Malware Defense Virus caused probable Rootkit


30 replies to this topic

#1 terry6

terry6

  • Members
  • 19 posts
  • OFFLINE
  • Local time:06:01 AM

Posted 14 January 2010 - 09:22 PM

Referred from here: http://www.bleepingcomputer.com/forums/t/286144/continuing-problems-after-malware-defense-attack/ ~ OB

Hello,

I have used the Malwarebytes s/w to clean off the Malware Defense virus and have removed many trojans, malware, adware, etc. I posted my Malwarebytes scan to the Malware Removal thread and was redirected to you all with a suspected Rootkit remaining on my computer. I have followed the Preparation Guide to posting a HijackThis log and have been successful with all steps but RootRepeal, which would not run and only produced the prompt of "Initializing....". I am providing the DDS logs below.

Thanks for your help!!!
Terry


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 20:09:01.62 on Thu 01/14/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.252 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
C:\WINNT\system32\svchost -k rpcss
C:\WINNT\System32\svchost.exe -k netsvcs
C:\WINNT\System32\svchost.exe -k NetworkService
C:\WINNT\System32\svchost.exe -k LocalService
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe -k LocalService
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINNT\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\system32\svchost.exe -k netsvcs
C:\WINNT\System32\alg.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\WINNT\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINNT\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://comcast.net//
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
TB: {51D81DD5-55B7-497F-95DB-D356429BB54E} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\winnt\system32\Shdocvw.dll
EB: {2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Start WingMan Profiler]
uRun: [Aim6]
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Gateway Ink Monitor] "c:\program files\gateway\gateway ink monitor\GWInkMonitor.exe"
mRun: [Gateway Extended Warranty] "c:\program files\gateway\gwcares\GWCares.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: []
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\winnt\system32\Shdocvw.dll
Trusted Zone: adobe.com\www
Trusted Zone: comcast.net\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\www.update
Trusted Zone: turbotax.com
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/OneClickFix/tgctlsr.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191693192296
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\zmksupco.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://comcast.net
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUfox000&fl=0&ptb=5CNRrS1CaupJsbK1LwWy.g&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\zmksupco.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [2010-1-3 207792]
R1 mfehidk;McAfee Inc. mfehidk;c:\winnt\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-1-3 112592]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-1-3 359624]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-1-3 1141712]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
S0 bqdbng;bqdbng;c:\winnt\system32\drivers\ttsueo.sys --> c:\winnt\system32\drivers\ttsueo.sys [?]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S2 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\4.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\4.bin\mwssvc.exe [?]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\winnt\system32\drivers\mfeavfk.sys [2007-10-1 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\winnt\system32\drivers\mfebopk.sys [2007-10-1 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\winnt\system32\drivers\mferkdk.sys [2007-10-1 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\winnt\system32\drivers\mfesmfk.sys [2007-10-1 40552]
S3 rootrepeal;rootrepeal;\??\c:\winnt\system32\drivers\rootrepeal.sys --> c:\winnt\system32\drivers\rootrepeal.sys [?]
S4 navapsvc;Norton AntiVirus Auto Protect Service;"c:\program files\norton antivirus\navapsvc.exe" --> c:\program files\norton antivirus\navapsvc.exe [?]

=============== Created Last 30 ================

2010-01-14 03:00:10 0 d-----w- c:\program files\Runtime Software
2010-01-14 00:05:18 0 d-----w- c:\docume~1\owner\applic~1\AVG8
2010-01-13 07:43:27 471552 ------w- c:\winnt\system32\dllcache\aclayers.dll
2010-01-11 14:20:41 1048 ----a-w- c:\winnt\system32\h8srtshsyst.dll
2010-01-10 03:59:59 928 ----a-w- c:\winnt\system32\h8srtkrl32mainweq.dll
2010-01-10 03:58:41 36864 ----a-w- c:\winnt\system32\H8SRTmlhboapjrh.dll
2010-01-09 20:47:13 241 ----a-w- c:\winnt\system32\H8SRTitqsnswutf.dat
2010-01-06 03:22:12 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-01-06 03:15:20 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-01-06 03:15:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-06 03:15:15 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-01-06 03:15:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-04 05:10:02 1409 ----a-w- c:\winnt\QTFont.for
2010-01-04 05:10:01 54156 ---ha-w- c:\winnt\QTFont.qfn
2010-01-04 01:52:26 883 ----a-w- c:\winnt\RegSDImport.xml
2010-01-04 01:52:26 880 ----a-w- c:\winnt\RegISSImport.xml
2010-01-04 01:52:26 767952 ----a-w- c:\winnt\BDTSupport.dll
2010-01-04 01:52:26 149456 ----a-w- c:\winnt\SGDetectionTool.dll
2010-01-04 01:52:26 131 ----a-w- c:\winnt\IDB.zip
2010-01-04 01:52:25 165840 ----a-w- c:\winnt\PCTBDRes.dll
2010-01-04 01:52:25 1640400 ----a-w- c:\winnt\PCTBDCore.dll
2010-01-04 01:52:25 1152444 ----a-w- c:\winnt\UDB.zip
2010-01-04 01:50:57 7387 ----a-w- c:\winnt\system32\drivers\pctgntdi.cat
2010-01-04 01:50:57 233136 ----a-w- c:\winnt\system32\drivers\pctgntdi.sys
2010-01-04 01:50:42 87784 ----a-w- c:\winnt\system32\drivers\PCTAppEvent.sys
2010-01-04 01:50:42 7412 ----a-w- c:\winnt\system32\drivers\PCTAppEvent.cat
2010-01-04 01:50:42 7383 ----a-w- c:\winnt\system32\drivers\pctcore.cat
2010-01-04 01:50:42 207792 ----a-w- c:\winnt\system32\drivers\PCTCore.sys
2010-01-04 01:50:18 7383 ----a-w- c:\winnt\system32\drivers\pctplsg.cat
2010-01-04 01:50:18 70408 ----a-w- c:\winnt\system32\drivers\pctplsg.sys
2010-01-04 01:50:07 0 d-----w- c:\program files\Spyware Doctor
2010-01-04 01:50:07 0 d-----w- c:\program files\common files\PC Tools
2010-01-04 01:50:07 0 d-----w- c:\docume~1\owner\applic~1\PC Tools
2010-01-04 01:50:07 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-01-03 21:33:59 40960 ----a-w- c:\winnt\system32\H8SRThhasjvvmnk.dll
2010-01-03 21:33:55 202 ----a-w- c:\winnt\system32\srcr.dat
2010-01-03 21:33:52 23040 ----a-w- c:\winnt\system32\H8SRTkrjkdulqhb.dll
2010-01-03 21:33:51 40448 ----a-w- c:\winnt\system32\drivers\H8SRTqxyirtqppl.sys

==================== Find3M ====================

2009-10-28 14:36:11 70656 ----a-w- c:\winnt\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\winnt\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ----a-w- c:\winnt\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ----a-w- c:\winnt\system32\dllcache\ieakui.dll
2009-10-21 05:38:36 75776 ----a-w- c:\winnt\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\winnt\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\winnt\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\winnt\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\winnt\system32\dllcache\http.sys
2008-09-12 21:00:18 32768 --sha-w- c:\winnt\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 20:10:49.06 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 4/16/2004 9:49:30 PM
System Uptime: 1/14/2010 5:25:36 PM (3 hours ago)

Motherboard: Intel Corporation | | D865GLC
Processor: Intel® Pentium® 4 CPU 2.80GHz | J2E1 | 2793/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 114 GiB total, 54.67 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 466 GiB total, 399.106 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1561: 9/27/2009 12:43:52 PM - System Checkpoint
RP1562: 9/28/2009 1:32:58 PM - System Checkpoint
RP1563: 9/29/2009 7:45:27 PM - System Checkpoint
RP1564: 10/1/2009 8:24:14 PM - System Checkpoint
RP1565: 10/2/2009 8:27:03 AM - Installed Compatibility Pack for the 2007 Office system
RP1566: 10/5/2009 10:22:55 AM - System Checkpoint
RP1567: 10/7/2009 6:20:46 PM - System Checkpoint
RP1568: 10/9/2009 3:59:24 PM - System Checkpoint
RP1569: 10/10/2009 4:14:41 PM - System Checkpoint
RP1570: 10/12/2009 7:18:43 AM - System Checkpoint
RP1571: 10/12/2009 11:00:30 PM - Software Distribution Service 3.0
RP1572: 10/14/2009 10:38:45 PM - System Checkpoint
RP1573: 10/16/2009 11:17:11 AM - System Checkpoint
RP1574: 10/17/2009 1:05:22 PM - System Checkpoint
RP1575: 10/18/2009 1:18:25 PM - System Checkpoint
RP1576: 10/18/2009 2:40:10 PM - Software Distribution Service 3.0
RP1577: 10/19/2009 5:17:41 PM - System Checkpoint
RP1578: 10/20/2009 9:40:28 PM - System Checkpoint
RP1579: 10/23/2009 9:43:17 AM - System Checkpoint
RP1580: 10/24/2009 2:35:08 PM - System Checkpoint
RP1581: 10/25/2009 3:03:47 PM - System Checkpoint
RP1582: 10/26/2009 4:41:45 PM - System Checkpoint
RP1583: 10/27/2009 9:50:58 PM - System Checkpoint
RP1584: 10/30/2009 1:11:47 PM - System Checkpoint
RP1585: 10/31/2009 7:00:12 PM - System Checkpoint
RP1586: 11/2/2009 8:03:22 PM - System Checkpoint
RP1587: 11/4/2009 8:09:34 PM - Software Distribution Service 3.0
RP1588: 11/6/2009 7:42:33 PM - System Checkpoint
RP1589: 11/8/2009 3:02:03 PM - System Checkpoint
RP1590: 11/10/2009 9:44:41 PM - System Checkpoint
RP1591: 11/10/2009 10:54:54 PM - Software Distribution Service 3.0
RP1592: 11/12/2009 10:07:49 PM - System Checkpoint
RP1593: 11/14/2009 11:40:11 AM - System Checkpoint
RP1594: 11/15/2009 5:53:46 PM - System Checkpoint
RP1595: 11/19/2009 9:30:54 PM - System Checkpoint
RP1596: 11/21/2009 12:18:00 PM - System Checkpoint
RP1597: 11/22/2009 6:33:03 PM - System Checkpoint
RP1598: 11/23/2009 9:53:44 PM - System Checkpoint
RP1599: 11/24/2009 11:38:47 PM - Software Distribution Service 3.0
RP1600: 11/26/2009 12:46:14 PM - System Checkpoint
RP1601: 11/27/2009 1:43:01 PM - System Checkpoint
RP1602: 11/28/2009 6:16:58 PM - System Checkpoint
RP1603: 11/29/2009 7:10:30 PM - System Checkpoint
RP1604: 12/1/2009 5:19:08 PM - System Checkpoint
RP1605: 12/2/2009 5:56:24 PM - System Checkpoint
RP1606: 12/3/2009 8:20:47 PM - System Checkpoint
RP1607: 12/4/2009 10:06:41 PM - System Checkpoint
RP1608: 12/6/2009 2:49:09 PM - System Checkpoint
RP1609: 12/7/2009 4:18:14 PM - System Checkpoint
RP1610: 12/8/2009 6:54:36 PM - System Checkpoint
RP1611: 12/8/2009 10:06:59 PM - Software Distribution Service 3.0
RP1612: 12/11/2009 7:10:35 AM - System Checkpoint
RP1613: 12/12/2009 10:48:56 AM - System Checkpoint
RP1614: 12/13/2009 2:34:22 PM - System Checkpoint
RP1615: 12/15/2009 7:41:51 PM - System Checkpoint
RP1616: 12/16/2009 8:58:55 PM - System Checkpoint
RP1617: 12/17/2009 10:24:27 PM - System Checkpoint
RP1618: 12/19/2009 11:25:14 AM - System Checkpoint
RP1619: 12/20/2009 12:58:12 AM - Software Distribution Service 3.0
RP1620: 12/21/2009 11:26:54 AM - System Checkpoint
RP1621: 12/22/2009 8:25:48 PM - System Checkpoint
RP1622: 12/23/2009 10:51:58 PM - System Checkpoint
RP1623: 12/24/2009 11:41:49 PM - System Checkpoint
RP1624: 1/2/2010 9:17:34 PM - System Checkpoint
RP1625: 1/13/2010 6:21:22 AM - System Checkpoint

==== Installed Programs ======================



23_24_2500Tour
2400
2400_2500Help
2400_2500trb
4x4 Evo2
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Media Player
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Ahead Nero BurnRights
AIM 6
AiO_Scan
AIOMinimal
AiOSoftware
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
AOL Explorer
AOL Instant Messenger
AOL Toolbar 2.0
Apple Mobile Device Support
Apple Software Update
Blackhawk Striker from Gateway (remove only)
Blasterball 2 from Gateway (remove only)
Bounce Symphony from Gateway (remove only)
Browser Defender 2.0.6.11
City Racer
Comcast Toolbar
Compatibility Pack for the 2007 Office system
Copy
Creative Driver
CreativeProjects
Critical Update for Windows Media Player 11 (KB959772)
Director
Dirt Track Racing 2
DivX Web Player
DocProc
DoMore
Drive Manager
DriveImage XML (Private Edition)
DVD
EAX Unified
EAX4 Unified Redist
Electronic Arts Game Updater
Excavation from Gateway (remove only)
Fax
Gateway Ink Monitor
Google Earth
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Grand Prix 3
GWCares
Higher Score on the New SAT 1.0
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Photo & Imaging 3.1
HP PSC & OfficeJet 3.0
HP Update
hpmdtab
HPSystemDiagnostics
Hutchinson Educational Encyclopedia 2000
InstantShare
Intel® 537EP Data Fax Modem
Intel® PRO Network Adapters and Drivers
iPod for Windows 2005-09-23
ItsDeductible Express
iTunes
Jasc Animation Shop 3
Java™ 6 Update 13
Java™ 6 Update 3
Java™ 6 Update 7
Kaplan Essential Review - Writing and Vocabulary
Malwarebytes' Anti-Malware
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft Picture It! Photo Premium 9
Microsoft RalliSport Challenge
Microsoft Silverlight
Microsoft Streets and Trips 2004
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.8)
MSN Messenger 5.0
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
NASCAR Heat
NASCAR Thunder TM 2004
Need For Speed - Porsche Unleashed
Need For Speed Hot Pursuit 2
Office 2003 Setup Files
Offroad Redneck Racing
Orbital from Gateway (remove only)
Otto from Gateway (remove only)
Overball from Gateway (remove only)
overland
PC-Doctor for Windows
PhotoGallery
PhotoShow Print & Share
PhotoSuite 4 (Remove Only)
Polar Bowler from Gateway (remove only)
PrintScreen
QFolder
Quicken 2004
QuickProjects
QuickTime
Race Driver
Race Driver 2
Readme
RealPlayer
Roxio Burn Engine
Saturday Night Speedway
Scan
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Shockwave
Sierra Utilities
SIM Edit Tool
SkinsHP1
SkinsHP2
Slyder from Gateway (remove only)
SPEEDBUSTERS
Spyware Doctor 7.0
Street Racing Syndicate ™
Test Drive
Total Immersion Racing
TrayApp
Turbo GT
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wmdiper
TurboTax 2008 wrapper
TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Uninstall Startup Inspector
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
V-Rally2 Expert Edition
Viper Racing
WeatherBug
WebFldrs XP
WebReg
WexTech AnswerWorks
WildTangent GameChannel (remove only)
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Service Pack 3
WingMan Software
World of Outlaws Sprint Cars

==== Event Viewer Messages From Past Week ========

1/9/2010 9:44:10 PM, error: System Error [1003] - Error code 100000d1, parameter1 f4fd2198, parameter2 00000002, parameter3 00000000, parameter4 f4fc9e22.
1/9/2010 4:04:00 PM, error: DCOM [10001] - Unable to start a DCOM Server: {6A972E27-93E2-4F98-8367-4101B2073814} as /. The error: "%2" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe -Embedding
1/13/2010 6:02:53 AM, error: PlugPlayManager [11] - The device Root\LEGACY_ONDMD\0000 disappeared from the system without first being prepared for removal.
1/11/2010 10:02:13 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.

==== End Of File ===========================

Edited by Orange Blossom, 14 January 2010 - 10:07 PM.



#2 terry6

terry6
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:06:01 AM

Posted 16 January 2010 - 09:07 AM

Hi there,

I wanted to let you know that I deleted the following file via My Computer, as I felt it was a lingering rootkit -- not sure if it was active or not. The date that it was installed is the date that all my problems began so I believe it was part of the Malware Defense problems. FYI, my computer is behaving fine now, but I am not doing any of my personal business on here still because I am worried something could be lingering in the shadows.

File deleted just now:

2010-01-03 21:33:51 40448 ----a-w- c:\winnt\system32\drivers\H8SRTqxyirtqppl.sys


Thanks,
Terry


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to two weeks, perhaps less, to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 16 January 2010 - 02:31 PM.
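The reasoning in the post above (a driver file with a name that means nothing, no vendor behind it, stamped on the day the trouble started) is the same triage a helper does by eye over a DDS or OTL log. The script below is an added example, not code from this thread or from the DDS/OTL tools: it parses the `PRC`/`MOD`/`SRV`/`DRV` lines OTL prints and the plain file-listing lines DDS prints, then scores each entry against a few heuristics. The sample lines are copied from the logs in this thread; the incident date 2010-01-03 is taken from the post above; the three-day window, the vowel-ratio cutoff and the flag names are the example's own choices.

```python
"""Triage of OTL / DDS log entries (added example, not the thread's or the tools' code).

Heuristics, each a lead for a helper to verify rather than a verdict:
  missing_binary             service/driver still registered, file gone
  no_vendor                  OTL printed an empty () for the company string
  near_incident              file timestamp within N days of the incident date
  driver_outside_drivers_dir a kernel driver whose binary is not under \\drivers\\
  generated_name             long file stem with almost no vowels
"""
import re
from datetime import date, datetime

# OTL entry shape; PRC/MOD lack the [start] block and the trailing -- (service) part:
# DRV - [2009/11/09 11:20:12 | 00,207,792 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\...\PCTCore.sys -- (PCTCore)
OTL_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| [-A-Z]{4} \| [A-Z]\] "
    r"\((?P<company>[^)]*)\) "
    r"(?:\[(?P<start>[^\]]*)\] )?"
    r"-- (?P<path>.+?)"
    r"(?: -- \((?P<svc>[^)]*)\).*)?$"
)
# OTL shape for a registered service whose file is missing:
# SRV - File not found [Auto | Stopped] -- -- (MyWebSearchService)
OTL_MISSING_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<start>[^\]]*)\] -- -- \((?P<svc>[^)]*)\)$"
)
# DDS file-listing shape (no vendor column at all):
# 2010-01-03 21:33:51 40448 ----a-w- c:\winnt\system32\drivers\H8SRTqxyirtqppl.sys
DDS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)

VOWELS = set("aeiouAEIOU")
INCIDENT = date(2010, 1, 3)  # the day the poster says the problems began


def parse_entry(line):
    """Return a dict for a recognised OTL or DDS line, else None."""
    line = line.strip()
    m = OTL_MISSING_RE.match(line)
    if m:
        return {"kind": m["kind"], "ts": None, "company": None, "path": None,
                "svc": m["svc"], "missing": True}
    m = OTL_RE.match(line)
    if m:
        return {"kind": m["kind"], "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "company": m["company"], "path": m["path"], "svc": m["svc"], "missing": False}
    m = DDS_RE.match(line)
    if m:
        return {"kind": "FILE", "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "company": None, "path": m["path"], "svc": None, "missing": False}
    return None


def looks_generated(path):
    """Crude check for a machine-generated file name: 12+ letters, under 20% vowels."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 12:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def flags_for(entry, incident, window_days=3):
    """Heuristic flags for one parsed entry; the incident date anchors the time window."""
    flags = []
    if entry["missing"]:
        flags.append("missing_binary")
        return flags
    if entry["company"] == "":            # OTL prints () when the binary carries no company
        flags.append("no_vendor")
    if entry["ts"] is not None and abs((entry["ts"].date() - incident).days) <= window_days:
        flags.append("near_incident")
    if entry["kind"] == "DRV" and "\\drivers\\" not in entry["path"].lower():
        flags.append("driver_outside_drivers_dir")
    if looks_generated(entry["path"]):
        flags.append("generated_name")
    return flags


def triage(lines, incident, window_days=3):
    """Map each flagged entry (keyed by service name, else path) to its flags."""
    report = {}
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        flags = flags_for(entry, incident, window_days)
        if flags:
            report[entry["svc"] or entry["path"]] = flags
    return report


# Constructed sample: lines copied from the DDS and OTL logs posted in this thread.
SAMPLE_LINES = [
    r"DRV - [2009/11/09 11:20:12 | 00,207,792 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\PCTCore.sys -- (PCTCore)",
    r"DRV - [2007/10/20 05:03:30 | 00,136,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINNT\catchme.exe -- (catchme)",
    r"DRV - [2003/11/13 13:00:46 | 00,366,160 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)",
    r"SRV - File not found [Auto | Stopped] -- -- (MyWebSearchService)",
    r"PRC - [2009/03/09 04:19:17 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe",
    r"2010-01-03 21:33:51 40448 ----a-w- c:\winnt\system32\drivers\H8SRTqxyirtqppl.sys",
]

if __name__ == "__main__":
    for key, flags in triage(SAMPLE_LINES, INCIDENT).items():
        print(f"{key}: {', '.join(flags)}")
```

Run against the sample, the deleted H8SRT driver trips `near_incident` and `generated_name`, the orphaned MyWebSearchService registration trips `missing_binary`, and the `catchme` driver trips `no_vendor` and `driver_outside_drivers_dir` as well. That last hit is the point of the caveat: the heuristics surface entries worth a look, and the helper still has to establish what each one is before anything is removed.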


#3 myrti (Sillyberry)

  • Malware Study Hall Admin
  • 33,784 posts

Posted 20 January 2010 - 04:25 PM
Posted 20 January 2010 - 04:25 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#4 terry6

  • Topic Starter
  • Members
  • 19 posts

Posted 20 January 2010 - 10:15 PM

Hi myrti! Thanks so much for responding to my post. I know you all must be extremely busy and I've been patient, checking everyday to see if it is my turn. So I'm very glad to have your help now.


You'll see in my previous posts that we were infected with the Malware Defense Virus in early January. I used Malwarebytes to clean as much as I could off and have been successful in restoring pretty normal operation to the computer, it's not freezing up anymore or constantly giving us pop-up errors regarding Internet Explorer or View Manager etc.

We are still getting malware, adware and rootkits in our Malwarebytes scans that have us concerned. I am not comfortable doing any personal business or using accounts/passwords on my computer. If you could look over our scans to see if we are still infected with anything that may be hidden in our start-up processes, etc., I would greatly appreciate it.

Terry

Here are the scans you requested:


OTL logfile created on: 1/20/2010 9:41:01 PM - Run 1
OTL by OldTimer - Version 3.1.25.3 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 300.00 Mb Available Physical Memory | 59.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 54.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 114.49 Gb Total Space | 55.52 Gb Free Space | 48.50% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 465.76 Gb Total Space | 398.91 Gb Free Space | 85.65% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: S1100411655
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/20 21:39:52 | 00,546,816 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/11/18 12:47:14 | 01,243,088 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsTray.exe
PRC - [2009/11/10 10:28:08 | 00,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
PRC - [2009/11/06 14:29:22 | 01,141,712 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe
PRC - [2009/10/30 11:18:16 | 00,359,624 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2009/10/28 01:54:16 | 00,634,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/09 04:19:17 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/03/09 04:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/12/08 14:50:04 | 00,054,576 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\hpwuschd2.exe
PRC - [2008/10/10 05:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/04/13 19:12:28 | 00,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2008/01/10 15:27:36 | 00,385,024 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe
PRC - [2007/10/09 16:21:02 | 00,124,280 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
PRC - [2007/07/18 20:57:46 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2005/01/12 13:54:58 | 00,241,664 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
PRC - [2005/01/12 13:54:56 | 00,135,168 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
PRC - [2003/11/17 11:33:00 | 00,077,824 | ---- | M] (NVIDIA Corporation) -- C:\WINNT\system32\nvsvc32.exe
PRC - [2003/11/05 13:23:28 | 00,303,180 | ---- | M] (Gateway) -- C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe


========== Modules (SafeList) ==========

MOD - [2010/01/20 21:39:52 | 00,546,816 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2009/10/30 11:18:16 | 00,147,024 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\PCTGMhk.dll
MOD - [2009/09/09 22:54:58 | 00,155,184 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\smum32.dll
MOD - [2000/06/15 15:32:24 | 00,036,864 | ---- | M] (Tartan Software) -- C:\Program Files\Gateway\Gateway Ink Monitor\inkpeek.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (navapsvc)
SRV - File not found [Auto | Stopped] -- -- (MyWebSearchService)
SRV - File not found [Auto | Stopped] -- -- (MpfService)
SRV - File not found [Auto | Stopped] -- -- (McSysmon)
SRV - File not found [Unknown | Stopped] -- -- (McShield)
SRV - File not found [Auto | Stopped] -- -- (McNASvc)
SRV - File not found [Auto | Stopped] -- -- (mcmscsvc)
SRV - [2009/11/10 10:28:08 | 00,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2009/11/06 14:29:22 | 01,141,712 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/10/30 11:18:16 | 00,359,624 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2009/09/03 10:51:46 | 00,048,368 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/03/26 19:49:39 | 00,183,280 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/03/09 04:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/10/10 05:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/01/15 03:22:44 | 00,504,104 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2007/10/09 16:21:02 | 00,124,280 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe -- (Basics Service)
SRV - [2007/09/06 12:28:18 | 00,110,592 | ---- | M] (Apple, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007/08/09 02:27:52 | 00,073,728 | ---- | M] (HP) [Auto | Stopped] -- C:\WINNT\system32\hpzipm12.exe -- (Pml Driver HPZ12)
SRV - [2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/11/17 11:33:00 | 00,077,824 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINNT\system32\nvsvc32.exe -- (NVSvc)
SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2009/11/09 11:20:12 | 00,207,792 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2009/11/04 16:54:12 | 00,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINNT\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008/04/13 13:56:49 | 00,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2008/04/13 13:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 11:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/20 05:03:30 | 00,136,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINNT\catchme.exe -- (catchme)
DRV - [2006/09/19 15:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2004/10/07 20:16:04 | 00,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINNT\system32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/09/03 12:23:10 | 00,115,680 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\prohlp02.sys -- (prohlp02)
DRV - [2004/09/03 12:19:07 | 00,054,368 | ---- | M] (Protection Technology) [Kernel | System | Running] -- C:\WINNT\System32\drivers\prodrv06.sys -- (prodrv06)
DRV - [2004/07/19 09:49:54 | 00,007,040 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\prosync1.sys -- (prosync1)
DRV - [2003/12/01 10:20:52 | 00,004,832 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\sfhlp01.sys -- (sfhlp01)
DRV - [2003/11/17 11:33:00 | 01,618,939 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/11/13 18:59:18 | 00,645,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2003/11/13 18:58:10 | 00,148,432 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\haP16v2k.sys -- (hap16v2k)
DRV - [2003/11/13 18:57:40 | 00,904,496 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2003/11/13 13:01:52 | 00,145,488 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2003/11/13 13:01:38 | 00,130,288 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2003/11/13 13:01:10 | 00,006,096 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2003/11/13 13:01:02 | 00,178,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2003/11/13 13:00:46 | 00,366,160 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2003/11/12 15:11:54 | 00,333,600 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2003/08/18 22:14:44 | 00,066,992 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINNT\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2003/08/18 22:14:44 | 00,024,698 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINNT\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2003/08/15 19:22:12 | 00,082,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2003/08/11 03:07:38 | 00,051,056 | R--- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2003/08/11 03:07:38 | 00,021,488 | R--- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2003/08/11 03:07:38 | 00,016,496 | R--- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2003/07/16 20:52:40 | 00,050,805 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2003/07/16 20:52:28 | 01,075,685 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2003/07/16 20:51:56 | 00,481,305 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2003/07/16 20:51:28 | 00,031,440 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2003/07/02 20:00:00 | 00,274,816 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINNT\System32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2003/03/31 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2003/03/18 14:00:00 | 00,542,976 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2003/03/04 12:56:26 | 00,145,408 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [2002/06/20 12:45:44 | 00,013,920 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\WmHidLo.sys -- (WmHidLo)
DRV - [2002/06/20 12:45:42 | 00,020,128 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\WmFilter.sys -- (WmFilter)
DRV - [2002/06/20 12:45:40 | 00,010,144 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\WmBEnum.sys -- (WmBEnum)
DRV - [2002/06/20 12:45:36 | 00,005,728 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\WmVirHid.sys -- (WmVirHid)
DRV - [2002/06/20 12:45:34 | 00,039,776 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\WmXlCore.sys -- (WmXlCore)
DRV - [2002/04/01 14:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2001/08/17 14:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINNT\System32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:20:04 | 00,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)
DRV - [2001/08/17 12:56:16 | 00,007,552 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\SONYPVU1.SYS -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net//
IE - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
IE - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\S-1-5-21-4069285105-1660435534-2397799627-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.startup.homepage: "http://comcast.net"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..keyword.URL: "http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUfox000&fl=0&ptb=5CNRrS1CaupJsbK1LwWy.g&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor="


FF - HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/22 19:09:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/19 19:32:12 | 00,000,000 | ---D | M]

[2009/04/17 08:07:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/01/20 19:38:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zmksupco.default\extensions
[2009/05/17 14:58:25 | 00,009,895 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zmksupco.default\searchplugins\mywebsearch.xml
[2008/04/12 18:48:58 | 00,000,273 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zmksupco.default\searchplugins\search.xml
[2010/01/20 19:38:26 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/07/11 23:36:21 | 00,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/09/06 20:54:33 | 00,067,696 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2009/09/06 20:54:33 | 00,054,376 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2009/09/06 20:54:33 | 00,034,952 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\myspell.dll
[2009/09/06 20:54:37 | 00,046,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\spellchk.dll
[2009/09/06 20:54:37 | 00,172,144 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll
[2008/03/24 19:21:00 | 02,889,088 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll

O1 HOSTS File: ([2008/09/16 19:51:36 | 00,000,027 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Comcast Toolbar) - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\Program Files\ComcastToolbar\comcasttoolbar.dll (Comcast Cable Communications. )
O2 - BHO: (AOL Toolbar Launcher) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (Comcast Toolbar) - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\Program Files\ComcastToolbar\comcasttoolbar.dll (Comcast Cable Communications. )
O3 - HKLM\..\Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - No CLSID value found.
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
O3 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\..\Toolbar\WebBrowser: (Comcast Toolbar) - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\Program Files\ComcastToolbar\comcasttoolbar.dll (Comcast Cable Communications. )
O3 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Gateway Extended Warranty] C:\Program Files\Gateway\GWCares\GWCares.exe (BillP Studios)
O4 - HKLM..\Run: [Gateway Ink Monitor] C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe (Gateway)
O4 - HKLM..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\hpwuschd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [ISTray] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\uqDZKwRyr.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINNT\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003..\Run: [Aim6] File not found
O4 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003..\Run: [Start WingMan Profiler] File not found
O4 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\Julie\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\Program Files\AOL\AOL Toolbar 2.0\resources\en-us\local\search.html ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O9 - Extra Button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\..Trusted Domains: adobe.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\..Trusted Domains: comcast.net ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\..Trusted Domains: microsoft.com ([www.update] http in Trusted sites)
O15 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\..Trusted Domains: 25 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} http://www.comcastsupport.com/OneClickFix/tgctlsr.cab (SupportSoft Script Runner Class)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1005.cab (MySpace Uploader Control)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://go.divx.com/plugin/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1191693192296 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/17 13:48:16 | 00,000,040 | ---- | M] () - F:\Autorun.inf -- [ NTFS ]
O33 - MountPoints2\{7873b4ae-469e-11db-8874-0011955854dd}\Shell - "" = AutoRun
O33 - MountPoints2\{7873b4ae-469e-11db-8874-0011955854dd}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7873b4ae-469e-11db-8874-0011955854dd}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/20 21:39:51 | 00,546,816 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/01/13 22:00:10 | 00,000,000 | ---D | C] -- C:\Program Files\Runtime Software
[2010/01/13 19:05:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\AVG8
[2010/01/13 02:43:27 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\aclayers.dll
[2010/01/06 20:39:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/01/06 20:39:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2010/01/05 22:22:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/01/05 22:15:20 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/01/05 22:15:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/05 22:15:15 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2010/01/05 22:15:14 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/03 20:52:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Threat Expert
[2010/01/03 20:52:26 | 00,149,456 | ---- | C] (PC Tools) -- C:\WINNT\SGDetectionTool.dll
[2010/01/03 20:52:25 | 01,640,400 | ---- | C] (Threat Expert Ltd.) -- C:\WINNT\PCTBDCore.dll
[2010/01/03 20:52:25 | 00,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\WINNT\PCTBDRes.dll
[2010/01/03 20:50:57 | 00,233,136 | ---- | C] (PC Tools) -- C:\WINNT\System32\drivers\pctgntdi.sys
[2010/01/03 20:50:42 | 00,207,792 | ---- | C] (PC Tools) -- C:\WINNT\System32\drivers\PCTCore.sys
[2010/01/03 20:50:42 | 00,087,784 | ---- | C] (PC Tools) -- C:\WINNT\System32\drivers\PCTAppEvent.sys
[2010/01/03 20:50:18 | 00,070,408 | ---- | C] (PC Tools) -- C:\WINNT\System32\drivers\pctplsg.sys
[2010/01/03 20:50:07 | 00,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/01/03 20:50:07 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/01/03 20:50:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\PC Tools
[2010/01/03 20:50:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/01/03 20:49:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/09/07 21:19:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2007/11/20 23:55:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/08/18 22:04:26 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2006/01/11 20:31:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2003/10/06 15:32:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2003/10/06 15:17:14 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[6 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[4 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
[4 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
[3 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/20 21:39:52 | 00,546,816 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/01/20 20:56:00 | 00,054,156 | -H-- | M] () -- C:\WINNT\QTFont.qfn
[2010/01/20 19:06:26 | 00,000,384 | ---- | M] () -- C:\WINNT\System32\DVCStateBkp-{00000001-00000000-00000001-00001102-00000004-20041102}.dat
[2010/01/20 19:06:26 | 00,000,384 | ---- | M] () -- C:\WINNT\System32\DVCState-{00000001-00000000-00000001-00001102-00000004-20041102}.dat
[2010/01/20 19:06:25 | 00,031,056 | ---- | M] () -- C:\WINNT\System32\BMXStateBkp-{00000001-00000000-00000001-00001102-00000004-20041102}.rfx
[2010/01/20 19:06:25 | 00,031,056 | ---- | M] () -- C:\WINNT\System32\BMXState-{00000001-00000000-00000001-00001102-00000004-20041102}.rfx
[2010/01/20 19:06:25 | 00,030,528 | ---- | M] () -- C:\WINNT\System32\BMXCtrlState-{00000001-00000000-00000001-00001102-00000004-20041102}.rfx
[2010/01/20 19:06:25 | 00,030,528 | ---- | M] () -- C:\WINNT\System32\BMXBkpCtrlState-{00000001-00000000-00000001-00001102-00000004-20041102}.rfx
[2010/01/20 19:06:25 | 00,001,080 | ---- | M] () -- C:\WINNT\System32\settingsbkup.sfm
[2010/01/20 19:06:25 | 00,001,080 | ---- | M] () -- C:\WINNT\System32\settings.sfm
[2010/01/20 17:58:15 | 00,001,158 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2010/01/20 17:57:11 | 00,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2010/01/20 17:57:09 | 00,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2010/01/20 17:57:08 | 53,561,3440 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/19 22:30:01 | 09,175,040 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/01/19 22:30:01 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/01/15 10:39:31 | 00,260,096 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\GW_2010 SB Schedule.doc
[2010/01/14 20:58:45 | 00,047,616 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe
[2010/01/14 20:07:45 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/01/14 19:46:43 | 00,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\~$eepfixforoot.doc
[2010/01/13 22:09:57 | 01,527,991 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Drive_C.xml
[2010/01/13 22:09:56 | 00,001,041 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Drive_C.dat
[2010/01/13 22:00:11 | 00,000,772 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DriveImage XML.lnk
[2010/01/13 21:58:36 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\bleepfixforoot.doc
[2010/01/13 05:42:28 | 00,000,717 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to uqDZKwRyr.exe.lnk
[2010/01/13 03:03:45 | 00,001,374 | ---- | M] () -- C:\WINNT\imsins.BAK
[2010/01/11 21:39:27 | 00,098,816 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\TITLE IX.ppt
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2010/01/05 22:07:12 | 00,263,168 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\rkill.com
[2010/01/04 14:31:34 | 00,000,202 | ---- | M] () -- C:\WINNT\System32\srcr.dat
[2010/01/04 00:10:02 | 00,001,409 | ---- | M] () -- C:\WINNT\QTFont.for
[2010/01/03 20:50:24 | 00,001,637 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/01/03 16:30:23 | 00,000,008 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/02 21:59:31 | 00,000,754 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Resume Adobe Downloads.lnk
[6 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[4 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
[4 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
[3 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/14 20:58:45 | 00,047,616 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe
[2010/01/14 20:07:44 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/01/14 19:46:43 | 00,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\~$eepfixforoot.doc
[2010/01/13 22:09:55 | 01,527,991 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Drive_C.xml
[2010/01/13 22:09:55 | 00,001,041 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Drive_C.dat
[2010/01/13 22:00:11 | 00,000,772 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DriveImage XML.lnk
[2010/01/13 21:58:35 | 00,020,992 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\bleepfixforoot.doc
[2010/01/13 05:42:28 | 00,000,717 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to uqDZKwRyr.exe.lnk
[2010/01/11 20:24:10 | 00,098,816 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\TITLE IX.ppt
[2010/01/05 22:07:11 | 00,263,168 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\rkill.com
[2010/01/04 00:10:02 | 00,001,409 | ---- | C] () -- C:\WINNT\QTFont.for
[2010/01/04 00:10:01 | 00,054,156 | -H-- | C] () -- C:\WINNT\QTFont.qfn
[2010/01/03 20:52:26 | 00,767,952 | ---- | C] () -- C:\WINNT\BDTSupport.dll
[2010/01/03 20:52:26 | 00,000,883 | ---- | C] () -- C:\WINNT\RegSDImport.xml
[2010/01/03 20:52:26 | 00,000,880 | ---- | C] () -- C:\WINNT\RegISSImport.xml
[2010/01/03 20:52:26 | 00,000,131 | ---- | C] () -- C:\WINNT\IDB.zip
[2010/01/03 20:52:25 | 01,152,444 | ---- | C] () -- C:\WINNT\UDB.zip
[2010/01/03 20:50:57 | 00,007,387 | ---- | C] () -- C:\WINNT\System32\drivers\pctgntdi.cat
[2010/01/03 20:50:42 | 00,007,412 | ---- | C] () -- C:\WINNT\System32\drivers\PCTAppEvent.cat
[2010/01/03 20:50:42 | 00,007,383 | ---- | C] () -- C:\WINNT\System32\drivers\pctcore.cat
[2010/01/03 20:50:24 | 00,001,637 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/01/03 20:50:18 | 00,007,383 | ---- | C] () -- C:\WINNT\System32\drivers\pctplsg.cat
[2010/01/03 16:33:55 | 00,000,202 | ---- | C] () -- C:\WINNT\System32\srcr.dat
[2010/01/03 16:30:23 | 00,000,008 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2007/09/25 18:32:38 | 00,000,004 | ---- | C] () -- C:\WINNT\System32\navwanvd.ini
[2007/05/21 22:33:39 | 00,000,103 | ---- | C] () -- C:\WINNT\cdplayer.ini
[2007/04/03 19:02:26 | 00,000,044 | ---- | C] () -- C:\WINNT\liveup.ini
[2007/01/01 17:56:29 | 00,001,360 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/06/27 09:45:22 | 00,069,632 | ---- | C] () -- C:\WINNT\System32\OPShDwn.dll
[2006/02/22 17:28:59 | 00,000,000 | ---- | C] () -- C:\WINNT\PROTOCOL.INI
[2006/02/22 17:28:40 | 00,240,640 | R--- | C] () -- C:\WINNT\System32\NMOCOD.DLL
[2005/08/31 10:43:32 | 00,098,304 | ---- | C] () -- C:\WINNT\System32\resourceGeneric.dll
[2005/04/14 17:48:39 | 00,000,048 | ---- | C] () -- C:\WINNT\PerWin.ini
[2005/01/29 11:11:49 | 00,018,432 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/01/29 11:03:51 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/10/01 22:04:11 | 00,000,002 | ---- | C] () -- C:\WINNT\msoffice.ini
[2004/09/17 23:03:20 | 00,000,193 | ---- | C] () -- C:\WINNT\cncscore.ini
[2004/09/08 16:18:57 | 04,194,441 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\sdi.db
[2004/08/30 18:53:52 | 00,000,771 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2004/07/18 17:39:48 | 00,000,049 | ---- | C] () -- C:\WINNT\NeroDigital.ini
[2004/07/10 17:55:38 | 00,252,416 | ---- | C] () -- C:\WINNT\System32\wsiShared.dll
[2004/07/05 16:58:55 | 00,000,387 | ---- | C] () -- C:\WINNT\SIERRA.INI
[2004/06/25 21:00:01 | 00,000,027 | ---- | C] () -- C:\WINNT\Rally.INI
[2004/04/26 19:08:07 | 00,028,747 | ---- | C] () -- C:\WINNT\System32\KMemoryMMX.dll
[2004/04/26 19:08:07 | 00,024,653 | ---- | C] () -- C:\WINNT\System32\KMemoryPIII.dll
[2004/04/26 19:08:07 | 00,024,632 | ---- | C] () -- C:\WINNT\System32\KMemory.dll
[2004/04/26 19:08:07 | 00,020,546 | ---- | C] () -- C:\WINNT\System32\KMemoryC.dll
[2004/04/26 19:07:43 | 00,000,002 | ---- | C] () -- C:\WINNT\PhotoSuite.ini
[2004/04/26 19:07:36 | 00,458,752 | ---- | C] () -- C:\WINNT\System32\Fpl.dll
[2004/04/26 19:07:36 | 00,122,880 | ---- | C] () -- C:\WINNT\System32\EnrouteStitch.dll
[2004/04/26 19:07:35 | 00,019,968 | ---- | C] () -- C:\WINNT\System32\CPUINF32.DLL
[2004/04/26 19:07:30 | 00,332,800 | ---- | C] () -- C:\WINNT\System32\FPXLIB.DLL
[2004/04/26 19:07:30 | 00,122,880 | ---- | C] () -- C:\WINNT\System32\JPEGLIB.DLL
[2004/04/18 06:45:03 | 00,000,078 | ---- | C] () -- C:\WINNT\qwimp.ini
[2004/04/18 06:45:02 | 00,000,368 | ---- | C] () -- C:\WINNT\intuprof.ini
[2004/04/17 19:35:48 | 00,032,418 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2004/03/22 11:47:18 | 00,000,061 | ---- | C] () -- C:\WINNT\smscfg.ini
[2004/02/18 12:23:38 | 00,000,194 | ---- | C] () -- C:\WINNT\System32\KILL.INI
[2004/02/18 12:23:35 | 00,053,312 | ---- | C] () -- C:\WINNT\System32\upddrv9x.dll
[2004/02/18 12:23:35 | 00,015,866 | ---- | C] () -- C:\WINNT\System32\aud2_gw.ini
[2004/02/18 12:23:35 | 00,000,029 | ---- | C] () -- C:\WINNT\System32\ctzapxx.ini
[2004/02/17 12:02:39 | 00,000,370 | ---- | C] () -- C:\WINNT\ODBC.INI
[2004/02/17 12:00:09 | 00,001,081 | ---- | C] () -- C:\WINNT\QUICKEN.INI
[2004/02/17 11:59:55 | 00,028,672 | ---- | C] () -- C:\WINNT\System32\JAWTAccessBridge.dll
[2004/02/17 11:56:09 | 00,086,016 | ---- | C] () -- C:\WINNT\System32\PCDrKernelModeServices.dll
[2004/02/17 11:56:09 | 00,065,536 | ---- | C] () -- C:\WINNT\System32\ProgressTrace.dll
[2004/02/17 10:55:31 | 00,000,571 | ---- | C] () -- C:\WINNT\System32\OEMINFO.INI
[2003/10/06 15:57:12 | 00,000,778 | ---- | C] () -- C:\WINNT\orun32.ini
[2003/10/06 15:40:33 | 00,363,520 | ---- | C] () -- C:\WINNT\System32\psisdecd.dll
[2003/08/11 03:07:40 | 00,565,248 | ---- | C] () -- C:\WINNT\System32\hpotscl.dll
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINNT\System32\OUTLPERF.INI
[1999/02/22 17:27:36 | 00,280,064 | ---- | C] () -- C:\WINNT\System32\Cncs232.dll
[1980/01/01 01:00:00 | 00,012,288 | ---- | C] () -- C:\WINNT\System32\e100bmsg.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 304 bytes -> C:\Documents and Settings\Owner\My Documents\us%20[1].jpg:SummaryInformation
@Alternate Data Stream - 304 bytes -> C:\Documents and Settings\Owner\My Documents\%2F031308_1841a[1].jpg:SummaryInformation
@Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >





OTL Extras logfile created on: 1/20/2010 9:41:02 PM - Run 1
OTL by OldTimer - Version 3.1.25.3 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 300.00 Mb Available Physical Memory | 59.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 54.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 114.49 Gb Total Space | 55.52 Gb Free Space | 48.50% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 465.76 Gb Total Space | 398.91 Gb Free Space | 85.65% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: S1100411655
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Disabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Disabled:AIM -- (AOL LLC)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Disabled:AOL Loader -- (AOL LLC)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes -- (Apple Inc.)
"C:\WINNT\system32\dpvsetup.exe" = C:\WINNT\system32\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Disabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Disabled:TurboTax Update Manager -- (Intuit, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{04410044-9149-45C6-A806-F2BF9CFCE762}" = Microsoft Encarta Encyclopedia Standard 2004
"{092eeeee-9fdd-4895-a568-0818c96beb6c}" = AiO_Scan
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1CAD83B0-87A3-4206-BF70-644546808731}" = Overland
"{1CC535A8-BD37-4AD5-BF85-1C366873BA47}" = Street Racing Syndicate ™
"{1D643CD7-4DD6-11D7-A4E0-000874180BB3}" = Microsoft Money 2004
"{1EBB57D4-63FF-87CC-A0F0-D73982CF6008}" = Adobe Media Player
"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows
"{21D3F5FD-4AB5-4772-885E-3569B9CC62AF}" = Test Drive
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 13
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2BD74F5D-4089-4064-B6AF-8E8A93022650}" = Office 2003 Setup Files
"{2CCBABCB-6427-4A55-B091-49864623C43F}" = Google Toolbar for Firefox
"{2E132061-C78A-48D4-A899-1D13B9D189FA}" = Memories Disc Creator 2.0
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{2F1FD032-67D1-4569-923F-47EAF132BF0F}" = DocProc
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{33BEE6F3-9987-4F98-A069-97A64EC8321A}" = Microsoft Works Suite Add-in for Microsoft Word
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36495C59-089C-49D1-BD15-9E5BD86DC9A1}" = ItsDeductible Express
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth
"{435673AB-6821-416D-806A-E477DFA60A42}" = WingMan Software
"{48B0F38D-1913-44F3-99AA-D4C55A2B038E}" = Drive Manager
"{4FB6F304-A91D-4919-98E5-D96E074EA9E5}" = SkinsHP1
"{5188D24B-9003-41B9-BC5D-7FEBA5C8F3AE}" = Dirt Track Racing 2
"{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"{54e854d5-d5d4-452d-9c75-b39f5625b5fb}" = Readme
"{595ED82D-446E-4C0B-B327-216AE31E9471}" = TurboTax 2008 wmdiper
"{5ADF6293-D60F-4425-AFA7-CEB820DB872B}" = QuickProjects
"{63B5F453-898D-45CE-931D-6F4FF669BB04}" = City Racer
"{642a22b1-7ab8-44b5-84b9-e58eecf8ece2}" = 2400_2500Help
"{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}" = QuickTime
"{745A92AF-53B4-41A7-91C3-9B026B1D5897}" = InstantShare
"{746B3247-FEFC-4C04-0087-E87636B0B1D3}" = NASCAR Thunder TM 2004
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}" = overland
"{76F4DD9B-C246-4BE0-00B6-3DE9ABF72299}" = Need For Speed Hot Pursuit 2
"{79C217FB-ADE6-47D9-8205-A479BB264B16}" = PhotoShow Print & Share
"{7C4196CA-CA41-4F34-9C08-7724E7705D52}" = Jasc Animation Shop 3
"{7D2E05C0-064C-4F12-8173-6EBAD61E7F93}" = World of Outlaws Sprint Cars
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{829698DE-9EAC-475E-9A05-B7BA807CA1EF}" = Director
"{82EF8297-C8B2-4CA8-9430-FF2BC8C40414}" = GWCares
"{8704D51E-25B7-4F23-81E7-AA4F54790210}" = Microsoft Streets and Trips 2004
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{89661B04-C646-4412-B6D3-5E19F02F1F37}" = EAX4 Unified Redist
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C64E145-54BA-11D6-91B1-00500462BE80}" = Microsoft Money 2004 System Pack
"{8E309767-4214-4A04-AB88-FE86155FC151}" = Race Driver
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{939227BD-19D8-4684-8A04-31AC9F6A564C}" = Scan
"{9441cb44-9729-4962-9ce1-c7752350fe52}" = 23_24_2500Tour
"{9860A9CF-7E71-43AC-888F-0B4D3EA212D1}" = Roxio Burn Engine
"{98e3d87f-6946-468d-b34e-9f89ac8da70a}" = 2400
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = DVD
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{9F4EEA0C-7174-4BD3-89AF-7AB2F9F6AEDD}" = hpmdtab
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A363B66C-1547-47bf-90F0-3834E70A841A}" = CreativeProjects
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{ABEB838C-A1A7-4C5D-B7E1-8B4314B00527}" = MSN Messenger 5.0
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}" = iTunes
"{B9966F27-9678-4620-9579-925E3084647E}" = Microsoft Works
"{BCB5B1F6-5C55-4BCB-9192-77C63D166D2B}" = Saturday Night Speedway
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C19423A6-78AB-4EF0-BE84-6B18342316A5}" = Kaplan Essential Review - Writing and Vocabulary
"{C2FE0127-0F86-43C7-824E-AA78E6B5F4F3}" = Total Immersion Racing
"{c330461f-c4a9-4fc7-af5d-c158e0b56aa7}" = AiOSoftware
"{C38BC5B7-62D3-4880-82DD-A4803FD81921}" = PhotoGallery
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE4F8FFB-4063-4247-9F14-ECE61AFEFA25}" = TrayApp
"{CEABB85A-22B9-4DEF-B881-51FEC54FD441}" = SIM Edit Tool
"{CFD1B282-555D-494d-8231-4175C2AF08C2}" = PrintScreen
"{D1D8C9C4-89BE-4f37-9EC4-B80E3C239C41}" = Copy
"{d40e4a88-ebc8-4d52-be3c-a4917a057ef0}" = Fax
"{D474A0E8-4421-43C0-BE8E-F454F91E2E2A}" = Race Driver 2
"{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC}" = iPod for Windows 2005-09-23
"{D545BB81-DEB0-49f7-BE26-197BC31AAF57}" = SkinsHP2
"{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}" = Apple Mobile Device Support
"{DBA8B9E1-C6FF-4624-9598-73D3B41A0903}" = Microsoft Picture It! Photo Premium 9
"{DE114695-AE58-4B66-8E0F-2505188602FB}_is1" = Uninstall Startup Inspector
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E2A77960-16D1-11D5-A25B-00A0CC3D622D}" = Offroad Redneck Racing
"{E4961DB6-A3F3-11D3-BE67-0000B4A81FC5}" = Grand Prix 3
"{E4ABB302-9D82-4D18-83D5-AD1DFE786AA8}" = Unload
"{E5B26C1E-4751-4F03-BC18-634F41F31EC6}" = DoMore
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{EB387132-2EE8-4023-B365-2853A2CBBB36}" = Turbo GT
"{ec7d7a6a-31cb-4810-826f-74171bef44f1}" = AIOMinimal
"{F10082FE-BACB-4E58-A423-DAD6BFC8B3A2}" = Gateway Ink Monitor
"{F38FA38A-7E5A-4209-88ED-4DE21CD20EEF}" = HP PSC & OfficeJet 3.0
"{f409f2fe-2567-446f-a220-e60cd7e016f4}" = 2400_2500trb
"{F7E1CA14-B39D-452A-960B-39423DDDD933}" = DriveImage XML (Private Edition)
"{FBBF532A-47AC-457d-AC06-0D3163D8911E}" = WebReg
"4AF3F682-FE2A-488D-A11C-A0470A325E93" = Blasterball 2 from Gateway (remove only)
"4x4 Evo2" = 4x4 Evo2
"5A137FCB-35EA-4849-8239-AFEBD2F45B3B" = Otto from Gateway (remove only)
"618CD711-AFB3-4EB4-9B48-ABD2AB370B21" = Slyder from Gateway (remove only)
"70216ACD-1547-44E5-8966-615BE9569EAD" = Blackhawk Striker from Gateway (remove only)
"A375E2C6-77CA-4F2F-AB6F-CD0A96D87B24" = Overball from Gateway (remove only)
"AA4162B8-1BB1-4110-8F93-0092D4DEF122" = Bounce Symphony from Gateway (remove only)
"ADFCE1E4-A420-437C-998D-EAF04E3601BE" = Excavation from Gateway (remove only)
"Adobe AIR" = Adobe AIR
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AIM_6" = AIM 6
"AOL Explorer" = AOL Explorer
"AOL Instant Messenger" = AOL Instant Messenger
"AOL Toolbar" = AOL Toolbar 2.0
"BECB8A74-E07D-44A1-813D-1E390EB3047B" = Orbital from Gateway (remove only)
"Browser Defender_is1" = Browser Defender 2.0.6.11
"C4D2212B-5331-470D-9BF7-96DB25A398C7" = Polar Bowler from Gateway (remove only)
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"ComcastToolbar" = Comcast Toolbar
"Creative Driver" = Creative Driver
"EAX Unified" = EAX Unified
"Electronic Arts Game Updater" = Electronic Arts Game Updater
"GameChannel" = WildTangent GameChannel (remove only)
"Higher Score on the New SAT_is1" = Higher Score on the New SAT 1.0
"HP Photo & Imaging" = HP Photo & Imaging 3.1
"Hutchinson Educational Encyclopedia 2000" = Hutchinson Educational Encyclopedia 2000
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{48B0F38D-1913-44F3-99AA-D4C55A2B038E}" = Drive Manager
"InstallShield_{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"InstallShield_{63B5F453-898D-45CE-931D-6F4FF669BB04}" = City Racer
"InstallShield_{8E309767-4214-4A04-AB88-FE86155FC151}" = Race Driver
"InstallShield_{D474A0E8-4421-43C0-BE8E-F454F91E2E2A}" = Race Driver 2
"InstallShield_{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC}" = iPod for Windows 2005-09-23
"InstallShield_{EB387132-2EE8-4023-B365-2853A2CBBB36}" = Turbo GT
"Intel® 537EP Data Fax Modem" = Intel® 537EP Data Fax Modem
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.8)" = Mozilla Firefox (3.0.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NASCAR Heat" = NASCAR Heat
"Need For Speed - Porsche Unleashed" = Need For Speed - Porsche Unleashed
"Nero BurnRights!UninstallKey" = Ahead Nero BurnRights
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PictureIt_v9" = Microsoft Picture It! Photo Premium 9
"PROSet" = Intel® PRO Network Adapters and Drivers
"RalliSport Challenge 1.0" = Microsoft RalliSport Challenge
"RealPlayer 12.0" = RealPlayer
"ROXIO_PRISM_V4_0" = PhotoSuite 4 (Remove Only)
"Shockwave" = Shockwave
"Sierra Utilities" = Sierra Utilities
"SPEEDBUSTERS" = SPEEDBUSTERS
"Spyware Doctor" = Spyware Doctor 7.0
"TurboTax 2008" = TurboTax 2008
"TurboTax Deluxe 2004" = TurboTax Deluxe 2004
"TurboTax Deluxe 2005" = TurboTax Deluxe 2005
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"TurboTax Deluxe Deduction Maximizer 2006" = TurboTax Deluxe Deduction Maximizer 2006
"ViewpointMediaPlayer" =
"Viper Racing" = Viper Racing
"V-Rally2 Expert Edition" = V-Rally2 Expert Edition
"WeatherBug" = WeatherBug
"WildTangent CDA" = WildTangent Web Driver
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2004Setup" = Microsoft Works 2004 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-4069285105-1660435534-2397799627-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/12/2010 11:50:03 PM | Computer Name = S1100411655 | Source = Application Hang | ID = 1002
Description = Hanging application gXmrWHUSx.exe, version 1.43.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/13/2010 6:33:42 AM | Computer Name = S1100411655 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module unknown, version 0.0.0.0, fault address 0x00f61626.

Error - 1/13/2010 6:34:35 AM | Computer Name = S1100411655 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module unknown, version 0.0.0.0, fault address 0x00f61626.

Error - 1/13/2010 6:35:49 AM | Computer Name = S1100411655 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module unknown, version 0.0.0.0, fault address 0x00f61626.

Error - 1/13/2010 6:39:37 AM | Computer Name = S1100411655 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module unknown, version 0.0.0.0, fault address 0x00df1626.

Error - 1/13/2010 6:39:50 AM | Computer Name = S1100411655 | Source = Application Error | ID = 1000
Description = Faulting application ViewpointService.exe, version 2.0.0.54, faulting
module ViewpointService.exe, version 2.0.0.54, fault address 0x00002250.

Error - 1/13/2010 6:41:10 AM | Computer Name = S1100411655 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module unknown, version 0.0.0.0, fault address 0x00f61626.

Error - 1/18/2010 9:58:56 AM | Computer Name = S1100411655 | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8312.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/18/2010 9:58:57 AM | Computer Name = S1100411655 | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8312.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/18/2010 9:59:11 AM | Computer Name = S1100411655 | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8312.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 1/6/2010 10:14:44 PM | Computer Name = S1100411655 | Source = DCOM | ID = 10001
Description = Unable to start a DCOM Server: {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493}
as /. The error: "%2" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
-Embedding

Error - 1/6/2010 10:14:54 PM | Computer Name = S1100411655 | Source = DCOM | ID = 10001
Description = Unable to start a DCOM Server: {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493}
as /. The error: "%2" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
-Embedding

Error - 1/6/2010 10:41:35 PM | Computer Name = S1100411655 | Source = System Error | ID = 1003
Description = Error code 100000d1, parameter1 f4b0e198, parameter2 00000002, parameter3
00000000, parameter4 f4b05e22.

Error - 1/9/2010 2:39:51 PM | Computer Name = S1100411655 | Source = DCOM | ID = 10010
Description = The server {6A972E27-93E2-4F98-8367-4101B2073814} did not register
with DCOM within the required timeout.

Error - 1/9/2010 2:49:29 PM | Computer Name = S1100411655 | Source = DCOM | ID = 10010
Description = The server {6A972E27-93E2-4F98-8367-4101B2073814} did not register
with DCOM within the required timeout.

Error - 1/9/2010 5:04:00 PM | Computer Name = S1100411655 | Source = DCOM | ID = 10001
Description = Unable to start a DCOM Server: {6A972E27-93E2-4F98-8367-4101B2073814}
as /. The error: "%2" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
-Embedding

Error - 1/9/2010 10:44:10 PM | Computer Name = S1100411655 | Source = System Error | ID = 1003
Description = Error code 100000d1, parameter1 f4fd2198, parameter2 00000002, parameter3
00000000, parameter4 f4fc9e22.

Error - 1/11/2010 11:02:13 PM | Computer Name = S1100411655 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 1/11/2010 11:02:19 PM | Computer Name = S1100411655 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 1/13/2010 7:02:53 AM | Computer Name = S1100411655 | Source = PlugPlayManager | ID = 11
Description = The device Root\LEGACY_ONDMD\0000 disappeared from the system without
first being prepared for removal.


< End of report >


#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:01 PM

Posted 21 January 2010 - 06:20 AM

Hi,

please also run a scan with gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#6 terry6

terry6
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:06:01 AM

Posted 22 January 2010 - 07:33 PM

Hi,

I have been trying to run the gmer scan and am having difficulty. In my regular mode, after about 3 hours, the scan gets to the files section and while scanning pictures just stops. I tried running it in the safe mode and it may have finished, but the screen was so large that I could not access the Save button in order to save the results to post.

I am trying to research how to go into the safe mode and not have the screen size so large. I will continue to try to get the gmer to run to completion, but if there is something else I can try please let me know.

Thank you,
Terry

#7 terry6

terry6
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:06:01 AM

Posted 23 January 2010 - 09:58 AM

Hi myrti,

No luck with the gmer scan in safe mode. I researched some of your other posts and see where others have encountered problems with gmer scans, seemingly like me. I also see that you recommend they perform the mbr.exe and root repeal scans next. In an effort to try to get resolution, I went ahead and used your instructions for running those. I was able to get the mbr.exe to run, but it did not save the results with a .log extension?? Just as a txt file. Here it is:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll prosync1.sys atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK


I could not get the rootrepeal to run. After I start it up, it just goes to "Please wait, initializing" and stays like that. I also had the same results with this tool when directed to try it by the 'Am I Infected?' forum.

Thanks again,
Terry

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:01 PM

Posted 23 January 2010 - 01:46 PM

Hi,

there may be some interference from other programs. Please try RootRepeal again, but before the scan do the following:
Please start RootRepeal, and, before doing anything else, try changing the "Disk Access Level" in the Settings->Options dialog. Try moving it to the "Special" or "High" level. Also, click on the Files tab, and uncheck "Use lowest level for MBR check". Please let me know if this fixes the problem.

My next step would indeed have been to advise running mbr and rootrepeal instead. The mbr log looks good though.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#9 terry6

terry6
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:06:01 AM

Posted 23 January 2010 - 09:10 PM

Hi myrti,

Unfortunately, I can't even get the rootrepeal to start. Every time, in regular or safe mode, I try to run rootrepeal it puts a white box on my screen that says 'Intializing, please wait' and never starts anything. Eventually I get an error pop-up saying that I do not have enough memory to perform that function and then my computer just freezes up.

Terry



#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:01 PM

Posted 23 January 2010 - 09:38 PM

Hi,

please try using sophos instead:

Please download Sophos Anti-Rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#11 terry6

terry6
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:06:01 AM

Posted 24 January 2010 - 07:17 AM

Hi myrti,

I was able to run the sophos anti-rootkit scan. The first time I tried to run it, I got the following message and stopped the scan:

Fatal error. Could not initialize kernel driver memsweep.sys. Please restart and try again. Access is denied.


I ran the sophos scan a second time and it finished. The first item in my scan results was this:

Warning: Failed to query live registry key \HKEY_USERS. You may not have access rights to the whole registry. Incorrect Function.


There were no items in the results that recommended I remove them so I did not remove anything. Here are the results of the second sophos scan:


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 1/23/2010 at 23:44:39 PM
User "Owner" on computer "S1100411655"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Error: Could not initialize kernel driver memsweep.sys. Please restart and try again.
Access is denied.
Info: Starting registry scan.
Stopped logging on 1/23/2010 at 23:47:19 PM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 1/23/2010 at 23:47:28 PM
User "Owner" on computer "S1100411655"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Stopped logging on 1/23/2010 at 23:58:19 PM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 1/23/2010 at 23:59:26 PM
User "Owner" on computer "S1100411655"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Warning: Failed to query live registry key \HKEY_USERS.
You may not have access rights to the whole registry.
Incorrect function.
Hidden: registry item \HKEY_USERS\.DEFAULT
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\Julie\Local Settings\temp\TFRB.tmp
Hidden: file C:\Documents and Settings\Julie\Local Settings\Temporary Internet Files\Content.IE5\0PAXLNXG\_100148;s1=tvshow;s2=100148;url=detail_tvshow_id_100148;tvg=ad;pos=bottom;tile=4;dcopt=;kw=Family+Guy;kw=tvshow;service=cable;promo=;sz=728x90;ord=1233257584562[1]
Hidden: file C:\WINNT\system32\SET20.tmp
Hidden: file C:\Documents and Settings\Owner\Desktop\ \Thumbs.db
Info: Starting disk scan of F: (NTFS).
Stopped logging on 1/24/2010 at 2:03:03 AM


I am not sure how to start the ARK scan so I did not do that yet.

Thanks,
Terry



#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:01 PM

Posted 24 January 2010 - 12:05 PM

Hi,

ARK stands for Anti RootKit. The scan with Sophos you just did was an ARK scan.

Please run a scan with ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#13 terry6

terry6
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:06:01 AM

Posted 24 January 2010 - 02:05 PM

myrti,

Here is my ComboFix log. It ran fine. Thanks again for all of your help.

Terry



ComboFix 10-01-23.06 - Owner 01/24/2010 13:01:29.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.289 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\MSN6
c:\documents and settings\All Users\Application Data\MSN6\au.ini
c:\documents and settings\Dan\Desktop\
c:\documents and settings\Julie\
c:\documents and settings\Julie\Desktop\
c:\documents and settings\Julie\Desktop\ \Five Card Frenzy.lnk
c:\documents and settings\Owner\Application Data\MSN6
c:\documents and settings\Owner\Application Data\MSN6\msndata.dat
c:\documents and settings\Owner\Desktop\
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 001.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 002.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 003.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 004.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 005.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 006.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 007.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 008.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 009.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 010.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 011.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 012.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 013.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 014.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 015.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 016.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 017.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 018.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 019.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 020.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 021.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 022.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 023.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 024.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 025.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 026.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 027.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 028.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 029.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 030.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 031.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 032.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 033.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 034.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 035.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 036.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 037.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 038.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 039.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 040.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 041.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 042.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 043.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 044.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 045.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 046.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 047.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 048.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 049.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 050.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 051.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 052.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 053.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 054.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 055.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 056.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 057.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 058.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 059.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 060.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 061.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 062.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 063.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 064.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 065.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 066.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 067.jpg
c:\documents and settings\Owner\Desktop\ \sweetswimmingpics09 068.jpg
c:\documents and settings\Owner\Desktop\ \Thumbs.db
c:\recycler\S-1-5-21-2382183845-4255425384-640177857-1003
c:\recycler\S-1-5-21-3025020880-579824901-2654331408-1003
c:\winnt\EventSystem.log
c:\winnt\system32\Data
c:\winnt\system32\Data\CTP0245W.DAT
c:\winnt\system32\Data\CTP0246W.DAT
c:\winnt\system32\Data\CTP0355W.DAT
c:\winnt\system32\srcr.dat
c:\winnt\system32\Thumbs.db
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.

2010-01-24 04:44 . 2010-01-24 04:44 -------- d-----w- c:\program files\Sophos
2010-01-23 01:10 . 2010-01-23 01:14 77312 ----a-w- C:\mbr.exe
2010-01-14 03:00 . 2010-01-14 03:00 -------- d-----w- c:\program files\Runtime Software
2010-01-14 00:05 . 2010-01-14 00:05 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8
2010-01-13 07:43 . 2009-11-21 15:51 471552 ------w- c:\winnt\system32\dllcache\aclayers.dll
2010-01-06 03:22 . 2010-01-06 03:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-06 03:15 . 2010-01-07 21:07 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-01-06 03:15 . 2010-01-06 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-06 03:15 . 2010-01-07 21:07 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-01-06 03:15 . 2010-01-13 10:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-04 02:32 . 2010-01-04 02:32 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Google
2010-01-04 02:32 . 2010-01-04 02:32 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Threat Expert
2010-01-04 02:32 . 2010-01-04 02:32 -------- d-----w- c:\documents and settings\Guest\Application Data\COMCASTTOOLBAR
2010-01-04 01:52 . 2010-01-04 01:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-01-04 01:52 . 2009-11-10 15:28 149456 ----a-w- c:\winnt\SGDetectionTool.dll
2010-01-04 01:52 . 2009-11-10 15:26 767952 ----a-w- c:\winnt\BDTSupport.dll
2010-01-04 01:52 . 2008-11-26 17:08 131 ----a-w- c:\winnt\IDB.zip
2010-01-04 01:52 . 2009-11-10 15:28 165840 ----a-w- c:\winnt\PCTBDRes.dll
2010-01-04 01:52 . 2009-11-10 15:28 1640400 ----a-w- c:\winnt\PCTBDCore.dll
2010-01-04 01:52 . 2009-10-28 06:36 1152444 ----a-w- c:\winnt\UDB.zip
2010-01-04 01:50 . 2009-10-30 16:11 233136 ----a-w- c:\winnt\system32\drivers\pctgntdi.sys
2010-01-04 01:50 . 2009-11-09 16:20 207792 ----a-w- c:\winnt\system32\drivers\PCTCore.sys
2010-01-04 01:50 . 2009-10-06 21:31 87784 ----a-w- c:\winnt\system32\drivers\PCTAppEvent.sys
2010-01-04 01:50 . 2009-09-03 14:45 70408 ----a-w- c:\winnt\system32\drivers\pctplsg.sys
2010-01-04 01:50 . 2010-01-24 18:34 -------- d-----w- c:\program files\Spyware Doctor
2010-01-04 01:50 . 2010-01-04 01:50 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-04 01:50 . 2010-01-04 01:50 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2010-01-04 01:50 . 2010-01-04 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-01-04 01:49 . 2010-01-24 18:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-24 18:33 . 2004-03-21 22:18 384 ----a-w- c:\winnt\system32\DVCStateBkp-{00000001-00000000-00000001-00001102-00000004-20041102}.dat
2010-01-24 18:33 . 2004-03-21 22:18 384 ----a-w- c:\winnt\system32\DVCState-{00000001-00000000-00000001-00001102-00000004-20041102}.dat
2010-01-20 22:57 . 2009-11-06 00:54 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-13 08:23 . 2006-09-14 17:20 -------- d-----w- c:\program files\Google
2010-01-11 16:53 . 2007-10-20 11:57 -------- d-----w- c:\documents and settings\Owner\Application Data\wsInspector
2010-01-11 15:25 . 2004-08-10 01:28 -------- d-----w- c:\program files\GameSpy Arcade
2010-01-10 02:02 . 2007-10-01 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-09 21:22 . 2007-10-01 13:44 -------- d-----w- c:\program files\McAfee
2010-01-09 21:22 . 2007-10-01 13:44 -------- d-----w- c:\program files\Common Files\McAfee
2010-01-05 10:00 . 2005-10-21 17:51 832512 ----a-w- c:\winnt\system32\wininet.dll
2010-01-05 10:00 . 2008-09-13 22:34 78336 ----a-w- c:\winnt\system32\ieencode.dll
2010-01-05 10:00 . 1980-01-01 06:00 17408 ----a-w- c:\winnt\system32\corpol.dll
2010-01-03 02:59 . 2009-09-20 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-01 00:46 . 2006-01-15 22:09 -------- d-----w- c:\program files\Kap.NewSAT
2009-11-28 22:47 . 2007-09-24 11:28 -------- d-----w- c:\documents and settings\Julie\Application Data\COMCASTTOOLBAR
2009-11-26 21:24 . 2009-11-26 21:24 -------- d-----w- c:\documents and settings\Guest\Application Data\Grisoft
2009-11-04 21:54 . 2009-11-04 21:54 214664 ----a-w- c:\winnt\system32\drivers\mfehidk.sys
2009-09-07 01:54 . 2009-09-07 01:54 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-09-07 01:54 . 2009-09-07 01:54 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-09-07 01:54 . 2009-09-07 01:54 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-09-07 01:54 . 2009-09-07 01:54 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-09-07 01:54 . 2009-09-07 01:54 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Ink Monitor"="c:\program files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe" [2003-11-05 303180]
"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-08 73728]
"NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [2003-11-17 3022848]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINNT\\system32\\sessmgr.exe"=
"c:\\WINNT\\system32\\dpvsetup.exe"=
"c:\\WINNT\\Network Diagnostic\\xpnetdiag.exe"=

R0 PCTCore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [1/3/2010 8:50 PM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/3/2010 8:52 PM 112592]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/3/2010 8:50 PM 359624]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 3:42 PM 24652]
S0 bqdbng;bqdbng;c:\winnt\system32\drivers\ttsueo.sys --> c:\winnt\system32\drivers\ttsueo.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\winnt\system32\10.tmp --> c:\winnt\system32\10.tmp [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://comcast.net//
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: adobe.com\www
Trusted Zone: comcast.net\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\www.update
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\zmksupco.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://comcast.net
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUfox000&fl=0&ptb=5CNRrS1CaupJsbK1LwWy.g&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\zmksupco.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Start WingMan Profiler - (no file)
HKCU-Run-Aim6 - (no file)
SafeBoot-MCODS
AddRemove-NASCAR Heat - c:\program files\Hasbro Interactive\NASCAR Heat\NHeat.exe
AddRemove-WeatherBug - c:\progra~1\AWS\WEATHE~1\REMOVE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-24 13:36
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\winnt\system32\10.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4069285105-1660435534-2397799627-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**¬*b%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-4069285105-1660435534-2397799627-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*L*c%T%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-4069285105-1660435534-2397799627-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*L*c%T%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-4069285105-1660435534-2397799627-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Í*<*ž \OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-4069285105-1660435534-2397799627-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*%÷*ß*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-4069285105-1660435534-2397799627-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*%÷*ß*\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3792)
c:\winnt\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\program files\Gateway\Gateway Ink Monitor\inkpeek.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\winnt\System32\nvsvc32.exe
c:\winnt\System32\HPZipm12.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\winnt\system32\wscntfy.exe
c:\program files\HP\hpcoretech\comp\hptskmgr.exe
.
**************************************************************************
.
Completion time: 2010-01-24 13:51:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-24 18:51

Pre-Run: 59,475,079,168 bytes free
Post-Run: 61,507,039,232 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 2DCF5C852A470AD2E19BE4B4FF2F6185


#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:01 PM

Posted 24 January 2010 - 05:55 PM

Hi,

I'm sorry to say that ComboFix seems to have deleted some of your personal files. Please do not do anything unless instructed by me first. We can get these files back.

Please go to C:\qoobox and copy the content of Combofix-quarantined-files.txt into your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#15 terry6

terry6
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:06:01 AM

Posted 24 January 2010 - 06:46 PM

Hi,

Here are the contents of the quarantined ComboFix files. I also see that there is a new announcement about ComboFix being taken offline. Does that impact me any?

Also, I am not getting any sound from my speakers after the ComboFix run. I don't know if something was changed or maybe deleted. If you have any ideas on that, please let me know.

Thanks.
Terry

2010-01-24 18:50:12 . 2010-01-24 18:50:12 1,384 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-WeatherBug.reg.dat
2010-01-24 18:50:12 . 2010-01-24 18:50:12 512 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-NASCAR Heat.reg.dat
2010-01-24 18:49:47 . 2010-01-24 18:49:47 534 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-MCODS.reg.dat
2010-01-24 18:49:22 . 2010-01-24 18:49:22 90 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Aim6.reg.dat
2010-01-24 18:49:22 . 2010-01-24 18:49:22 108 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Start WingMan Profiler.reg.dat
2010-01-24 18:36:29 . 2010-01-24 18:36:29 344 ----a-w- C:\Qoobox\Quarantine\F\av2.zip
2010-01-24 18:36:28 . 2007-08-17 18:48:16 40 ----a-w- C:\Qoobox\Quarantine\F\Autorun.inf.vir
2010-01-24 18:15:09 . 2010-01-24 18:15:09 2,728 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_MyWebSearchService.reg.dat
2010-01-24 18:15:09 . 2010-01-24 18:15:09 892 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_MYWEBSEARCHSERVICE.reg.dat
2010-01-24 18:14:37 . 2010-01-24 18:14:37 11,788 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-01-03 21:33:55 . 2010-01-04 19:31:34 202 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\srcr.dat.vir
2009-11-21 16:56:21 . 2009-11-21 16:56:21 7,680 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \Thumbs.db.vir
2009-08-11 19:09:22 . 2009-08-11 19:04:22 2,347,108 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 068.jpg.vir
2009-08-11 19:09:22 . 2009-08-11 19:04:22 2,565,521 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 067.jpg.vir
2009-08-11 19:09:21 . 2009-08-11 19:04:21 2,323,988 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 066.jpg.vir
2009-08-11 19:09:20 . 2009-08-11 19:04:21 2,059,851 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 065.jpg.vir
2009-08-11 19:09:19 . 2009-08-11 19:04:20 2,248,119 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 064.jpg.vir
2009-08-11 19:09:18 . 2009-08-11 19:04:20 2,251,030 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 063.jpg.vir
2009-08-11 19:09:18 . 2009-08-11 19:04:20 2,790,180 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 062.jpg.vir
2009-08-11 19:09:18 . 2009-08-11 19:04:19 2,443,189 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 061.jpg.vir
2009-08-11 19:09:18 . 2009-08-11 19:04:19 2,456,995 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 060.jpg.vir
2009-08-11 19:09:18 . 2009-08-11 19:04:18 2,273,756 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 059.jpg.vir
2009-08-11 19:09:18 . 2009-08-11 19:04:18 2,546,931 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 058.jpg.vir
2009-08-11 19:09:18 . 2009-08-11 19:04:17 2,615,294 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 057.jpg.vir
2009-08-11 19:09:18 . 2009-08-11 19:04:16 2,177,470 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 056.jpg.vir
2009-08-11 19:09:17 . 2009-08-11 19:04:16 2,039,177 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 055.jpg.vir
2009-08-11 19:09:16 . 2009-08-11 19:04:16 3,028,627 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 054.jpg.vir
2009-08-11 19:09:15 . 2009-08-11 19:04:15 2,225,786 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 053.jpg.vir
2009-08-11 19:09:14 . 2009-08-11 19:04:15 2,095,121 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 052.jpg.vir
2009-08-11 19:09:14 . 2009-08-11 19:04:14 1,400,539 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 051.jpg.vir
2009-08-11 19:09:14 . 2009-08-11 19:04:14 2,841,328 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 050.jpg.vir
2009-08-11 19:09:13 . 2009-08-11 19:04:13 2,398,960 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 049.jpg.vir
2009-08-11 19:09:13 . 2009-08-11 19:04:12 2,499,490 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 048.jpg.vir
2009-08-11 19:09:13 . 2009-08-11 19:04:12 2,781,649 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 047.jpg.vir
2009-08-11 19:09:13 . 2009-08-11 19:04:11 2,693,646 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 046.jpg.vir
2009-08-11 19:09:13 . 2009-08-11 19:04:10 2,569,805 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 045.jpg.vir
2009-08-11 19:09:13 . 2009-08-11 19:04:10 2,159,171 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 044.jpg.vir
2009-08-11 19:09:12 . 2009-08-11 19:04:10 2,246,601 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 043.jpg.vir
2009-08-11 19:09:12 . 2009-08-11 19:04:09 1,744,448 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 042.jpg.vir
2009-08-11 19:09:12 . 2009-08-11 19:04:09 2,550,477 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 041.jpg.vir
2009-08-11 19:09:12 . 2009-08-11 19:04:08 2,085,624 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 040.jpg.vir
2009-08-11 19:09:12 . 2009-08-11 19:04:08 2,257,799 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 039.jpg.vir
2009-08-11 19:09:12 . 2009-08-11 19:04:07 2,251,829 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 038.jpg.vir
2009-08-11 19:09:12 . 2009-08-11 19:04:07 2,391,012 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 037.jpg.vir
2009-08-11 19:09:12 . 2009-08-11 19:04:06 2,658,425 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 036.jpg.vir
2009-08-11 19:09:12 . 2009-08-11 19:04:06 2,857,446 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 035.jpg.vir
2009-08-11 19:09:11 . 2009-08-11 19:04:05 2,313,094 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 034.jpg.vir
2009-08-11 19:09:11 . 2009-08-11 19:04:05 2,035,270 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 033.jpg.vir
2009-08-11 19:09:10 . 2009-08-11 19:04:04 3,279,871 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 032.jpg.vir
2009-08-11 19:09:10 . 2009-08-11 19:04:04 2,447,340 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 031.jpg.vir
2009-08-11 19:09:10 . 2009-08-11 19:04:03 2,640,491 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 030.jpg.vir
2009-08-11 19:09:10 . 2009-08-11 19:04:03 2,480,753 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 029.jpg.vir
2009-08-11 19:09:10 . 2009-08-11 19:04:02 2,268,133 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 028.jpg.vir
2009-08-11 19:09:10 . 2009-08-11 19:04:02 2,488,492 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 027.jpg.vir
2009-08-11 19:09:09 . 2009-08-11 19:04:01 2,729,714 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 026.jpg.vir
2009-08-11 19:09:08 . 2009-08-11 19:04:01 2,541,032 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 025.jpg.vir
2009-08-11 19:09:06 . 2009-08-11 19:04:00 2,807,304 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 024.jpg.vir
2009-08-11 19:09:05 . 2009-08-11 19:03:59 2,387,917 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 023.jpg.vir
2009-08-11 19:09:04 . 2009-08-11 19:03:59 2,503,094 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 022.jpg.vir
2009-08-11 19:09:04 . 2009-08-11 19:03:59 2,372,431 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 021.jpg.vir
2009-08-11 19:09:04 . 2009-08-11 19:03:58 2,758,564 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 020.jpg.vir
2009-08-11 19:09:03 . 2009-08-11 19:03:58 2,930,832 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 019.jpg.vir
2009-08-11 19:09:03 . 2009-08-11 19:03:57 2,470,173 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 018.jpg.vir
2009-08-11 19:09:03 . 2009-08-11 19:03:56 2,334,793 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 017.jpg.vir
2009-08-11 19:09:03 . 2009-08-11 19:03:56 2,050,995 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 016.jpg.vir
2009-08-11 19:09:03 . 2009-08-11 19:03:56 3,040,238 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 015.jpg.vir
2009-08-11 19:09:02 . 2009-08-11 19:03:55 3,281,449 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 014.jpg.vir
2009-08-11 19:09:02 . 2009-08-11 19:03:54 3,419,950 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 013.jpg.vir
2009-08-11 19:09:02 . 2009-08-11 19:03:54 3,551,646 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 012.jpg.vir
2009-08-11 19:09:02 . 2009-08-11 19:03:53 3,503,380 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 011.jpg.vir
2009-08-11 19:09:02 . 2009-08-11 19:03:53 3,671,800 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 010.jpg.vir
2009-08-11 19:09:01 . 2009-08-11 19:03:52 3,640,875 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 009.jpg.vir
2009-08-11 19:09:01 . 2009-08-11 19:03:51 2,808,218 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 008.jpg.vir
2009-08-11 19:09:01 . 2009-08-11 19:03:51 2,616,044 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 007.jpg.vir
2009-08-11 19:09:01 . 2009-08-11 19:03:50 3,969,486 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 006.jpg.vir
2009-08-11 19:09:01 . 2009-08-11 19:03:49 2,681,990 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 005.jpg.vir
2009-08-11 19:09:01 . 2009-08-11 19:03:49 2,804,286 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 004.jpg.vir
2009-08-11 19:09:01 . 2009-08-11 19:03:48 2,828,803 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 003.jpg.vir
2009-08-11 19:09:01 . 2009-08-11 19:03:44 2,796,202 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 001.jpg.vir
2009-08-11 19:09:01 . 2009-08-11 19:03:48 3,144,179 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Desktop\ \sweetswimmingpics09 002.jpg.vir
2007-10-12 17:46:55 . 2010-01-24 17:51:57 279 ----a-w- C:\Qoobox\Quarantine\catchme.log
2007-10-08 19:17:15 . 2007-10-08 19:17:15 20,224 ----a-w- C:\Qoobox\Quarantine\C\WINNT\hotporn.exe.vir
2007-10-06 14:43:21 . 2007-10-06 14:43:21 892 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\msndata.dat.vir
2007-10-06 14:43:11 . 2007-10-06 14:43:26 98 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\MSN6\au.ini.vir
2007-09-30 19:43:09 . 2007-10-14 19:01:06 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Julie\Application Data\wsnpoem\audio.dll.vir
2007-09-30 19:43:09 . 2007-10-14 20:43:05 10,702 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Julie\Application Data\wsnpoem\video.dll.vir
2007-09-29 02:16:25 . 2007-09-29 02:16:25 0 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\3_exception.nls.vir
2007-09-25 23:54:04 . 2007-09-25 23:54:04 27,648 ----a-w- C:\Qoobox\Quarantine\C\WINNT\eventlowg.dll.vir
2007-09-25 23:54:03 . 2007-09-25 23:54:03 11,264 ----a-w- C:\Qoobox\Quarantine\C\WINNT\daxtime.dll.vir
2007-09-25 23:54:02 . 2007-09-25 23:54:02 20,224 ----a-w- C:\Qoobox\Quarantine\C\WINNT\liqui-Uninstaller.exe.vir
2007-09-25 23:54:02 . 2007-09-25 23:54:02 18,432 ----a-w- C:\Qoobox\Quarantine\C\WINNT\fhfmm-Uninstaller.exe.vir
2007-09-25 23:54:01 . 2007-09-25 23:54:01 27,136 ----a-w- C:\Qoobox\Quarantine\C\WINNT\xadbrk_.exe.vir
2007-09-25 23:54:00 . 2007-09-25 23:54:00 16,896 ----a-w- C:\Qoobox\Quarantine\C\WINNT\kkcomp$.exe.vir
2007-09-25 23:53:59 . 2007-09-25 23:53:59 28,672 ----a-w- C:\Qoobox\Quarantine\C\WINNT\liqad$.exe.vir
2007-09-25 23:53:57 . 2007-09-25 23:53:57 15,616 ----a-w- C:\Qoobox\Quarantine\C\WINNT\wbeInst$.exe.vir
2007-09-25 23:53:57 . 2007-09-25 23:53:57 24,320 ----a-w- C:\Qoobox\Quarantine\C\WINNT\adbar.dll.vir
2007-09-25 23:53:57 . 2007-09-25 23:53:57 23,552 ----a-w- C:\Qoobox\Quarantine\C\WINNT\jd2002.dll.vir
2007-09-25 23:53:57 . 2007-09-25 23:53:57 9,216 ----a-w- C:\Qoobox\Quarantine\C\WINNT\spredirect.dll.vir
2007-09-25 23:53:56 . 2007-09-25 23:53:56 24,064 ----a-w- C:\Qoobox\Quarantine\C\Program Files\e-zshopper\BarLcher.dll.vir
2007-09-25 23:53:54 . 2007-09-25 23:53:54 8,704 ----a-w- C:\Qoobox\Quarantine\C\WINNT\aconti.exe.vir
2007-09-25 23:53:53 . 2007-09-25 23:53:53 16,640 ----a-w- C:\Qoobox\Quarantine\C\WINNT\ie_32.exe.vir
2007-09-25 23:53:53 . 2007-09-25 23:53:53 29,952 ----a-w- C:\Qoobox\Quarantine\C\WINNT\xxxvideo.exe.vir
2007-09-25 23:53:52 . 2007-09-25 23:53:52 14,592 ----a-w- C:\Qoobox\Quarantine\C\WINNT\ngd.dll.vir
2007-09-25 23:53:52 . 2007-09-25 23:53:52 13,824 ----a-w- C:\Qoobox\Quarantine\C\WINNT\dp0.dll.vir
2007-09-25 23:53:49 . 2007-09-25 23:53:49 32,256 ----a-w- C:\Qoobox\Quarantine\C\WINNT\vxddsk.exe.vir
2007-09-25 23:53:48 . 2007-09-25 23:53:48 21,504 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\vxddsk.exe.vir
2007-09-25 23:53:48 . 2007-09-25 23:53:48 23,552 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\wml.exe.vir
2007-09-25 23:53:48 . 2007-09-25 23:53:48 31,232 ----a-w- C:\Qoobox\Quarantine\C\WINNT\wml.exe.vir
2007-09-25 23:53:47 . 2007-09-25 23:53:47 17,408 ----a-w- C:\Qoobox\Quarantine\C\WINNT\7search.dll.vir
2007-09-25 23:53:47 . 2007-09-25 23:53:47 9,728 ----a-w- C:\Qoobox\Quarantine\C\WINNT\flt.dll.vir
2007-09-25 23:53:47 . 2007-09-25 23:53:47 25,856 ----a-w- C:\Qoobox\Quarantine\C\WINNT\764.exe.vir
2007-09-25 23:53:47 . 2007-09-25 23:53:47 13,568 ----a-w- C:\Qoobox\Quarantine\C\WINNT\pbar.dll.vir
2007-09-25 23:33:13 . 2007-10-08 19:16:03 12 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\gtv_sd.bin.vir
2007-09-25 23:33:03 . 2007-09-25 23:33:03 283 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\x.gif.vir
2007-09-25 23:33:02 . 2007-09-25 23:33:02 1,791 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\win_logo.gif.vir
2007-09-25 23:33:02 . 2007-09-25 23:33:02 3,877 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\warning_icon.gif.vir
2007-09-25 23:33:02 . 2007-09-25 23:33:02 291 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\v.gif.vir
2007-09-25 23:33:02 . 2007-09-25 23:33:02 550 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\star_small.gif.vir
2007-09-25 23:33:01 . 2007-09-25 23:33:01 223 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\star_gray_small.gif.vir
2007-09-25 23:33:01 . 2007-09-25 23:33:01 425 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\star_gray.gif.vir
2007-09-25 23:33:01 . 2007-09-25 23:33:01 639 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\star.gif.vir
2007-09-25 23:33:01 . 2007-09-25 23:33:01 13,618 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\spy_away_box.jpg.vir
2007-09-25 23:33:00 . 2007-09-25 23:33:00 49 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\spacer.gif.vir
2007-09-25 23:33:00 . 2007-09-25 23:33:00 53 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\sep_vert.gif.vir
2007-09-25 23:32:58 . 2007-09-25 23:32:58 65 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\sep_hor.gif.vir
2007-09-25 23:32:58 . 2007-09-25 23:32:58 1,330 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\product_features.gif.vir
2007-09-25 23:32:58 . 2007-09-25 23:32:58 1,714 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\product_3_name_small.gif.vir
2007-09-25 23:32:57 . 2007-09-25 23:32:57 3,080 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\product_3_header.gif.vir
2007-09-25 23:32:57 . 2007-09-25 23:32:57 979 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\product_2_name_small.gif.vir
2007-09-25 23:32:57 . 2007-09-25 23:32:57 2,214 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\product_2_header.gif.vir
2007-09-25 23:32:57 . 2007-09-25 23:32:57 1,253 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\product_1_name_small.gif.vir
2007-09-25 23:32:56 . 2007-09-25 23:32:56 2,604 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\product_1_header.gif.vir
2007-09-25 23:32:56 . 2007-09-25 23:32:56 10,260 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\perfect_cleaner_box.jpg.vir
2007-09-25 23:32:56 . 2007-09-25 23:32:56 215 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\main_back.gif.vir
2007-09-25 23:32:55 . 2007-09-25 23:32:55 1,204 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\infected.gif.vir
2007-09-25 23:32:55 . 2007-09-25 23:32:55 11,077 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\header_4.gif.vir
2007-09-25 23:32:55 . 2007-09-25 23:32:55 10,193 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\header_3.gif.vir
2007-09-25 23:32:54 . 2007-09-25 23:32:54 15,421 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\header_2.gif.vir
2007-09-25 23:32:54 . 2007-09-25 23:32:54 28,459 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\header_1.gif.vir
2007-09-25 23:32:53 . 2007-09-25 23:32:53 2,922 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\footer_back.jpg.vir
2007-09-25 23:32:53 . 2007-09-25 23:32:53 2,238 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\download_box.gif.vir
2007-09-25 23:32:53 . 2007-09-25 23:32:53 1,647 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\button_freescan.gif.vir
2007-09-25 23:32:52 . 2007-09-25 23:32:52 1,619 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\button_buynow.gif.vir
2007-09-25 23:32:52 . 2007-09-25 23:32:52 12,326 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\box_3.gif.vir
2007-09-25 23:32:51 . 2007-09-25 23:32:51 11,927 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\box_2.gif.vir
2007-09-25 23:32:51 . 2007-09-25 23:32:51 12,313 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\box_1.gif.vir
2007-09-25 23:32:50 . 2007-09-25 23:32:50 837 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\blank.gif.vir
2007-09-25 23:32:50 . 2007-09-25 23:32:50 835 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\style.css.vir
2007-09-25 23:32:50 . 2007-09-25 23:32:50 50,280 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\pt.htm.vir
2007-09-25 23:32:48 . 2007-09-25 23:32:48 1,014 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\yellow_warning_ico.gif.vir
2007-09-25 23:32:48 . 2007-09-25 23:32:48 1,381 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\warning_ico.gif.vir
2007-09-25 23:32:47 . 2007-09-25 23:32:47 3,031 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\spyware_detected.gif.vir
2007-09-25 23:32:47 . 2007-09-25 23:32:47 1,743 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\remove_spyware_header.gif.vir
2007-09-25 23:32:47 . 2007-09-25 23:32:47 16,941 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\icon_warning_big.gif.vir
2007-09-25 23:32:46 . 2007-09-25 23:32:46 64 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\close_ico.gif.vir
2007-09-25 23:32:46 . 2007-09-25 23:32:46 72 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\bg_bg.gif.vir
2007-09-25 23:32:46 . 2007-09-25 23:32:46 5,418 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\s_detect.htm.vir
2007-09-25 23:32:45 . 2007-09-25 23:32:45 821 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\shadow_bg.gif.vir
2007-09-25 23:32:45 . 2007-09-25 23:33:00 2,798 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\shadow.jpg.vir
2007-09-25 23:32:45 . 2007-09-25 23:32:45 26,487 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\screenshot.jpg.vir
2007-09-25 23:32:44 . 2007-09-25 23:32:44 4,008 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\rating.gif.vir
2007-09-25 23:32:44 . 2007-09-25 23:32:44 16,977 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\header_red_protect_your_pc.gif.vir
2007-09-25 23:32:43 . 2007-09-25 23:32:43 838 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\header_red_free_scan_bg.gif.vir
2007-09-25 23:32:43 . 2007-09-25 23:32:43 3,216 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\header_red_free_scan.gif.vir
2007-09-25 23:32:43 . 2007-09-25 23:32:43 877 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\header_red_bg.gif.vir
2007-09-25 23:32:42 . 2007-09-25 23:32:42 4,448 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\download_now_btn.gif.vir
2007-09-25 23:32:42 . 2007-09-25 23:32:42 8,852 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\download_btn.jpg.vir
2007-09-25 23:32:41 . 2007-09-25 23:32:41 3,479 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\cell_header_scan.gif.vir
2007-09-25 23:32:41 . 2007-09-25 23:32:41 3,552 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\cell_header_remove.gif.vir
2007-09-25 23:32:40 . 2007-09-25 23:32:40 3,313 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\cell_header_block.gif.vir
2007-09-25 23:32:39 . 2007-09-25 23:32:40 1,373 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\cell_footer.gif.vir
2007-09-25 23:32:39 . 2007-09-25 23:32:39 1,342 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\cell_bg.gif.vir
2007-09-23 15:12:54 . 2007-10-10 00:17:01 4,743 ----a-w- C:\Qoobox\Quarantine\C\Program Files\ISM2\targets.gz.vir
2007-07-31 05:47:42 . 2007-07-31 05:47:42 1,476 ----a-w- C:\Qoobox\Quarantine\C\WINNT\EventSystem.log.vir
2007-07-08 16:28:34 . 2007-07-26 18:37:41 1,470 ----a-w- C:\Qoobox\Quarantine\C\WINNT\wr.txt.vir
2006-10-14 15:08:14 . 2006-10-14 15:08:16 3,584 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\Thumbs.db.vir
2006-06-21 20:14:11 . 2006-06-21 20:14:12 104 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Elisa\Desktop\Internet.lnk.vir
2005-04-26 01:13:55 . 2005-04-26 01:13:55 104 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Julie\Desktop\Internet.lnk.vir
2004-04-24 23:58:59 . 2004-02-17 17:03:25 1,994 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Julie\Desktop\ \Five Card Frenzy.lnk.vir
2004-02-18 17:23:40 . 2003-11-26 18:29:52 310,905 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\Data\CTP0355W.DAT.vir
2004-02-18 17:23:40 . 2003-12-22 21:25:22 308,441 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\Data\CTP0246W.DAT.vir
2004-02-18 17:23:40 . 2003-12-22 21:25:22 306,965 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\Data\CTP0245W.DAT.vir




