Catastrophic Redirect problem - Search Engine/browser

23 replies to this topic

#1 stedmakr (Members, 32 posts)

Posted 07 January 2010 - 10:49 PM

I've been referred from the "Am I Infected" forum. The topic referenced is here: http://www.bleepingcomputer.com/forums/t/282704/catastropic-redirect-problem-search-enginebrowser/ ~ OB

I run XP (SP3). When I access Google or Bing from a browser I get a different web site than the one that I entered. Until I disconnected from the internet I also received multiple high-threat warnings from Norton Internet Security 2009 stating that it is blocking threats. I run Norton Internet Security all the time. It was running when I picked up this virus/malware. I ran a full system scan and it did not find a virus. I've also run Malwarebytes' Anti-Malware and it also does not show a virus. I have disconnected the affected computer from the internet. In the other forum I was directed to use several tools that locked up.

Dr. Web locked up
ATF and SAS ran without a problem
Malwarebytes ran and didn't find anything
Kaspersky's TDSSKiller locked up


I'd like to salvage the drive if possible. I believe that my backup was about 90% of the data that I need.

Any assistance that is possible would be very helpful.

Thanks,

Keith

DDS (Ver_09-12-01.01) - NTFSx86
Run by Keith at 21:49:05.87 on Thu 01/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1468 [GMT -5:00]

AV: ThreatFire *On-access scanning disabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PS3 Media Server\win32\service\wrapper.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TiVo\Desktop\TiVoBeacon.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Documents and Settings\Keith\Local Settings\Application Data\Autobahn\autobahn.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\zabkat\xplorer2\xplorer2_UC.exe
C:\Documents and Settings\Keith\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.7.2.11\IPSBHO.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [TranscodingService] c:\program files\tivo\desktop\plus\\TranscodingService.exe
uRun: [TivoTransfer] c:\program files\tivo\desktop\TiVoTransfer.exe
uRun: [TivoServer] c:\program files\tivo\desktop\TiVoServer.exe /service /registry
uRun: [TivoNotify] c:\program files\tivo\desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
mRun: [UpdatePDRShortCut] "d:\program files\cyberlink\powerdirector\powerdirector\muitransfer\muistartmenu.exe" "d:\program files\cyberlink\powerdirector\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\keith\startm~1\programs\startup\autobahn.lnk - c:\documents and settings\keith\local settings\application data\autobahn\autobahn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: intuit.com
Trusted Zone: turbotax.com
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.7.2.11\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\keith\applic~1\mozilla\firefox\profiles\579w1nny.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-9-8 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1007020.00b\BHDrvx86.sys [2009-9-8 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1007020.00b\cchpx86.sys [2009-9-8 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091217.002\IDSXpx86.sys [2009-12-18 329592]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.7.2.11\ccSvcHst.exe [2009-9-8 117640]
R2 PS3 Media Server;PS3 Media Server;c:\program files\ps3 media server\win32\service\wrapper.exe [2009-2-7 217088]
R2 TivoBeacon2;TiVo Beacon Service;c:\program files\tivo\desktop\TiVoBeacon.exe [2009-11-2 1098968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2008-3-19 2688]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-28 38224]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100102.020\NAVENG.SYS [2010-1-3 84912]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100102.020\NAVEX15.SYS [2010-1-3 1323568]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-3-22 184320]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
S4 gmxfwsvc;Onlineeye Firewall Service;"c:\program files\onlineeye\gmxffcsrv.exe" -service --> c:\program files\onlineeye\gmxffcsrv.exe [?]
S4 gupdate1c9ef965109422a;Google Update Service (gupdate1c9ef965109422a);c:\program files\google\update\GoogleUpdate.exe [2009-6-17 133104]

=============== Created Last 30 ================

2010-01-05 22:55:54 16904 ----a-w- c:\windows\system32\drivers\KLMD.sys
2010-01-03 12:18:31 0 d-----w- c:\program files\ESET
2010-01-02 23:07:43 96512 ----a-w- c:\windows\system32\drivers\SET4.tmp
2010-01-02 21:18:50 96512 ----a-w- c:\windows\system32\drivers\SET6.tmp
2010-01-02 12:42:59 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-02 12:42:47 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-02 12:42:47 0 d-----w- c:\docume~1\keith\applic~1\SUPERAntiSpyware.com
2009-12-30 00:14:00 0 d-----w- c:\program files\Trend Micro
2009-12-28 15:07:45 0 d-----w- c:\docume~1\keith\applic~1\Malwarebytes
2009-12-28 15:07:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-28 15:07:17 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 15:07:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-28 15:07:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-20 22:17:49 218 ----a-w- c:\documents and settings\keith\.recently-used.xbel
2009-12-18 02:43:30 0 d-sh--w- c:\documents and settings\keith\IECompatCache
2009-12-18 00:15:59 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-29 13:49:36 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-12-29 13:49:34 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-12-24 14:07:34 148876 ----a-w- c:\windows\fonts\AdobeFnt08.lst
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-03-09 23:19:34 183 ----a-w- c:\program files\work.url
2008-02-17 12:51:02 108 --sha-r- c:\windows\neoqaz2.dll
2008-09-12 23:57:05 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 21:50:54.12 ===============

Edited by Orange Blossom, 07 January 2010 - 10:52 PM.
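
The DDS log above is what a malware-removal helper reads first, and most of what they look for in it can be checked mechanically. The Python script below is an added example written for this page; it is not part of the original post and not code from the DDS tool. It walks the log section by section and flags the entries a helper would want to look at on a machine with a search-engine redirect: security products reporting themselves disabled (the AV:/FW: header lines), a process started from a user profile's Local Settings\Application Data tree (autobahn.exe in the log), the Windows Telnet server tlntsvr.exe running on a home machine, a Hosts: entry pinning www.spywareinfo.com to 127.0.0.1, drivers still registered whose files are gone (the TfFsMon/TfSysMon entries, remnants of the ThreatFire install listed in the AV: lines), and a hidden+system file directly under c:\windows (the 108-byte neoqaz2.dll in Find3M). The sample lines are copied from the log in the post; the category names, the UNEXPECTED_LISTENERS list and the function name triage_dds are the example's own assumptions.

```python
import re

# Constructed sample: lines copied from the DDS log in the post above, cut down
# to a few representatives per section so the script runs offline.
SAMPLE_LOG = r"""
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\tlntsvr.exe
C:\Documents and Settings\Keith\Local Settings\Application Data\Autobahn\autobahn.exe
C:\Program Files\iTunes\iTunesHelper.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-9-8 310320]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

==================== Find3M ====================

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2008-02-17 12:51:02 108 --sha-r- c:\windows\neoqaz2.dll

============= FINISH: 21:50:54.12 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# Process image living under a user profile's Local Settings / Application Data
# tree; legitimate software rarely runs from there on XP, malware often does.
USER_PROFILE_RE = re.compile(
    r"\\(?:documents and settings|users)\\[^\\]+\\(?:local settings|application data|appdata)\\",
    re.I,
)
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)", re.I)
# "<date> <time> <size> <8 attribute flags> <path>" as printed by DDS
FILE_ENTRY_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+([-a-z]{8})\s+(.+)$")
# Editor's assumption, not part of DDS: Windows services that normally should
# not be running on a home workstation. tlntsvr.exe is the Windows Telnet server.
UNEXPECTED_LISTENERS = {"tlntsvr.exe"}
LOCALHOST = {"127.0.0.1", "0.0.0.0", "::1"}


def triage_dds(text):
    """Return a list of (category, line) findings for a DDS log."""
    findings = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if not section:
            # Header block: security products reporting themselves disabled.
            if line[:3] in ("AV:", "FW:") and "disabled" in line.lower():
                findings.append(("protection-disabled", line))
        elif section.startswith("running processes"):
            if USER_PROFILE_RE.search(line):
                findings.append(("process-in-user-profile", line))
            if line.lower().rsplit("\\", 1)[-1] in UNEXPECTED_LISTENERS:
                findings.append(("unexpected-listener", line))
        elif section.startswith("pseudo hjt"):
            m = HOSTS_RE.match(line)
            # A hosts entry pinning a security site to localhost is a classic
            # way malware blocks updates and help forums.
            if m and m.group(1) in LOCALHOST and m.group(2).lower() != "localhost":
                findings.append(("hosts-localhost-pin", line))
        elif section.startswith("services"):
            # DDS prints "<registered path> --> <resolved path> [?]" when the
            # registered driver binary is not on disk.
            if "-->" in line and line.endswith("[?]"):
                findings.append(("driver-file-missing", line))
        elif section.startswith(("created last", "find3m")):
            m = FILE_ENTRY_RE.match(line)
            if m:
                attrs, path = m.groups()
                # Hidden+system attributes on a plain file under %SystemRoot%
                # (first flag 'd' marks directories, which are skipped).
                if (not attrs.startswith("d") and "s" in attrs and "h" in attrs
                        and "\\windows\\" in path.lower()):
                    findings.append(("hidden-system-file", line))
    return findings


if __name__ == "__main__":
    for category, line in triage_dds(SAMPLE_LOG):
        print(f"{category:24} {line}")
```

Every hit is a worklist item, not a verdict: the ThreatFire drivers are stale registrations, and a hidden system file is only suspicious until its hash and origin have been checked. The reverse also holds: a user-mode log cannot show what a kernel-mode rootkit hides from it, so an empty findings list from a parser like this does not clear a machine on which the rootkit scanners themselves hang.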



#2 myrti (Malware Study Hall Admin, 33,773 posts)

Posted 14 January 2010 - 03:00 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti


If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 stedmakr (Topic Starter)

Posted 14 January 2010 - 09:54 PM

Myrti,
Thanks for your assistance. I'd like to fix this problem if possible.

Keith


OTL.txt
OTL logfile created on: 1/14/2010 9:41:48 PM - Run 1
OTL by OldTimer - Version 3.1.24.1 Folder = C:\Documents and Settings\Peggy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 71.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 3069 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.95 Gb Total Space | 89.18 Gb Free Space | 61.10% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 158.09 Gb Free Space | 67.88% Space Free | Partition Type: NTFS
Drive E: | 960.72 Mb Total Space | 907.36 Mb Free Space | 94.45% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KEITH-8400
Current User Name: Peggy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/14 21:38:10 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Peggy\Desktop\OTL.exe
PRC - [2009/11/02 13:17:00 | 01,098,968 | ---- | M] (TiVo Inc.) -- C:\Program Files\TiVo\Desktop\TiVoBeacon.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/10/11 04:17:31 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\system32\java.exe
PRC - [2009/09/21 15:36:12 | 00,305,440 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/09/21 15:36:02 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/08/22 02:21:19 | 00,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
PRC - [2009/06/17 16:45:47 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe
PRC - [2009/05/08 09:35:50 | 02,780,432 | ---- | M] () -- C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
PRC - [2009/05/08 09:34:08 | 00,559,888 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
PRC - [2009/04/30 15:01:10 | 00,154,136 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2009/02/07 13:05:52 | 00,217,088 | ---- | M] () -- C:\Program Files\PS3 Media Server\win32\service\wrapper.exe
PRC - [2009/01/29 14:01:36 | 23,975,720 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe
PRC - [2009/01/10 06:21:52 | 00,842,752 | ---- | M] (ZabKat) -- C:\Program Files\zabkat\xplorer2\xplorer2_UC.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/11/09 15:20:25 | 00,655,624 | ---- | M] (Acresso Software Inc.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2008/10/14 21:38:56 | 00,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2008/04/14 04:42:42 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/04/14 04:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/30 22:14:06 | 01,769,472 | ---- | M] (PFU LIMITED) -- C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
PRC - [2006/03/30 09:15:44 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2002/04/12 00:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\BRSVC01A.EXE
PRC - [2001/12/13 00:01:00 | 00,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\BRSS01A.EXE


========== Modules (SafeList) ==========

MOD - [2010/01/14 21:38:10 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Peggy\Desktop\OTL.exe
MOD - [2009/08/22 02:21:16 | 00,419,696 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\16.7.2.11\asOEHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (ThreatFire)
SRV - File not found [Disabled | Stopped] -- -- (gmxfwsvc)
SRV - [2009/11/02 13:17:00 | 01,098,968 | ---- | M] (TiVo Inc.) [Auto | Running] -- C:\Program Files\TiVo\Desktop\TiVoBeacon.exe -- (TivoBeacon2)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/09/21 15:36:02 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/08/22 02:21:19 | 00,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe -- (Norton Internet Security)
SRV - [2009/06/17 16:45:47 | 00,133,104 | ---- | M] (Google Inc.) [Disabled | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9ef965109422a) Google Update Service (gupdate1c9ef965109422a)
SRV - [2009/04/30 15:01:10 | 00,154,136 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2009/02/07 13:05:52 | 00,217,088 | ---- | M] () [Auto | Running] -- C:\Program Files\PS3 Media Server\win32\service\wrapper.exe -- (PS3 Media Server)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/09 15:20:25 | 00,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/10 05:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/06/15 14:34:20 | 00,071,096 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
SRV - [2008/03/09 19:46:38 | 00,126,976 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\UAService.exe -- (UserAccess)
SRV - [2007/10/09 11:42:04 | 00,184,320 | ---- | M] (SoundMovieServer) [On_Demand | Stopped] -- C:\WINDOWS\System32\snmvtsvc.exe -- (SoundMovieServer)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/03/30 09:15:44 | 00,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2006/02/09 21:05:00 | 00,520,192 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2006/02/09 20:51:48 | 00,405,504 | ---- | M] (ATI Technologies Inc.) [Disabled | Stopped] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2002/04/12 00:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) [Auto | Running] -- C:\WINDOWS\system32\BRSVC01A.EXE -- (Brother XP spl Service)


========== Driver Services (SafeList) ==========

DRV - [2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/12/16 16:27:00 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/12/16 16:26:58 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/16 16:26:56 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/10/28 17:37:22 | 00,329,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSXpx86.sys -- (IDSxpx86)
DRV - [2009/09/10 17:02:02 | 00,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/09/08 19:55:29 | 00,482,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\ccHPx86.sys -- (ccHP)
DRV - [2009/08/28 18:42:52 | 00,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/08/26 03:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/08/26 03:00:00 | 00,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/08/25 03:00:00 | 01,323,568 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100102.020\NAVEX15.SYS -- (NAVEX15)
DRV - [2009/08/25 03:00:00 | 00,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100102.020\NAVENG.SYS -- (NAVENG)
DRV - [2009/08/22 02:21:19 | 00,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1007020.00B\SYMEFA.SYS -- (SymEFA)
DRV - [2009/08/22 02:21:19 | 00,308,272 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SRTSP.SYS -- (SRTSP)
DRV - [2009/08/22 02:21:19 | 00,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\BHDrvx86.sys -- (BHDrvx86)
DRV - [2009/08/22 02:21:19 | 00,217,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMTDI.SYS -- (SYMTDI)
DRV - [2009/08/22 02:21:19 | 00,089,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMFW.SYS -- (SYMFW)
DRV - [2009/08/22 02:21:19 | 00,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1007020.00B\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2009/08/22 02:21:19 | 00,036,400 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2009/08/22 02:21:19 | 00,033,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMIDS.SYS -- (SYMIDS)
DRV - [2009/08/22 02:21:06 | 00,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2009/08/22 02:21:06 | 00,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/05/09 00:14:20 | 00,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2009/04/30 22:03:30 | 00,023,832 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2009/04/30 22:03:08 | 06,754,712 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 9000(UVC)
DRV - [2009/04/30 22:01:36 | 00,265,496 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2009/04/30 15:00:12 | 00,025,624 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2008/07/26 14:26:22 | 00,041,752 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2008/04/13 23:15:14 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/11/29 17:30:24 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007/11/27 19:05:26 | 00,047,360 | ---- | M] (VSO Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin)
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/09 16:04:56 | 00,513,152 | ---- | M] (Windows ® 2000/XP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SndTDriverV32.sys -- (SndTDriverV32)
DRV - [2007/10/09 11:52:18 | 00,002,688 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MovRVDrv32.sys -- (MovRVDrv32)
DRV - [2006/02/28 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2006/02/09 20:57:46 | 01,502,208 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/01/27 15:31:06 | 00,260,352 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2004/09/17 09:02:54 | 00,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/08/23 14:49:30 | 00,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2002/04/11 13:47:52 | 00,011,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipfilter.sys -- (IPFilter)
DRV - [2000/07/24 01:01:00 | 00,019,537 | ---- | M] (Brother Industries Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\BrPar.sys -- (BrPar)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-329068152-776561741-839522115-1004\S-1-5-21-329068152-776561741-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:2.2.0.102

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/28 00:16:14 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/18 18:38:22 | 00,000,000 | ---D | M]

[2008/06/20 12:33:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peggy\Application Data\Mozilla\Extensions
[2009/12/18 16:03:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peggy\Application Data\Mozilla\Firefox\Profiles\ll4thyvp.default\extensions
[2010/01/14 18:54:43 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/02/15 13:55:00 | 00,044,360 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcdec.dll
[2008/02/15 13:55:00 | 00,107,936 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcext.dll
[2008/02/15 13:54:59 | 00,057,248 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll

O1 HOSTS File: (370721 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 12779 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-329068152-776561741-839522115-1004\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-329068152-776561741-839522115-1004\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdatePDRShortCut] d:\Program Files\CyberLink\PowerDirector\PowerDirector\MUITransfer\MUIStartMenu.exe File not found
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKU\S-1-5-21-329068152-776561741-839522115-1004..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ScanSnap Manager.lnk = C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
O4 - Startup: C:\Documents and Settings\Keith\Start Menu\Programs\Startup\autobahn.lnk = C:\Documents and Settings\Keith\Local Settings\Application Data\Autobahn\autobahn.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-329068152-776561741-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-329068152-776561741-839522115-1004\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-329068152-776561741-839522115-1004\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\CoIEPlg.dll (Symantec Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Costa Rica\IMG_0262.JPG
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Peggy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/25 13:00:50 | 00,000,000 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{053c843a-633c-11dd-bf7a-00111129fd11}\Shell\AutoRun\command - "" = G:\setupSNK.exe -- File not found
O33 - MountPoints2\{ba356a97-5b89-11de-801b-00111129fd11}\Shell\AutoRun\command - "" = G:\.\Vado\Vado.exe -- File not found
O33 - MountPoints2\{ecf48529-890a-11de-802d-00111129fd11}\Shell\AutoRun\command - "" = G:\.\Vado\Vado.exe -- File not found
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/14 21:40:53 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Peggy\Desktop\OTL.exe
[2010/01/03 07:18:31 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/01/02 10:51:44 | 00,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Peggy\Desktop\ATF-Cleaner.exe
[2010/01/02 10:31:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Peggy\Application Data\SUPERAntiSpyware.com
[2010/01/02 07:42:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/01/02 07:42:47 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/12/29 19:14:00 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/12/29 09:00:29 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/12/28 10:07:20 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/28 10:07:17 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/28 10:07:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/28 10:07:16 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/28 00:03:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2009/12/24 09:23:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Peggy\Application Data\U3
[2009/12/17 19:15:59 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2009/10/30 12:50:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\DivX
[2009/10/30 09:21:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/10/30 09:15:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2009/10/30 09:01:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009/10/25 19:20:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2009/10/24 21:54:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/06/30 20:38:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/06/17 16:55:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/10/04 21:09:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Avanquest
[2008/06/16 18:17:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\SupportSoft
[2008/03/21 12:41:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\TiVo Desktop
[2007/12/10 12:24:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/11/25 13:00:42 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2007/11/25 13:00:42 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/14 21:38:10 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Peggy\Desktop\OTL.exe
[2010/01/14 20:58:05 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/01/14 18:57:04 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/01/14 18:55:01 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/14 18:54:36 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/14 18:54:13 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/14 18:54:11 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/14 18:54:04 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/10 20:37:31 | 00,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/01/08 00:00:26 | 00,000,193 | ---- | M] () -- C:\WINDOWS\vuepro32.ini
[2010/01/06 22:26:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/05 22:01:15 | 00,016,904 | ---- | M] () -- C:\WINDOWS\System32\drivers\KLMD.sys
[2010/01/03 03:00:00 | 00,000,276 | ---- | M] () -- C:\WINDOWS\tasks\DietPower 4.4 Updates.job
[2010/01/02 13:15:41 | 07,864,320 | ---- | M] () -- C:\Documents and Settings\Peggy\ntuser.dat
[2010/01/02 12:58:02 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Peggy\ntuser.ini
[2010/01/02 10:51:45 | 00,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Peggy\Desktop\ATF-Cleaner.exe
[2010/01/02 10:29:37 | 07,451,168 | ---- | M] () -- C:\Documents and Settings\Peggy\Desktop\SUPERAntiSpyware.exe
[2010/01/02 07:42:52 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/30 14:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/29 08:49:36 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2009/12/29 08:49:34 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad
[2009/12/28 10:45:37 | 00,370,721 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/28 10:07:25 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/25 19:24:32 | 00,012,292 | -H-- | M] () -- C:\Documents and Settings\All Users\Documents\.DS_Store
[2009/12/25 06:36:15 | 00,529,501 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\unisudoku.dmg
[2009/12/25 06:30:40 | 25,842,136 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\MacJong.zip
[2009/12/24 09:39:55 | 00,000,505 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/24 09:39:55 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/24 09:39:55 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/12/24 09:08:23 | 00,018,058 | ---- | M] () -- C:\Documents and Settings\Peggy\Desktop\Wadsworth Letter.pdf
[2009/12/24 08:20:26 | 13,817,211 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\MJS.dmg
[2009/12/24 08:19:52 | 16,819,667 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\MJS2(2).dmg
[2009/12/24 08:18:51 | 01,683,688 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\solitaire.sit.hqx.hqx
[2009/12/24 08:18:39 | 01,278,543 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\SolitaireTillDawn401.sit.hqx
[2009/12/24 08:17:50 | 18,683,551 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\sd2demo_mac.hqx
[2009/12/24 08:17:39 | 07,330,715 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\MahjongPalace.sit
[2009/12/24 08:11:47 | 03,387,808 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\SudokuSusser.Mac.dmg
[2009/12/24 08:04:13 | 16,819,667 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\MJS2.dmg
[2009/12/24 08:03:02 | 07,298,584 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\mahjongepic-setup.dmg
[2009/12/24 08:00:03 | 04,452,853 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\mikescards.zip
[2009/12/24 07:56:18 | 10,827,549 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\solitaireepic-setup.dmg
[2009/12/24 07:52:20 | 07,786,415 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\sol_demo.dmg
[2009/12/24 07:45:40 | 32,248,045 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\SoliLuxe-Full-Free-120.zip
[2009/12/23 12:41:57 | 00,749,568 | ---- | M] () -- C:\Documents and Settings\Peggy\Desktop\Wadsworth - Salary Verification Letter.doc
[2009/12/16 19:29:05 | 00,002,493 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\001 File Joiner & Splitter 4.0.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/05 17:55:54 | 00,016,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\KLMD.sys
[2010/01/02 10:29:11 | 07,451,168 | ---- | C] () -- C:\Documents and Settings\Peggy\Desktop\SUPERAntiSpyware.exe
[2010/01/02 07:42:51 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/28 10:07:25 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/25 06:36:15 | 00,529,501 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\unisudoku.dmg
[2009/12/25 06:27:41 | 25,842,136 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\MacJong.zip
[2009/12/24 09:08:23 | 00,018,058 | ---- | C] () -- C:\Documents and Settings\Peggy\Desktop\Wadsworth Letter.pdf
[2009/12/24 08:19:58 | 13,817,211 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\MJS.dmg
[2009/12/24 08:19:23 | 16,819,667 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\MJS2(2).dmg
[2009/12/24 08:18:48 | 01,683,688 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\solitaire.sit.hqx.hqx
[2009/12/24 08:18:26 | 01,278,543 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\SolitaireTillDawn401.sit.hqx
[2009/12/24 08:17:07 | 07,330,715 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\MahjongPalace.sit
[2009/12/24 08:15:45 | 18,683,551 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\sd2demo_mac.hqx
[2009/12/24 08:11:34 | 03,387,808 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\SudokuSusser.Mac.dmg
[2009/12/24 08:03:48 | 16,819,667 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\MJS2.dmg
[2009/12/24 08:02:51 | 07,298,584 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\mahjongepic-setup.dmg
[2009/12/24 07:59:41 | 04,452,853 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\mikescards.zip
[2009/12/24 07:55:58 | 10,827,549 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\solitaireepic-setup.dmg
[2009/12/24 07:52:08 | 07,786,415 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\sol_demo.dmg
[2009/12/24 07:44:44 | 32,248,045 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\SoliLuxe-Full-Free-120.zip
[2009/12/23 12:41:52 | 00,749,568 | ---- | C] () -- C:\Documents and Settings\Peggy\Desktop\Wadsworth - Salary Verification Letter.doc
[2009/10/26 17:41:55 | 00,000,664 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
[2009/10/25 14:58:38 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/10/25 14:58:38 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/10/25 01:31:12 | 00,014,848 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/09 06:46:40 | 00,000,123 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/05/08 09:13:04 | 00,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2009/04/30 15:00:12 | 00,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2008/11/15 22:21:13 | 00,000,256 | ---- | C] () -- C:\WINDOWS\onlineeye.INI
[2008/07/28 23:22:13 | 00,004,608 | ---- | C] () -- C:\Documents and Settings\Peggy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/05/24 16:56:10 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/05/23 19:11:50 | 00,082,289 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/05/06 20:52:16 | 00,323,584 | ---- | C] () -- C:\WINDOWS\System32\FoxImager.dll
[2008/03/09 19:46:38 | 00,090,112 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt.dll
[2008/02/17 07:51:02 | 00,000,108 | RHS- | C] () -- C:\WINDOWS\neoqaz2.dll
[2008/02/15 13:55:46 | 00,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2008/01/14 06:32:23 | 00,000,183 | ---- | C] () -- C:\Program Files\work.url
[2008/01/01 19:48:23 | 00,001,325 | ---- | C] () -- C:\WINDOWS\Remove.ini
[2007/12/04 19:15:37 | 00,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/12/04 19:15:37 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/12/01 09:00:59 | 00,010,752 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/11/26 20:11:45 | 00,000,033 | ---- | C] () -- C:\WINDOWS\BiMonitor.ini
[2007/11/26 20:11:43 | 00,030,846 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2007/11/25 20:48:31 | 00,000,161 | ---- | C] () -- C:\WINDOWS\DISPARAM.INI
[2007/11/25 20:24:57 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2007/11/25 20:21:52 | 00,000,447 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2007/11/25 20:21:52 | 00,000,145 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
[2007/11/25 20:21:52 | 00,000,062 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2007/11/25 20:21:52 | 00,000,052 | ---- | C] () -- C:\WINDOWS\brpp2ka.ini
[2007/11/25 20:21:52 | 00,000,040 | ---- | C] () -- C:\WINDOWS\BRDIAG.INI
[2007/11/25 20:21:52 | 00,000,000 | ---- | C] () -- C:\WINDOWS\opt_5040.ini
[2007/11/25 20:21:52 | 00,000,000 | ---- | C] () -- C:\WINDOWS\BROHL504.INI
[2007/11/25 20:21:52 | 00,000,000 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2007/11/25 20:21:50 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\BROSNMP.DLL
[2007/11/25 20:21:50 | 00,026,624 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC32.DLL
[2007/11/25 20:21:50 | 00,004,608 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC16.DLL
[2007/11/25 20:21:49 | 00,011,604 | ---- | C] () -- C:\WINDOWS\HL-5040.INI
[2007/11/25 19:00:06 | 00,000,193 | ---- | C] () -- C:\WINDOWS\vuepro32.ini
[2006/01/12 17:09:14 | 00,090,112 | ---- | C] () -- C:\WINDOWS\System32\DXFLib.dll
[2006/01/12 17:08:06 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\opcode.dll
[2005/09/07 12:00:44 | 00,257,536 | ---- | C] () -- C:\WINDOWS\System32\BiImg.dll
[2005/09/07 12:00:44 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\JPEG32.DLL
[2004/09/10 08:36:12 | 00,327,680 | ---- | C] () -- C:\WINDOWS\System32\QFClient2.dll
[2002/04/11 13:47:52 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\msmscoin.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 197 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0AA053B7
@Alternate Data Stream - 189 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D282699C
@Alternate Data Stream - 188 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4BF2F6B5
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
@Alternate Data Stream - 108 bytes -> C:\WINDOWS:
< End of report >



Extra.txt
OTL Extras logfile created on: 1/14/2010 9:41:48 PM - Run 1
OTL by OldTimer - Version 3.1.24.1 Folder = C:\Documents and Settings\Peggy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 71.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 3069 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.95 Gb Total Space | 89.18 Gb Free Space | 61.10% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 158.09 Gb Free Space | 67.88% Space Free | Partition Type: NTFS
Drive E: | 960.72 Mb Total Space | 907.36 Mb Free Space | 94.45% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KEITH-8400
Current User Name: Peggy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"5353:UDP" = 5353:UDP:LocalSubNet:Enabled:mDNS-SD/Bonjour
"7288:TCP" = 7288:TCP:LocalSubNet:Enabled:TiVo HME Host: Port %d

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- File not found
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Disabled:AIM -- File not found
"C:\Documents and Settings\Keith\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe" = C:\Documents and Settings\Keith\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Enabled:Octoshape add-in for Adobe Flash Player -- (Octoshape ApS)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\TVersity\Media Server\MediaServer.exe" = C:\Program Files\TVersity\Media Server\MediaServer.exe:*:Enabled:TVersity Media Server -- File not found
"C:\Program Files\TiVo\Desktop\TiVoTransfer.exe" = C:\Program Files\TiVo\Desktop\TiVoTransfer.exe:LocalSubNet:Enabled:TiVo Transfer Service -- (TiVo Inc.)
"C:\Program Files\TiVo\Desktop\TiVoServer.exe" = C:\Program Files\TiVo\Desktop\TiVoServer.exe:LocalSubNet:Enabled:TiVo Server Service -- (TiVo Inc.)
"C:\Program Files\TiVo\Desktop\TiVoDesktop.exe" = C:\Program Files\TiVo\Desktop\TiVoDesktop.exe:LocalSubNet:Enabled:TiVo Desktop User Interface -- (TiVo Inc.)
"C:\Program Files\TiVo\Desktop\curl.exe" = C:\Program Files\TiVo\Desktop\curl.exe:LocalSubNet:Enabled:TiVo Curl Service -- ()
"C:\Program Files\TiVo\Desktop\TiVoBeacon.exe" = C:\Program Files\TiVo\Desktop\TiVoBeacon.exe:LocalSubNet:Enabled:TiVo Beacon Service -- (TiVo Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{0116F921-3F28-447E-B33F-248D8E65D4CD}" = 001 File Joiner and Splitter
"{02E73E50-6513-4802-8600-B5A5BA185BE3}" = ScanSoft PaperPort 11
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{12365698-8042-4774-8CAF-35BE91DC657B}" = Creative Vado HD Codec
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16D9439B-DF3D-43D1-A727-4B335300D07A}" = OverDrive Media Console
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{1FD0C5C1-B01B-4B4C-9607-E5D3B3D1318F}" = Microsoft IntelliPoint 4.1
"{20CFBF87-73BD-4EC5-80B4-9C894126BD14}" = TurboTax 2008 wvaiper
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 17
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Advanced Control Suite 2
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{409ECFF1-9CC7-43A8-B28A-B7F0B7CB04D1}_is1" = Classic Menu 3.x for Office 2007
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{4BCDD100-3029-42C3-B7F7-4A0DA414861D}" = DietPower 4.4
"{4E839090-3B68-436A-B3CF-A2A08C38DD26}" = TiVo Desktop 2.8
"{5171512e-ab28-4ac9-bd9b-f1a21a07c003}" = DFX for Windows Media Player
"{52232EF4-CC12-4C21-ABCF-ADB79618302D}" = Adobe Soundbooth CS4 Codecs
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{561968FD-56A1-49FD-9ED0-F55482C7C5BC}" = Adobe Media Encoder CS4 Exporter
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{593AFFA4-D08E-4272-BABB-420949D32A10}" = QUICKfind
"{59B13FD3-AD00-4E2C-AE30-0556451EC0DE}" = ScanSnap Organizer
"{5B21E6C6-04C8-4131-8556-08CC6CCE1DE0}_is1" = MyPersonalIndex 2.0.1
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{67A9747A-E1F5-4E9A-81CC-12B5D5B81B6E}" = Adobe After Effects CS4 Third Party Content
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{70E3A868-C269-4E6D-B225-862AADF7D0AF}" = Adobe Creative Suite 4 Production Premium
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{8186FF34-D389-4B7E-9A2F-C197585BCFBD}" = Adobe Media Encoder CS4 Importer
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A5F34E2-37CF-4AD4-808C-2D413786E31A}" = Microsoft Visual C Runtime
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9233F6E2-952D-48C5-A0A2-FA6AEEFA8194}" = Logitech Harmony Remote Client
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94824ADD-8F26-43D2-84DB-22E11F377E5E}" = Microsoft English TTS Engine
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{9501CD08-4582-47A3-92BD-3E7FAF9F343C}_is1" = Sothink FLV Converter
"{95A62B30-9558-4027-AEFF-68F05B60215C}" = Sudoku
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A351224F-533A-4EED-89F4-0BF3417FD31D}" = WD Backup
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-1033-F400-BA7E-000000000003}" = Adobe Acrobat 8 Standard - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AC96671C-2001-432C-9826-5266D84EF1DC}" = Logitech Webcam Software
"{AD1D8B40-F83C-41CA-BA08-9DB8D1653316}" = ScanSoft PDF Create! 3.0
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B3C9A441-C34D-40F3-9D3B-00EDDDAC74F1}" = Garmin Communicator Plugin
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BD01E97F-2A6A-495E-BE38-22C7B80F3CD7}" = Cheetah DVD Burner
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1205500-2179-11D7-B0B9-0000E24D4B29}" = Digital Camera
"{C2E8B236-7554-45FE-92C0-94EF76E4D182}" = Garmin City Navigator North America NT 2010.20
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C938BE91-3BB5-4B84-9EF6-88F0505D0038}" = Adobe Premiere Pro CS4 Third Party Content
"{CA842D69-22DB-456E-95C7-A5C92593C7C4}" = Adobe Setup
"{CAAB0192-5704-469F-A0BE-2D842D70E93B}_is1" = Sothink FLV Player
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D36DD326-7280-11D8-97C8-000129760CBE}" = CyberLink PhotoNow
"{D5F881C2-B134-474E-AA60-B25DD218AE0D}" = Crash Analysis Tool
"{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}" = iTunes
"{DBCDB997-EEEB-4BE9-BAFF-26B4094DBDE6}" = ScanSnap Manager
"{E58F3B88-3B3E-4F85-9323-04789D979C15}" = ScanSnap Organizer
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FB250000-0001-0000-0000-074957833700}" = ABBYY FineReader for ScanSnap ™ 3.0
"{FB2A5FCC-B81B-48C2-A009-7804694D83E9}" = Adobe Encore CS4 Codecs
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FD6C6B7F-5696-48C5-A601-2EE9E50C3D46}" = WD Firewire HID Driver
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"ActiveTouchMeetingClient" = WebEx
"Adobe Acrobat 8 Standard - English, Français, Deutsch" = Adobe Acrobat 8.1.4 Standard
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_36ac9dc8c9a94feb9e5886810012e78" = Adobe Creative Suite 4 Production Premium
"All ATI Software" = ATI - Software Uninstall Utility
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.3
"ATI Display Driver" = ATI Display Driver
"Autobahn" = Autobahn
"AviSynth" = AviSynth 2.5
"Boilsoft Video Joiner_is1" = Boilsoft Video Joiner 5.16
"Brother HL-5040" = Brother HL-5040
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CCleaner" = CCleaner
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"Creative Vado HD Codec" = Creative Vado HD Codec
"CSCLIB" = Canon Camera Support Core Library
"DietPower 4.4" = DietPower 4.4
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DreamAqua" = Dream Aquarium
"ENTERPRISER" = Microsoft Office Enterprise 2007
"EOS Utility" = Canon Utilities EOS Utility
"ESET Online Scanner" = ESET Online Scanner v3
"ffdshow_is1" = ffdshow [rev 1723] [2007-12-24]
"FileZilla Client" = FileZilla Client 3.1.5
"FLV Player" = FLV Player 2.0 (build 25)
"Forte Agent" = Forté Agent
"Free CD to MP3 Converter" = Free CD to MP3 Converter
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"ImgBurn" = ImgBurn
"InfraRecorder" = InfraRecorder
"InstallShield_{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Advanced Control Suite 2
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"InstallShield_{9233F6E2-952D-48C5-A0A2-FA6AEEFA8194}" = Logitech Harmony Remote Client
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"InstallShield_{D36DD326-7280-11D8-97C8-000129760CBE}" = CyberLink PhotoNow
"Kyodai Mahjongg 2006_is1" = Kyodai Mahjongg 2006 v1.0
"lvdrivers_11.70" = Logitech QuickCam Driver Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Miro" = Miro
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.5.6)" = Mozilla Firefox (3.5.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NewsBin5" = NewsBin Pro
"NIS" = Norton Internet Security
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Oxelon Media Converter_is1" = Oxelon Media Converter 1.1
"PhotoStitch" = Canon Utilities PhotoStitch
"plusdeck23.25c" = plusdeck2
"Pure Sudoku Deluxe_is1" = Pure Sudoku Deluxe 1.03
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"ScummVM_is1" = ScummVM 0.12.0
"SoundTaxi_is1" = SoundTaxi 3.1.1
"TurboTax 2008" = TurboTax 2008
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"Tweak UI 2.10" = Tweak UI
"VLC media player" = VLC media player 1.0.2
"VuePrint" = VuePrint
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"xplorer2p" = xplorer² professional
"XviD_is1" = XviD 1.1 final uninstall
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-329068152-776561741-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/11/2010 9:30:13 PM | Computer Name = KEITH-8400 | Source = Google Update | ID = 20
Description =

Error - 1/11/2010 9:58:09 PM | Computer Name = KEITH-8400 | Source = Google Update | ID = 20
Description =

Error - 1/11/2010 10:30:13 PM | Computer Name = KEITH-8400 | Source = Google Update | ID = 20
Description =

Error - 1/11/2010 10:58:05 PM | Computer Name = KEITH-8400 | Source = Google Update | ID = 20
Description =

Error - 1/14/2010 7:54:31 PM | Computer Name = KEITH-8400 | Source = Google Update | ID = 20
Description =

Error - 1/14/2010 7:58:05 PM | Computer Name = KEITH-8400 | Source = Google Update | ID = 20
Description =

Error - 1/14/2010 8:07:09 PM | Computer Name = KEITH-8400 | Source = Google Update | ID = 20
Description =

Error - 1/14/2010 8:58:05 PM | Computer Name = KEITH-8400 | Source = Google Update | ID = 20
Description =

Error - 1/14/2010 9:07:10 PM | Computer Name = KEITH-8400 | Source = Google Update | ID = 20
Description =

Error - 1/14/2010 9:58:05 PM | Computer Name = KEITH-8400 | Source = Google Update | ID = 20
Description =

[ OSession Events ]
Error - 9/11/2008 8:45:27 AM | Computer Name = KEITH-8400 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6323.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1638
seconds with 1140 seconds of active time. This session ended with a crash.

Error - 5/15/2009 10:15:04 PM | Computer Name = KEITH-8400 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 307
seconds with 60 seconds of active time. This session ended with a crash.

Error - 12/1/2009 5:53:51 AM | Computer Name = KEITH-8400 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 66
seconds with 60 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 1/10/2010 9:34:12 PM | Computer Name = KEITH-8400 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/10/2010 9:34:45 PM | Computer Name = KEITH-8400 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
TfFsMon TfSysMon

Error - 1/11/2010 9:19:50 PM | Computer Name = KEITH-8400 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
TfFsMon TfSysMon

Error - 1/11/2010 9:19:53 PM | Computer Name = KEITH-8400 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/11/2010 9:19:53 PM | Computer Name = KEITH-8400 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/11/2010 10:33:13 PM | Computer Name = KEITH-8400 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 1/14/2010 7:54:26 PM | Computer Name = KEITH-8400 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/14/2010 7:54:26 PM | Computer Name = KEITH-8400 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/14/2010 7:54:53 PM | Computer Name = KEITH-8400 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
TfFsMon TfSysMon

Error - 1/14/2010 7:56:02 PM | Computer Name = KEITH-8400 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >



#4 myrti

myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,773 posts
  • Gender:Female
  • Location:At home

Posted 14 January 2010 - 10:16 PM

Hi,

Please also provide a log from GMER:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 stedmakr

stedmakr
  • Topic Starter

  • Members
  • 32 posts

Posted 15 January 2010 - 06:43 PM

Myrta,

The initial result is below, but GMER locks up when I hit scan.
GMER froze when I attempted to scan the disk. The initial log below shows:

C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

When I hit scan in both safe and non-safe mode, scanning starts for about 2 seconds, then hits the section about the atapi.sys driver, and then the computer locks up. I tried this several times and waited up to 30 minutes for the scan to get past this one part.

Vr,

Keith


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-15 18:15:58
Windows 5.1.2600 Service Pack 3
Running: 1vzd4non.exe; Driver: C:\DOCUME~1\Keith\LOCALS~1\Temp\fgdcifow.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A70A841

---- Threads - GMER 1.0.15 ----

Thread System [4:468] 89F8F2A0

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#6 myrti


Posted 15 January 2010 - 06:46 PM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

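myrti's reading of the GMER log in post #5 (a modified atapi.sys together with a disk device object that GMER lists under \Driver\atapi at a bare kernel address) can be turned into a repeatable triage check. The script below is an added example, not code from this thread, from GMER or from BleepingComputer; it parses the log posted above, flags those two indicators, and correlates them by driver name. The trusted-vendor allowlist is an assumption, and the "Header" section name is the script's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Sample input: the GMER log pasted in post #5 of this thread (blank lines dropped).
GMER_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-15 18:15:58
Windows 5.1.2600 Service Pack 3
Running: 1vzd4non.exe; Driver: C:\DOCUME~1\Keith\LOCALS~1\Temp\fgdcifow.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A70A841
---- Threads - GMER 1.0.15 ----
Thread System [4:468] 89F8F2A0
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
FILE_MOD_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")
# A device object that GMER lists under its driver with a bare kernel address instead of a module name.
DEVICE_RE = re.compile(r"^Device -> (?P<driver>\\Driver\\\S+) (?P<device>\\Device\\\S+) (?P<addr>[0-9A-Fa-f]{8})$")
ATTACHED_RE = re.compile(r"^AttachedDevice (?P<driver>\\Driver\\\S+) (?P<device>\\Device\\\S+) (?P<module>\S+) \((?P<desc>.*)\)$")


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group the non-blank lines of a GMER log under their '---- Name - GMER x ----' headers."""
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


@dataclass
class Triage:
    modified_files: List[str] = field(default_factory=list)  # "suspicious modification" entries
    redirected_devices: List[Tuple[str, str, str]] = field(default_factory=list)  # (driver, device, addr)
    unknown_attached: List[Tuple[str, str, str]] = field(default_factory=list)  # (driver, device, module)
    correlated_drivers: List[str] = field(default_factory=list)  # modified file AND redirected device

    @property
    def verdict(self) -> str:
        if self.correlated_drivers:
            return "likely rootkit"
        if self.modified_files or self.redirected_devices or self.unknown_attached:
            return "suspicious"
        return "no rootkit indicators"


def triage(log: str, trusted_vendors=frozenset({"Symantec Corporation"})) -> Triage:
    """Apply the reading used in this thread: a modified system driver whose own device
    object has been redirected to an unnamed kernel address points to a rootkit."""
    sections = split_sections(log)
    t = Triage()
    for line in sections.get("Files", []):
        m = FILE_MOD_RE.match(line)
        if m:
            t.modified_files.append(m.group("path"))
    for line in sections.get("Devices", []):
        m = DEVICE_RE.match(line)
        if m:
            t.redirected_devices.append((m.group("driver"), m.group("device"), m.group("addr").upper()))
            continue
        m = ATTACHED_RE.match(line)
        # The vendor string comes from the module's own version info: treat the allowlist as a hint only.
        if m and m.group("desc").rsplit("/", 1)[-1] not in trusted_vendors:
            t.unknown_attached.append((m.group("driver"), m.group("device"), m.group("module")))
    # Correlate: does a modified .sys file belong to a driver object that has a redirected device?
    redirected = {drv.rsplit("\\", 1)[-1].lower() for drv, _, _ in t.redirected_devices}
    for path in t.modified_files:
        name = path.rsplit("\\", 1)[-1].lower()
        name = name[:-4] if name.endswith(".sys") else name
        if name in redirected:
            t.correlated_drivers.append(name)
    return t


if __name__ == "__main__":
    result = triage(GMER_LOG)
    print("verdict:", result.verdict)
    for name in result.correlated_drivers:
        print(f"  {name}.sys is modified and its device object is redirected to a raw address")
```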


#7 stedmakr


Posted 16 January 2010 - 04:48 PM

Myrti,
I ran ComboFix and the log follows. My desire is to fix this computer (if possible), but I'll keep sensitive info off the machine. This computer was infected when I was running Norton Internet Security. Is there another program or suite of programs that could have prevented this infection?

Thanks for your help,

Keith

ComboFix 10-01-16.02 - Keith 01/16/2010 16:24:16.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1595 [GMT -5:00]
Running from: c:\documents and settings\Keith\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: ThreatFire *On-access scanning disabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Keith\My Documents\ZbThumbnail.info
c:\windows\TEMP\jna590210093957245132.tmp

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.

2010-01-16 17:47 . 2010-01-16 17:47 -------- d-----w- c:\documents and settings\Keith\.autobahn
2010-01-16 15:09 . 2010-01-16 15:09 -------- d-----w- c:\documents and settings\Peggy\Application Data\Leadertech
2010-01-16 15:09 . 2010-01-16 15:09 -------- d-----w- c:\documents and settings\Peggy\Application Data\Malwarebytes
2010-01-05 22:55 . 2010-01-06 03:01 16904 ----a-w- c:\windows\system32\drivers\KLMD.sys
2010-01-02 15:31 . 2010-01-16 14:38 -------- d-----w- c:\documents and settings\Peggy\Application Data\SUPERAntiSpyware.com
2010-01-02 12:42 . 2010-01-02 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-02 12:42 . 2010-01-02 12:42 -------- d-----w- c:\documents and settings\Keith\Application Data\SUPERAntiSpyware.com
2009-12-28 15:07 . 2009-12-28 15:07 -------- d-----w- c:\documents and settings\Keith\Application Data\Malwarebytes
2009-12-28 15:07 . 2009-12-28 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-28 05:22 . 2009-12-28 05:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avanquest
2009-12-28 05:16 . 2009-12-28 05:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-12-27 13:15 . 2009-12-27 13:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-24 14:23 . 2009-12-24 15:16 -------- d-----w- c:\documents and settings\Peggy\Application Data\U3
2009-12-18 02:43 . 2009-12-18 02:43 -------- d-sh--w- c:\documents and settings\Keith\IECompatCache
2009-12-18 00:15 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 21:32 . 2009-11-09 18:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-16 15:16 . 2007-11-26 01:29 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-16 15:09 . 2008-05-24 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2010-01-16 15:05 . 2008-03-22 14:05 -------- d-----w- c:\documents and settings\Peggy\Application Data\uTorrent
2010-01-16 15:05 . 2007-11-25 18:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-16 15:04 . 2008-06-22 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\DietPower4.4
2010-01-16 14:50 . 2007-12-04 03:11 -------- d-----w- c:\documents and settings\Peggy\Application Data\Newsbin
2010-01-16 14:49 . 2008-05-03 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-16 14:38 . 2007-12-05 00:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-16 14:33 . 2008-05-27 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-16 14:29 . 2007-11-27 22:33 -------- d-----w- c:\documents and settings\Peggy\Application Data\ScanSoft
2010-01-16 14:29 . 2007-11-27 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-01-16 14:25 . 2007-11-25 18:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-16 14:21 . 2007-11-25 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-16 14:20 . 2007-11-25 21:27 -------- d-----w- c:\program files\MSBuild
2010-01-11 02:37 . 2008-05-27 23:22 -------- d-----w- c:\documents and settings\Keith\Application Data\Skype
2010-01-11 01:37 . 2008-05-27 23:23 -------- d-----w- c:\documents and settings\Keith\Application Data\skypePM
2010-01-03 13:13 . 2007-11-26 00:28 -------- d-----w- c:\documents and settings\Keith\Application Data\NewsBin
2010-01-02 12:43 . 2010-01-02 12:43 52224 ----a-w- c:\documents and settings\Keith\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-02 12:43 . 2010-01-02 12:43 117760 ----a-w- c:\documents and settings\Keith\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-01 21:35 . 2009-11-28 22:57 -------- d-----w- c:\documents and settings\Keith\Application Data\Move Networks
2010-01-01 21:33 . 2009-05-20 02:31 -------- d-----w- c:\program files\ABC Amber LIT Converter
2009-12-29 13:49 . 2008-05-24 00:11 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-12-29 13:49 . 2008-05-24 00:11 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-12-21 16:01 . 2009-06-17 21:45 -------- d-----w- c:\program files\Google
2009-12-20 14:41 . 2007-12-19 01:06 -------- d-----w- c:\documents and settings\Keith\Application Data\ZoomBrowser EX
2009-12-20 13:08 . 2009-10-25 13:56 -------- d-----w- c:\documents and settings\Keith\Application Data\PCF-VLC
2009-12-20 13:08 . 2008-03-09 13:35 -------- d-----w- c:\documents and settings\Keith\Application Data\gtk-2.0
2009-12-19 04:55 . 2009-10-25 22:54 -------- d-----w- c:\documents and settings\Keith\Application Data\vlc
2009-12-13 12:41 . 2007-11-26 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-12-09 09:00 . 2010-01-16 15:16 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100115.050\CCERASER.DLL
2009-11-21 15:51 . 2006-02-28 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-21 13:31 . 2009-10-25 19:46 -------- d-----w- c:\program files\PS3 Media Server
2009-11-20 05:32 . 2009-11-20 05:32 -------- d-----w- c:\documents and settings\Keith\Application Data\dvdcss
2009-11-12 21:01 . 2009-11-12 21:01 726008 ----a-w- c:\documents and settings\Peggy\gotomypc_438.exe
2009-11-05 23:16 . 2009-11-05 23:16 593920 ----a-w- c:\documents and settings\Keith\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv305hw-0910190-0-main.dll
2009-11-03 22:53 . 2009-11-03 22:53 152576 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-30 14:02 . 2009-10-30 14:02 78216 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:45 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-26 22:42 . 2009-10-26 22:41 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
2009-10-21 05:38 . 2006-02-28 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-02-28 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2006-02-28 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2008-02-15 18:55 . 2008-02-15 18:55 44360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-02-15 18:55 . 2008-02-15 18:55 107936 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-02-17 12:51 . 2008-02-17 12:51 108 --sha-r- c:\windows\neoqaz2.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2009-11-02 856280]
"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2009-11-02 604888]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-11-02 2195160]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-11-02 430808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\Keith\Start Menu\Programs\Startup\
autobahn.lnk - c:\documents and settings\Keith\Local Settings\Application Data\Autobahn\autobahn.exe [2009-8-31 711384]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Conversion to PDF with ScanSnap Organizer.lnk]
backup=c:\windows\pss\Conversion to PDF with ScanSnap Organizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote.lnk]
backup=c:\windows\pss\Logitech Harmony Remote.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Keith\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1007020.00B\SymEFA.sys [9/8/2009 7:55 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1007020.00B\BHDrvx86.sys [9/8/2009 7:55 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1007020.00B\cchpx86.sys [9/8/2009 6:52 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100112.001\IDSXpx86.sys [1/16/2010 10:16 AM 329592]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe [9/8/2009 7:55 PM 117640]
R2 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [2/7/2009 1:05 PM 217088]
R2 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [11/2/2009 1:17 PM 1098968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 7:36 AM 102448]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [3/19/2008 8:45 PM 2688]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
S4 gmxfwsvc;Onlineeye Firewall Service;"c:\program files\Onlineeye\gmxffcsrv.exe" -service --> c:\program files\Onlineeye\gmxffcsrv.exe [?]
S4 gupdate1c9ef965109422a;Google Update Service (gupdate1c9ef965109422a);c:\program files\Google\Update\GoogleUpdate.exe [6/17/2009 4:46 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 21:45]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 21:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: intuit.com
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Keith\Application Data\Mozilla\Firefox\Profiles\579w1nny.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-UpdatePDRShortCut - d:\program files\CyberLink\PowerDirector\PowerDirector\MUITransfer\MUIStartMenu.exe
MSConfigStartUp-AdobeCS4ServiceManager - c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
MSConfigStartUp-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
MSConfigStartUp-Logitech Vid - c:\program files\Logitech\Logitech Vid\vid.exe
MSConfigStartUp-Miro - c:\program files\Participatory Culture Foundation\Miro\Miro.exe
MSConfigStartUp-PlayOn - c:\program files\MediaMall\PlayOn.exe
MSConfigStartUp-VirusScannerPro - c:\progra~1\AVANQU~1\Fix-It\MemCheck.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 16:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(212)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\tlntsvr.exe
c:\windows\system32\java.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-16 16:40:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-16 21:40

Pre-Run: 111,137,136,640 bytes free
Post-Run: 115,663,777,792 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - E564520A1BAA03C45F8B6B73BFBE8A00


#8 myrti


Posted 16 January 2010 - 05:24 PM

Hi,

ComboFix should have taken out the rootkit, how is your PC doing now?

Please provide a new log from OTL (only OTL.txt will open).

No anti-virus program will ever be able to catch all malware. Sure, there may be an anti-virus that would have kept you clear of this infection, but it would probably have slipped on another infection.

I will give you a couple of additional pieces of software advice once we get your system clean. As long as it is still infected, I would like to add/change as little as possible.

regards myrti



#9 stedmakr


Posted 16 January 2010 - 05:47 PM

Myrti,
The OTL file follows. The computer appears to be working fine. The redirect problem does not appear to exist at this time. The computer would not start some programs like turbo tax 08. That program now works.

Are we close to claiming victory?

Keith

OTL logfile created on: 1/16/2010 5:34:29 PM - Run 2
OTL by OldTimer - Version 3.1.24.1 Folder = C:\Documents and Settings\Keith\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 3069 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.95 Gb Total Space | 107.72 Gb Free Space | 73.81% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 168.47 Gb Free Space | 72.34% Space Free | Partition Type: NTFS
Drive E: | 960.72 Mb Total Space | 956.50 Mb Free Space | 99.56% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KEITH-8400
Current User Name: Keith
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/14 21:38:10 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Keith\Desktop\OTL.exe
PRC - [2009/11/02 13:17:08 | 00,604,888 | ---- | M] (TiVo Inc.) -- C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
PRC - [2009/11/02 13:17:04 | 00,430,808 | ---- | M] (TiVo Inc.) -- C:\Program Files\TiVo\Desktop\TiVoNotify.exe
PRC - [2009/11/02 13:17:00 | 01,098,968 | ---- | M] (TiVo Inc.) -- C:\Program Files\TiVo\Desktop\TiVoBeacon.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/10/11 04:17:31 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\system32\java.exe
PRC - [2009/09/21 15:36:12 | 00,305,440 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/09/21 15:36:02 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/08/31 15:05:44 | 00,711,384 | ---- | M] () -- C:\Documents and Settings\Keith\Local Settings\Application Data\Autobahn\autobahn.exe
PRC - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/08/22 02:21:19 | 00,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
PRC - [2009/06/17 16:45:47 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe
PRC - [2009/02/07 13:05:52 | 00,217,088 | ---- | M] () -- C:\Program Files\PS3 Media Server\win32\service\wrapper.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/14 04:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001/12/13 00:01:00 | 00,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\BRSS01A.EXE


========== Modules (SafeList) ==========

MOD - [2010/01/14 21:38:10 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Keith\Desktop\OTL.exe
MOD - [2009/08/22 02:21:16 | 00,419,696 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\16.7.2.11\asOEHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (ThreatFire)
SRV - File not found [Disabled | Stopped] -- -- (gmxfwsvc)
SRV - [2009/11/02 13:17:00 | 01,098,968 | ---- | M] (TiVo Inc.) [Auto | Running] -- C:\Program Files\TiVo\Desktop\TiVoBeacon.exe -- (TivoBeacon2)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/09/21 15:36:02 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/08/22 02:21:19 | 00,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe -- (Norton Internet Security)
SRV - [2009/06/17 16:45:47 | 00,133,104 | ---- | M] (Google Inc.) [Disabled | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9ef965109422a) Google Update Service (gupdate1c9ef965109422a)
SRV - [2009/02/07 13:05:52 | 00,217,088 | ---- | M] () [Auto | Running] -- C:\Program Files\PS3 Media Server\win32\service\wrapper.exe -- (PS3 Media Server)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/09 15:20:25 | 00,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/10/10 05:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/03/09 19:46:38 | 00,126,976 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\UAService.exe -- (UserAccess)
SRV - [2006/02/09 21:05:00 | 00,520,192 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2006/02/09 20:51:48 | 00,405,504 | ---- | M] (ATI Technologies Inc.) [Disabled | Stopped] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2002/04/12 00:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) [Auto | Stopped] -- C:\WINDOWS\system32\BRSVC01A.EXE -- (Brother XP spl Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2009/12/29 08:49:36 | 00,000,000 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.hs -- (LVUVC) Logitech QuickCam Pro 9000(UVC)
DRV - [2009/10/28 17:37:22 | 00,329,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100116.002\IDSXpx86.sys -- (IDSxpx86)
DRV - [2009/09/10 17:02:02 | 00,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/09/08 19:55:29 | 00,482,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\ccHPx86.sys -- (ccHP)
DRV - [2009/08/28 18:42:52 | 00,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/08/26 03:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/08/26 03:00:00 | 00,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/08/25 03:00:00 | 01,323,568 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100116.005\NAVEX15.SYS -- (NAVEX15)
DRV - [2009/08/25 03:00:00 | 00,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100116.005\NAVENG.SYS -- (NAVENG)
DRV - [2009/08/22 02:21:19 | 00,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1007020.00B\SYMEFA.SYS -- (SymEFA)
DRV - [2009/08/22 02:21:19 | 00,308,272 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SRTSP.SYS -- (SRTSP)
DRV - [2009/08/22 02:21:19 | 00,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\BHDrvx86.sys -- (BHDrvx86)
DRV - [2009/08/22 02:21:19 | 00,217,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMTDI.SYS -- (SYMTDI)
DRV - [2009/08/22 02:21:19 | 00,089,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMFW.SYS -- (SYMFW)
DRV - [2009/08/22 02:21:19 | 00,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1007020.00B\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2009/08/22 02:21:19 | 00,036,400 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2009/08/22 02:21:19 | 00,033,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMIDS.SYS -- (SYMIDS)
DRV - [2009/08/22 02:21:06 | 00,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2009/08/22 02:21:06 | 00,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/05/09 00:14:20 | 00,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/04/13 23:15:14 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/11/29 17:30:24 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007/11/27 19:05:26 | 00,047,360 | ---- | M] (VSO Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin)
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/09 16:04:56 | 00,513,152 | ---- | M] (Windows ® 2000/XP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SndTDriverV32.sys -- (SndTDriverV32)
DRV - [2007/10/09 11:52:18 | 00,002,688 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MovRVDrv32.sys -- (MovRVDrv32)
DRV - [2006/02/28 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2006/02/09 20:57:46 | 01,502,208 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/08/23 14:49:30 | 00,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2002/04/11 13:47:52 | 00,011,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipfilter.sys -- (IPFilter)
DRV - [2000/07/24 01:01:00 | 00,019,537 | ---- | M] (Brother Industries Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\BrPar.sys -- (BrPar)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-329068152-776561741-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-329068152-776561741-839522115-1003\S-1-5-21-329068152-776561741-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-329068152-776561741-839522115-1003\S-1-5-21-329068152-776561741-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.defaulturl: "http://search.aol.com/aolcom/search?invocationType=tbff50ie7&query="
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: {fce36c1e-58d8-498a-b2a5-66ad1cedebbb}:0.76
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..network.proxy.backup.ftp: ""
FF - prefs.js..network.proxy.backup.ftp_port: 0
FF - prefs.js..network.proxy.backup.gopher: ""
FF - prefs.js..network.proxy.backup.gopher_port: 0
FF - prefs.js..network.proxy.backup.socks: ""
FF - prefs.js..network.proxy.backup.socks_port: 0
FF - prefs.js..network.proxy.backup.ssl: ""
FF - prefs.js..network.proxy.backup.ssl_port: 0
FF - prefs.js..network.proxy.ftp: "superhappykittymeow.com"
FF - prefs.js..network.proxy.ftp_port: 3128
FF - prefs.js..network.proxy.gopher: "superhappykittymeow.com"
FF - prefs.js..network.proxy.gopher_port: 3128
FF - prefs.js..network.proxy.http: "superhappykittymeow.com"
FF - prefs.js..network.proxy.http_port: 3128
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "superhappykittymeow.com"
FF - prefs.js..network.proxy.socks_port: 3128
FF - prefs.js..network.proxy.ssl: "superhappykittymeow.com"
FF - prefs.js..network.proxy.ssl_port: 3128

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/28 00:16:14 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/16 10:16:50 | 00,000,000 | ---D | M]

[2008/06/20 05:38:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\Mozilla\Extensions
[2010/01/03 17:18:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\579w1nny.default\extensions
[2008/11/12 22:37:38 | 00,000,000 | ---D | M] (CustomizeGoogle) -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\579w1nny.default\extensions\{fce36c1e-58d8-498a-b2a5-66ad1cedebbb}
[2009/12/27 23:43:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\579w1nny.default\extensions\staged-xpis
[2010/01/16 17:28:06 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/02/15 13:55:00 | 00,044,360 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcdec.dll
[2008/02/15 13:55:00 | 00,107,936 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcext.dll
[2008/02/15 13:54:59 | 00,057,248 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-329068152-776561741-839522115-1003\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\S-1-5-21-329068152-776561741-839522115-1003\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKU\S-1-5-21-329068152-776561741-839522115-1003..\Run: [TivoNotify] C:\Program Files\TiVo\Desktop\TiVoNotify.exe (TiVo Inc.)
O4 - HKU\S-1-5-21-329068152-776561741-839522115-1003..\Run: [TivoServer] C:\Program Files\TiVo\Desktop\TiVoServer.exe (TiVo Inc.)
O4 - HKU\S-1-5-21-329068152-776561741-839522115-1003..\Run: [TivoTransfer] C:\Program Files\TiVo\Desktop\TiVoTransfer.exe (TiVo Inc.)
O4 - HKU\S-1-5-21-329068152-776561741-839522115-1003..\Run: [TranscodingService] C:\Program Files\TiVo\Desktop\Plus\\TranscodingService.exe ()
O4 - Startup: C:\Documents and Settings\Keith\Start Menu\Programs\Startup\autobahn.lnk = C:\Documents and Settings\Keith\Local Settings\Application Data\Autobahn\autobahn.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-329068152-776561741-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-329068152-776561741-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-329068152-776561741-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-21-329068152-776561741-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-329068152-776561741-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-329068152-776561741-839522115-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-329068152-776561741-839522115-1003\..Trusted Domains: intuit.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-329068152-776561741-839522115-1003\..Trusted Domains: turbotax.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-329068152-776561741-839522115-1003\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-329068152-776561741-839522115-1003\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\CoIEPlg.dll (Symantec Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/25 13:00:50 | 00,000,000 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/16 17:32:59 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Keith\Desktop\OTL.exe
[2010/01/16 16:16:39 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2010/01/16 16:14:03 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/01/16 16:14:03 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/01/16 16:14:03 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/01/16 16:14:03 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/01/16 16:13:45 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/16 16:13:19 | 00,000,000 | ---D | C] -- C:\Qoobox
[2010/01/16 12:51:34 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Keith\My Documents\My TiVo Recordings
[2010/01/16 12:47:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Keith\.autobahn
[2010/01/07 21:55:24 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Keith\Desktop\RootRepeal.exe
[2010/01/05 17:50:31 | 00,137,480 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Keith\Desktop\TDSSKiller.exe
[2010/01/02 07:42:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/01/02 07:42:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Keith\Application Data\SUPERAntiSpyware.com
[2010/01/02 07:39:24 | 00,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Keith\Desktop\ATF-Cleaner.exe
[2009/12/30 00:22:30 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Keith\Desktop\HJTInstall.exe
[2009/12/28 10:07:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Keith\Application Data\Malwarebytes
[2009/12/28 10:07:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/28 00:03:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2009/12/17 21:43:30 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Keith\IECompatCache
[2009/12/17 19:15:59 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2009/10/30 12:50:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\DivX
[2009/10/30 09:21:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/10/30 09:15:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2009/10/30 09:01:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009/10/25 19:20:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2009/10/24 21:54:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/06/30 20:38:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/06/17 16:55:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/10/04 21:09:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Avanquest
[2008/06/16 18:17:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\SupportSoft
[2008/03/21 12:41:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\TiVo Desktop
[2007/12/10 12:24:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/11/25 13:00:42 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2007/11/25 13:00:42 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/16 16:58:05 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/01/16 16:48:48 | 00,075,184 | ---- | M] () -- C:\Documents and Settings\Keith\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/01/16 16:48:38 | 00,002,399 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2008.lnk
[2010/01/16 16:33:25 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/16 16:32:44 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/01/16 16:32:23 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/16 16:32:17 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/16 16:32:11 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/16 16:32:03 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/16 16:32:01 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/16 16:30:42 | 09,699,328 | ---- | M] () -- C:\Documents and Settings\Keith\ntuser.dat
[2010/01/16 16:30:42 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Keith\ntuser.ini
[2010/01/16 16:17:06 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2010/01/16 16:10:40 | 03,827,053 | R--- | M] () -- C:\Documents and Settings\Keith\Desktop\ComboFix.exe
[2010/01/16 16:10:12 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/01/16 10:52:47 | 00,000,280 | ---- | M] () -- C:\WINDOWS\vuepro32.ini
[2010/01/16 10:24:29 | 02,158,568 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/01/16 09:17:38 | 00,000,414 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/15 17:10:24 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\1vzd4non.exe
[2010/01/14 21:38:10 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Keith\Desktop\OTL.exe
[2010/01/14 18:57:04 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/01/07 21:56:00 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\settings.dat
[2010/01/07 21:54:32 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Keith\Desktop\RootRepeal.exe
[2010/01/07 21:53:21 | 00,005,143 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\Attach.zip
[2010/01/06 22:26:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/05 22:01:15 | 00,016,904 | ---- | M] () -- C:\WINDOWS\System32\drivers\KLMD.sys
[2010/01/05 17:45:32 | 00,120,283 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\tdsskiller.zip
[2010/01/03 07:16:48 | 02,672,312 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\esetsmartinstaller_enu.exe
[2010/01/02 07:41:01 | 07,451,168 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\SUPERAntiSpyware.exe
[2010/01/02 07:39:25 | 00,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Keith\Desktop\ATF-Cleaner.exe
[2009/12/29 19:14:01 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\HijackThis.lnk
[2009/12/29 19:11:16 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Keith\Desktop\HJTInstall.exe
[2009/12/29 08:49:36 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2009/12/29 08:49:34 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad
[2009/12/27 23:34:12 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Keith\Local Settings\Application Data\housecall.guid.cache
[2009/12/25 19:24:32 | 00,012,292 | -H-- | M] () -- C:\Documents and Settings\All Users\Documents\.DS_Store
[2009/12/25 06:36:15 | 00,529,501 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\unisudoku.dmg
[2009/12/25 06:30:40 | 25,842,136 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\MacJong.zip
[2009/12/24 09:39:55 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/12/24 09:32:56 | 04,239,844 | -H-- | M] () -- C:\Documents and Settings\Keith\Local Settings\Application Data\IconCache.db
[2009/12/24 08:20:26 | 13,817,211 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\MJS.dmg
[2009/12/24 08:19:52 | 16,819,667 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\MJS2(2).dmg
[2009/12/24 08:18:51 | 01,683,688 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\solitaire.sit.hqx.hqx
[2009/12/24 08:18:39 | 01,278,543 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\SolitaireTillDawn401.sit.hqx
[2009/12/24 08:17:50 | 18,683,551 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\sd2demo_mac.hqx
[2009/12/24 08:17:39 | 07,330,715 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\MahjongPalace.sit
[2009/12/24 08:11:47 | 03,387,808 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\SudokuSusser.Mac.dmg
[2009/12/24 08:04:13 | 16,819,667 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\MJS2.dmg
[2009/12/24 08:03:02 | 07,298,584 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\mahjongepic-setup.dmg
[2009/12/24 08:00:03 | 04,452,853 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\mikescards.zip
[2009/12/24 07:56:18 | 10,827,549 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\solitaireepic-setup.dmg
[2009/12/24 07:52:20 | 07,786,415 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\sol_demo.dmg
[2009/12/24 07:45:40 | 32,248,045 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\SoliLuxe-Full-Free-120.zip
[2009/12/23 04:43:39 | 00,013,764 | ---- | M] () -- C:\Documents and Settings\Keith\My Documents\Merry Christmas 2009.docx
[2009/12/20 17:17:49 | 00,000,218 | ---- | M] () -- C:\Documents and Settings\Keith\.recently-used.xbel
[2009/12/20 02:41:24 | 00,137,480 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Keith\Desktop\TDSSKiller.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/16 16:17:05 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2010/01/16 16:16:52 | 00,260,272 | ---- | C] () -- C:\cmldr
[2010/01/16 16:14:03 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/01/16 16:14:03 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/01/16 16:14:03 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/01/16 16:14:03 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/01/16 16:14:03 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/01/16 16:12:55 | 03,827,053 | R--- | C] () -- C:\Documents and Settings\Keith\Desktop\ComboFix.exe
[2010/01/15 17:14:43 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\Keith\Desktop\1vzd4non.exe
[2010/01/07 21:56:00 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Keith\Desktop\settings.dat
[2010/01/07 21:53:21 | 00,005,143 | ---- | C] () -- C:\Documents and Settings\Keith\Desktop\Attach.zip
[2010/01/05 17:55:54 | 00,016,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\KLMD.sys
[2010/01/05 17:50:17 | 00,120,283 | ---- | C] () -- C:\Documents and Settings\Keith\Desktop\tdsskiller.zip
[2010/01/03 07:18:09 | 02,672,312 | ---- | C] () -- C:\Documents and Settings\Keith\Desktop\esetsmartinstaller_enu.exe
[2010/01/02 07:40:35 | 07,451,168 | ---- | C] () -- C:\Documents and Settings\Keith\Desktop\SUPERAntiSpyware.exe
[2009/12/29 19:14:01 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Keith\Desktop\HijackThis.lnk
[2009/12/27 23:34:12 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Keith\Local Settings\Application Data\housecall.guid.cache
[2009/12/25 06:36:15 | 00,529,501 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\unisudoku.dmg
[2009/12/25 06:27:41 | 25,842,136 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\MacJong.zip
[2009/12/24 08:19:58 | 13,817,211 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\MJS.dmg
[2009/12/24 08:19:23 | 16,819,667 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\MJS2(2).dmg
[2009/12/24 08:18:48 | 01,683,688 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\solitaire.sit.hqx.hqx
[2009/12/24 08:18:26 | 01,278,543 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\SolitaireTillDawn401.sit.hqx
[2009/12/24 08:17:07 | 07,330,715 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\MahjongPalace.sit
[2009/12/24 08:15:45 | 18,683,551 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\sd2demo_mac.hqx
[2009/12/24 08:11:34 | 03,387,808 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\SudokuSusser.Mac.dmg
[2009/12/24 08:03:48 | 16,819,667 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\MJS2.dmg
[2009/12/24 08:02:51 | 07,298,584 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\mahjongepic-setup.dmg
[2009/12/24 07:59:41 | 04,452,853 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\mikescards.zip
[2009/12/24 07:55:58 | 10,827,549 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\solitaireepic-setup.dmg
[2009/12/24 07:52:08 | 07,786,415 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\sol_demo.dmg
[2009/12/24 07:44:44 | 32,248,045 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\SoliLuxe-Full-Free-120.zip
[2009/12/23 04:43:36 | 00,013,764 | ---- | C] () -- C:\Documents and Settings\Keith\My Documents\Merry Christmas 2009.docx
[2009/12/20 17:17:49 | 00,000,218 | ---- | C] () -- C:\Documents and Settings\Keith\.recently-used.xbel
[2009/10/26 17:41:55 | 00,000,664 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
[2009/10/25 01:31:12 | 00,014,848 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/09 06:46:40 | 00,000,123 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/11/15 22:21:13 | 00,000,256 | ---- | C] () -- C:\WINDOWS\onlineeye.INI
[2008/05/24 16:56:10 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/05/06 20:52:16 | 00,323,584 | ---- | C] () -- C:\WINDOWS\System32\FoxImager.dll
[2008/03/09 19:46:38 | 00,090,112 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt.dll
[2008/02/17 07:51:02 | 00,000,108 | RHS- | C] () -- C:\WINDOWS\neoqaz2.dll
[2008/02/15 13:55:46 | 00,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2007/12/15 07:28:42 | 00,053,760 | ---- | C] () -- C:\Documents and Settings\Keith\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/12/01 09:00:59 | 00,010,752 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/11/25 20:24:57 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2007/11/25 20:21:52 | 00,000,447 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2007/11/25 20:21:52 | 00,000,145 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
[2007/11/25 20:21:52 | 00,000,062 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2007/11/25 20:21:52 | 00,000,052 | ---- | C] () -- C:\WINDOWS\brpp2ka.ini
[2007/11/25 20:21:52 | 00,000,040 | ---- | C] () -- C:\WINDOWS\BRDIAG.INI
[2007/11/25 20:21:52 | 00,000,000 | ---- | C] () -- C:\WINDOWS\opt_5040.ini
[2007/11/25 20:21:52 | 00,000,000 | ---- | C] () -- C:\WINDOWS\BROHL504.INI
[2007/11/25 20:21:52 | 00,000,000 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2007/11/25 20:21:50 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\BROSNMP.DLL
[2007/11/25 20:21:50 | 00,026,624 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC32.DLL
[2007/11/25 20:21:50 | 00,004,608 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC16.DLL
[2007/11/25 20:21:49 | 00,011,604 | ---- | C] () -- C:\WINDOWS\HL-5040.INI
[2007/11/25 19:00:06 | 00,000,280 | ---- | C] () -- C:\WINDOWS\vuepro32.ini
[2006/01/12 17:09:14 | 00,090,112 | ---- | C] () -- C:\WINDOWS\System32\DXFLib.dll
[2006/01/12 17:08:06 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\opcode.dll
[2002/04/11 13:47:52 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\msmscoin.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 199 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D282699C
@Alternate Data Stream - 197 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0AA053B7
@Alternate Data Stream - 188 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4BF2F6B5
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
@Alternate Data Stream - 108 bytes -> C:\WINDOWS:
< End of report >


#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,773 posts
  • Gender:Female
  • Location:At home
  • Local time:01:14 PM

Posted 16 January 2010 - 06:00 PM

Hi,

please run a scan with gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Afterwards I would like you to download and run the latest version of TDSSKiller again:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#11 stedmakr

stedmakr
  • Topic Starter

  • Members
  • 32 posts
  • Local time:07:14 AM

Posted 16 January 2010 - 11:02 PM

Myrti,

The logs for GMER and TDSSKILLER are below.

Keith


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-16 22:39:45
Windows 5.1.2600 Service Pack 3
Running: xd72cscn.exe; Driver: C:\DOCUME~1\Keith\LOCALS~1\Temp\fgdcifow.sys


---- System - GMER 1.0.15 ----

SSDT 8A3A9F88 ZwAlertResumeThread
SSDT 8A705660 ZwAlertThread
SSDT 8A0F9008 ZwAllocateVirtualMemory
SSDT 8A6E4648 ZwAssignProcessToJobObject
SSDT 8A36CAB8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB0D87130]
SSDT 8A2A8F78 ZwCreateMutant
SSDT 8A24B0D8 ZwCreateSymbolicLinkObject
SSDT 8A5BE3D8 ZwCreateThread
SSDT 8A7195B0 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB0D873B0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB0D87910]
SSDT 8A6F9BD0 ZwDuplicateObject
SSDT 8A5D4F30 ZwFreeVirtualMemory
SSDT 8A727150 ZwImpersonateAnonymousToken
SSDT 8A6F5890 ZwImpersonateThread
SSDT 8A396080 ZwLoadDriver
SSDT 8A5EDC50 ZwMapViewOfSection
SSDT 8A6ED200 ZwOpenEvent
SSDT 8A216458 ZwOpenProcess
SSDT 8A6DE0C8 ZwOpenProcessToken
SSDT 8A6EB0D0 ZwOpenSection
SSDT 8A6F04B0 ZwOpenThread
SSDT 8A324098 ZwProtectVirtualMemory
SSDT 8A6E2338 ZwResumeThread
SSDT 8A1D9568 ZwSetContextThread
SSDT 8A21ED30 ZwSetInformationProcess
SSDT 8A6E8220 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB0D87B60]
SSDT 8A713B68 ZwSuspendProcess
SSDT 8A6FA7B8 ZwSuspendThread
SSDT 8A6EFED8 ZwTerminateProcess
SSDT 8A6F8F88 ZwTerminateThread
SSDT 8A6DCF88 ZwUnmapViewOfSection
SSDT 8A5D4FC0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMEFA.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


22:51:55:312 1640 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
22:51:55:312 1640 ================================================================================
22:51:55:312 1640 SystemInfo:

22:51:55:312 1640 OS Version: 5.1.2600 ServicePack: 3.0
22:51:55:312 1640 Product type: Workstation
22:51:55:312 1640 ComputerName: KEITH-8400
22:51:55:312 1640 UserName: Keith
22:51:55:312 1640 Windows directory: C:\WINDOWS
22:51:55:312 1640 Processor architecture: Intel x86
22:51:55:312 1640 Number of processors: 1
22:51:55:312 1640 Page size: 0x1000
22:51:55:312 1640 Boot type: Normal boot
22:51:55:312 1640 ================================================================================
22:51:55:328 1640 UnloadDriverW: NtUnloadDriver error 2
22:51:55:328 1640 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
22:51:55:328 1640 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
22:51:55:421 1640 UtilityInit: KLMD drop and load success
22:51:55:421 1640 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
22:51:55:421 1640 UtilityInit: KLMD open success
22:51:55:421 1640 UtilityInit: Initialize success
22:51:55:421 1640
22:51:55:421 1640 Scanning Services ...
22:51:55:421 1640 CreateRegParser: Registry parser init started
22:51:55:421 1640 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
22:51:55:421 1640 CreateRegParser: DisableWow64Redirection error
22:51:55:421 1640 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
22:51:55:421 1640 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
22:51:55:421 1640 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:51:55:421 1640 wfopen_ex: Trying to KLMD file open
22:51:55:421 1640 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
22:51:55:421 1640 wfopen_ex: File opened ok (Flags 2)
22:51:55:421 1640 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384AD0
22:51:55:421 1640 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
22:51:55:421 1640 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
22:51:55:421 1640 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:51:55:421 1640 wfopen_ex: Trying to KLMD file open
22:51:55:421 1640 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
22:51:55:421 1640 wfopen_ex: File opened ok (Flags 2)
22:51:55:421 1640 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 3849C0
22:51:55:421 1640 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
22:51:55:421 1640 CreateRegParser: EnableWow64Redirection error
22:51:55:421 1640 CreateRegParser: RegParser init completed
22:51:55:812 1640 GetAdvancedServicesInfo: Raw services enum returned 360 services
22:51:55:828 1640 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
22:51:55:828 1640 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
22:51:55:828 1640
22:51:55:828 1640 Scanning Kernel memory ...
22:51:55:828 1640 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
22:51:55:828 1640 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A78B868
22:51:55:828 1640 DetectCureTDL3: KLMD_GetDeviceObjectList returned 8 DevObjects
22:51:55:828 1640
22:51:55:828 1640 DetectCureTDL3: DEVICE_OBJECT: 8591EC68
22:51:55:828 1640 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8591EC68
22:51:55:828 1640 KLMD_ReadMem: Trying to ReadMemory 0x8591EC68[0x38]
22:51:55:828 1640 DetectCureTDL3: DRIVER_OBJECT: 8A78B868
22:51:55:828 1640 KLMD_ReadMem: Trying to ReadMemory 0x8A78B868[0xA8]
22:51:55:828 1640 KLMD_ReadMem: Trying to ReadMemory 0xE1842800[0x18]
22:51:55:828 1640 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
22:51:55:828 1640 DetectCureTDL3: IrpHandler (0) addr: F763DBB0
22:51:55:828 1640 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (2) addr: F763DBB0
22:51:55:828 1640 DetectCureTDL3: IrpHandler (3) addr: F7637D1F
22:51:55:828 1640 DetectCureTDL3: IrpHandler (4) addr: F7637D1F
22:51:55:828 1640 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (9) addr: F76382E2
22:51:55:828 1640 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (14) addr: F76383BB
22:51:55:828 1640 DetectCureTDL3: IrpHandler (15) addr: F763BF28
22:51:55:828 1640 DetectCureTDL3: IrpHandler (16) addr: F76382E2
22:51:55:828 1640 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (22) addr: F7639C82
22:51:55:828 1640 DetectCureTDL3: IrpHandler (23) addr: F763E99E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
22:51:55:828 1640 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
22:51:55:828 1640 TDL3_FileDetect: Processing driver: Disk
22:51:55:828 1640 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
22:51:55:828 1640 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
22:51:55:859 1640 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
22:51:55:859 1640
22:51:55:859 1640 DetectCureTDL3: DEVICE_OBJECT: 843BBAB8
22:51:55:859 1640 KLMD_GetLowerDeviceObject: Trying to get lower device object for 843BBAB8
22:51:55:859 1640 DetectCureTDL3: DEVICE_OBJECT: 843D4E38
22:51:55:859 1640 KLMD_GetLowerDeviceObject: Trying to get lower device object for 843D4E38
22:51:55:859 1640 KLMD_ReadMem: Trying to ReadMemory 0x843D4E38[0x38]
22:51:55:859 1640 DetectCureTDL3: DRIVER_OBJECT: 8A6A9848
22:51:55:859 1640 KLMD_ReadMem: Trying to ReadMemory 0x8A6A9848[0xA8]
22:51:55:859 1640 KLMD_ReadMem: Trying to ReadMemory 0xE10BDC58[0x1E]
22:51:55:859 1640 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
22:51:55:859 1640 DetectCureTDL3: IrpHandler (0) addr: F77BC218
22:51:55:859 1640 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (2) addr: F77BC218
22:51:55:859 1640 DetectCureTDL3: IrpHandler (3) addr: F77BC23C
22:51:55:859 1640 DetectCureTDL3: IrpHandler (4) addr: F77BC23C
22:51:55:859 1640 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (14) addr: F77BC180
22:51:55:859 1640 DetectCureTDL3: IrpHandler (15) addr: F77B79E6
22:51:55:859 1640 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (22) addr: F77BB5F0
22:51:55:859 1640 DetectCureTDL3: IrpHandler (23) addr: F77B9A6E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
22:51:55:859 1640 KLMD_ReadMem: Trying to ReadMemory 0xF77B8F26[0x400]
22:51:55:859 1640 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
22:51:55:859 1640 TDL3_FileDetect: Processing driver: USBSTOR
22:51:55:859 1640 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:51:55:859 1640 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:51:55:859 1640 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
22:51:55:859 1640
22:51:55:859 1640 DetectCureTDL3: DEVICE_OBJECT: 8A798C68
22:51:55:859 1640 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A798C68
22:51:55:859 1640 KLMD_ReadMem: Trying to ReadMemory 0x8A798C68[0x38]
22:51:55:859 1640 DetectCureTDL3: DRIVER_OBJECT: 8A78B868
22:51:55:859 1640 KLMD_ReadMem: Trying to ReadMemory 0x8A78B868[0xA8]
22:51:55:859 1640 KLMD_ReadMem: Trying to ReadMemory 0xE1842800[0x18]
22:51:55:859 1640 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
22:51:55:859 1640 DetectCureTDL3: IrpHandler (0) addr: F763DBB0
22:51:55:859 1640 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (2) addr: F763DBB0
22:51:55:859 1640 DetectCureTDL3: IrpHandler (3) addr: F7637D1F
22:51:55:859 1640 DetectCureTDL3: IrpHandler (4) addr: F7637D1F
22:51:55:859 1640 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (9) addr: F76382E2
22:51:55:859 1640 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (14) addr: F76383BB
22:51:55:859 1640 DetectCureTDL3: IrpHandler (15) addr: F763BF28
22:51:55:859 1640 DetectCureTDL3: IrpHandler (16) addr: F76382E2
22:51:55:859 1640 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (22) addr: F7639C82
22:51:55:859 1640 DetectCureTDL3: IrpHandler (23) addr: F763E99E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
22:51:55:859 1640 TDL3_FileDetect: Processing driver: Disk
22:51:55:859 1640 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
22:51:55:859 1640 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
22:51:55:859 1640 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
22:51:55:859 1640
22:51:55:859 1640 DetectCureTDL3: DEVICE_OBJECT: 8A7B9C68
22:51:55:859 1640 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A7B9C68
22:51:55:859 1640 KLMD_ReadMem: Trying to ReadMemory 0x8A7B9C68[0x38]
22:51:55:859 1640 DetectCureTDL3: DRIVER_OBJECT: 8A78B868
22:51:55:859 1640 KLMD_ReadMem: Trying to ReadMemory 0x8A78B868[0xA8]
22:51:55:859 1640 KLMD_ReadMem: Trying to ReadMemory 0xE1842800[0x18]
22:51:55:859 1640 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
22:51:55:859 1640 DetectCureTDL3: IrpHandler (0) addr: F763DBB0
22:51:55:859 1640 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (2) addr: F763DBB0
22:51:55:859 1640 DetectCureTDL3: IrpHandler (3) addr: F7637D1F
22:51:55:859 1640 DetectCureTDL3: IrpHandler (4) addr: F7637D1F
22:51:55:859 1640 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (9) addr: F76382E2
22:51:55:859 1640 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (14) addr: F76383BB
22:51:55:859 1640 DetectCureTDL3: IrpHandler (15) addr: F763BF28
22:51:55:859 1640 DetectCureTDL3: IrpHandler (16) addr: F76382E2
22:51:55:859 1640 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (22) addr: F7639C82
22:51:55:859 1640 DetectCureTDL3: IrpHandler (23) addr: F763E99E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
22:51:55:859 1640 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
22:51:55:859 1640 TDL3_FileDetect: Processing driver: Disk
22:51:55:859 1640 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
22:51:55:859 1640 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
22:51:55:859 1640 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
22:51:55:859 1640
22:51:55:859 1640 DetectCureTDL3: DEVICE_OBJECT: 8A801C68
22:51:55:859 1640 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A801C68
22:51:55:859 1640 KLMD_ReadMem: Trying to ReadMemory 0x8A801C68[0x38]
22:51:55:875 1640 DetectCureTDL3: DRIVER_OBJECT: 8A78B868
22:51:55:875 1640 KLMD_ReadMem: Trying to ReadMemory 0x8A78B868[0xA8]
22:51:55:875 1640 KLMD_ReadMem: Trying to ReadMemory 0xE1842800[0x18]
22:51:55:875 1640 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
22:51:55:875 1640 DetectCureTDL3: IrpHandler (0) addr: F763DBB0
22:51:55:875 1640 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (2) addr: F763DBB0
22:51:55:875 1640 DetectCureTDL3: IrpHandler (3) addr: F7637D1F
22:51:55:875 1640 DetectCureTDL3: IrpHandler (4) addr: F7637D1F
22:51:55:875 1640 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (9) addr: F76382E2
22:51:55:875 1640 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (14) addr: F76383BB
22:51:55:875 1640 DetectCureTDL3: IrpHandler (15) addr: F763BF28
22:51:55:875 1640 DetectCureTDL3: IrpHandler (16) addr: F76382E2
22:51:55:875 1640 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (22) addr: F7639C82
22:51:55:875 1640 DetectCureTDL3: IrpHandler (23) addr: F763E99E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
22:51:55:875 1640 TDL3_FileDetect: Processing driver: Disk
22:51:55:875 1640 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
22:51:55:875 1640 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
22:51:55:875 1640 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
22:51:55:875 1640
22:51:55:875 1640 DetectCureTDL3: DEVICE_OBJECT: 8A78B3F8
22:51:55:875 1640 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A78B3F8
22:51:55:875 1640 KLMD_ReadMem: Trying to ReadMemory 0x8A78B3F8[0x38]
22:51:55:875 1640 DetectCureTDL3: DRIVER_OBJECT: 8A78B868
22:51:55:875 1640 KLMD_ReadMem: Trying to ReadMemory 0x8A78B868[0xA8]
22:51:55:875 1640 KLMD_ReadMem: Trying to ReadMemory 0xE1842800[0x18]
22:51:55:875 1640 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
22:51:55:875 1640 DetectCureTDL3: IrpHandler (0) addr: F763DBB0
22:51:55:875 1640 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (2) addr: F763DBB0
22:51:55:875 1640 DetectCureTDL3: IrpHandler (3) addr: F7637D1F
22:51:55:875 1640 DetectCureTDL3: IrpHandler (4) addr: F7637D1F
22:51:55:875 1640 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (9) addr: F76382E2
22:51:55:875 1640 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (14) addr: F76383BB
22:51:55:875 1640 DetectCureTDL3: IrpHandler (15) addr: F763BF28
22:51:55:875 1640 DetectCureTDL3: IrpHandler (16) addr: F76382E2
22:51:55:875 1640 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (22) addr: F7639C82
22:51:55:875 1640 DetectCureTDL3: IrpHandler (23) addr: F763E99E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
22:51:55:875 1640 TDL3_FileDetect: Processing driver: Disk
22:51:55:875 1640 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
22:51:55:875 1640 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
22:51:55:875 1640 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
22:51:55:875 1640
22:51:55:875 1640 DetectCureTDL3: DEVICE_OBJECT: 8A7E2AB8
22:51:55:875 1640 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A7E2AB8
22:51:55:875 1640 DetectCureTDL3: DEVICE_OBJECT: 8A7C6B00
22:51:55:875 1640 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A7C6B00
22:51:55:875 1640 KLMD_ReadMem: Trying to ReadMemory 0x8A7C6B00[0x38]
22:51:55:875 1640 DetectCureTDL3: DRIVER_OBJECT: 8A7BA428
22:51:55:875 1640 KLMD_ReadMem: Trying to ReadMemory 0x8A7BA428[0xA8]
22:51:55:875 1640 KLMD_ReadMem: Trying to ReadMemory 0xE101D8B8[0x1A]
22:51:55:875 1640 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
22:51:55:875 1640 DetectCureTDL3: IrpHandler (0) addr: F74A46F2
22:51:55:875 1640 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (2) addr: F74A46F2
22:51:55:875 1640 DetectCureTDL3: IrpHandler (3) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (4) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (14) addr: F74A4712
22:51:55:875 1640 DetectCureTDL3: IrpHandler (15) addr: F74A0852
22:51:55:875 1640 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (22) addr: F74A473C
22:51:55:875 1640 DetectCureTDL3: IrpHandler (23) addr: F74AB336
22:51:55:875 1640 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
22:51:55:875 1640 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
22:51:55:875 1640 KLMD_ReadMem: Trying to ReadMemory 0xF74A1864[0x400]
22:51:55:875 1640 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
22:51:55:875 1640 TDL3_FileDetect: Processing driver: atapi
22:51:55:875 1640 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
22:51:55:875 1640 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
22:51:55:937 1640 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
22:51:55:937 1640
22:51:55:937 1640 DetectCureTDL3: DEVICE_OBJECT: 8A81B360
22:51:55:937 1640 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A81B360
22:51:55:937 1640 DetectCureTDL3: DEVICE_OBJECT: 8A7BDB00
22:51:55:937 1640 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A7BDB00
22:51:55:937 1640 KLMD_ReadMem: Trying to ReadMemory 0x8A7BDB00[0x38]
22:51:55:937 1640 DetectCureTDL3: DRIVER_OBJECT: 8A7BA428
22:51:55:937 1640 KLMD_ReadMem: Trying to ReadMemory 0x8A7BA428[0xA8]
22:51:55:937 1640 KLMD_ReadMem: Trying to ReadMemory 0xE101D8B8[0x1A]
22:51:55:937 1640 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
22:51:55:937 1640 DetectCureTDL3: IrpHandler (0) addr: F74A46F2
22:51:55:937 1640 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (2) addr: F74A46F2
22:51:55:937 1640 DetectCureTDL3: IrpHandler (3) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (4) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (14) addr: F74A4712
22:51:55:937 1640 DetectCureTDL3: IrpHandler (15) addr: F74A0852
22:51:55:937 1640 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (22) addr: F74A473C
22:51:55:937 1640 DetectCureTDL3: IrpHandler (23) addr: F74AB336
22:51:55:937 1640 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
22:51:55:937 1640 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
22:51:55:937 1640 KLMD_ReadMem: Trying to ReadMemory 0xF74A1864[0x400]
22:51:55:937 1640 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
22:51:55:937 1640 TDL3_FileDetect: Processing driver: atapi
22:51:55:937 1640 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
22:51:55:937 1640 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
22:51:55:937 1640 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
22:51:55:937 1640
22:51:55:937 1640 Completed
22:51:55:937 1640
22:51:55:937 1640 Results:
22:51:55:937 1640 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
22:51:55:937 1640 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
22:51:55:937 1640 File objects infected / cured / cured on reboot: 0 / 0 / 0
22:51:55:937 1640
22:51:55:937 1640 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
22:51:55:937 1640 UtilityDeinit: KLMD(ARK) unloaded successfully



#12 myrti

Malware Study Hall Admin

Posted 16 January 2010 - 11:11 PM

Hi,

please run ComboFix next:
Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon; check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#13 stedmakr

Topic Starter

Posted 17 January 2010 - 12:06 AM

Myrti,

The combofix log follows.

Keith

ComboFix 10-01-16.02 - Keith 01/16/2010 23:56:23.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1507 [GMT -5:00]
Running from: c:\documents and settings\Keith\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: ThreatFire *On-access scanning disabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://updates.swarmcast.net
.
((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.

2010-01-17 04:46 . 2009-08-22 07:21 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-01-17 00:49 . 2009-12-09 09:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100116.021\CCERASER.DLL
2010-01-17 00:49 . 2009-09-22 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100116.021\ECMSVR32.DLL
2010-01-17 00:49 . 2009-08-26 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100116.021\EECTRL.SYS
2010-01-17 00:49 . 2009-08-26 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100116.021\ERASER.SYS
2010-01-17 00:49 . 2009-08-25 08:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100116.021\NAVENG.SYS
2010-01-17 00:49 . 2009-08-25 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100116.021\NAVENG32.DLL
2010-01-17 00:49 . 2009-08-25 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100116.021\NAVEX32A.DLL
2010-01-17 00:49 . 2009-08-25 08:00 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100116.021\NAVEX15.SYS
2010-01-16 22:28 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100116.002\Scxpx86.dll
2010-01-16 22:28 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100116.002\IDSXpx86.sys
2010-01-16 22:28 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100116.002\IDSxpx86.dll
2010-01-16 22:28 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100116.002\IDSvix86.sys
2010-01-16 22:28 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100116.002\IDSviA64.sys
2010-01-16 17:47 . 2010-01-16 17:47 -------- d-----w- c:\documents and settings\Keith\.autobahn
2010-01-16 15:16 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100112.001\IDSXpx86.sys
2010-01-16 15:16 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100112.001\Scxpx86.dll
2010-01-16 15:16 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100112.001\IDSxpx86.dll
2010-01-16 15:16 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100112.001\IDSvix86.sys
2010-01-16 15:16 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100112.001\IDSviA64.sys
2010-01-16 15:09 . 2010-01-16 15:09 -------- d-----w- c:\documents and settings\Peggy\Application Data\Leadertech
2010-01-16 15:09 . 2010-01-16 15:09 -------- d-----w- c:\documents and settings\Peggy\Application Data\Malwarebytes
2010-01-02 15:31 . 2010-01-16 14:38 -------- d-----w- c:\documents and settings\Peggy\Application Data\SUPERAntiSpyware.com
2010-01-02 12:43 . 2010-01-02 12:43 52224 ----a-w- c:\documents and settings\Keith\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-02 12:43 . 2010-01-02 12:43 117760 ----a-w- c:\documents and settings\Keith\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-02 12:42 . 2010-01-02 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-02 12:42 . 2010-01-02 12:42 -------- d-----w- c:\documents and settings\Keith\Application Data\SUPERAntiSpyware.com
2009-12-28 15:07 . 2009-12-28 15:07 -------- d-----w- c:\documents and settings\Keith\Application Data\Malwarebytes
2009-12-28 15:07 . 2009-12-28 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-28 05:22 . 2009-12-28 05:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avanquest
2009-12-28 05:16 . 2009-12-28 05:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-12-27 13:15 . 2009-12-27 13:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-24 14:23 . 2009-12-24 15:16 -------- d-----w- c:\documents and settings\Peggy\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 04:46 . 2009-11-09 18:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-16 21:48 . 2007-11-25 18:06 75184 ----a-w- c:\documents and settings\Keith\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-16 15:16 . 2007-11-26 01:29 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-16 15:09 . 2008-05-24 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2010-01-16 15:05 . 2008-03-22 14:05 -------- d-----w- c:\documents and settings\Peggy\Application Data\uTorrent
2010-01-16 15:05 . 2007-11-25 18:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-16 15:04 . 2008-06-22 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\DietPower4.4
2010-01-16 14:50 . 2007-12-04 03:11 -------- d-----w- c:\documents and settings\Peggy\Application Data\Newsbin
2010-01-16 14:49 . 2008-05-03 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-16 14:38 . 2007-12-05 00:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-16 14:33 . 2008-05-27 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-16 14:29 . 2007-11-27 22:33 -------- d-----w- c:\documents and settings\Peggy\Application Data\ScanSoft
2010-01-16 14:29 . 2007-11-27 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-01-16 14:25 . 2007-11-25 18:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-16 14:21 . 2007-11-25 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-16 14:20 . 2007-11-25 21:27 -------- d-----w- c:\program files\MSBuild
2010-01-11 02:37 . 2008-05-27 23:22 -------- d-----w- c:\documents and settings\Keith\Application Data\Skype
2010-01-11 01:37 . 2008-05-27 23:23 -------- d-----w- c:\documents and settings\Keith\Application Data\skypePM
2010-01-03 13:13 . 2007-11-26 00:28 -------- d-----w- c:\documents and settings\Keith\Application Data\NewsBin
2010-01-01 21:35 . 2009-11-28 22:57 -------- d-----w- c:\documents and settings\Keith\Application Data\Move Networks
2010-01-01 21:33 . 2009-05-20 02:31 -------- d-----w- c:\program files\ABC Amber LIT Converter
2009-12-29 13:49 . 2008-05-24 00:11 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-12-29 13:49 . 2008-05-24 00:11 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-12-21 16:01 . 2009-06-17 21:45 -------- d-----w- c:\program files\Google
2009-12-20 14:41 . 2007-12-19 01:06 -------- d-----w- c:\documents and settings\Keith\Application Data\ZoomBrowser EX
2009-12-20 13:08 . 2009-10-25 13:56 -------- d-----w- c:\documents and settings\Keith\Application Data\PCF-VLC
2009-12-20 13:08 . 2008-03-09 13:35 -------- d-----w- c:\documents and settings\Keith\Application Data\gtk-2.0
2009-12-19 04:55 . 2009-10-25 22:54 -------- d-----w- c:\documents and settings\Keith\Application Data\vlc
2009-12-13 12:41 . 2007-11-26 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-21 15:51 . 2006-02-28 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-21 13:31 . 2009-10-25 19:46 -------- d-----w- c:\program files\PS3 Media Server
2009-11-20 05:32 . 2009-11-20 05:32 -------- d-----w- c:\documents and settings\Keith\Application Data\dvdcss
2009-11-12 21:01 . 2009-11-12 21:01 726008 ----a-w- c:\documents and settings\Peggy\gotomypc_438.exe
2009-11-05 23:16 . 2009-11-05 23:16 593920 ----a-w- c:\documents and settings\Keith\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv305hw-0910190-0-main.dll
2009-11-03 22:53 . 2009-11-03 22:53 152576 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-30 14:02 . 2009-10-30 14:02 78216 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:45 . 2006-02-28 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-10-26 22:42 . 2009-10-26 22:41 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
2009-10-21 05:38 . 2006-02-28 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-02-28 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2006-02-28 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2008-02-15 18:55 . 2008-02-15 18:55 44360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-02-15 18:55 . 2008-02-15 18:55 107936 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-02-17 12:51 . 2008-02-17 12:51 108 --sha-r- c:\windows\neoqaz2.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2009-11-02 856280]
"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2009-11-02 604888]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-11-02 2195160]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-11-02 430808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\Keith\Start Menu\Programs\Startup\
autobahn.lnk - c:\documents and settings\Keith\Local Settings\Application Data\Autobahn\autobahn.exe [2009-8-31 711384]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Conversion to PDF with ScanSnap Organizer.lnk]
backup=c:\windows\pss\Conversion to PDF with ScanSnap Organizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote.lnk]
backup=c:\windows\pss\Logitech Harmony Remote.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Keith\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1007020.00B\SymEFA.sys [9/8/2009 7:55 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1007020.00B\BHDrvx86.sys [9/8/2009 7:55 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1007020.00B\cchpx86.sys [9/8/2009 6:52 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100116.002\IDSXpx86.sys [1/16/2010 5:28 PM 329592]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe [9/8/2009 7:55 PM 117640]
R2 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [2/7/2009 1:05 PM 217088]
R2 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [11/2/2009 1:17 PM 1098968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 7:36 AM 102448]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [3/19/2008 8:45 PM 2688]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
S4 gmxfwsvc;Onlineeye Firewall Service;"c:\program files\Onlineeye\gmxffcsrv.exe" -service --> c:\program files\Onlineeye\gmxffcsrv.exe [?]
S4 gupdate1c9ef965109422a;Google Update Service (gupdate1c9ef965109422a);c:\program files\Google\Update\GoogleUpdate.exe [6/17/2009 4:46 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 21:45]

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 21:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: intuit.com
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Keith\Application Data\Mozilla\Firefox\Profiles\579w1nny.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 00:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
Completion time: 2010-01-17 00:02:17
ComboFix-quarantined-files.txt 2010-01-17 05:02
ComboFix2.txt 2010-01-17 04:52
ComboFix3.txt 2010-01-16 21:40

Pre-Run: 115,646,500,864 bytes free
Post-Run: 115,630,727,168 bytes free

- - End Of File - - F53D02B03E16F20A8B78FFD4FF2FA601


#14 myrti

Malware Study Hall Admin

Posted 17 January 2010 - 07:36 AM

Hi,

things are looking good. How is your PC doing?

Please run a scan with Eset to check for remaining malware:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti



#15 stedmakr

Topic Starter

Posted 17 January 2010 - 08:45 AM

Myrti,

We were doing so well. ESET found a virus. The log follows. I deleted the virus.

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.SJ virus deleted - quarantined

Keith




