Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Second browser opening to unrequested sites


  • This topic is locked This topic is locked
26 replies to this topic

#1 cranberry2

cranberry2

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:48 PM

Posted 16 January 2010 - 03:22 PM


First time posting. I hope there is a solution.

I open up IE8 (with pop-up blocker ON -high security) and went to BleepingComputer.com. Shortly (5 secs) a second IE8 browser window opens up and sends me to a different site (i.e. WebsiteSurvey.com).
Many redirected sites are Survery sites but not all.
This second browser will occur often, but not on every site I go to.
I notice that Document and Settings\Default User \ Temporary Internet Files gets new entries every time this happens.
Other things that happen after this infection are:
When the computer is restarted, my McAffe On Access Scan is always disabled. I manually turn it back on with "Enable On Access Scan".
About once a day, my McAffee antivirus will pop up with an infection in Document and Settings\Default User \ Temporary Internet Files\XXXXXXX called Exploit-PDF.ac.
I have the file [1].PDF deleted.
I also delete all the Temporary Internet files inside this folder.
I am really concerned about having my ID and Passwords being stolen.

I have run after being updated with latest signatures:
McAfee scan
ThreatFire scan
Malwarebytes scan
Sophos scan
Clamwin scan
BitDefender scan
ESET scan
Adaware scan
Spybot scan
Rootkit Revealer
Stinger (which seems to hang up)
HiJack-This looks normal from my limited viewpoint (I have not posted it anywhere yet)

Most have been run in both Normal and Safe mode.
They all come back nothing found.

Something is hidden very well.
What can I do next to identify what is causing this "redirected browser" and getting the Exploit-PDF.ac?
Thanks for any help you can provide.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:39 PM, on 1/16/2010
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\ThreatFire\TFService.exe
H:\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [!teamcfg] %SystemRoot%\..\dell\nicteaming\intel\nicteamconfig.bat (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://www.amazon.com
O15 - Trusted Zone: *.citicards.com
O15 - Trusted Zone: http://www.fafsa.ed.gov
O15 - Trusted Zone: http://www.flickr.com
O15 - Trusted Zone: http://www.hgtv.com
O15 - Trusted Zone: http://quicken.intuit.com
O15 - ESC Trusted Zone: http://www.aaltonen.us
O15 - ESC Trusted Zone: http://surveys.apcc.com
O15 - ESC Trusted Zone: http://eval.bizrate.com
O15 - ESC Trusted Zone: http://www.cc.bizrate.com
O15 - ESC Trusted Zone: http://ftp.us.dell.com
O15 - ESC Trusted Zone: http://support.dell.com
O15 - ESC Trusted Zone: http://www.fafsa.ed.gov
O15 - ESC Trusted Zone: *.hotmail.com
O15 - ESC Trusted Zone: login.live.com
O15 - ESC Trusted Zone: http://*.mdmm.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.myspace.com
O15 - ESC Trusted Zone: http://download.nvidia.com
O15 - ESC Trusted Zone: http://www.nvidia.com
O15 - ESC Trusted Zone: http://www.nzone.com
O15 - ESC Trusted Zone: http://*.rutlandlibrary.org
O15 - ESC Trusted Zone: http://www.stapleseasyrebates.com
O15 - ESC Trusted Zone: http://www-unix.oit.umass.edu
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O16 - DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl5.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1260966743531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1260966718937
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jimhome.com
O17 - HKLM\Software\..\Telephony: DomainName = jimhome.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D92AB50-DA4E-48FE-84B1-6D8427433C60}: NameServer = 192.168.7.104,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jimhome.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jimhome.com
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: TomTomHOMEService - TomTom - H:\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 10000 bytes


BC AdBot (Login to Remove)

 


#2 cranberry2

cranberry2
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:48 PM

Posted 16 January 2010 - 04:15 PM

I just ran Malwarebytes again and got some infections that were never found before.
I will wait for your replys before removing the infections.
Please let me know what I should do next.

Malwarebytes' Anti-Malware 1.44
Database version: 3576
Windows 5.2.3790 Service Pack 2
Internet Explorer 8.0.6001.18702

1/16/2010 4:08:02 PM
mbam-log-2010-01-16 (16-07-55).txt

Scan type: Quick Scan
Objects scanned: 117532
Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.Exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe (Security.Hijack) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Edited by cranberry2, 16 January 2010 - 04:16 PM.


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:48 PM

Posted 23 January 2010 - 09:49 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
[We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#4 cranberry2

cranberry2
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:48 PM

Posted 23 January 2010 - 11:33 PM

I am happy to get your message.
My PC OS is Windows 2003 Server with all the latest updates/patches.
I use IE8 with pop up blocker turned on with high security.
I have a little home network with this acting as my Domain Server.
My first symptoms were:
When I opened my IE8 browser, entered a URL and went to the website, a second browser window would open, often going to a survey website (i.e. thewebsitesurvey).
Upon startup, my McAfee "on access" scan would be disabled and my McAfee SiteAdvisor would be disabled.
On occasion, I would get a "svchost.exe" failed message and my PC would shut down within a minute.
Also I would find new Temporary Internet Files showing up under "Default User" Local Settings.

I ran scans with almost all the Anti Virus Tools and the only thing that was found was a "exploit.pdf" that would keep showing up after being Quarentined each time.
I will run the program you suggested and reply again. I am not sure if OTL will run on Win2003, but I will try.
While waiting for a reply, I ran GMER and found that atapi.sys had be modified.


#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:48 PM

Posted 23 January 2010 - 11:39 PM

Hi,

OTL should run fine on server 2003. However many other tools don't.

Please also provide the log from gmer if you still have it.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#6 cranberry2

cranberry2
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:48 PM

Posted 24 January 2010 - 12:18 AM

Here is OTL.txt
OTL logfile created on: 1/24/2010 12:00:35 AM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): h:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 14.74 Gb Total Space | 2.19 Gb Free Space | 14.84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 22.48 Gb Total Space | 1.70 Gb Free Space | 7.58% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ATHENA
Current User Name: administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/16 15:51:08 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/01/07 07:45:44 | 00,788,880 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/01/07 07:45:43 | 01,181,328 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/12/08 14:25:28 | 00,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/11/23 14:49:27 | 00,378,128 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFTray.exe
PRC - [2009/11/23 14:49:24 | 00,070,928 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFService.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/02/16 06:37:19 | 00,450,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2007/02/17 09:04:02 | 00,024,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2007/02/17 09:04:01 | 00,040,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\snmp.exe
PRC - [2007/02/17 09:03:53 | 00,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/02/17 09:03:42 | 00,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ismserv.exe
PRC - [2007/02/17 09:03:39 | 01,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/17 09:03:35 | 00,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
PRC - [2005/12/10 03:06:00 | 00,131,139 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2003/03/06 06:00:00 | 00,233,595 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\VirusScan\Mcshield.exe
PRC - [2003/03/06 06:00:00 | 00,127,050 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
PRC - [2003/03/06 06:00:00 | 00,090,182 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\VirusScan\shstat.exe
PRC - [2003/02/25 05:00:00 | 00,139,347 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
PRC - [2003/02/25 05:00:00 | 00,127,058 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
PRC - [2003/02/25 05:00:00 | 00,106,586 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


========== Modules (SafeList) ==========

MOD - [2010/01/16 15:51:08 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2009/12/08 13:12:24 | 00,014,544 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2009/11/23 14:49:32 | 00,460,048 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFWAH.dll
MOD - [2007/02/17 23:26:08 | 01,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\comctl32.dll
MOD - [2007/02/17 00:35:15 | 00,812,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ws03res.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (TomTomHOMEService)
SRV - [2010/01/07 07:45:43 | 01,181,328 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/12/08 14:25:28 | 00,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/11/23 14:49:24 | 00,070,928 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire)
SRV - [2009/02/16 06:37:19 | 00,450,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2007/02/17 09:04:02 | 00,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 09:04:01 | 00,040,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\snmp.exe -- (SNMP)
SRV - [2007/02/17 09:03:58 | 00,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/17 09:03:53 | 00,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/17 09:03:43 | 00,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/17 09:03:42 | 00,040,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/17 09:03:35 | 00,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2005/12/10 03:06:00 | 00,131,139 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/03/25 07:00:00 | 00,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2003/03/25 07:00:00 | 00,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2003/03/06 06:00:00 | 00,233,595 | ---- | M] (Network Associates, Inc.) [On_Demand | Paused] -- C:\Program Files\Network Associates\VirusScan\Mcshield.exe -- (McShield)
SRV - [2003/03/06 06:00:00 | 00,127,050 | ---- | M] (Network Associates, Inc.) [Auto | Running] -- C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe -- (McTaskManager)
SRV - [2003/02/25 05:00:00 | 00,106,586 | ---- | M] (Network Associates, Inc.) [Auto | Running] -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe -- (McAfeeFramework)


========== Driver Services (SafeList) ==========

DRV - [2009/12/02 08:19:06 | 00,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/11/23 14:49:39 | 00,059,664 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - [2009/11/23 14:49:38 | 00,033,552 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2009/11/23 14:49:37 | 00,051,984 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2007/11/13 04:32:23 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/19 19:56:10 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007/02/17 01:29:40 | 00,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/17 01:12:27 | 00,060,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/02/17 01:06:39 | 00,020,480 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2007/02/17 01:02:56 | 00,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/17 00:51:18 | 00,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\Dfs.sys -- (DfsDriver)
DRV - [2006/07/04 10:17:39 | 00,005,248 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\giveio.sys -- (giveio)
DRV - [2005/12/10 03:06:00 | 03,536,768 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/02/02 01:21:04 | 00,014,408 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2004/05/29 08:15:12 | 00,009,728 | ---- | M] (iolo technologies, LLC (based on original work by Bo BrantÚn)) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\filedisk.sys -- (FileDisk)
DRV - [2003/10/25 01:01:02 | 00,125,952 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1000325.sys -- (E1000) Intel®
DRV - [2003/05/06 08:14:34 | 00,580,992 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2003/05/01 13:26:34 | 00,005,220 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2003/03/24 23:07:18 | 00,009,216 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1)
DRV - [2003/03/24 23:07:16 | 00,025,600 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MemStPCI.SYS -- (MemStPCI) Sony Memory Stick controller (PCI)
DRV - [2003/03/24 16:54:06 | 00,343,424 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mpad.sys -- (ati2mpad)
DRV - [2003/03/06 06:00:00 | 00,084,448 | ---- | M] (Network Associates, Inc.) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\naiavf5x.sys -- (NaiAvFilter1)
DRV - [2002/04/01 13:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2000/10/10 06:00:00 | 00,003,252 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\PQNTDRV.sys -- (PQNTDrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
IE - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
IE - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\S-1-5-21-3525248195-4285539848-3424530049-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/01/08 20:32:18 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/02 09:02:47 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/16 12:01:06 | 00,000,000 | ---D | M]

[2009/09/01 16:47:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2008/04/27 20:43:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\home2@tomtom.com
[2009/09/01 16:58:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pjlepw7u.default\extensions
[2008/02/12 18:52:49 | 00,002,386 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pjlepw7u.default\searchplugins\siteadvisor.xml
[2010/01/13 19:16:52 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/11/29 17:31:02 | 00,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcm80.dll
[2007/11/29 17:31:02 | 00,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcp80.dll
[2007/11/29 17:31:04 | 00,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcr80.dll

O1 HOSTS File: ([2010/01/09 01:15:46 | 00,371,817 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 12818 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (CitiUSBrowserHelper Class) - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll (Orbiscom Ltd. All rights reserved.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\..\Toolbar\WebBrowser: (no name) - {119DBEDA-9C41-4F97-94B4-B6BCD01133CF} - No CLSID value found.
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AuCaption] File not found
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe (Network Associates, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE (Network Associates, Inc.)
O4 - HKLM..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
O4 - HKU\.DEFAULT..\RunOnce: [!teamcfg] C:\WINDOWS\..\dell\nicteaming\intel\nicteamconfig.bat File not found
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [!teamcfg] C:\WINDOWS\..\dell\nicteaming\intel\nicteamconfig.bat File not found
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [!teamcfg] C:\WINDOWS\..\dell\nicteaming\intel\nicteamconfig.bat File not found
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [!teamcfg] C:\WINDOWS\..\dell\nicteaming\intel\nicteamconfig.bat File not found
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\..Trusted Domains: accountonline.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\..Trusted Domains: amazon.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\..Trusted Domains: citicards.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\..Trusted Domains: ebay.com ([signin] https in Trusted sites)
O15 - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\..Trusted Domains: ed.gov ([www.fafsa] http in Trusted sites)
O15 - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\..Trusted Domains: flickr.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\..Trusted Domains: google.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\..Trusted Domains: hgtv.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\..Trusted Domains: intuit.com ([quicken] http in Trusted sites)
O15 - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\..Trusted Domains: live.com ([login] https in Trusted sites)
O15 - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\..Trusted Domains: yahoo.com ([login] https in Trusted sites)
O15 - HKU\S-1-5-21-3525248195-4285539848-3424530049-500\..Trusted Domains: 67 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://dev.srtest.com/srl_bin/sysreqlab3.cab (System Requirements Lab Class)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} http://www.umediaserver.net/bin/UMediaControl5.cab (UMediaPlayer Class)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1260966743531 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1260966718937 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...8239.7730555556 (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jimhome.com
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/09/09 16:18:52 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{10d325b9-d9f1-11de-8955-0011110cf8aa}\Shell\AutoRun\command - "" = G:\Customizer.exe -- File not found
O33 - MountPoints2\{6fdaaa12-a558-11de-bf09-0011110cf8aa}\Shell - "" = AutoRun
O33 - MountPoints2\{6fdaaa12-a558-11de-bf09-0011110cf8aa}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6fdaaa12-a558-11de-bf09-0011110cf8aa}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{942f1c09-ff77-11de-b7ab-0011110cf8aa}\Shell\AutoRun\command - "" = G:\Autorun.exe -- File not found
O33 - MountPoints2\{942f1c09-ff77-11de-b7ab-0011110cf8aa}\Shell\Shell00\Command - "" = G:\Autorun.exe -- File not found
O33 - MountPoints2\{942f1c09-ff77-11de-b7ab-0011110cf8aa}\Shell\Shell01\Command - "" = G:\Autorun.exe -- File not found
O33 - MountPoints2\{942f1c09-ff77-11de-b7ab-0011110cf8aa}\Shell\Shell02\Command - "" = G:\Autorun.exe -- File not found
O33 - MountPoints2\{988c5f01-c311-11dc-ae87-000cf1d3b155}\Shell\AutoRun\command - "" = J:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\{c143dd31-edba-11de-85fd-0011110cf8aa}\Shell - "" = AutoRun
O33 - MountPoints2\{c143dd31-edba-11de-85fd-0011110cf8aa}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c143dd31-edba-11de-85fd-0011110cf8aa}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
O33 - MountPoints2\{c143dd32-edba-11de-85fd-0011110cf8aa}\Shell\AutoRun\command - "" = K:\Autoplay.exe -- File not found
O33 - MountPoints2\{ca8d1dd5-52a9-11dc-823d-000cf1d3b155}\Shell - "" = AutoRun
O33 - MountPoints2\{ca8d1dd5-52a9-11dc-823d-000cf1d3b155}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ca8d1dd5-52a9-11dc-823d-000cf1d3b155}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/03/24 15:45:53 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
NetSvcs: TrkSvr - C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe File not found
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
MsConfig - StartUpReg: nwiz - hkey= - key= - File not found
MsConfig - StartUpReg: TomTomHOME.exe - hkey= - key= - H:\TomTom HOME 2\TomTomHOMERunner.exe File not found
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: wd.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36BBA8D2-CA5C-4847-81CC-4F807DD86C91} - %SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015C} - Microsoft DirectX
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4CF07653-FE0F-11D4-A548-0090278A1BB8} - .NET Framework
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5f3c70b3-ac2f-432c-8f9c-1624df61f54f} - Microsoft Data Access Components KB870669
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6D69F546-C1AF-4049-AE9E-28627B91D3F5} - %SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {A509B1A7-37EF-4b3f-8CFC-4F3A74704073} - %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin
ActiveX: {A509B1A8-37EF-4b3f-8CFC-4F3A74704073} - %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser
ActiveX: {abcdf74f-9a64-4e6e-b8eb-6e5a41de6550} - Help and Support Center
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} -
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\AC3ACM.acm (fccHandler)
Drivers32: msacm.alf2cd - C:\WINDOWS\System32\alf2cd.acm (NCT Company)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.scg726 - C:\WINDOWS\System32\Scg726.acm (SHARP Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.voxacm160 - C:\WINDOWS\System32\vct3216.acm (Voxware, Inc.)
Drivers32: vidc.dvsd - C:\WINDOWS\System32\mcdvd_32.dll (MainConcept)
Drivers32: vidc.mp42 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.mp43 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.mpg4 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.xvid - C:\WINDOWS\System32\xvidvfw.dll ()

========== Files/Folders - Created Within 30 Days ==========

[2010/01/20 23:02:37 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/01/19 22:03:13 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Administrator\Desktop\RootRepeal.exe
[2010/01/19 22:01:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\RootRepeal
[2010/01/16 15:50:59 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/01/16 15:15:40 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HJTInstall.exe
[2010/01/16 11:59:35 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2010/01/15 21:25:41 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/01/09 21:21:26 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/01/09 20:01:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\BDOSCAN8
[2010/01/09 11:35:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9 Installer
[2010/01/09 11:35:04 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/01/09 11:33:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/01/09 00:58:22 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/01/09 00:58:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/01/08 21:59:49 | 00,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/01/08 21:54:36 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/07 07:36:56 | 00,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/01/07 07:36:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2010/01/07 07:18:19 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2004/09/09 16:24:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2004/09/09 16:23:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2004/09/09 16:18:28 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2004/09/09 16:18:28 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/23 23:44:09 | 00,608,490 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/23 23:44:09 | 00,509,552 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/23 23:44:09 | 00,087,606 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/23 23:42:50 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/23 23:42:50 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/23 23:42:48 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/23 23:42:48 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/23 23:42:47 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/23 23:41:45 | 00,043,573 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/01/23 23:40:02 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/23 23:39:17 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/23 23:39:11 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/21 23:01:27 | 21,233,664 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/01/21 23:01:27 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/01/21 22:44:02 | 00,173,568 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/21 22:43:20 | 00,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/01/20 23:14:26 | 00,065,536 | ---- | M] () -- C:\WINDOWS\NETLOGON.CHG
[2010/01/20 21:50:30 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\xuekmoh7.exe
[2010/01/19 21:58:09 | 00,464,491 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RootRepeal.zip
[2010/01/19 21:55:19 | 00,000,512 | ---- | M] () -- C:\WINDOWS\randseed.rnd
[2010/01/19 21:43:22 | 00,132,597 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe
[2010/01/19 21:38:41 | 00,077,312 | ---- | M] () -- C:\mbr.exe
[2010/01/17 13:29:54 | 04,094,713 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\unhackme500.zip
[2010/01/17 07:51:00 | 00,008,856 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\virusie.rtf
[2010/01/16 15:51:08 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/01/16 15:16:20 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HiJackThis.lnk
[2010/01/16 15:15:41 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HJTInstall.exe
[2010/01/16 12:01:07 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/01/16 08:34:51 | 04,240,656 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/01/15 20:26:59 | 00,003,423 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/14 15:12:06 | 03,824,993 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\yCF.exe
[2010/01/11 19:04:54 | 00,000,230 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\virus1.rtf
[2010/01/09 11:35:40 | 00,000,732 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/01/09 01:15:46 | 00,371,817 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/01/09 00:58:36 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/07 07:18:15 | 00,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/20 22:59:58 | 03,824,993 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\yCF.exe
[2010/01/20 21:50:25 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\xuekmoh7.exe
[2010/01/19 21:58:06 | 00,464,491 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RootRepeal.zip
[2010/01/19 21:43:21 | 00,132,597 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe
[2010/01/19 21:38:39 | 00,077,312 | ---- | C] () -- C:\mbr.exe
[2010/01/17 13:29:48 | 04,094,713 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\unhackme500.zip
[2010/01/17 07:51:00 | 00,008,856 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\virusie.rtf
[2010/01/16 12:01:07 | 00,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/01/11 19:04:54 | 00,000,230 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\virus1.rtf
[2010/01/09 11:35:40 | 00,000,732 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/01/09 00:58:36 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2010/01/08 21:54:36 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HiJackThis.lnk
[2010/01/08 20:10:11 | 00,000,512 | ---- | C] () -- C:\WINDOWS\randseed.rnd
[2010/01/07 09:18:08 | 00,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/01/07 07:48:15 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/07 07:48:14 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/07 07:48:13 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/07 07:48:11 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/07 07:44:22 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/07 07:18:15 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/01/05 15:44:10 | 00,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2006/12/23 12:51:15 | 00,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/10/22 13:26:26 | 00,011,597 | ---- | C] () -- C:\WINDOWS\System32\dnsperf.ini
[2006/07/04 10:17:39 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys
[2006/05/21 08:23:03 | 00,000,045 | ---- | C] () -- C:\WINDOWS\EPSONC86.ini
[2006/05/21 08:21:52 | 00,000,051 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2006/04/07 23:31:38 | 00,524,288 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006/04/07 23:31:38 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2005/12/10 03:06:00 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/12/10 03:06:00 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/12/10 03:06:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/12/10 03:06:00 | 00,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/12/10 03:06:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/12/10 03:06:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005/12/10 03:06:00 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/05/21 22:29:20 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\bcshellext.dll
[2005/03/31 06:39:36 | 00,198,656 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/03/24 20:44:26 | 00,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2005/03/18 20:44:30 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PasswordsPlus.INI
[2005/02/04 21:41:15 | 00,003,252 | ---- | C] () -- C:\WINDOWS\System32\drivers\PQNTDRV.sys
[2005/01/03 23:45:30 | 00,000,635 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2005/01/03 23:44:46 | 00,565,248 | R--- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2004/12/25 17:49:27 | 00,173,568 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/12/22 00:14:05 | 00,139,288 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2004/12/13 21:03:53 | 00,000,165 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2004/12/13 19:59:16 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/09/09 16:03:28 | 00,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2004/09/09 16:03:28 | 00,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2004/09/09 16:03:28 | 00,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini
[2004/09/09 16:02:40 | 00,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2004/09/09 16:02:36 | 00,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2004/09/09 12:11:49 | 00,131,072 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 03:31:44 | 00,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 03:31:38 | 00,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >


< MD5 for: AGP440.SYS >
[2005/03/24 20:45:04 | 14,191,965 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:AGP440.sys
[2007/03/24 15:28:54 | 19,481,285 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2005/03/24 20:45:04 | 14,191,965 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp1.cab:AGP440.sys
[2007/03/24 15:28:54 | 19,481,285 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2007/02/17 00:58:53 | 00,044,032 | ---- | M] (Microsoft Corporation) MD5=B9985042687A43685FC64B282B627653 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2007/02/17 00:58:53 | 00,044,032 | ---- | M] (Microsoft Corporation) MD5=B9985042687A43685FC64B282B627653 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2005/03/24 20:45:04 | 14,191,965 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2007/03/24 15:28:54 | 19,481,285 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2005/03/24 20:45:04 | 14,191,965 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp1.cab:atapi.sys
[2007/03/24 15:28:54 | 19,481,285 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2003/03/25 07:00:00 | 00,091,136 | ---- | M] (Microsoft Corporation) MD5=FA30640404376517930772D7E559AEF1 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[2003/03/24 22:04:52 | 00,091,136 | ---- | M] (Microsoft Corporation) MD5=FA30640404376517930772D7E559AEF1 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
[2007/02/17 01:07:35 | 00,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2007/02/17 01:07:35 | 00,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2007/02/17 09:02:49 | 00,068,608 | ---- | M] (Microsoft Corporation) MD5=3AAB2418271343FE97F98AEF93F50E5F -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2007/02/17 09:02:49 | 00,068,608 | ---- | M] (Microsoft Corporation) MD5=3AAB2418271343FE97F98AEF93F50E5F -- C:\WINDOWS\system32\eventlog.dll
[2004/10/18 09:12:46 | 00,064,000 | ---- | M] (Microsoft Corporation) MD5=6A3A76F8080F4CE443AEF06ADF8B8008 -- C:\WINDOWS\$hf_mig$\KB885835\RTMQFE\eventlog.dll
[2004/03/15 21:09:57 | 00,064,000 | ---- | M] (Microsoft Corporation) MD5=79D61B396ADFEC5A097C29C6D7C9AC1C -- C:\WINDOWS\$hf_mig$\KB835732\RTMQFE\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2007/02/17 09:03:02 | 00,430,592 | ---- | M] (Microsoft Corporation) MD5=451564B8F22461D90CF8ED3945637845 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2007/02/17 09:03:02 | 00,430,592 | ---- | M] (Microsoft Corporation) MD5=451564B8F22461D90CF8ED3945637845 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2007/02/17 09:03:09 | 00,188,928 | ---- | M] (Microsoft Corporation) MD5=E7B7FD7D8907DADED4928E922608887F -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2007/02/17 09:03:09 | 00,188,928 | ---- | M] (Microsoft Corporation) MD5=E7B7FD7D8907DADED4928E922608887F -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
< End of report >

Here is Extras.txt
OTL Extras logfile created on: 1/24/2010 12:00:35 AM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): h:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 14.74 Gb Total Space | 2.19 Gb Free Space | 14.84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 22.48 Gb Total Space | 1.70 Gb Free Space | 7.58% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ATHENA
Current User Name: administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{0DD140D3-9563-481E-AA75-BA457CBDAEF2}" = PC Inspector File Recovery
"{1912F734-6580-4620-8AFD-ECCCEA19CDE2}" = McAfee VirusScan Enterprise
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{3B0F52AC-EF5C-4831-B221-06C782E41280}" = Quicken 2008
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BAFA84F8-5A33-4ACD-AD10-58356B27A0F1}" = LiveUpdate
"{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}" = Windows Rights Management Client with Service Pack 2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{EC905264-BCFE-423B-9C42-C3A106266790}" = Windows Rights Management Client Backwards Compatibility SP2
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"3554AA4B-9B0B-451a-A269-2B5F53982209_is1" = ThreatFire
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"AVS Video Converter 4.2_is1" = AVS Video Converter 4.2.1.323
"Bitzi's Bitcollider 0.6.0" = Bitzi's Bitcollider 0.6.0
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"EPSON Printer and Utilities" = EPSON Printer Software
"ESET Online Scanner" = ESET Online Scanner v3
"FLV Player" = FLV Player 2.0 (build 25)
"FLVPlayer" = FLV Player 1.3.3
"HijackThis" = HijackThis 2.0.2
"hp psc 1310 series_Driver" = hp psc 1310 series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{BAFA84F8-5A33-4ACD-AD10-58356B27A0F1}" = LiveUpdate
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.1)" = Mozilla Firefox (3.5.1)
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PROSet" = Intel® PRO Network Adapters and Drivers
"RealPlayer 6.0" = RealPlayer
"Search and Recover 3_is1" = iolo technologies' Search and Recover 3
"ServerMagic 4.0" = ServerMagic 4.0
"SSC Service Utility_is1" = SSC Service Utility v4.20
"SystemRequirementsLab" = System Requirements Lab
"TomTom HOME" = TomTom HOME 2.7.2.1825
"VLC media player" = VideoLAN VLC media player 0.8.6d
"Vuze" = Vuze
"WIC" = Windows Imaging Component
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Server 2003 Service Pack" = Windows Server 2003 Service Pack 2
"WinRAR archiver" = WinRAR archiver
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/25/2009 6:37:51 PM | Computer Name = ATHENA | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A certificate chain could not be built to a trusted root authority.


Error - 11/26/2009 11:20:14 PM | Computer Name = ATHENA | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A certificate chain could not be built to a trusted root authority.


Error - 12/17/2009 9:27:19 PM | Computer Name = ATHENA | Source = MsiInstaller | ID = 11500
Description = Product: Cisco Systems VPN Client 5.0.06.0160 -- Error 1500. Another
installation is in progress. You must complete that installation before continuing
this one.

Error - 12/20/2009 4:54:55 PM | Computer Name = ATHENA | Source = MsiInstaller | ID = 11720
Description = Product: Cisco Systems VPN Client 5.0.06.0160 -- Error 1720. There
is a problem with this Windows Installer package. A script required for this install
to complete could not be run. Contact your support personnel or package vendor.
Custom action CsCa_GetLocalPrivName script error -2147217357, : Line 12, Column
2,

Error - 1/7/2010 8:20:15 AM | Computer Name = ATHENA | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 1/9/2010 2:55:40 AM | Computer Name = ATHENA | Source = VSS | ID = 8211
Description = Volume Shadow Copy Service error: Writer with name WMI Writer and
ID {a6ad56c2-b509-4e6c-bb19-49d8f43532f0} attempted to subscribe in safe mode.

Error - 1/11/2010 8:07:57 PM | Computer Name = ATHENA | Source = VSS | ID = 8211
Description = Volume Shadow Copy Service error: Writer with name WMI Writer and
ID {a6ad56c2-b509-4e6c-bb19-49d8f43532f0} attempted to subscribe in safe mode.

Error - 1/11/2010 10:08:20 PM | Computer Name = ATHENA | Source = VSS | ID = 8211
Description = Volume Shadow Copy Service error: Writer with name WMI Writer and
ID {a6ad56c2-b509-4e6c-bb19-49d8f43532f0} attempted to subscribe in safe mode.

Error - 1/14/2010 7:03:20 PM | Computer Name = ATHENA | Source = VSS | ID = 8211
Description = Volume Shadow Copy Service error: Writer with name WMI Writer and
ID {a6ad56c2-b509-4e6c-bb19-49d8f43532f0} attempted to subscribe in safe mode.

Error - 1/16/2010 8:40:56 AM | Computer Name = ATHENA | Source = VSS | ID = 8211
Description = Volume Shadow Copy Service error: Writer with name WMI Writer and
ID {a6ad56c2-b509-4e6c-bb19-49d8f43532f0} attempted to subscribe in safe mode.

[ Directory Service Events ]
Error - 1/14/2010 7:03:23 PM | Computer Name = ATHENA | Source = NTDS Backup | ID = 1913
Description = Internal error: The Active Directory backup and restore operation
encountered an unexpected error. Backup or restore will not succeed until this is
corrected. Additional Data Error value: 1084 This service cannot be started in
Safe Mode Internal ID: 160200fa

Error - 1/14/2010 7:05:03 PM | Computer Name = ATHENA | Source = NTDS LDAP | ID = 1238
Description = Internal error: Active Directory was unable to initialize network
connections for incoming LDAP requests. Additional Data Error value: 0

Error - 1/14/2010 7:05:03 PM | Computer Name = ATHENA | Source = NTDS General | ID = 1168
Description = Internal error: An Active Directory error has occurred. Additional
Data Error value (decimal): -1073741823 Error value (hex): c0000001 Internal ID: 300051e

Error - 1/14/2010 7:20:04 PM | Computer Name = ATHENA | Source = NTDS General | ID = 1126
Description = Active Directory was unable to establish a connection with the global
catalog. Additional Data Error value: 1792 An attempt was made to logon, but the network
logon service was not started. Internal ID: 3200cf3 User Action: Make sure a global
catalog is available in the forest, and is reachable from this domain controller.
You may use the nltest utility to diagnose this problem.

Error - 1/16/2010 8:40:58 AM | Computer Name = ATHENA | Source = NTDS General | ID = 1168
Description = Internal error: An Active Directory error has occurred. Additional
Data Error value (decimal): 1053 Error value (hex): 41d Internal ID: 30004f4

Error - 1/16/2010 8:40:58 AM | Computer Name = ATHENA | Source = NTDS General | ID = 1168
Description = Internal error: An Active Directory error has occurred. Additional
Data Error value (decimal): 1053 Error value (hex): 41d Internal ID: 3000502

Error - 1/16/2010 8:40:59 AM | Computer Name = ATHENA | Source = NTDS Backup | ID = 1913
Description = Internal error: The Active Directory backup and restore operation
encountered an unexpected error. Backup or restore will not succeed until this is
corrected. Additional Data Error value: 1084 This service cannot be started in
Safe Mode Internal ID: 160200fa

Error - 1/16/2010 8:42:38 AM | Computer Name = ATHENA | Source = NTDS LDAP | ID = 1238
Description = Internal error: Active Directory was unable to initialize network
connections for incoming LDAP requests. Additional Data Error value: 0

Error - 1/16/2010 8:42:38 AM | Computer Name = ATHENA | Source = NTDS General | ID = 1168
Description = Internal error: An Active Directory error has occurred. Additional
Data Error value (decimal): -1073741823 Error value (hex): c0000001 Internal ID: 300051e

Error - 1/16/2010 8:57:39 AM | Computer Name = ATHENA | Source = NTDS General | ID = 1126
Description = Active Directory was unable to establish a connection with the global
catalog. Additional Data Error value: 1792 An attempt was made to logon, but the network
logon service was not started. Internal ID: 3200cf3 User Action: Make sure a global
catalog is available in the forest, and is reachable from this domain controller.
You may use the nltest utility to diagnose this problem.

[ DNS Server Events ]
Error - 1/9/2010 12:51:21 PM | Computer Name = ATHENA | Source = DNS | ID = 4015
Description = The DNS server has encountered a critical error from the Active Directory.
Check
that the Active Directory is functioning properly. The extended error debug information
(which may be empty) is "". The event data contains the error.

Error - 1/9/2010 12:51:21 PM | Computer Name = ATHENA | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone .. This DNS server is configured to use information obtained from Active
Directory
for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and repeat enumeration of the zone. The extended
error debug information (which may be empty) is "". The event data contains the
error.

Error - 1/11/2010 8:05:56 PM | Computer Name = ATHENA | Source = DNS | ID = 4015
Description = The DNS server has encountered a critical error from the Active Directory.
Check
that the Active Directory is functioning properly. The extended error debug information
(which may be empty) is "". The event data contains the error.

Error - 1/11/2010 8:05:56 PM | Computer Name = ATHENA | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone .. This DNS server is configured to use information obtained from Active
Directory
for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and repeat enumeration of the zone. The extended
error debug information (which may be empty) is "". The event data contains the
error.

Error - 1/16/2010 8:38:35 AM | Computer Name = ATHENA | Source = DNS | ID = 4015
Description = The DNS server has encountered a critical error from the Active Directory.
Check
that the Active Directory is functioning properly. The extended error debug information
(which may be empty) is "". The event data contains the error.

Error - 1/16/2010 8:38:35 AM | Computer Name = ATHENA | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone .. This DNS server is configured to use information obtained from Active
Directory
for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and repeat enumeration of the zone. The extended
error debug information (which may be empty) is "". The event data contains the
error.

[ File Replication Service Events ]
Error - 5/25/2007 7:28:03 AM | Computer Name = ATHENA | Source = NtFrs | ID = 13570
Description = The File Replication Service has detected that the volume hosting
the path c: is low on disk space. Files may not replicate until disk space is made
available on this volume. The available space on the volume can be found by typing
"dir
/a c:". For more information about managing space on a volume type "copy /?", "rename
/?", "del /?", "rmdir /?", and "dir /?".

Error - 5/25/2007 7:28:03 AM | Computer Name = ATHENA | Source = NtFrs | ID = 13570
Description = The File Replication Service has detected that the volume hosting
the path C: is low on disk space. Files may not replicate until disk space is made
available on this volume. The available space on the volume can be found by typing
"dir
/a C:". For more information about managing space on a volume type "copy /?", "rename
/?", "del /?", "rmdir /?", and "dir /?".

Error - 4/19/2008 1:33:29 AM | Computer Name = ATHENA | Source = NtFrs | ID = 13570
Description = The File Replication Service has detected that the volume hosting
the path c: is low on disk space. Files may not replicate until disk space is made
available on this volume. The available space on the volume can be found by typing
"dir
/a c:". For more information about managing space on a volume type "copy /?", "rename
/?", "del /?", "rmdir /?", and "dir /?".

Error - 4/19/2008 1:33:29 AM | Computer Name = ATHENA | Source = NtFrs | ID = 13570
Description = The File Replication Service has detected that the volume hosting
the path C: is low on disk space. Files may not replicate until disk space is made
available on this volume. The available space on the volume can be found by typing
"dir
/a C:". For more information about managing space on a volume type "copy /?", "rename
/?", "del /?", "rmdir /?", and "dir /?".

Error - 7/24/2009 5:19:13 PM | Computer Name = ATHENA | Source = NtFrs | ID = 13568
Description =


========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

Here is the GMER log I ran a few days ago
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-20 21:54:21
Windows 5.2.3790 Service Pack 2
Running: xuekmoh7.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awtdrpow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp TfNetMon.sys (ThreatFire Network Monitor/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A336618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:48 PM

Posted 24 January 2010 - 12:38 AM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 cranberry2

cranberry2
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:48 PM

Posted 24 January 2010 - 01:15 AM

The ComboFix download would not download unless I renamed it to something else.
The download would fail with a write access error.
I download with a different name and tried to run after disabling my anti virus apps.
I kept getting
Some Files cannot be created. Close all programs and Please reboot
I don't think anything was running.
I rebooted several times but got the same error each time.

#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:48 PM

Posted 24 January 2010 - 11:39 AM

Hi,

please try running TDSSKiller instead:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

lg myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#10 cranberry2

cranberry2
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:48 PM

Posted 24 January 2010 - 02:07 PM

Here isthe TDskiller log:
TDSS rootkit removing tool, Kaspersky Lab, 2010
version 2.2.2 Jan 13 2010 08:42:25

Scanning Services ...

Scanning Kernel memory ...
Driver "atapi" Irp handler infected by TDSS rootkit ... cured
Driver "atapi" StartIo handler infected by TDSS rootkit ... cured
File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... will be
cured on next reboot

Completed

Results:
Memory objects infected / cured / cured on reboot: 2 / 2 / 0
Registry objects infected / cured / cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 1 / 0 / 1

To finalize removal of infection and avoid loosing of data program will
reboot your PC now.
Close all programs and choose Y to restart or N to continue


#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:48 PM

Posted 24 January 2010 - 07:10 PM

Hi,

please reboot. smile.gif

The log looks promising, let me know if you still get redirected after reboot.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#12 cranberry2

cranberry2
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:48 PM

Posted 24 January 2010 - 10:09 PM

I have rebooted and no redirects yet.
I will see how it goes for a day.
Does this infection usually come from an infected website, email, etc.?
I am trying to figure out how to limit it from happening again.

I am really glad there are people like you around to solve these infections. Thanks.
I will update after the PC has been up for a while.

#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:48 PM

Posted 25 January 2010 - 07:41 AM

Hi,

the infection often comes from malicious or hacked websites. I will offer you a couple of advices at the end that may help preventing infection in future.
For now I would like to make sure that nothing is left on your PC:

Please run a scan with Malwarebytes:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#14 cranberry2

cranberry2
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:48 PM

Posted 25 January 2010 - 08:27 PM

The MBAM log follows:
Malwarebytes' Anti-Malware 1.44
Database version: 3638
Windows 5.2.3790 Service Pack 2
Internet Explorer 8.0.6001.18702

1/25/2010 6:21:18 PM
mbam-log-2010-01-25 (18-21-18).txt

Scan type: Quick Scan
Objects scanned: 118188
Time elapsed: 8 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

I ran the ESET online. It came up with no infected files, but seem to hang at Step 3.
It never went on to step 4.
I will try to run it again to see if goes all the way to the end.

I am really glad to have your help. Thanks.

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:48 PM

Posted 25 January 2010 - 08:44 PM

Hi,

if the scan finished and found no threats there is no need to repeat it.

Please provide a log from OTL in your next reply as well.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users