
"{C4D26D60-7B43-4CE9-AE19-A380D9DF126B}" = Garmin MapSource
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CCF6F57B-F6B4-4508-BF45-63AAC9DE416A}" = Quicken 2010
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E6A64398-84A0-4499-B44B-2DBD3D1E9E7E}" = TaxCut Georgia 2008
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
"Adobe Acrobat 7.0 Professional - V" = Adobe Acrobat 7.1.0 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ArcSoft Software Suite" = ArcSoft Software Suite
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"Canon MP530 User Registration" = Canon MP530 User Registration
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Google Updater" = Google Updater
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ImageJ_is1" = ImageJ 1.42q
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"InterActual Player" = InterActual Player
"Intkey" = Intkey
"ISI ResearchSoft - Export Helper" = ISI ResearchSoft - Export Helper
"Juniper Network Connect 6.3.0" = Juniper Networks Network Connect 6.3.0
"Logitech Print Service" = Logitech Print Service
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MapSource" = MapSource
"Mesquite" = Mesquite
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Money2008b" = Microsoft Money Plus
"Mozilla Firefox (3.0.16)" = Mozilla Firefox (3.0.16)
"Mozilla Thunderbird (2.0.0.23)" = Mozilla Thunderbird (2.0.0.23)
"MP Navigator 2.2" = Canon MP Navigator 2.2
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"OpenStat_is1" = OpenStat Version 14.09.09
"Pcord4" = Pcord4
"Picasa 3" = Picasa 3
"PopTools_is1" = PopTools
"ProInst" = Intel® PROSet/Wireless Software
"QcDrv" = Logitech® Camera Driver
"R for Windows 2.9.0_is1" = R for Windows 2.9.0
"RealPlayer 6.0" = RealPlayer
"Revo Uninstaller" = Revo Uninstaller 1.85
"SAS v8" = The SAS System V8
"SecureW2 EAP Suite" = SecureW2 EAP Suite 1.0.6 for Windows
"SpywareBlaster_is1" = SpywareBlaster 4.2
"SYSTAT 10.2" = SYSTAT 10.2
"VLC media player" = VideoLAN VLC media player 0.8.6h
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-823518204-688789844-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Move Media Player" = Move Media Player
"Neoteris_Host_Checker" = Juniper Networks Host Checker

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/6/2010 3:07:25 PM | Computer Name = INSPIRON8600 | Source = Application Hang | ID = 1002
Description = Hanging application Acrobat.exe, version 7.0.8.218, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/6/2010 3:09:45 PM | Computer Name = INSPIRON8600 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3623, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/6/2010 3:09:48 PM | Computer Name = INSPIRON8600 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3623, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/6/2010 5:25:28 PM | Computer Name = INSPIRON8600 | Source = Google Update | ID = 20
Description =

Error - 1/7/2010 10:28:48 AM | Computer Name = INSPIRON8600 | Source = Application Error | ID = 1000
Description = Faulting application SfCtlCom.exe, version 17.50.0.1366, faulting
module SfFnDbMg.dll, version 17.50.0.1366, fault address 0x000067f0.

Error - 1/7/2010 10:39:18 AM | Computer Name = INSPIRON8600 | Source = Google Update | ID = 20
Description =

Error - 1/7/2010 10:47:43 AM | Computer Name = INSPIRON8600 | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
shlwapi.dll, version 6.0.2900.5512, fault address 0x0002c4a8.

Error - 1/7/2010 11:40:05 AM | Computer Name = INSPIRON8600 | Source = Google Update | ID = 20
Description =

Error - 1/7/2010 12:37:07 PM | Computer Name = INSPIRON8600 | Source = Google Update | ID = 20
Description =

Error - 1/7/2010 12:53:30 PM | Computer Name = INSPIRON8600 | Source = Microsoft Office 11 | ID = 2001
Description = Rejected Safe Mode action : Microsoft Office Excel.

[ System Events ]
Error - 1/6/2010 9:10:50 PM | Computer Name = INSPIRON8600 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/6/2010 9:42:55 PM | Computer Name = INSPIRON8600 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/6/2010 10:05:10 PM | Computer Name = INSPIRON8600 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.100 for the Network Card with network
address 000E35636E7A has been denied by the DHCP server 192.168.1.254 (The DHCP
Server sent a DHCPNACK message).

Error - 1/6/2010 10:05:25 PM | Computer Name = INSPIRON8600 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/6/2010 10:05:25 PM | Computer Name = INSPIRON8600 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/6/2010 11:07:43 PM | Computer Name = INSPIRON8600 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/7/2010 10:21:05 AM | Computer Name = INSPIRON8600 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/7/2010 10:21:05 AM | Computer Name = INSPIRON8600 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/7/2010 10:29:00 AM | Computer Name = INSPIRON8600 | Source = Service Control Manager | ID = 7034
Description = The Trend Micro Central Control Component service terminated unexpectedly.
It has done this 1 time(s).

Error - 1/7/2010 10:29:22 AM | Computer Name = INSPIRON8600 | Source = DCOM | ID = 10010
Description = The server {1A65BAB7-30B1-4FB7-BC13-D00C28FCF605} did not register
with DCOM within the required timeout.


< End of report >

#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:46 PM

Posted 14 January 2010 - 10:47 PM

Hi,

please run a scan with gmer as well:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#6 ecosteve

ecosteve
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 15 January 2010 - 09:31 AM

Okay, I ran GMER overnight last night. Here's the text from the log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-14 23:31:57
Windows 5.1.2600 Service Pack 3
Running: hjl51qx5.exe; Driver: C:\DOCUME~1\Steve\LOCALS~1\Temp\pfrcrfoc.sys


---- System - GMER 1.0.15 ----

SSDT FF98FCE0 ZwCreateKey
SSDT FF990E80 ZwCreateMutant
SSDT FF98F1E0 ZwCreateProcess
SSDT FF98F4A0 ZwCreateProcessEx
SSDT FF990B40 ZwCreateThread
SSDT FF990260 ZwDeleteKey
SSDT FF990520 ZwDeleteValueKey
SSDT FF990CE0 ZwLoadDriver
SSDT FF98F760 ZwOpenProcess
SSDT FF991020 ZwSetSystemInformation
SSDT FF98FFA0 ZwSetValueKey
SSDT FF98FA20 ZwTerminateProcess
SSDT FF9909A0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF85D77A4]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[468] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00A0000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 82EF5618

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{746CBDCA-F9CA-C3FF-3CE3-F565517754F4}

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:46 PM

Posted 15 January 2010 - 04:32 PM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 ecosteve

ecosteve
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 15 January 2010 - 10:42 PM

Myrti,

I went ahead and did the combofix scan. It seems like the google redirect may be fixed, so I'm cautiously optimistic. I may still do the system restore just to be on the safe side, though... The combofix log is below -- I'm interested to find out if you see anything suspicious still here.

________________________________

ComboFix 10-01-15.01 - Steve 01/15/2010 20:15:49.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.240 [GMT -6:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\driVERs\vydbwvcg.sys
c:\windows\system32\nsprs.dll
c:\windows\system32\ssprs.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_SSHNAS
-------\Legacy_WINSTS
-------\Legacy_vydbwvcg
-------\Service_vydbwvcg


((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.

2010-01-15 03:18 . 2010-01-15 03:18 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-14 22:35 . 2010-01-15 03:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-14 14:21 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-05 19:22 . 2010-01-05 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-05 19:21 . 2010-01-05 19:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-05 19:21 . 2010-01-05 19:21 -------- d-----w- c:\documents and settings\Steve\Application Data\SUPERAntiSpyware.com
2010-01-05 19:17 . 2010-01-05 19:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-05 15:57 . 2010-01-05 15:57 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-05 15:56 . 2010-01-05 15:56 -------- d-----w- c:\program files\Lavasoft
2010-01-05 15:56 . 2010-01-05 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-05 14:34 . 2010-01-05 14:34 -------- d-----w- c:\program files\VS Revo Group
2010-01-05 14:17 . 2010-01-05 14:17 -------- d-----w- c:\program files\DrWebCureit
2010-01-05 14:10 . 2010-01-05 17:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-05 14:10 . 2010-01-05 14:10 -------- d-----w- c:\program files\SpywareBlaster
2010-01-05 04:59 . 2010-01-05 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2010-01-05 04:58 . 2010-01-05 14:35 -------- d-----w- c:\program files\Trend Micro
2010-01-05 04:48 . 2010-01-05 04:48 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-01-05 04:48 . 2010-01-05 04:48 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2010-01-05 04:48 . 2010-01-05 04:48 225808 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2010-01-05 04:48 . 2010-01-05 04:48 1223832 ----a-w- c:\windows\system32\drivers\vsapint.sys
2009-12-31 14:11 . 2010-01-05 04:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-31 14:11 . 2010-01-05 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-31 14:03 . 2009-12-31 14:03 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-31 12:30 . 2009-12-30 20:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 12:30 . 2009-12-31 14:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 12:30 . 2009-12-30 20:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 00:59 . 2009-12-31 00:59 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-12-31 00:58 . 2009-12-31 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-31 00:51 . 2009-12-31 00:51 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Google
2009-12-31 00:51 . 2009-12-31 00:51 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft
2009-12-31 00:51 . 2009-12-31 00:51 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY
2009-12-31 00:35 . 2009-12-31 00:35 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-12-31 00:31 . 2009-12-31 00:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-12-31 00:06 . 2009-12-31 00:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-12-29 01:55 . 2009-12-29 01:56 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 01:43 . 2008-05-01 23:00 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-15 17:33 . 2008-05-01 22:55 -------- d-----w- c:\documents and settings\Steve\Application Data\EndNote
2010-01-15 16:59 . 2008-05-01 21:27 81959 ----a-w- c:\windows\system32\nvModes.dat
2010-01-15 15:12 . 2008-05-06 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-06 17:09 . 2008-05-01 23:00 -------- d-----w- c:\program files\SPSS GP
2010-01-05 14:44 . 2008-05-02 03:46 -------- d-----w- c:\program files\Emergent Music LLC
2010-01-05 04:48 . 2009-09-01 03:04 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-01-05 04:48 . 2009-09-01 03:04 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-01-05 04:48 . 2009-09-01 03:04 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-29 14:27 . 2008-05-03 03:23 -------- d-----w- c:\documents and settings\Steve\Application Data\Move Networks
2009-12-22 20:33 . 2008-05-06 13:27 -------- d-----w- c:\program files\Google
2009-12-14 03:23 . 2008-07-23 12:27 -------- d-----w- c:\documents and settings\Steve\Application Data\U3
2009-12-13 16:08 . 2009-12-13 16:06 -------- d-----w- c:\documents and settings\Steve\Application Data\Juniper Networks
2009-12-13 16:08 . 2009-12-13 16:07 -------- d-----w- c:\program files\Juniper Networks
2009-12-13 16:06 . 2009-12-13 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Juniper Networks
2009-12-06 03:48 . 2009-12-06 03:46 -------- d-----w- c:\program files\Microsoft Money Plus
2009-12-06 03:46 . 2008-05-01 22:16 -------- d-----w- c:\program files\Microsoft Money
2009-12-06 03:32 . 2009-12-06 03:32 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2009-12-06 03:32 . 2008-05-01 21:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-06 03:31 . 2009-12-06 03:30 -------- d-----w- c:\program files\Quicken
2009-12-06 03:30 . 2009-12-06 03:30 -------- d-----w- c:\program files\Common Files\Intuit
2009-12-06 03:30 . 2009-12-06 03:30 -------- d-----w- c:\documents and settings\Steve\Application Data\Intuit
2009-12-06 03:28 . 2009-12-06 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-12-01 21:45 . 2009-10-05 22:32 -------- d-----w- c:\program files\Phylocom 4.1
2009-11-21 15:51 . 2004-08-04 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 21:51 . 2009-12-06 03:31 4199784 ----a-w- c:\windows\system32\cdintf400.dll
2009-11-12 21:51 . 2009-11-12 21:51 1721784 ----a-w- c:\windows\system32\inetclnt.dll
2009-11-04 16:51 . 2009-11-04 16:51 1817590 ----a-w- c:\program files\PCord.zip
2009-10-29 07:46 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-07 149280]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-05 1020248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-5-1 25214]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-02 23:18 133104 ----atw- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2005-06-08 18:44 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2004-10-26 16:01 4632576 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Cooktop 2.5\\xcooktop.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10000:TCP"= 10000:TCP:VPN1
"4500:UDP"= 4500:UDP:VPN2
"62515:UDP"= 62515:UDP:VPN3

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [1/4/2010 10:48 PM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/31/2009 8:54 PM 339984]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [8/31/2009 9:04 PM 50704]
R3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [1/4/2010 11:01 PM 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [1/4/2010 11:01 PM 689416]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/6/2009 3:25 PM 135664]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\DRIVERS\ADM851X.SYS --> c:\windows\system32\DRIVERS\ADM851X.SYS [?]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 sasrfcService;sasrfc Service;c:\program files\SAS Institute\SAS\V8\access\sasexe\sasrfc.exe [5/1/2008 9:14 PM 41984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-06 22:34]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-06 21:25]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-06 21:25]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-688789844-1343024091-1003Core.job
- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 23:18]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-688789844-1343024091-1003UA.job
- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 23:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Steve\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Steve\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPE2Host.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-winupdate86 - c:\windows\system32\winupdate86.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-15 20:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-688789844-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{746CBDCA-F9CA-C3FF-3CE3-F565517754F4}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\PNP0F13\4&61f3b4b&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,
00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_09da&Pid_0006\7&13ba520c&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1608)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4088)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
.
**************************************************************************
.
Completion time: 2010-01-15 20:40:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-16 02:40

Pre-Run: 21,564,551,168 bytes free
Post-Run: 23,913,177,088 bytes free

- - End Of File - - 0786149CB2004F3D9C8F281197AB7827

#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:46 PM

Posted 16 January 2010 - 06:08 AM

Hi,

this is looking a lot better, there is a small left over, I would like to be removed:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\ndisdrv.sys
Driver::
ndisdrv


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#10 ecosteve

ecosteve
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 16 January 2010 - 07:41 PM

Myrti,

Just did the second run with ComboFix. Here's the log:

_____________________

ComboFix 10-01-16.02 - Steve 01/16/2010 18:08:15.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.264 [GMT -6:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\windows\system32\ndisdrv.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISDRV
-------\Service_ndisdrv


((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.

2010-01-14 22:35 . 2010-01-15 03:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-14 14:21 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-05 19:22 . 2010-01-05 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-05 19:21 . 2010-01-05 19:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-05 19:21 . 2010-01-05 19:21 -------- d-----w- c:\documents and settings\Steve\Application Data\SUPERAntiSpyware.com
2010-01-05 19:17 . 2010-01-05 19:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-05 15:57 . 2010-01-05 15:57 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-05 15:56 . 2010-01-05 15:56 -------- d-----w- c:\program files\Lavasoft
2010-01-05 15:56 . 2010-01-05 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-05 14:34 . 2010-01-05 14:34 -------- d-----w- c:\program files\VS Revo Group
2010-01-05 14:17 . 2010-01-05 14:17 -------- d-----w- c:\program files\DrWebCureit
2010-01-05 14:10 . 2010-01-05 17:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-05 14:10 . 2010-01-05 14:10 -------- d-----w- c:\program files\SpywareBlaster
2010-01-05 04:59 . 2010-01-05 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2010-01-05 04:58 . 2010-01-05 14:35 -------- d-----w- c:\program files\Trend Micro
2010-01-05 04:48 . 2010-01-05 04:48 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-01-05 04:48 . 2010-01-05 04:48 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2010-01-05 04:48 . 2010-01-05 04:48 225808 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2010-01-05 04:48 . 2010-01-05 04:48 1223832 ----a-w- c:\windows\system32\drivers\vsapint.sys
2009-12-31 14:11 . 2010-01-05 04:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-31 14:11 . 2010-01-05 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-31 14:03 . 2009-12-31 14:03 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-31 12:30 . 2009-12-30 20:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 12:30 . 2009-12-31 14:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 12:30 . 2009-12-30 20:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 00:59 . 2009-12-31 00:59 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-12-31 00:58 . 2009-12-31 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-31 00:51 . 2009-12-31 00:51 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Google
2009-12-31 00:51 . 2009-12-31 00:51 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft
2009-12-31 00:51 . 2009-12-31 00:51 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY
2009-12-31 00:35 . 2009-12-31 00:35 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-12-31 00:31 . 2009-12-31 00:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-12-31 00:06 . 2009-12-31 00:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-12-29 01:55 . 2009-12-29 01:56 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 23:55 . 2008-05-01 23:00 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-16 23:52 . 2008-05-06 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-15 17:33 . 2008-05-01 22:55 -------- d-----w- c:\documents and settings\Steve\Application Data\EndNote
2010-01-15 16:59 . 2008-05-01 21:27 81959 ----a-w- c:\windows\system32\nvModes.dat
2010-01-06 17:09 . 2008-05-01 23:00 -------- d-----w- c:\program files\SPSS GP
2010-01-05 14:44 . 2008-05-02 03:46 -------- d-----w- c:\program files\Emergent Music LLC
2010-01-05 04:48 . 2009-09-01 03:04 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-01-05 04:48 . 2009-09-01 03:04 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-01-05 04:48 . 2009-09-01 03:04 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-29 14:27 . 2008-05-03 03:23 -------- d-----w- c:\documents and settings\Steve\Application Data\Move Networks
2009-12-22 20:33 . 2008-05-06 13:27 -------- d-----w- c:\program files\Google
2009-12-14 03:23 . 2008-07-23 12:27 -------- d-----w- c:\documents and settings\Steve\Application Data\U3
2009-12-13 16:08 . 2009-12-13 16:06 -------- d-----w- c:\documents and settings\Steve\Application Data\Juniper Networks
2009-12-13 16:08 . 2009-12-13 16:07 -------- d-----w- c:\program files\Juniper Networks
2009-12-13 16:06 . 2009-12-13 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Juniper Networks
2009-12-06 03:48 . 2009-12-06 03:46 -------- d-----w- c:\program files\Microsoft Money Plus
2009-12-06 03:46 . 2008-05-01 22:16 -------- d-----w- c:\program files\Microsoft Money
2009-12-06 03:32 . 2009-12-06 03:32 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2009-12-06 03:32 . 2008-05-01 21:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-06 03:31 . 2009-12-06 03:30 -------- d-----w- c:\program files\Quicken
2009-12-06 03:30 . 2009-12-06 03:30 -------- d-----w- c:\program files\Common Files\Intuit
2009-12-06 03:30 . 2009-12-06 03:30 -------- d-----w- c:\documents and settings\Steve\Application Data\Intuit
2009-12-06 03:28 . 2009-12-06 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-12-01 21:45 . 2009-10-05 22:32 -------- d-----w- c:\program files\Phylocom 4.1
2009-11-21 15:51 . 2004-08-04 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 21:51 . 2009-12-06 03:31 4199784 ----a-w- c:\windows\system32\cdintf400.dll
2009-11-12 21:51 . 2009-11-12 21:51 1721784 ----a-w- c:\windows\system32\inetclnt.dll
2009-11-04 16:51 . 2009-11-04 16:51 1817590 ----a-w- c:\program files\PCord.zip
2009-10-29 07:46 . 2006-03-04 03:33 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-07 149280]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-05 1020248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-5-1 25214]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-02 23:18 133104 ----atw- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2005-06-08 18:44 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2004-10-26 16:01 4632576 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Cooktop 2.5\\xcooktop.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10000:TCP"= 10000:TCP:VPN1
"4500:UDP"= 4500:UDP:VPN2
"62515:UDP"= 62515:UDP:VPN3

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [1/4/2010 10:48 PM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/31/2009 8:54 PM 339984]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [8/31/2009 9:04 PM 50704]
R3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [1/4/2010 11:01 PM 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [1/4/2010 11:01 PM 689416]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/6/2009 3:25 PM 135664]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\DRIVERS\ADM851X.SYS --> c:\windows\system32\DRIVERS\ADM851X.SYS [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 sasrfcService;sasrfc Service;c:\program files\SAS Institute\SAS\V8\access\sasexe\sasrfc.exe [5/1/2008 9:14 PM 41984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-06 22:34]

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-06 21:25]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-06 21:25]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-688789844-1343024091-1003Core.job
- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 23:18]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-688789844-1343024091-1003UA.job
- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 23:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Steve\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Steve\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPE2Host.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 18:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-688789844-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{746CBDCA-F9CA-C3FF-3CE3-F565517754F4}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\PNP0F13\4&61f3b4b&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,
00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_09da&Pid_0006\7&13ba520c&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1608)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2248)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
.
**************************************************************************
.
Completion time: 2010-01-16 18:29:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-17 00:29
ComboFix2.txt 2010-01-16 02:40

Pre-Run: 23,908,794,368 bytes free
Post-Run: 23,876,362,240 bytes free

- - End Of File - - 8A674341B97E2DE0508568D44181476D

#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:46 PM

Posted 16 January 2010 - 07:48 PM

Hi,

that log looks fine to me. How is your PC doing?

Please also provide a new log from OTL (only OTL.txt will be created)

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#12 ecosteve

ecosteve
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 17 January 2010 - 01:43 AM

Myrti,

Everything seems to be back to normal. Thanks SO much for your help! Is there anything else I should be keeping an eye out for, just in case the system didn't get entirely cleaned?

Here's the most recent OTL log:

OTL logfile created on: 1/17/2010 12:30:01 AM - Run 2
OTL by OldTimer - Version 3.1.24.1 Folder = C:\Documents and Settings\Steve\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 194.00 Mb Available Physical Memory | 38.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 58.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.16 Gb Total Space | 21.95 Gb Free Space | 23.57% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: INSPIRON8600
Current User Name: Steve
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/14 21:03:20 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
PRC - [2010/01/04 22:48:28 | 01,020,248 | ---- | M] () -- C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
PRC - [2010/01/04 22:48:27 | 00,689,416 | ---- | M] () -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
PRC - [2010/01/04 22:48:27 | 00,497,008 | ---- | M] () -- C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
PRC - [2010/01/04 22:48:27 | 00,345,352 | ---- | M] () -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe
PRC - [2010/01/04 22:48:26 | 00,715,368 | ---- | M] () -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
PRC - [2009/12/21 19:09:11 | 00,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/11/12 20:14:08 | 00,496,936 | ---- | M] (Juniper Networks) -- C:\Documents and Settings\Steve\Application Data\Juniper Networks\Setup Client\JuniperSetupClient.exe
PRC - [2009/10/07 17:05:54 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/10/07 17:05:54 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/04/02 14:11:02 | 00,342,312 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/04/02 14:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/03/26 13:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/01/23 01:46:56 | 00,431,472 | ---- | M] (Juniper Networks) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
PRC - [2008/12/12 09:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/23 00:08:13 | 00,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [2008/04/17 08:08:46 | 01,528,608 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/21 09:28:36 | 00,643,072 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007/02/21 09:19:58 | 00,819,200 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2007/02/21 09:19:40 | 00,294,912 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2007/02/21 09:17:42 | 00,970,752 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2007/02/21 09:16:48 | 00,983,040 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2007/02/21 09:13:26 | 00,487,424 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2007/02/21 09:10:00 | 00,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2006/06/29 10:13:32 | 01,032,192 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2006/06/29 10:12:34 | 00,376,832 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2005/10/07 12:13:38 | 00,176,128 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2005/07/27 14:41:08 | 00,045,056 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2005/07/19 15:32:18 | 00,221,184 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\LVCOMSX.EXE
PRC - [2005/06/08 13:14:44 | 00,217,088 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Video\LogiTray.exe
PRC - [2005/06/08 12:44:56 | 00,192,512 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Video\FxSvr2.exe
PRC - [2004/10/26 10:01:00 | 00,127,044 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2004/06/28 21:56:12 | 00,045,056 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\hidfind.exe
PRC - [2004/04/11 18:15:14 | 00,290,816 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\Media Experience\PCMService.exe
PRC - [2004/03/14 23:04:00 | 00,122,933 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfswctrl.exe
PRC - [2003/08/29 02:59:24 | 00,122,880 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\BCMSMMSG.exe


========== Modules (SafeList) ==========

MOD - [2010/01/14 21:03:20 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
MOD - [2006/06/29 10:13:50 | 00,073,728 | ---- | M] () -- C:\Program Files\Dell\QuickSet\dadkeyb.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/04 22:48:27 | 00,689,416 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe -- (TmProxy)
SRV - [2010/01/04 22:48:27 | 00,497,008 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\Program Files\Trend Micro\Internet Security\TmPfw.exe -- (TmPfw)
SRV - [2010/01/04 22:48:27 | 00,345,352 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe -- (TMBMServer)
SRV - [2010/01/04 22:48:26 | 00,715,368 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe -- (SfCtlCom)
SRV - [2009/11/06 15:25:29 | 00,135,664 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2009/10/07 17:05:54 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/04/02 14:10:56 | 00,656,168 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/03/26 13:31:20 | 00,132,424 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/03/20 16:34:48 | 00,183,280 | ---- | M] (Google) [Auto | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/01/23 01:46:56 | 00,431,472 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
SRV - [2008/12/12 09:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/04/17 08:08:46 | 01,528,608 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2007/10/25 13:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 09:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2007/02/21 09:28:36 | 00,643,072 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2007/02/21 09:19:40 | 00,294,912 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2007/02/21 09:16:48 | 00,983,040 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2007/02/21 09:10:00 | 00,327,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2006/11/08 14:35:38 | 00,053,248 | ---- | M] (Hewlett-Packard) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2006/11/08 14:35:36 | 00,043,520 | ---- | M] (Hewlett-Packard) [Auto | Stopped] -- C:\WINDOWS\system32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2006/06/29 10:12:34 | 00,376,832 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
SRV - [2005/11/13 23:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/10/26 10:01:00 | 00,127,044 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2003/07/28 10:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2000/05/20 03:00:00 | 00,041,984 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\SAS Institute\SAS\V8\access\sasexe\sasrfc.exe -- (sasrfcService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2010/01/04 22:48:39 | 01,223,832 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vsapint.sys -- (vsapint)
DRV - [2010/01/04 22:48:39 | 00,225,808 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmxpflt.sys -- (tmxpflt)
DRV - [2010/01/04 22:48:39 | 00,158,224 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2010/01/04 22:48:39 | 00,089,872 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2010/01/04 22:48:39 | 00,059,920 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2010/01/04 22:48:39 | 00,050,704 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2010/01/04 22:48:39 | 00,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmpreflt.sys -- (tmpreflt)
DRV - [2009/11/23 08:43:30 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/11/23 08:43:30 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/11/23 08:43:28 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/08/31 20:54:54 | 00,339,984 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TM_CFW.sys -- (tmcfw)
DRV - [2009/04/21 11:02:40 | 00,021,425 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2009/03/26 13:23:46 | 00,036,864 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/03/19 14:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/01/23 01:27:22 | 00,023,552 | ---- | M] (Juniper Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dsNcAdpt.sys -- (dsNcAdpt)
DRV - [2008/11/20 13:19:06 | 00,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/04/17 08:07:52 | 00,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2008/04/13 12:56:49 | 00,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2008/04/13 12:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/03/29 16:36:28 | 00,125,328 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2008/01/07 13:36:00 | 02,216,064 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/02/21 09:16:12 | 00,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/01/18 16:28:02 | 00,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2005/09/28 18:57:18 | 00,113,847 | R--- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2005/08/12 15:50:46 | 00,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/05/27 03:46:22 | 00,913,280 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LV302AV.SYS -- (PID_08A0) QuickCam IM(PID_08A0)
DRV - [2005/05/27 03:38:00 | 00,007,136 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lv302af.sys -- (pepifilter)
DRV - [2005/05/27 03:31:28 | 00,022,016 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2005/01/26 10:22:20 | 00,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2004/12/13 15:14:00 | 00,039,904 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\cercsr6.sys -- (cercsr6)
DRV - [2004/11/15 13:37:52 | 00,264,440 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\stac97.sys -- (STAC97) Audio Driver (WDM)
DRV - [2004/10/26 10:01:00 | 02,830,688 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/08/04 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/03/14 23:04:00 | 00,100,597 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/03/14 23:04:00 | 00,098,580 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/03/14 23:04:00 | 00,085,972 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/03/14 23:04:00 | 00,034,837 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/03/14 23:04:00 | 00,025,685 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/03/14 23:04:00 | 00,014,229 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/03/14 23:04:00 | 00,006,357 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/03/14 23:04:00 | 00,004,117 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/03/14 23:04:00 | 00,002,233 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/02/27 00:56:00 | 00,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/02/13 01:21:00 | 00,086,160 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/01/14 17:18:16 | 00,005,621 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/01/14 17:18:04 | 00,023,219 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2003/09/26 08:41:10 | 00,044,032 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/08/29 02:59:24 | 01,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2001/08/22 06:42:58 | 00,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-823518204-688789844-1343024091-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-823518204-688789844-1343024091-1003\S-1-5-21-823518204-688789844-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-823518204-688789844-1343024091-1003\S-1-5-21-823518204-688789844-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {EF522540-89F5-46b9-B6FE-1829E2B572C6}:4.0
FF - prefs.js..extensions.enabledItems: foxmarks@kei.com:3.4.6
FF - prefs.js..extensions.enabledItems: {4a428302-5267-4749-bb22-459b3236695f}:3.03

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/07/13 11:20:49 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/30 18:06:42 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/21 19:09:26 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/08/22 12:11:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2008/08/27 15:47:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\Mozilla\Extensions
[2010/01/16 18:45:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\extensions
[2008/08/27 15:50:12 | 00,000,000 | ---D | M] (Modern Modoki) -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\extensions\{4a428302-5267-4749-bb22-459b3236695f}
[2008/05/02 10:04:17 | 00,000,000 | ---D | M] (Aquatint Black) -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\extensions\{526fd696-27a0-11dc-8314-0800200c9a66}
[2010/01/11 09:27:59 | 00,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/12/13 18:20:38 | 00,000,000 | ---D | M] (SearchPreview) -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6}
[2009/12/13 18:20:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\extensions\foxmarks@kei.com
[2008/05/13 19:04:53 | 00,001,632 | ---- | M] () -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\searchplugins\weathercom.xml
[2008/05/13 19:05:23 | 00,001,032 | ---- | M] () -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\vo6eea86.default\searchplugins\wikipedia-eng.xml
[2010/01/16 18:45:43 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/05/22 12:38:44 | 00,102,400 | ---- | M] (ESRI ) -- C:\Program Files\Mozilla Firefox\plugins\NPE2Host.dll
[2005/12/05 20:31:00 | 00,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
[2008/05/14 22:33:00 | 00,000,905 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\conduit.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-823518204-688789844-1343024091-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [BCMSMMSG] C:\WINDOWS\BCMSMMSG.exe (Broadcom Corporation)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe (Logitech Inc.)
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe (Logitech Inc.)
O4 - HKLM..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE (Logitech Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\Media Experience\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UfSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-823518204-688789844-1343024091-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-823518204-688789844-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-823518204-688789844-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-823518204-688789844-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-823518204-688789844-1343024091-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-823518204-688789844-1343024091-1003\..Trusted Domains: //@surf.mar@/ ([]money in Local intranet)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/05/01 14:29:22 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/15 19:51:40 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2010/01/15 19:49:24 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/01/15 19:49:24 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/01/15 19:49:24 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/01/15 19:49:24 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/01/15 19:49:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/15 19:47:03 | 00,000,000 | ---D | C] -- C:\Qoobox
[2010/01/14 21:03:19 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
[2010/01/14 08:21:15 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2010/01/05 15:14:50 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Steve\Desktop\RootRepeal.exe
[2010/01/05 13:22:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/01/05 13:21:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\Application Data\SUPERAntiSpyware.com
[2010/01/05 13:21:29 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/01/05 13:17:35 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/01/05 12:40:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\Desktop\ListDlls
[2010/01/05 09:57:34 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2010/01/05 09:56:17 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/01/05 09:56:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/01/05 08:34:54 | 00,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2010/01/05 08:17:26 | 00,000,000 | ---D | C] -- C:\Program Files\DrWebCureit
[2010/01/05 08:10:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/01/05 08:10:00 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2010/01/04 22:59:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trend Micro
[2010/01/04 22:58:26 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/04 22:48:45 | 00,661,808 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\UfWSC.cpl
[2010/01/04 22:48:39 | 01,223,832 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\vsapint.sys
[2010/01/04 22:48:39 | 00,225,808 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmxpflt.sys
[2010/01/04 22:48:39 | 00,089,872 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmtdi.sys
[2010/01/04 22:48:39 | 00,036,368 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmpreflt.sys
[2009/12/31 08:11:24 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/12/31 08:11:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/12/31 06:30:05 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/31 06:30:03 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/31 06:30:03 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/30 20:09:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2009/12/30 19:02:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2009/12/30 18:59:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\Application Data\Malwarebytes
[2009/12/30 18:59:14 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/12/30 18:58:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/30 18:35:42 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2009/12/28 19:55:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\Local Settings\Application Data\Move Networks
[2009/12/18 08:37:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\Desktop\synonym_db
[2009/12/06 15:32:24 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/11/06 15:30:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/11/06 15:25:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/08/03 22:30:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/09/25 20:36:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/06/30 14:00:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/05/01 15:25:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Intel
[2008/05/01 15:25:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Intel
[2008/05/01 14:33:19 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/17 00:30:00 | 00,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/01/17 00:19:13 | 00,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-823518204-688789844-1343024091-1003UA.job
[2010/01/16 23:06:46 | 00,081,959 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/01/16 18:21:48 | 00,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/01/16 18:21:46 | 00,017,112 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/01/16 18:19:42 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/16 18:19:38 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/01/16 18:19:27 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/16 18:19:25 | 00,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/16 18:19:18 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/01/16 18:19:07 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/16 18:19:01 | 53,612,9536 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/16 18:18:24 | 09,699,328 | -H-- | M] () -- C:\Documents and Settings\Steve\NTUSER.DAT
[2010/01/16 18:17:41 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Steve\ntuser.ini
[2010/01/16 18:06:19 | 03,827,053 | R--- | M] () -- C:\Documents and Settings\Steve\Desktop\ComboFix.exe
[2010/01/15 19:51:53 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2010/01/15 18:19:02 | 00,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-823518204-688789844-1343024091-1003Core.job
[2010/01/15 10:59:04 | 00,081,959 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2010/01/15 08:18:38 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/14 21:53:38 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\hjl51qx5.exe
[2010/01/14 21:17:47 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/14 21:03:20 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
[2010/01/12 12:38:08 | 00,323,303 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Olson 1996 Ecol.pdf
[2010/01/12 12:05:10 | 00,209,717 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Ricklefs 2008 AmNat.pdf
[2010/01/12 11:30:17 | 01,938,750 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Pickett & McDonnell 1989 TREE.pdf
[2010/01/12 11:19:10 | 00,332,047 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Hubbell etal 1999 Science.pdf
[2010/01/12 11:10:49 | 03,304,291 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Simberloff 1976 Ecology.pdf
[2010/01/12 11:07:03 | 00,765,626 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Simberloff & Wilson 1969 Ecology.pdf
[2010/01/12 10:34:12 | 00,631,638 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Tilman etal 1996 Nature.pdf
[2010/01/12 10:02:21 | 00,407,319 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Hubbell 1997 CoralReefs.pdf
[2010/01/12 09:59:48 | 00,919,917 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Hutchinson 1961 AmNat.pdf
[2010/01/12 09:41:44 | 00,295,727 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Hutchinson 1959 AmNat.pdf
[2010/01/12 09:38:39 | 01,952,874 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Clark & Clark 1984 AmNat.pdf
[2010/01/11 21:37:47 | 00,389,923 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Morin 1984 Ecol.pdf
[2010/01/11 19:30:33 | 00,260,863 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Hairston 1980 Ecol.pdf
[2010/01/11 19:28:18 | 00,733,429 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Pacala & Roughgarden 1982 Science.pdf
[2010/01/11 19:09:28 | 02,380,151 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Cody 1991 Vegetatio.pdf
[2010/01/11 18:15:18 | 03,222,933 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Schoener 1974 Science.pdf
[2010/01/11 17:33:53 | 00,422,297 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Gleason 1917 BullTorrBotClub.pdf
[2010/01/11 17:31:23 | 00,753,874 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Finegan 1984 Nature.pdf
[2010/01/06 14:22:36 | 00,036,864 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\2009 Postdoc TAR.xls
[2010/01/06 12:07:20 | 00,000,017 | -H-- | M] () -- C:\WINDOWS\System32\servdat.slm
[2010/01/06 11:09:12 | 00,000,014 | ---- | M] () -- C:\WINDOWS\System32\ssprs.tgz
[2010/01/05 15:17:50 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\settings.dat
[2010/01/05 15:14:50 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Steve\Desktop\RootRepeal.exe
[2010/01/05 15:12:03 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\dds.scr
[2010/01/04 22:48:45 | 00,661,808 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\UfWSC.cpl
[2010/01/04 22:48:39 | 01,223,832 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\vsapint.sys
[2010/01/04 22:48:39 | 00,225,808 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmxpflt.sys
[2010/01/04 22:48:39 | 00,158,224 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/01/04 22:48:39 | 00,089,872 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmtdi.sys
[2010/01/04 22:48:39 | 00,059,920 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmactmon.sys
[2010/01/04 22:48:39 | 00,050,704 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmevtmgr.sys
[2010/01/04 22:48:39 | 00,036,368 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmpreflt.sys
[2009/12/31 11:07:51 | 04,321,392 | -H-- | M] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\IconCache.db
[2009/12/31 08:03:08 | 00,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/12/30 19:16:20 | 00,000,623 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/30 19:16:20 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/30 14:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/15 19:51:52 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2010/01/15 19:51:42 | 00,260,272 | ---- | C] () -- C:\cmldr
[2010/01/15 19:49:24 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/01/15 19:49:24 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/01/15 19:49:24 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/01/15 19:49:24 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/01/15 19:49:24 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/01/15 19:45:28 | 03,827,053 | R--- | C] () -- C:\Documents and Settings\Steve\Desktop\ComboFix.exe
[2010/01/14 21:53:37 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\hjl51qx5.exe
[2010/01/14 16:35:45 | 00,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/12 12:38:08 | 00,323,303 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Olson 1996 Ecol.pdf
[2010/01/12 12:05:10 | 00,209,717 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Ricklefs 2008 AmNat.pdf
[2010/01/12 11:30:17 | 01,938,750 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Pickett & McDonnell 1989 TREE.pdf
[2010/01/12 11:19:10 | 00,332,047 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Hubbell etal 1999 Science.pdf
[2010/01/12 11:10:48 | 03,304,291 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Simberloff 1976 Ecology.pdf
[2010/01/12 11:07:03 | 00,765,626 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Simberloff & Wilson 1969 Ecology.pdf
[2010/01/12 10:34:12 | 00,631,638 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Tilman etal 1996 Nature.pdf
[2010/01/12 10:02:21 | 00,407,319 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Hubbell 1997 CoralReefs.pdf
[2010/01/12 09:59:48 | 00,919,917 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Hutchinson 1961 AmNat.pdf
[2010/01/12 09:41:44 | 00,295,727 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Hutchinson 1959 AmNat.pdf
[2010/01/12 09:38:39 | 01,952,874 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Clark & Clark 1984 AmNat.pdf
[2010/01/11 21:37:47 | 00,389,923 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Morin 1984 Ecol.pdf
[2010/01/11 19:30:33 | 00,260,863 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Hairston 1980 Ecol.pdf
[2010/01/11 19:28:18 | 00,733,429 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Pacala & Roughgarden 1982 Science.pdf
[2010/01/11 19:09:28 | 02,380,151 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Cody 1991 Vegetatio.pdf
[2010/01/11 18:15:17 | 03,222,933 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Schoener 1974 Science.pdf
[2010/01/11 17:33:53 | 00,422,297 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Gleason 1917 BullTorrBotClub.pdf
[2010/01/11 17:31:23 | 00,753,874 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Finegan 1984 Nature.pdf
[2010/01/06 14:22:36 | 00,036,864 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\2009 Postdoc TAR.xls
[2010/01/05 15:17:50 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\settings.dat
[2010/01/05 15:12:02 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\dds.scr
[2009/12/31 08:03:08 | 00,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/12/30 18:51:09 | 53,612,9536 | -HS- | C] () -- C:\hiberfil.sys
[2009/12/05 21:30:22 | 00,000,120 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2009/11/04 10:51:08 | 01,817,590 | ---- | C] () -- C:\Program Files\PCord.zip
[2009/09/16 09:12:50 | 00,000,049 | ---- | C] () -- C:\WINDOWS\wxls32.ini
[2009/08/30 11:17:16 | 00,000,098 | ---- | C] () -- C:\WINDOWS\bh-hzht-aicarik.ini
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/06/01 14:34:04 | 00,000,171 | ---- | C] () -- C:\WINDOWS\HIGHED32.INI
[2009/05/27 22:29:04 | 00,000,523 | ---- | C] () -- C:\WINDOWS\LisWin32.ini
[2009/05/27 22:29:04 | 00,000,076 | ---- | C] () -- C:\WINDOWS\LISWIN32S.INI
[2008/10/26 20:05:50 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/06/21 20:44:06 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2008/06/16 23:10:33 | 00,015,872 | ---- | C] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/05/12 19:35:37 | 00,009,255 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/05/12 07:37:15 | 00,000,770 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Installer.log
[2008/05/01 21:13:50 | 00,016,160 | ---- | C] () -- C:\WINDOWS\System32\sasperf.dll
[2008/05/01 17:03:30 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2008/05/01 17:03:30 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2008/05/01 17:00:25 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2008/05/01 17:00:25 | 00,000,342 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2008/05/01 16:49:11 | 00,000,021 | ---- | C] () -- C:\WINDOWS\CS_setup.ini
[2008/05/01 16:41:59 | 00,033,280 | ---- | C] () -- C:\WINDOWS\System32\SP32W.DLL
[2008/05/01 16:41:56 | 00,162,304 | ---- | C] () -- C:\WINDOWS\System32\DLWBC31.DLL
[2008/05/01 16:00:09 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/05/01 15:20:15 | 00,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2008/04/17 08:08:56 | 00,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2008/04/17 08:08:44 | 00,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2004/03/26 16:59:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/01/07 13:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1999/01/27 11:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 05:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:46 PM

Posted 17 January 2010 - 07:57 AM

Hi,

happy to hear that everything is back to normal. The main symptom of this infection are the google redirects, so as long as they are gone there is a high chance that the rootkit is gone as well.

We are going to check if there isn't any malware on your system though:

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#14 ecosteve

ecosteve
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 17 January 2010 - 09:24 PM

Myrti,

Here's the log from the ESET scan. Any thoughts on these? Thanks again!

_______________________

C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.RF virus deleted - quarantined
C:\System Volume Information\_restore{B9EE1E4A-2633-4D3F-AD78-C772A7397049}\RP7\A0002549.exe a variant of Win32/Kryptik.BIM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9EE1E4A-2633-4D3F-AD78-C772A7397049}\RP7\A0003673.exe a variant of Win32/Refpron.DO trojan deleted - quarantined
C:\System Volume Information\_restore{B9EE1E4A-2633-4D3F-AD78-C772A7397049}\RP7\A0003674.exe a variant of Win32/Kryptik.BKE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9EE1E4A-2633-4D3F-AD78-C772A7397049}\RP7\A0003693.exe a variant of Win32/Kryptik.BKE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9EE1E4A-2633-4D3F-AD78-C772A7397049}\RP7\A0003697.exe a variant of Win32/Kryptik.BKE trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus deleted - quarantined

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:46 PM

Posted 18 January 2010 - 06:45 AM

Hi,

this looks good. How is your PC doing?

If you're not having any problems anymore I would like you to update your software:

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Your Adobe Reader is also out of date. Please uninstall it and download the latest version from Adobe: Download
Please untick all proposed toolbars unless you really want them.

Let me know if you have any problem with that.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users