
Infected with Browser Redirect virus


  • This topic is locked
10 replies to this topic

#1 MimiFouchon

  • Members
  • 5 posts

Posted 16 January 2010 - 04:26 PM

Problem,

I've a redirect virus that's infected both Firefox and IE. The browser window will be redirected when I don't do anything to cause it to happen and when I do a search. I've only tried a few searches because it seems pointless to try to continue. Alta Vista doesn't seem to be included.

A couple of weeks ago my computer booted up with all of my desktop settings gone. I use the Zune theme and my own wallpaper, and everything was just put back to how it had been when I first started using the computer. Welcome to Windows, etc. Did a search and thought I had found the solution. Saw that it was probably a corrupted user file and to create a new one and delete the old. Copied what I had and created a new user account but lost all e-mail addresses, and from then on it just got worse.

I've run everything I have including Zone Alarm which runs all of the time, Malwarebytes anti-Malware, Spybot Search & Destroy, CCleaner. Nothing has gotten rid of this thing.

Followed the instructions and created the files you need so will post them. Any help would be greatly appreciated because I seem to have quite a mess here.


DDS (Ver_09-12-01.01) - NTFSx86
Run by SusanAdmin at 13:03:17.23 on Sat 01/16/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1533 [GMT -5:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\SusanAdmin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en&t=0
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187413718033
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187470499500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
SSODL: EnhancedDialog - {6D972050-A934-44D7-AC67-7C9E0B264220} - c:\program files\stardock\object desktop\enhanceddialog\enhdlginit.dll
SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - c:\program files\stardock\object desktop\iconpackager\iprepair.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\susana~1\applic~1\mozilla\firefox\profiles\cqpv4k61.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&t=0
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\susan\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\susan\application data\move networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2009-11-6 128016]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-15 486280]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys --> c:\windows\system32\drivers\lv321av.sys [?]

=============== Created Last 30 ================

2010-01-16 17:39:59 0 d-----w- c:\program files\Trend Micro
2010-01-16 01:42:26 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-16 01:41:35 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-16 01:41:35 0 d-----w- c:\docume~1\susana~1\applic~1\SUPERAntiSpyware.com
2010-01-16 01:40:25 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-16 00:25:07 0 d-----w- c:\docume~1\susana~1\applic~1\FastStone
2010-01-15 00:15:04 0 d-----w- c:\docume~1\susana~1\applic~1\TweakNow RegCleaner
2010-01-15 00:01:22 0 d-----w- c:\docume~1\susana~1\applic~1\Malwarebytes
2010-01-12 16:24:19 0 d-----w- c:\docume~1\susana~1\applic~1\CoffeeCup Software
2010-01-08 19:04:45 0 d-----w- c:\program files\MSECache
2010-01-08 19:00:20 0 d-----w- c:\docume~1\susana~1\applic~1\Thinstall
2010-01-08 05:30:10 0 d-----w- c:\program files\SonicWallES
2010-01-07 19:47:54 0 d-----w- c:\docume~1\susana~1\applic~1\TeamViewer
2010-01-07 01:12:27 0 d-----w- c:\docume~1\susana~1\applic~1\SaffronOne
2010-01-06 19:32:28 17881 ----a-w- c:\documents and settings\susanadmin\AdobeFnt10.lst
2010-01-06 19:32:28 0 d-----w- c:\documents and settings\susanadmin\WINDOWS
2010-01-06 19:32:28 0 d-----w- c:\documents and settings\susanadmin\temp
2010-01-06 19:01:41 0 d-----w- c:\documents and settings\susanadmin\Downloads
2010-01-06 18:25:11 0 d-sh--w- c:\documents and settings\susanadmin\PrivacIE
2010-01-06 18:24:22 0 d-----w- c:\docume~1\susana~1\applic~1\MailFrontier
2010-01-06 04:31:30 0 d-----w- c:\program files\ClamWinPortable
2009-12-30 17:53:59 0 d-----w- c:\windows\Applian FLV Player

==================== Find3M ====================

2010-01-16 15:47:34 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-14 05:30:58 95360 ------w- c:\windows\system32\drivers\atapi.sys
2009-12-10 03:54:07 261632 ----a-w- c:\windows\PEV.exe
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-25 11:11:34 77312 ----a-w- c:\windows\MBR.exe
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll

============= FINISH: 13:04:16.29 ===============



#2 myrti

  • Malware Study Hall Admin
  • 33,766 posts

Posted 23 January 2010 - 09:49 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
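The /md5start ... /md5stop part of the custom scan above asks OTL to hash a fixed list of system DLLs and storage drivers. As an added example (not OTL's code and not part of this thread), the script below parses that directive block, walks a directory tree for every copy of each listed name, and reports the size and MD5 of each copy, so two copies of the same driver whose hashes disagree stand out for a closer look. Which directories OTL itself walks is not stated on the page; walking one root recursively is an assumption here, and demo() builds a constructed temporary tree rather than touching a real system.

```python
"""The /md5start ... /md5stop directive of the OTL custom scan, reproduced in Python.

Added example, not OTL's own code. ASSUMPTION: OTL's real directory walk is not
described on the page, so this walks one root recursively and reports every copy of
each listed name. demo() uses a constructed temporary tree, not a real system.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# Abridged from the custom scan block posted above; only the md5 section matters here.
CUSTOM_SCAN = """
netsvcs
msconfig
/md5start
eventlog.dll
scecli.dll
atapi.sys
iaStor.sys
/md5stop
%systemroot%\\*. /mp /s
"""


def md5_targets(directives):
    """File names listed between /md5start and /md5stop, lower-cased for matching."""
    names, inside = [], False
    for raw in directives.splitlines():
        line = raw.strip()
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            names.append(line.lower())
    return names


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large drivers do not land in memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_copies(root, names):
    """Map each listed name to [(path, size, md5)] for every copy found under root."""
    wanted = set(names)
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                p = os.path.join(dirpath, fn)
                try:
                    found[fn.lower()].append((p, os.path.getsize(p), md5_of(p)))
                except OSError:
                    continue  # locked or unreadable; skip rather than abort the scan
    return dict(found)


def disagreeing(found):
    """Names whose on-disk copies do not all share one hash (a patched copy, or just
    a different version left in a cache folder; compare versions before concluding)."""
    return sorted(n for n, copies in found.items() if len({c[2] for c in copies}) > 1)


def demo():
    """Constructed sample tree: atapi.sys identical in two places, scecli.dll not."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = os.path.join(tmp, "system32", "drivers")
        cache = os.path.join(tmp, "system32", "dllcache")
        os.makedirs(drivers)
        os.makedirs(cache)
        for folder, name, data in [
            (drivers, "atapi.sys", b"same driver bytes"),
            (cache, "ATAPI.SYS", b"same driver bytes"),
            (drivers, "scecli.dll", b"shipped version"),
            (cache, "scecli.dll", b"changed version"),
        ]:
            with open(os.path.join(folder, name), "wb") as f:
                f.write(data)
        found = hash_copies(tmp, md5_targets(CUSTOM_SCAN))
        return found, disagreeing(found)


if __name__ == "__main__":
    found, bad = demo()
    for name, copies in sorted(found.items()):
        for path, size, digest in copies:
            print(f"{digest}  {size:>8}  {path}")
    print("copies with differing hashes:", bad or "none")
```

On a real machine you would call hash_copies with the %systemroot% folder and compare the digests against a known-good copy or against each other; the point of listing a driver like atapi.sys is that a copy whose hash does not match its siblings is the first thing to look at.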



#3 MimiFouchon
  • Topic Starter

  • Members
  • 5 posts

Posted 25 January 2010 - 11:17 PM

The problem is still some sort of browser redirect virus. This doesn't just happen with Google searches, it happens when I open the browser to my home page. It also happens for no reason if I let the browser stay open to my home page, and this occurs after a period of no activity. I ran Zone Alarm with no infections found and then Malwarebytes with the following results:

Files Infected:
C:\U.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\SusanAdmin\Local Settings\Temporary Internet Files\Content.IE5\WCMLD4BV\z002102801r0409J03000601R0143fdeeX8396cd6fYc8c1a98dZ03007f3530dP000501080[1] (Rootkit.TDSS) -> Quarantined and deleted successfully.

This is the only thing that's been done since my last post.

Both new reports that you requested are below.


OTL.txt

OTL logfile created on: 1/25/2010 10:33:44 PM - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = C:\Documents and Settings\SusanAdmin\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 21.38 Gb Free Space | 19.13% Space Free | Partition Type: NTFS
Drive D: | 111.79 Gb Total Space | 44.44 Gb Free Space | 39.76% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BAD-DOGGIE
Current User Name: SusanAdmin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/25 22:26:15 | 00,548,352 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\SusanAdmin\Desktop\OTL.exe
PRC - [2010/01/22 14:28:59 | 00,135,664 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe
PRC - [2010/01/08 01:22:39 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/17 01:41:10 | 02,384,240 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2009/10/17 01:39:40 | 01,037,192 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2009/10/14 08:30:26 | 00,476,528 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2009/09/10 11:15:42 | 00,870,672 | ---- | M] (SonicWALL, Inc.) -- C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
PRC - [2009/08/05 10:37:58 | 12,313,432 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
PRC - [2009/06/22 20:23:38 | 00,196,424 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/30 17:47:56 | 00,421,888 | ---- | M] () -- C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
PRC - [2006/03/29 19:53:34 | 00,028,672 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
PRC - [2006/03/17 13:16:00 | 00,143,426 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2005/11/28 10:31:32 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2005/11/28 10:29:00 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2005/11/28 10:28:14 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2005/11/11 19:40:52 | 00,018,944 | ---- | M] () -- C:\WINDOWS\system32\WLTRYSVC.EXE
PRC - [2005/11/11 19:40:50 | 01,093,632 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\BCMWLTRY.EXE
PRC - [2003/01/03 10:20:48 | 00,029,184 | ---- | M] (Dantz Development Corporation) -- C:\Program Files\Dantz\Retrospect\retrorun.exe
PRC - [2001/08/23 02:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe


========== Modules (SafeList) ==========

MOD - [2010/01/25 22:26:15 | 00,548,352 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\SusanAdmin\Desktop\OTL.exe
MOD - [2009/09/10 11:15:48 | 00,013,072 | ---- | M] () -- C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\MlfHook.dll
MOD - [2006/08/25 10:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2006/05/18 13:01:28 | 00,032,768 | ---- | M] (Stardock Corporation) -- C:\Program Files\Stardock\Object Desktop\EnhancedDialog\enhdlginit.dll
MOD - [2005/12/14 18:47:26 | 00,065,536 | ---- | M] (Stardock.net, Inc) -- C:\Program Files\Stardock\Object Desktop\IconPackager\iprepair.dll
MOD - [2005/10/11 12:18:54 | 00,028,672 | ---- | M] () -- C:\Acer\Empowering Technology\ePower\SysHook.dll
MOD - [2004/08/03 18:56:44 | 01,028,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mfc42.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/22 14:28:59 | 00,135,664 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2009/10/17 01:41:10 | 02,384,240 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2009/10/14 08:30:26 | 00,476,528 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)
SRV - [2006/03/29 19:53:34 | 00,028,672 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\ePerformance\MemCheck.exe -- (AcerMemUsageCheckService)
SRV - [2006/03/17 13:16:00 | 00,143,426 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2005/11/28 10:31:32 | 00,540,745 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2005/11/28 10:29:00 | 00,114,753 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2005/11/28 10:28:14 | 00,217,164 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2005/11/11 19:40:52 | 00,018,944 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc)
SRV - [2004/08/03 19:56:44 | 00,027,136 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\irmon.dll -- (Irmon)
SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/01/03 10:20:48 | 00,029,184 | ---- | M] (Dantz Development Corporation) [Auto | Running] -- C:\Program Files\Dantz\Retrospect\retrorun.exe -- (RetroLauncher)


========== Driver Services (SafeList) ==========

DRV - [2010/01/05 07:56:06 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/01/05 07:56:04 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/05 07:56:02 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/10/17 01:39:42 | 00,486,280 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2009/10/14 08:30:02 | 00,025,208 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2009/10/12 18:15:26 | 00,128,016 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\kl1.sys -- (kl1)
DRV - [2009/05/09 00:14:20 | 00,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/06/26 06:15:34 | 03,630,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2008/01/15 19:17:58 | 04,652,544 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/08/17 23:56:02 | 00,021,275 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2007/08/15 06:27:18 | 00,009,600 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\n558.sys -- (n558)
DRV - [2006/04/14 14:27:46 | 00,014,544 | ---- | M] (EnTech Taiwan) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\TVicPort.sys -- (tvicport)
DRV - [2006/04/14 14:27:44 | 00,069,632 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\int15.sys -- (int15)
DRV - [2006/04/14 14:27:44 | 00,006,080 | ---- | M] (Zeal SoftStudio) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zntport.sys -- (zntport)
DRV - [2006/04/06 07:53:00 | 00,244,608 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2006/03/17 13:16:00 | 03,655,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/03/09 16:56:58 | 00,995,712 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/03/09 16:56:16 | 00,206,976 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/03/09 16:56:10 | 00,726,400 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/02/15 11:57:46 | 00,012,672 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2005/11/28 11:09:26 | 00,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2005/11/27 06:36:08 | 01,427,968 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel®
DRV - [2005/06/23 08:16:08 | 00,162,176 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2005/04/22 15:57:06 | 00,078,208 | ---- | M] (Acer Value Labs, USA) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epm-shd.sys -- (EpmShd)
DRV - [2005/04/22 15:57:06 | 00,004,096 | ---- | M] (Acer Value Labs, USA) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epm-psd.sys -- (EpmPsd)
DRV - [2005/01/07 16:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/12/09 13:54:12 | 00,046,592 | ---- | M] (SMSC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
DRV - [2004/12/07 23:10:00 | 00,016,896 | ---- | M] (Dritek System Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DKbFltr.SYS -- (DKbFltr)
DRV - [2004/08/03 22:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/04/26 13:47:42 | 00,163,456 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\vidstub.sys -- (BootScreen)
DRV - [2003/12/17 08:50:00 | 00,070,801 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys -- (LMouFlt2)
DRV - [2003/12/17 08:50:00 | 00,051,729 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042pr2.Sys -- (L8042pr2)
DRV - [2003/12/17 08:50:00 | 00,025,505 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFlt2.Sys -- (LHidFlt2)
DRV - [2001/08/23 02:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1275210071-1284227242-682003330-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?hl=en&t=0
IE - HKU\S-1-5-21-1275210071-1284227242-682003330-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-1275210071-1284227242-682003330-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1275210071-1284227242-682003330-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 28 32 44 95 FD 8E CA 01 [binary data]
IE - HKU\S-1-5-21-1275210071-1284227242-682003330-1007\S-1-5-21-1275210071-1284227242-682003330-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig?hl=en&t=0"
FF - prefs.js..extensions.enabledItems: {FFB96CC1-7EB3-449D-B827-DB661701C6BB}:1.5.53.4

FF - HKLM\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2009/12/08 12:30:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/14 18:56:40 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/08 01:22:42 | 00,000,000 | ---D | M]

[2010/01/06 19:14:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SusanAdmin\Application Data\Mozilla\Extensions
[2010/01/25 14:07:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SusanAdmin\Application Data\Mozilla\Firefox\Profiles\cqpv4k61.default\extensions
[2009/12/31 01:12:50 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/01/15 23:29:25 | 00,372,744 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 12872 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (ZoneAlarm Toolbar Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKLM\..\Toolbar: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1275210071-1284227242-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1275210071-1284227242-682003330-1007\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1187413718033 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1187470499500 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.74.166 68.87.68.166
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\WBSrv: DllName - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll - C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll (Stardock Corporation)
O21 - SSODL: EnhancedDialog - {6D972050-A934-44D7-AC67-7C9E0B264220} - C:\Program Files\Stardock\Object Desktop\EnhancedDialog\enhdlginit.dll (Stardock Corporation)
O21 - SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\Program Files\Stardock\Object Desktop\IconPackager\iprepair.dll (Stardock.net, Inc)
O24 - Desktop WallPaper: C:\WINDOWS\Elegance 1600.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Elegance 1600.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/17 19:32:03 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/08/17 15:10:23 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - C:\WINDOWS\system32\irmon.dll (Microsoft Corporation)
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
MsConfig - StartUpReg: ePower_DMC - hkey= - key= - C:\Acer\Empowering Technology\ePower\ePower_DMC.exe ()
MsConfig - StartUpReg: ISW - hkey= - key= - C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: NvCplDaemon - hkey= - key= - File not found
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - StartUpReg: RTHDCPL - hkey= - key= - C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
MsConfig - StartUpReg: SpybotSD TeaTimer - hkey= - key= - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
MsConfig - StartUpReg: SUPERAntiSpyware - hkey= - key= - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: vsmon - C:\WINDOWS\System32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {3FE1B39A-49E2-51D4-4898-193A6A6346B2} - Browser Customizations
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5923D989-2C32-5E54-45A3-073E7CD8F0A3} - Internet Explorer
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8DE1867A-768E-5518-D44B-19CB80EDF8CD} - Internet Explorer
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {F405EFFB-52A6-757E-62CE-D290D1247ED4} - Vector Graphics Rendering (VML)
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - lvcodec2.dll File not found
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2010/01/25 22:26:14 | 00,548,352 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\SusanAdmin\Desktop\OTL.exe
[2010/01/24 01:35:30 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\SusanAdmin\Recent
[2010/01/23 14:53:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Desktop\Famolare Shoes
[2010/01/23 14:40:39 | 00,020,480 | ---- | C] (IpVOPqgs) -- C:\WINDOWS\System32\winlogon32.exe
[2010/01/23 14:40:39 | 00,020,480 | ---- | C] (IpVOPqgs) -- C:\WINDOWS\System32\smss32.exe
[2010/01/22 14:32:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Application Data\Google
[2010/01/22 14:29:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/01/22 14:29:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Local Settings\Application Data\Temp
[2010/01/22 14:29:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Local Settings\Application Data\Google
[2010/01/19 22:25:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Local Settings\Application Data\Apple Computer
[2010/01/16 12:57:58 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\SusanAdmin\Desktop\RootRepeal.exe
[2010/01/16 12:39:59 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/16 12:25:02 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\SusanAdmin\Desktop\HJTInstall.exe
[2010/01/16 12:19:44 | 03,012,768 | ---- | C] (Javacool Software LLC ) -- C:\Documents and Settings\SusanAdmin\Desktop\spywareblastersetup42.exe
[2010/01/15 20:42:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/01/15 20:41:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Application Data\SUPERAntiSpyware.com
[2010/01/15 20:41:35 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/01/15 20:40:25 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/01/15 20:24:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Application Data\Move Networks
[2010/01/15 19:25:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Application Data\FastStone
[2010/01/14 19:15:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Application Data\TweakNow RegCleaner
[2010/01/14 19:01:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Application Data\Malwarebytes
[2010/01/14 15:36:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Application Data\Sun
[2010/01/12 11:24:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Application Data\CoffeeCup Software
[2010/01/11 23:32:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2010/01/08 14:04:45 | 00,000,000 | ---D | C] -- C:\Program Files\MSECache
[2010/01/08 14:00:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Application Data\Thinstall
[2010/01/08 13:55:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Desktop\Portable Microsoft Office 2007 Enterprise
[2010/01/08 00:30:10 | 00,000,000 | ---D | C] -- C:\Program Files\SonicWallES
[2010/01/08 00:29:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Local Settings\Application Data\Identities
[2010/01/07 14:47:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Application Data\TeamViewer
[2010/01/06 20:12:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Application Data\SaffronOne
[2010/01/06 19:27:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Application Data\Macromedia
[2010/01/06 19:14:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Local Settings\Application Data\Mozilla
[2010/01/06 19:14:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Application Data\Mozilla
[2010/01/06 18:41:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Desktop\Mortgage
[2010/01/06 16:40:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Local Settings\Application Data\Adobe
[2010/01/06 16:40:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Application Data\Adobe
[2010/01/06 14:32:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\WINDOWS
[2010/01/06 14:32:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\temp
[2010/01/06 14:32:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\AdobeStockPhotos
[2010/01/06 14:32:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\Adobe Scripts
[2010/01/06 14:21:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\creativepack-120
[2010/01/06 14:21:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\Copy to Mother
[2010/01/06 14:21:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\ConvertXtoDVD
[2010/01/06 14:21:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\ForceField Shared Files
[2010/01/06 14:21:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\Duplicate Files
[2010/01/06 14:21:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\Downloads
[2010/01/06 14:21:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\Microsys
[2010/01/06 14:21:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\Joe
[2010/01/06 14:06:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\My Themes
[2010/01/06 14:05:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\P8
[2010/01/06 14:04:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\ReleaseMMPF
[2010/01/06 14:04:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\Royale_Remixed
[2010/01/06 14:04:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\Version Cue
[2010/01/06 14:04:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\Updater
[2010/01/06 14:04:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\SUSAN PASSWORDS
[2010/01/06 14:04:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\Stardock
[2010/01/06 14:04:45 | 04,930,808 | ---- | C] (TweakNow.com ) -- C:\Documents and Settings\SusanAdmin\My Documents\RegCleaner.exe
[2010/01/06 14:01:58 | 05,008,904 | ---- | C] (Macrovision Corporation) -- C:\Documents and Settings\SusanAdmin\My Documents\IsoBurner-Setup.exe
[2010/01/06 14:01:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Downloads
[2010/01/06 13:41:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Desktop\Photos
[2010/01/06 13:39:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Desktop\PureFaceJewels
[2010/01/06 13:39:21 | 00,000,000 | R--D | C] -- C:\Documents and Settings\SusanAdmin\Desktop\Tools
[2010/01/06 13:36:07 | 16,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\SusanAdmin\Desktop\spybotsd162.exe
[2010/01/06 13:35:49 | 06,345,368 | ---- | C] (PortableApps.com) -- C:\Documents and Settings\SusanAdmin\Desktop\ClamWinPortable_0.95.2_English.paf.exe
[2010/01/06 13:25:11 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\SusanAdmin\PrivacIE
[2010/01/06 13:24:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Application Data\MailFrontier
[2010/01/06 13:24:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Local Settings\Application Data\ApplicationHistory
[2010/01/06 13:24:12 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\SusanAdmin\IETldCache
[2010/01/06 13:24:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Application Data\Identities
[2010/01/06 13:24:04 | 00,000,000 | R--D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\My Pictures
[2010/01/06 13:24:04 | 00,000,000 | R--D | C] -- C:\Documents and Settings\SusanAdmin\My Documents\My Music
[2010/01/06 13:24:04 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\SusanAdmin\Cookies
[2010/01/06 13:24:00 | 00,000,000 | --SD | C] -- C:\Documents and Settings\SusanAdmin\Application Data\Microsoft
[2010/01/06 13:24:00 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\SusanAdmin\SendTo
[2010/01/06 13:24:00 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\SusanAdmin\Application Data
[2010/01/06 13:24:00 | 00,000,000 | R--D | C] -- C:\Documents and Settings\SusanAdmin\Start Menu
[2010/01/06 13:24:00 | 00,000,000 | R--D | C] -- C:\Documents and Settings\SusanAdmin\My Documents
[2010/01/06 13:24:00 | 00,000,000 | R--D | C] -- C:\Documents and Settings\SusanAdmin\Favorites
[2010/01/06 13:24:00 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\SusanAdmin\Templates
[2010/01/06 13:24:00 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\SusanAdmin\PrintHood
[2010/01/06 13:24:00 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\SusanAdmin\NetHood
[2010/01/06 13:24:00 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\SusanAdmin\Local Settings
[2010/01/06 13:24:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Local Settings\Application Data\Microsoft
[2010/01/06 13:24:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\SusanAdmin\Desktop
[2010/01/05 23:31:30 | 00,000,000 | ---D | C] -- C:\Program Files\ClamWinPortable
[2010/01/05 13:45:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\AA_Gallery
[2010/01/05 13:45:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\AA_Banners
[2010/01/05 13:45:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\ComputerStuff
[2010/01/05 13:45:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\AA_Zips
[2010/01/05 13:44:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\DNA-079_4
[2010/01/05 13:44:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\DNA-079_5
[2010/01/05 13:36:35 | 04,930,808 | ---- | C] (TweakNow.com ) -- C:\Documents and Settings\SusanAdmin\Desktop\RegCleaner.exe
[2010/01/05 13:33:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Downloads
[2010/01/05 13:33:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\DreamweaverPortable
[2010/01/05 13:33:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Eva
[2010/01/05 13:33:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\HairDesigner
[2010/01/05 13:32:03 | 00,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Desktop\Impoortant Text Files
[2010/01/05 13:32:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Illustrator CS4
[2010/01/05 13:29:05 | 00,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Desktop\Music
[2010/01/05 13:28:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Photo Ref
[2010/01/05 13:26:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\PoserTutorialLynda
[2010/01/05 13:26:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Render Studio
[2010/01/05 13:24:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Tutorials
[2010/01/05 13:23:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\ZBrush 3.5_R3
[2010/01/05 13:23:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\ZBrush Stuff
[2009/12/30 12:53:59 | 00,000,000 | ---D | C] -- C:\Program Files\FLV Player
[2009/12/30 12:53:59 | 00,000,000 | ---D | C] -- C:\WINDOWS\Applian FLV Player
[2009/07/16 18:57:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/07/15 17:56:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/07/15 17:54:31 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/07/15 17:54:31 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/07/15 16:41:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2009/07/15 16:41:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2008/03/26 11:08:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\SDSD
[2008/03/26 11:08:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SDSD
[2007/10/13 17:36:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/08/17 23:49:06 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\Interop.Shell32.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/25 22:26:15 | 00,548,352 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\SusanAdmin\Desktop\OTL.exe
[2010/01/25 14:14:30 | 00,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/01/25 13:56:43 | 00,050,868 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/01/25 13:55:16 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/25 13:55:10 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/25 13:55:03 | 21,455,62624 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/25 00:00:09 | 05,505,024 | -H-- | M] () -- C:\Documents and Settings\SusanAdmin\NTUSER.DAT
[2010/01/24 23:59:46 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\SusanAdmin\ntuser.ini
[2010/01/24 23:59:34 | 12,909,766 | -H-- | M] () -- C:\Documents and Settings\SusanAdmin\Local Settings\Application Data\IconCache.db
[2010/01/23 15:59:58 | 00,000,072 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\Application Data\SusanAdmin-01301201226-WhiteList.xml
[2010/01/23 15:59:57 | 00,000,070 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\Application Data\SusanAdmin-01301201226-Keyword.xml
[2010/01/23 15:59:56 | 00,381,665 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\Application Data\SusanAdmin-01301201226-Learning.xml
[2010/01/23 14:40:38 | 00,020,480 | ---- | M] (IpVOPqgs) -- C:\WINDOWS\System32\winlogon32.exe
[2010/01/23 14:40:38 | 00,020,480 | ---- | M] (IpVOPqgs) -- C:\WINDOWS\System32\smss32.exe
[2010/01/23 14:40:34 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/23 14:40:34 | 00,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/01/22 14:31:58 | 00,001,922 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/01/22 14:29:10 | 00,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/21 15:27:55 | 00,000,753 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/21 15:27:55 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2010/01/21 15:27:55 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/19 22:25:35 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/01/16 16:30:00 | 00,000,081 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\Desktop\Infected with Browser Redirect virus.URL
[2010/01/16 16:21:39 | 00,005,632 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/16 13:05:20 | 00,003,703 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\Desktop\Attach.zip
[2010/01/16 12:57:58 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\SusanAdmin\Desktop\RootRepeal.exe
[2010/01/16 12:54:36 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\Desktop\dds.scr
[2010/01/16 12:39:59 | 00,001,741 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\Desktop\HijackThis.lnk
[2010/01/16 12:32:12 | 03,827,010 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\Desktop\ComboFix.exe
[2010/01/16 12:25:03 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\SusanAdmin\Desktop\HJTInstall.exe
[2010/01/16 12:19:47 | 03,012,768 | ---- | M] (Javacool Software LLC ) -- C:\Documents and Settings\SusanAdmin\Desktop\spywareblastersetup42.exe
[2010/01/15 23:29:25 | 00,372,744 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/01/15 23:22:25 | 00,000,940 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\Desktop\Spybot - Search & Destroy.lnk
[2010/01/15 20:41:39 | 00,000,787 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/01/14 19:15:07 | 00,000,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TweakNow RegCleaner.lnk
[2010/01/14 01:20:46 | 00,153,600 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\Application Data\SharedSettings.ccs
[2010/01/08 15:31:22 | 00,044,544 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\My Documents\Technology License Agreement.doc
[2010/01/08 15:26:31 | 00,056,678 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\My Documents\Technology_License_Agreement.zip
[2010/01/08 12:23:58 | 00,060,892 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\My Documents\Technology_License_Agreement.pdf
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/06 18:56:08 | 00,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010/01/06 13:24:22 | 00,025,112 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/01/06 11:46:22 | 00,522,500 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/06 11:46:22 | 00,442,618 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/06 11:46:22 | 00,071,162 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/05 13:53:26 | 00,000,888 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TeamViewer 5.lnk
[2010/01/04 14:43:32 | 00,000,062 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\Desktop\Software - ShareCG.URL
[2009/12/30 22:17:36 | 00,044,544 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\Desktop\Technology License Agreement.doc
[2009/12/30 13:04:46 | 17,070,274 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\Desktop\highrestexture.flv
[2009/12/30 12:53:59 | 00,001,580 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Applian FLV Player.lnk
[2009/12/30 12:50:40 | 08,337,228 | ---- | M] () -- C:\Documents and Settings\SusanAdmin\Desktop\clonebrushvideo.flv
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/23 14:40:34 | 00,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/23 14:40:34 | 00,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/01/22 14:31:58 | 00,001,922 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/01/22 14:29:10 | 00,000,890 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/16 16:30:00 | 00,000,081 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\Infected with Browser Redirect virus.URL
[2010/01/16 13:05:20 | 00,003,703 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\Attach.zip
[2010/01/16 12:54:35 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\dds.scr
[2010/01/16 12:39:59 | 00,001,741 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\HijackThis.lnk
[2010/01/16 12:32:09 | 03,827,010 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\ComboFix.exe
[2010/01/15 23:22:25 | 00,000,940 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\Spybot - Search & Destroy.lnk
[2010/01/15 20:41:39 | 00,000,787 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/01/15 18:47:48 | 00,005,632 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/14 19:15:07 | 00,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TweakNow RegCleaner.lnk
[2010/01/12 11:24:00 | 00,153,600 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Application Data\SharedSettings.ccs
[2010/01/08 14:19:28 | 00,056,678 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\Technology_License_Agreement.zip
[2010/01/08 12:23:58 | 00,060,892 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\Technology_License_Agreement.pdf
[2010/01/07 15:07:11 | 00,044,544 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\Technology License Agreement.doc
[2010/01/06 20:17:35 | 00,381,665 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Application Data\SusanAdmin-01301201226-Learning.xml
[2010/01/06 20:17:35 | 00,000,072 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Application Data\SusanAdmin-01301201226-WhiteList.xml
[2010/01/06 20:17:35 | 00,000,070 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Application Data\SusanAdmin-01301201226-Keyword.xml
[2010/01/06 14:32:28 | 00,017,881 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\AdobeFnt10.lst
[2010/01/06 14:04:53 | 01,722,880 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\ZuneDesktopTheme.msi
[2010/01/06 14:04:52 | 01,111,358 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\UXTheme Multi-Patcher 5.5.exe
[2010/01/06 14:04:52 | 00,071,189 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\Sunset.jpg
[2010/01/06 14:04:51 | 03,082,870 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\Royale_Remixed.rar
[2010/01/06 14:04:50 | 01,121,792 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\Royale RemixedL.msi
[2010/01/06 14:04:49 | 02,836,992 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\Royale Remixed.msi
[2010/01/06 14:03:19 | 15,810,7766 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\PoserPro Update.nrg
[2010/01/06 14:03:06 | 31,153,621 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\Poser7-SR2.1.zip
[2010/01/06 14:01:58 | 24,275,7788 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\P7-Updates.nrg
[2010/01/06 14:01:58 | 06,668,469 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\Daz3D___ps_ac1524b___Dynamic_Glamour_Halter_Gown_Set_for_IV___GV.exe
[2010/01/06 14:01:58 | 04,845,686 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\Image.nrg
[2010/01/06 14:01:58 | 01,939,803 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\creativepack-120.zip
[2010/01/06 14:01:58 | 00,483,118 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\Fish.jpg
[2010/01/06 14:01:58 | 00,346,516 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\cc_20080722_2309.reg
[2010/01/06 14:01:58 | 00,251,498 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\cc_20090712_221707.reg
[2010/01/06 14:01:58 | 00,096,800 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\cc_20090818_125203.reg
[2010/01/06 14:01:58 | 00,028,160 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\AA.doc
[2010/01/06 14:01:58 | 00,001,536 | -HS- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\drmv2.lic
[2010/01/06 14:01:58 | 00,000,963 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\abg-en-100c-ffffff[1].png
[2010/01/06 14:01:58 | 00,000,799 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\Launch Microsoft Office Outlook.lnk
[2010/01/06 14:01:58 | 00,000,020 | -HS- | C] () -- C:\Documents and Settings\SusanAdmin\My Documents\ntuser.ini
[2010/01/06 13:36:10 | 00,434,277 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\ucr2filespec_dec2004.pdf
[2010/01/06 13:36:10 | 00,044,544 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\Technology License Agreement.doc
[2010/01/06 13:36:10 | 00,000,078 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\Use MSconfig to setup for Normal Startup Mode - MajorGeeks Support Forums.URL
[2010/01/06 13:36:10 | 00,000,068 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\YouTube - Blacksmith3D - Using The Clone Brush - 3D Paint.URL
[2010/01/06 13:36:07 | 00,190,130 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\SaySay.jpg
[2010/01/06 13:36:07 | 00,000,062 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\Software - ShareCG.URL
[2010/01/06 13:36:04 | 27,179,220 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\Promo-JPG.zip
[2010/01/06 13:36:03 | 00,313,344 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\hjsplit.exe
[2010/01/06 13:36:03 | 00,000,081 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\Joint Smoother_V4.URL
[2010/01/06 13:36:01 | 17,070,274 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\highrestexture.flv
[2010/01/06 13:35:50 | 08,337,228 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\clonebrushvideo.flv
[2010/01/06 13:35:49 | 00,001,555 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\CCleaner.lnk
[2010/01/06 13:35:42 | 00,000,077 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\AS Poser 8 Indirect Light - Aery Soul.URL
[2010/01/06 13:35:42 | 00,000,076 | ---- | C] () -- C:\Documents and Settings\SusanAdmin\Desktop\Alice list of products supporting her UPD 06 Jul - Aery Soul.URL
[2010/01/06 13:24:01 | 00,000,278 | -HS- | C] () -- C:\Documents and Settings\SusanAdmin\ntuser.ini
[2010/01/06 13:24:00 | 05,505,024 | -H-- | C] () -- C:\Documents and Settings\SusanAdmin\NTUSER.DAT
[2010/01/05 13:53:26 | 00,000,888 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TeamViewer 5.lnk
[2010/01/05 13:23:05 | 00,000,735 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Wardrobe Wizard.lnk
[2010/01/05 13:23:03 | 00,000,095 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Renderosity Digital Art Community.URL
[2010/01/05 13:23:02 | 14,602,484 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Que - Upgrading and Repairing PCs 19th Edition (2009).pdf
[2010/01/05 13:22:59 | 00,001,742 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\P3dO Explorer.lnk
[2010/01/05 13:22:59 | 00,000,071 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Pixologic ZClassroom Homeroom.URL
[2010/01/05 13:22:59 | 00,000,065 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Photoshop CS4 3d Tutorial.URL
[2010/01/05 13:22:59 | 00,000,063 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PhilC Designs Home Product Info Hair Designer.URL
[2010/01/05 13:22:59 | 00,000,060 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PhilC Designs Ltd --- Animation Editing.URL
[2010/01/05 13:22:56 | 01,598,019 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Gothic_Revival_Mini_Tut.jpg
[2010/01/05 13:22:51 | 00,087,351 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\G2Jessi_MegaResource_Help.pdf
[2010/01/05 13:22:46 | 63,518,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Focal Press Creative Photoshop CS4 Digital Illustration and Art Techniques Apr 2009.pdf
[2010/01/05 13:22:46 | 01,405,977 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\D3D_PerfectSkin.pdf
[2010/01/05 13:22:46 | 00,001,619 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CrossDresser 2.0.lnk
[2010/01/05 13:22:46 | 00,000,069 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Cult of Erotica - The Art of Bruce Colero.URL
[2010/01/05 13:22:44 | 08,008,141 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CreativeStudio01.pdf
[2010/01/05 13:22:36 | 04,922,698 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ACPromos.zip
[2010/01/05 13:22:36 | 00,000,054 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\3D Paint - Morph - Model - Blacksmith3D - 3D Painting, Morphing and Modeling Application.URL
[2009/12/30 12:53:59 | 00,001,580 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Applian FLV Player.lnk
[2009/12/16 19:11:18 | 00,004,018 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/08/18 17:33:49 | 00,000,208 | ---- | C] () -- C:\WINDOWS\System32\xpysys.dll
[2008/01/23 11:50:53 | 00,000,260 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2007/12/26 02:10:53 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2007/10/10 11:29:32 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/08/31 21:03:28 | 00,000,000 | ---- | C] () -- C:\WINDOWS\windowfx3.ini
[2007/08/21 18:52:04 | 00,373,248 | ---- | C] () -- C:\WINDOWS\EyeCand3.INI
[2007/08/21 17:49:32 | 00,296,448 | ---- | C] () -- C:\WINDOWS\Xenofex.ini
[2007/08/18 22:22:20 | 00,000,024 | ---- | C] () -- C:\WINDOWS\LogonStudio.ini
[2007/08/18 22:22:12 | 00,187,392 | ---- | C] () -- C:\WINDOWS\System32\JPGUtils.dll
[2007/08/18 22:07:47 | 00,163,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\vidstub.sys
[2007/08/18 21:48:20 | 00,000,000 | ---- | C] () -- C:\WINDOWS\windowfx2.ini
[2007/08/18 20:45:22 | 00,000,081 | ---- | C] () -- C:\WINDOWS\WB.ini
[2007/08/18 15:32:10 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/08/17 23:55:28 | 00,868,352 | ---- | C] () -- C:\WINDOWS\System32\WirelessMgr.dll
[2007/08/17 23:50:49 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\int15.sys
[2007/08/17 23:50:49 | 00,008,704 | ---- | C] () -- C:\WINDOWS\System32\drivers\int15_64.sys
[2007/08/17 23:49:06 | 00,331,776 | ---- | C] () -- C:\WINDOWS\System32\ScrollBarLib.dll
[2007/08/15 06:27:18 | 00,009,600 | ---- | C] () -- C:\WINDOWS\System32\drivers\n558.sys
[2007/05/26 10:32:28 | 00,026,288 | ---- | C] () -- C:\WINDOWS\System32\wbload.dll
[2007/01/10 07:44:26 | 01,457,024 | R--- | C] () -- C:\WINDOWS\System32\SSCProt.dll
[2006/03/17 13:16:00 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/03/17 13:16:00 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/03/17 13:16:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/03/17 13:16:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/03/17 13:16:00 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/11/11 19:40:50 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2005/11/11 19:40:48 | 00,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1999/01/27 12:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 06:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2004/02/24 08:12:40 | 01,386,496 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvbvm60.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >


< MD5 for: AGP440.SYS >
[2004/08/03 19:05:44 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/03 19:05:44 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys
[2009/12/14 00:30:58 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2009/12/14 00:30:58 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2009/12/14 00:30:58 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 16:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll
[2004/08/03 18:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/03 18:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/03 18:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netlogon.dll
[2009/02/06 13:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 13:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/03 18:56:46 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004/08/03 18:56:46 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/03 18:56:46 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/03 18:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/03 18:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/03 18:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 178 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E79D0966
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:58CF2C8C
< End of report >


Extras.txt

OTL Extras logfile created on: 1/25/2010 10:33:44 PM - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = C:\Documents and Settings\SusanAdmin\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 21.38 Gb Free Space | 19.13% Space Free | Partition Type: NTFS
Drive D: | 111.79 Gb Total Space | 44.44 Gb Free Space | 39.76% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BAD-DOGGIE
Current User Name: SusanAdmin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1275210071-1284227242-682003330-1007\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with FastStone] -- "C:\Program Files\FastStone Image Viewer\FSViewer.exe" "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\dpnsvr.exe" = C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server -- (Microsoft Corporation)
"C:\WINDOWS\system32\dxdiag.exe" = C:\WINDOWS\system32\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool -- (Microsoft Corporation)
"C:\Program Files\Smith Micro\Poser Pro\PoserPro.exe" = C:\Program Files\Smith Micro\Poser Pro\PoserPro.exe:*:Enabled:Poser Pro executable file -- (Smith Micro Software, Inc)
"C:\Program Files\TeamViewer\Version5\TeamViewer.exe" = C:\Program Files\TeamViewer\Version5\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application -- (TeamViewer GmbH)
"C:\WINDOWS\TEMP\ihxa.tmp\svchost.exe" = C:\WINDOWS\TEMP\ihxa.tmp\svchost.exe:*:Enabled:svchost -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1F2C8256-2773-46C7-9ABA-3E39C24ABB51}" = Acer eSettings Management
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{262175AE-A9D9-472B-9FA5-0AAEDADB0B6C}" = ELLA for Microsoft Outlook
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.79.1
"{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePower Management
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}" = QuickTime
"{7057702F-6D71-4F30-8000-9E72BC771887}" = Acer ePerformance Management
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77D2A9D3-5800-43E3-B274-87841BC87DB2}" = Adobe ExtendScript Toolkit 2
"{7E20EFE6-E604-48C6-8B39-BA4742F2CDB4}" = Zune Desktop Theme
"{8AE03988-8C8C-40EE-BDC7-76781BEF1B1D}" = Adobe Setup
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB6097D9-D722-4987-BD9E-A076E2848EE2}" = Acer Empowering Technology
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.5
"{AC76BA86-7AD7-1033-7B44-A81300000003}_814" = KB408682
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{C06554A1-2C1E-4D20-B613-EE62C79927CC}" = Acer eNet Management
"{C084BC61-E537-11DE-8616-005056806466}" = Google Earth
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C427E746-4EC9-4E3C-AACB-C6BB1F714D7F}" = Uniblue DriverScanner 2009
"{C4354214-B919-4C8F-84EB-4F9B84ACC02C}" = Retrospect 6.0
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFADE4AF-C0CF-4A04-A776-741318F1658F}" = Content Transfer
"{D70DE630-0D13-4394-A15B-5ACE6CF2A18D}" = Atheros Wireless LAN
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1B8DB67-D30E-4FF9-A85F-3CEE51825AA2}" = SMSC IrCC V5.1.3600.7
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FF6F491D-BC82-4DCC-A72F-1824957C6466}" = TIxx21
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"Advanced WindowsCare V2 Personal_is1" = Advanced WindowsCare Personal
"Applian FLV Player2.0.24" = Applian FLV Player
"Big Clock Pro_is1" = Big Clock Pro 4.1
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Network Adapter
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_1025006C" = HDAUDIO Soft Data Fax Modem with SmartCP
"CoffeeCup Free FTP 4.2" = CoffeeCup Free FTP
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"EditPad Lite" = JGsoft EditPad Lite 5.2.0
"ExtractNow_is1" = ExtractNow
"FastStone Image Viewer" = FastStone Image Viewer 4.0
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{FF6F491D-BC82-4DCC-A72F-1824957C6466}" = Texas Instruments PCIxx21/x515 drivers.
"InterActual Player" = InterActual Player
"LManager" = Launch Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"Nero - Burning Rom!UninstallKey" = Nero 6
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"P3dO Explorer" = P3dO Explorer (remove only)
"PC Wizard 2008_is1" = PC Wizard 2008.1.86
"Poser Pro_is1" = Poser Pro 7.0.4 Service Release
"ProInst" = Intel® PROSet/Wireless Software
"TeamViewer 5" = TeamViewer 5
"Tweak UI 2.10" = Tweak UI
"TweakNow RegCleaner_is1" = TweakNow RegCleaner
"Uniblue DriverScanner 2009" = Uniblue DriverScanner 2009
"Victoria 4.2 Base ps_pe069_Victoria4" = Victoria 4.2 Base
"Victoria 4.2 Morphs++ ps_pe070_V4Morphs" = Victoria 4.2 Morphs++
"Victoria 4.2 Muscle Morphs ps_mr259_V4MuscleMorphs" = Victoria 4.2 Muscle Morphs
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"WW Support Files - Expansion Pack 8_is1" = WW 2.0 Support Files - Expansion Pack 8
"ZBrush2" = ZBrush2
"ZoneAlarm Security Suite" = ZoneAlarm Security Suite
"ZoneAlarm Toolbar" = ZoneAlarm Toolbar

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


------------------------------------------------------------------------------

Thanks for the help with this. I'm just paralyzed and am getting very grumpy.





#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:06:40 AM

Posted 26 January 2010 - 02:35 AM

Hi,

please run a scan with gmer as well:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 MimiFouchon

MimiFouchon
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:40 PM

Posted 26 January 2010 - 03:15 PM

myrti,

Apparently I have something really nasty. I followed your instructions, ran gmer, and once in Scan mode after the initial quick scan the entire system hung. Rebooted, tried again, same result.

Then ran in Safe Mode. Same results. Quick scan showed "suspicious modification" in C:\Windows\System32\drivers\ATAPI.sys

Started full Scan and program hung at C:\Windows\System32\drivers\ATAPI.sys which, I assume, it's supposed to be scanning.

Now what?


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:06:40 AM

Posted 27 January 2010 - 09:52 AM

Hi,

the gmer finding in atapi.sys suggests a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

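myrti's reply above points at a core Microsoft driver, atapi.sys, as the rootkit's foothold, and the ComboFix log posted further down in this thread lists that driver in its "Find3M Report" with a December 2009 modification stamp against a 2004 creation stamp. The script below is an editor's example added to this thread; it is not part of ComboFix, GMER or anything the helpers posted. It parses Find3M-style lines and flags files under the Windows system directories whose last-modified stamp is far newer than their creation stamp, listing kernel drivers first. The column order it assumes (last modified, then created) is inferred from the entries in this thread's own log, and the sample lines are copied from that log.

```python
"""Triage helper for the 'Find3M Report' section of a ComboFix log.

Editor's example for this thread; it is not part of ComboFix, GMER or
anything the helpers posted. Each Find3M line is read as

    <last modified> . <created> <size or --------> <attrs> <path>

That column order is an assumption inferred from the log posted in this
thread: mbam.sys carries a 2010 first stamp and a 2009-07-12 second stamp,
and 2009-07-12 is also the creation stamp of the Malwarebytes folder.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Sample input: lines copied from the Find3M section posted in this thread.
SAMPLE_FIND3M = r"""
2010-01-27 17:14 . 2009-07-12 17:37 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-07 21:07 . 2009-07-12 03:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-07-12 03:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 04:20 . 2007-08-18 19:59 -------- d-----w- c:\program files\ExtractNow
2009-12-21 19:14 . 2004-08-03 23:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-14 05:30 . 2004-08-03 21:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-21 16:36 . 2004-08-03 23:56 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
"""

STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
LINE_RE = re.compile(
    rf"^(?P<modified>{STAMP}) \. (?P<created>{STAMP}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
OS_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\apppatch\\")
DRIVER_ROOT = "c:\\windows\\system32\\drivers\\"


@dataclass
class Entry:
    modified: datetime
    created: datetime
    size: Optional[int]   # None for directories, which ComboFix prints as --------
    is_dir: bool
    path: str             # lower-cased so prefix checks are case-insensitive


def parse_find3m(text: str) -> List[Entry]:
    """Parse Find3M lines; headers, '.' separators and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(Entry(
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            size=None if m["size"].startswith("-") else int(m["size"]),
            is_dir=m["attrs"].startswith("d"),
            path=m["path"].lower(),
        ))
    return entries


def touched_os_files(entries: List[Entry], min_gap_days: int = 365) -> List[Entry]:
    """Files under OS_ROOTS whose last-modified stamp is at least min_gap_days
    after their creation stamp. Each such file is either a legitimate update
    or a modified system file, so every hit has to be reconciled with the
    installed update history. Kernel drivers are listed first: a patched
    boot-class driver is the classic rootkit foothold, and atapi.sys is the
    file GMER flagged in this thread."""
    hits = [e for e in entries
            if not e.is_dir
            and e.path.startswith(OS_ROOTS)
            and (e.modified - e.created).days >= min_gap_days]
    hits.sort(key=lambda e: (not e.path.startswith(DRIVER_ROOT), e.modified))
    return hits


def report(entries: List[Entry]) -> List[str]:
    """One human-readable line per flagged file."""
    return [f"{'DRIVER' if e.path.startswith(DRIVER_ROOT) else 'os    '} "
            f"created {e.created:%Y-%m-%d} modified {e.modified:%Y-%m-%d} "
            f"{e.size:>8} {e.path}"
            for e in touched_os_files(entries)]


if __name__ == "__main__":
    for line in report(parse_find3m(SAMPLE_FIND3M)):
        print(line)
```

On the sample lines the script flags three files: atapi.sys first as a driver, then aclayers.dll and wininet.dll. The two IE/AppPatch files match the KB978207-IE8 update folder that appears in the snapshot section of the same log, which is the kind of reconciliation the flagged list is meant to prompt; atapi.sys is the one GMER reported as modified. The heuristic deliberately says nothing about whether a file is malicious, only that a system file changed long after it was installed and needs an explanation.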


#7 MimiFouchon

MimiFouchon
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:40 PM

Posted 27 January 2010 - 01:47 PM

myrti,

I know I totally messed this up. Ran ComboFix without remembering to kill ZoneAlarm from startup. ComboFix told me it deleted a rootkit virus and then rebooted. Then I got all the ZoneAlarm popups upon starting and didn't know what to do and couldn't get a log so did everything all over again. I know ComboFix deleted files that aren't reflected in this report. There was no necessary reboot on second run.

This is the only system I use to go online. My main system is too critical to take a chance on getting something like what I have. So, I need a clean because of activities going on for next few days. Then I can reformat.

I truly appreciate all the help you've given me. Without it I would just be wallowing. Browser redirect seems to have cleared up. For now....

-------------------------------------------------------------------------------------------------------



ComboFix 10-01-26.06 - SusanAdmin 01/27/2010 13:13:56.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1646 [GMT -5:00]
Running from: c:\documents and settings\SusanAdmin\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\Fonts\MyriadPro-Regular.otf
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\smss32.exe
c:\windows\system32\twain_32.dll
c:\windows\system32\winlogon32.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
.

2010-01-26 23:49 . 2010-01-27 17:16 -------- d-----w- c:\program files\Unlocker
2010-01-26 18:21 . 2010-01-26 18:23 -------- d-----w- C:\gmer
2010-01-23 19:40 . 2010-01-26 23:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-23 19:40 . 2010-01-23 19:40 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-22 19:29 . 2010-01-22 19:29 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-01-22 19:29 . 2010-01-22 19:29 -------- d-----w- c:\documents and settings\SusanAdmin\Local Settings\Application Data\Temp
2010-01-22 19:29 . 2010-01-22 19:32 -------- d-----w- c:\documents and settings\SusanAdmin\Local Settings\Application Data\Google
2010-01-20 03:25 . 2010-01-20 03:25 -------- d-----w- c:\documents and settings\SusanAdmin\Local Settings\Application Data\Apple Computer
2010-01-16 17:39 . 2010-01-16 17:39 -------- d-----w- c:\program files\Trend Micro
2010-01-16 03:18 . 2010-01-16 03:18 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-16 01:42 . 2010-01-16 01:42 52224 ----a-w- c:\documents and settings\SusanAdmin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-16 01:42 . 2010-01-16 01:42 117760 ----a-w- c:\documents and settings\SusanAdmin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-16 01:42 . 2010-01-16 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-16 01:41 . 2010-01-16 01:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-16 01:41 . 2010-01-16 01:41 -------- d-----w- c:\documents and settings\SusanAdmin\Application Data\SUPERAntiSpyware.com
2010-01-16 01:40 . 2010-01-16 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-16 01:24 . 2010-01-24 06:34 -------- d-----w- c:\documents and settings\SusanAdmin\Application Data\Move Networks
2010-01-16 00:25 . 2010-01-16 00:25 -------- d-----w- c:\documents and settings\SusanAdmin\Application Data\FastStone
2010-01-15 00:15 . 2010-01-15 00:15 -------- d-----w- c:\documents and settings\SusanAdmin\Application Data\TweakNow RegCleaner
2010-01-15 00:01 . 2010-01-15 00:01 -------- d-----w- c:\documents and settings\SusanAdmin\Application Data\Malwarebytes
2010-01-12 16:24 . 2010-01-12 16:24 -------- d-----w- c:\documents and settings\SusanAdmin\Application Data\CoffeeCup Software
2010-01-12 04:32 . 2010-01-12 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2010-01-08 19:04 . 2010-01-08 19:04 -------- d-----w- c:\program files\MSECache
2010-01-08 19:03 . 2010-01-08 19:03 53248 ----a-w- c:\documents and settings\SusanAdmin\Application Data\Thinstall\Microsoft Office Enterprise 2007\1000000ff00002h\explorer.exe
2010-01-08 19:01 . 2010-01-08 19:01 53248 ----a-w- c:\documents and settings\SusanAdmin\Application Data\Thinstall\Microsoft Office Enterprise 2007\400000df00002h\firefox.exe
2010-01-08 19:01 . 2010-01-08 19:01 53248 ----a-w- c:\documents and settings\SusanAdmin\Application Data\Thinstall\Microsoft Office Enterprise 2007\300000003f00002h\CLVIEW.EXE
2010-01-08 19:00 . 2010-01-08 19:00 -------- d-----w- c:\documents and settings\SusanAdmin\Application Data\Thinstall
2010-01-08 05:30 . 2010-01-08 05:30 -------- d-----w- c:\program files\SonicWallES
2010-01-08 05:29 . 2010-01-08 05:29 -------- d-----w- c:\documents and settings\SusanAdmin\Local Settings\Application Data\Identities
2010-01-07 19:47 . 2010-01-07 19:56 -------- d-----w- c:\documents and settings\SusanAdmin\Application Data\TeamViewer
2010-01-07 01:12 . 2010-01-07 01:12 -------- d-----w- c:\documents and settings\SusanAdmin\Application Data\SaffronOne
2010-01-07 00:34 . 2010-01-07 00:34 4710 ----a-r- c:\documents and settings\SusanAdmin\Application Data\Microsoft\Installer\{262175AE-A9D9-472B-9FA5-0AAEDADB0B6C}\ARPPRODUCTICON.exe
2010-01-07 00:14 . 2010-01-07 00:14 -------- d-----w- c:\documents and settings\SusanAdmin\Local Settings\Application Data\Mozilla
2010-01-06 21:40 . 2010-01-08 19:20 -------- d-----w- c:\documents and settings\SusanAdmin\Local Settings\Application Data\Adobe
2010-01-06 19:32 . 2010-01-06 19:32 -------- d-----w- c:\documents and settings\SusanAdmin\WINDOWS
2010-01-06 19:32 . 2010-01-06 19:32 -------- d-----w- c:\documents and settings\SusanAdmin\temp
2010-01-06 19:01 . 2010-01-06 20:49 -------- d-----w- c:\documents and settings\SusanAdmin\Downloads
2010-01-06 18:25 . 2010-01-06 18:25 -------- d-sh--w- c:\documents and settings\SusanAdmin\PrivacIE
2010-01-06 18:10 . 2010-01-06 18:10 -------- d-sh--w- c:\documents and settings\Guest\PrivacIE
2010-01-06 04:31 . 2010-01-06 04:31 -------- d-----w- c:\program files\ClamWinPortable
2009-12-30 17:53 . 2009-12-30 17:53 -------- d-----w- c:\windows\Applian FLV Player
2009-12-30 17:53 . 2009-12-30 17:53 -------- d-----w- c:\program files\FLV Player

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-27 18:08 . 2008-10-14 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-27 17:14 . 2009-07-12 17:37 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-26 04:10 . 2009-07-12 03:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-22 19:31 . 2007-08-19 04:49 -------- d-----w- c:\program files\Google
2010-01-16 04:24 . 2008-10-14 04:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-15 00:15 . 2009-12-17 05:10 -------- d-----w- c:\program files\TweakNow RegCleaner
2010-01-08 05:30 . 2010-01-06 18:24 -------- d-----w- c:\documents and settings\SusanAdmin\Application Data\MailFrontier
2010-01-07 21:07 . 2009-07-12 03:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-07-12 03:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 23:53 . 2008-10-14 15:02 -------- d-----w- c:\program files\FastStone Image Viewer
2010-01-06 18:24 . 2010-01-06 18:24 25112 ----a-w- c:\documents and settings\SusanAdmin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-06 18:10 . 2010-01-06 18:10 25112 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-06 04:20 . 2007-08-18 19:59 -------- d-----w- c:\program files\ExtractNow
2010-01-05 23:03 . 2010-01-05 23:07 396800 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-01-05 22:00 . 2007-10-20 01:58 -------- d-----w- c:\program files\Common Files\element5 Shared
2010-01-05 18:53 . 2009-11-27 16:47 -------- d-----w- c:\program files\TeamViewer
2009-12-31 04:17 . 2009-11-22 03:45 -------- d-----w- c:\program files\7-Zip
2009-12-28 05:41 . 2009-12-28 18:15 2825728 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2009-12-21 19:14 . 2004-08-03 23:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-14 05:30 . 2004-08-03 21:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-03 05:32 . 2009-08-28 05:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-27 16:42 . 2009-11-27 16:42 2547069 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-11-21 16:36 . 2004-08-03 23:56 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-17_18.15.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-27 18:03 . 2010-01-27 18:03 16384 c:\windows\Temp\Perflib_Perfdata_1a8.dat
+ 2010-01-27 17:22 . 2010-01-27 17:22 15573 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0003.dat
+ 2010-01-27 17:22 . 2010-01-27 17:22 56360 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0002.dat
+ 2009-12-04 16:29 . 2010-01-27 17:02 62754 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0009.dat
+ 2009-11-06 16:17 . 2010-01-21 19:33 77763 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0008.dat
+ 2009-11-06 16:17 . 2010-01-21 19:33 74445 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0007.dat
+ 2009-11-06 16:17 . 2010-01-21 19:33 69815 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0006.dat
+ 2009-11-06 16:17 . 2010-01-21 19:33 71053 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0005.dat
+ 2009-11-06 16:17 . 2010-01-21 19:33 80939 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0004.dat
+ 2009-11-06 16:17 . 2010-01-21 19:33 76120 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0003.dat
+ 2009-11-06 16:17 . 2010-01-21 19:33 90122 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0002.dat
- 2009-11-06 16:17 . 2009-11-09 15:48 90122 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0002.dat
- 2009-11-06 16:17 . 2009-11-09 15:48 90107 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0001.dat
+ 2009-11-06 16:17 . 2010-01-21 19:33 90107 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0001.dat
+ 2009-11-06 16:15 . 2010-01-14 17:38 51228 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\blst\bl0015.dat
+ 2009-11-06 16:15 . 2010-01-27 17:22 15701 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0003.dat
+ 2009-11-06 16:15 . 2010-01-27 17:22 56336 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0002.dat
+ 2009-11-06 16:15 . 2010-01-27 17:02 54518 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0001.dat
+ 2009-12-04 16:29 . 2010-01-27 17:02 62754 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0009.dat
+ 2009-11-06 16:17 . 2010-01-21 19:33 77763 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0008.dat
+ 2009-11-06 16:04 . 2010-01-21 19:33 74445 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0007.dat
+ 2009-11-06 16:04 . 2010-01-21 19:33 69815 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0006.dat
+ 2009-11-06 16:04 . 2010-01-21 19:33 71053 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0005.dat
+ 2009-11-06 16:04 . 2010-01-21 19:33 80939 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0004.dat
+ 2009-11-06 16:04 . 2010-01-21 19:33 76120 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0003.dat
- 2009-11-06 16:04 . 2009-11-09 15:49 90122 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0002.dat
+ 2009-11-06 16:04 . 2010-01-21 19:33 90122 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0002.dat
- 2009-11-06 16:04 . 2009-11-09 15:49 90107 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0001.dat
+ 2009-11-06 16:04 . 2010-01-21 19:33 90107 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0001.dat
+ 2009-11-06 16:17 . 2010-01-14 17:38 51228 c:\windows\system32\ZoneLabs\avsys\bases\bl0015.dat
+ 2009-11-06 16:03 . 2010-01-27 17:22 15701 c:\windows\system32\ZoneLabs\avsys\bases\apu0003.dat
+ 2009-11-06 16:03 . 2010-01-27 17:22 56336 c:\windows\system32\ZoneLabs\avsys\bases\apu0002.dat
+ 2009-11-06 16:03 . 2010-01-27 17:02 54518 c:\windows\system32\ZoneLabs\avsys\bases\apu0001.dat
- 2001-08-23 07:00 . 2009-12-13 21:32 71162 c:\windows\system32\perfc009.dat
+ 2001-08-23 07:00 . 2010-01-06 16:46 71162 c:\windows\system32\perfc009.dat
+ 2006-11-08 01:03 . 2009-12-21 19:14 55296 c:\windows\system32\msfeedsbs.dll
- 2006-11-08 01:03 . 2009-10-29 07:45 55296 c:\windows\system32\msfeedsbs.dll
+ 2008-01-23 16:58 . 2009-12-18 19:15 85019 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2004-08-03 23:56 . 2009-10-29 07:45 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-03 23:56 . 2009-12-21 19:14 25600 c:\windows\system32\jsproxy.dll
+ 2001-08-23 07:00 . 2009-10-15 17:21 82432 c:\windows\system32\fontsub.dll
- 2001-08-23 07:00 . 2009-06-16 14:55 82432 c:\windows\system32\fontsub.dll
- 2009-08-27 16:15 . 2009-10-29 07:45 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-08-27 16:15 . 2009-12-21 19:14 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2007-06-27 14:34 . 2009-12-21 19:14 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-06-27 14:34 . 2009-10-29 07:45 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2004-08-03 23:56 . 2009-12-21 19:14 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2004-08-03 23:56 . 2009-10-29 07:45 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2001-08-23 07:00 . 2009-06-16 14:55 82432 c:\windows\system32\dllcache\fontsub.dll
+ 2001-08-23 07:00 . 2009-10-15 17:21 82432 c:\windows\system32\dllcache\fontsub.dll
+ 2010-01-25 00:16 . 2010-01-24 23:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012010012420100125\index.dat
+ 2010-01-23 05:10 . 2010-01-23 17:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012010012320100124\index.dat
+ 2010-01-21 18:31 . 2010-01-21 16:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012010012120100122\index.dat
+ 2010-01-21 00:17 . 2010-01-20 19:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012010012020100121\index.dat
+ 2010-01-21 00:17 . 2010-01-20 19:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012010011120100118\index.dat
+ 2007-08-18 00:36 . 2010-01-27 17:16 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-08-18 00:36 . 2009-12-17 17:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-12-12 02:59 . 2010-01-24 19:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\index.dat
- 2009-12-12 02:59 . 2009-12-14 06:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2009-12-10 18:15 . 2010-01-27 17:16 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-12-10 18:15 . 2009-12-17 17:20 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2010-01-14 20:41 . 2010-01-27 17:16 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-08-18 00:36 . 2009-12-17 17:20 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-12-14 00:25 . 2010-01-27 00:30 32768 c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
- 2009-12-14 00:25 . 2009-12-15 19:59 32768 c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
+ 2010-01-20 21:04 . 2010-01-26 05:37 66123 c:\windows\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\UserCache.bin
+ 2010-01-22 19:29 . 2010-01-22 19:29 22528 c:\windows\Installer\e8230.msi
+ 2010-01-16 01:41 . 2010-01-16 01:41 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2010-01-16 01:41 . 2010-01-16 01:41 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2010-01-22 19:32 . 2010-01-22 19:32 25214 c:\windows\Installer\{C084BC61-E537-11DE-8616-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2010-01-22 19:32 . 2010-01-22 19:32 25214 c:\windows\Installer\{C084BC61-E537-11DE-8616-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-01-22 19:32 . 2010-01-22 19:32 25214 c:\windows\Installer\{C084BC61-E537-11DE-8616-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-01-22 19:32 . 2010-01-22 19:32 25214 c:\windows\Installer\{C084BC61-E537-11DE-8616-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-01-22 19:32 . 2010-01-22 19:32 25214 c:\windows\Installer\{C084BC61-E537-11DE-8616-005056806466}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-01-22 19:32 . 2010-01-22 19:32 25214 c:\windows\Installer\{C084BC61-E537-11DE-8616-005056806466}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-01-22 19:32 . 2010-01-22 19:32 25214 c:\windows\Installer\{C084BC61-E537-11DE-8616-005056806466}\ARPPRODUCTICON.exe
+ 2010-01-08 19:05 . 2010-01-08 19:05 35088 c:\windows\Installer\{90120000-00B2-0409-0000-0000000FF1CE}\expxic.exe
+ 2007-08-18 20:31 . 2010-01-14 06:52 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-08-18 20:31 . 2009-12-10 18:18 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-08-18 20:31 . 2009-12-10 18:18 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-08-18 20:31 . 2010-01-14 06:52 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-08-18 20:31 . 2009-12-10 18:18 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-08-18 20:31 . 2010-01-14 06:52 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-08-18 20:31 . 2010-01-14 06:52 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-08-18 20:31 . 2009-12-10 18:18 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-08-18 20:31 . 2010-01-14 06:52 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2007-08-18 20:31 . 2009-12-10 18:18 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-08-18 20:31 . 2010-01-14 06:52 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-08-18 20:31 . 2009-12-10 18:18 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2010-01-23 05:27 . 2009-10-29 07:45 12800 c:\windows\ie8updates\KB978207-IE8\xpshims.dll
+ 2010-01-23 05:27 . 2009-10-29 07:45 55296 c:\windows\ie8updates\KB978207-IE8\msfeedsbs.dll
+ 2010-01-23 05:27 . 2009-10-29 07:45 25600 c:\windows\ie8updates\KB978207-IE8\jsproxy.dll
+ 2010-01-12 16:10 . 2010-01-19 19:49 6531 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\blst\bl0016.dat
+ 2010-01-12 16:10 . 2010-01-19 19:49 6531 c:\windows\system32\ZoneLabs\avsys\bases\bl0016.dat
+ 2008-03-15 00:19 . 2010-01-16 06:03 8628 c:\windows\system32\Restore\rstrlog.dat
+ 2010-01-16 01:41 . 2010-01-16 01:41 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2007-08-18 20:31 . 2010-01-14 06:52 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-08-18 20:31 . 2009-12-10 18:18 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-07-16 04:45 . 2010-01-06 00:02 121344 c:\windows\system32\ZoneLabs\zlqrtdb.dat
- 2004-08-03 23:56 . 2009-06-16 14:55 119808 c:\windows\system32\t2embed.dll
+ 2004-08-03 23:56 . 2009-10-16 03:51 119808 c:\windows\system32\t2embed.dll
- 2001-08-23 07:00 . 2009-12-13 21:32 442618 c:\windows\system32\perfh009.dat
+ 2001-08-23 07:00 . 2010-01-06 16:46 442618 c:\windows\system32\perfh009.dat
+ 2004-08-03 23:56 . 2009-12-21 19:14 206848 c:\windows\system32\occache.dll
- 2004-08-03 23:56 . 2009-10-29 07:45 206848 c:\windows\system32\occache.dll
- 2006-11-08 01:03 . 2009-10-29 07:45 594432 c:\windows\system32\msfeeds.dll
+ 2006-11-08 01:03 . 2009-12-21 19:14 594432 c:\windows\system32\msfeeds.dll
+ 2009-10-28 03:31 . 2009-10-28 03:31 257440 c:\windows\system32\Macromed\Flash\FlashUtil10d.exe
- 2004-08-03 23:56 . 2009-10-29 07:45 184320 c:\windows\system32\iepeers.dll
+ 2004-08-03 23:56 . 2009-12-21 19:14 184320 c:\windows\system32\iepeers.dll
+ 2004-08-03 23:56 . 2009-12-21 19:14 387584 c:\windows\system32\iedkcs32.dll
- 2004-08-03 23:56 . 2009-10-29 07:45 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-03 23:56 . 2009-12-21 13:19 173056 c:\windows\system32\ie4uinit.exe
- 2004-08-03 23:56 . 2009-10-28 14:40 173056 c:\windows\system32\ie4uinit.exe
+ 2004-08-03 23:56 . 2009-12-21 19:14 916480 c:\windows\system32\dllcache\wininet.dll
- 2004-08-03 23:56 . 2009-10-29 07:45 916480 c:\windows\system32\dllcache\wininet.dll
+ 2004-08-03 23:56 . 2009-10-16 03:51 119808 c:\windows\system32\dllcache\t2embed.dll
- 2004-08-03 23:56 . 2009-06-16 14:55 119808 c:\windows\system32\dllcache\t2embed.dll
- 2004-08-03 23:56 . 2009-10-29 07:45 206848 c:\windows\system32\dllcache\occache.dll
+ 2004-08-03 23:56 . 2009-12-21 19:14 206848 c:\windows\system32\dllcache\occache.dll
+ 2007-06-27 14:34 . 2009-12-21 19:14 594432 c:\windows\system32\dllcache\msfeeds.dll
- 2007-06-27 14:34 . 2009-10-29 07:45 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-08-27 16:15 . 2009-12-21 19:14 246272 c:\windows\system32\dllcache\ieproxy.dll
- 2009-08-27 16:15 . 2009-10-29 07:45 246272 c:\windows\system32\dllcache\ieproxy.dll
- 2004-08-03 23:56 . 2009-10-29 07:45 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-03 23:56 . 2009-12-21 19:14 184320 c:\windows\system32\dllcache\iepeers.dll
- 2004-08-03 23:56 . 2009-10-29 07:45 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-03 23:56 . 2009-12-21 19:14 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-03 23:56 . 2009-12-21 13:19 173056 c:\windows\system32\dllcache\ie4uinit.exe
- 2004-08-03 23:56 . 2009-10-28 14:40 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2004-08-03 23:56 . 2009-11-21 16:36 470528 c:\windows\system32\dllcache\aclayers.dll
+ 2010-01-07 00:34 . 2010-01-07 00:34 983040 c:\windows\Installer\f39d6.msi
+ 2010-01-08 19:05 . 2010-01-08 19:05 124928 c:\windows\Installer\65120b.msi
+ 2009-07-22 18:12 . 2010-01-08 21:27 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe
- 2009-07-22 18:12 . 2009-10-21 17:58 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe
- 2007-08-18 20:31 . 2009-12-10 18:18 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-08-18 20:31 . 2010-01-14 06:52 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-08-18 20:31 . 2010-01-14 06:52 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-08-18 20:31 . 2009-12-10 18:18 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-08-18 20:31 . 2009-12-10 18:18 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-08-18 20:31 . 2010-01-14 06:52 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-08-18 20:31 . 2010-01-14 06:52 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-08-18 20:31 . 2009-12-10 18:18 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-08-18 20:31 . 2010-01-14 06:52 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-08-18 20:31 . 2009-12-10 18:18 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-08-18 20:31 . 2010-01-14 06:52 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-08-18 20:31 . 2009-12-10 18:18 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2010-01-23 05:27 . 2009-10-29 07:45 916480 c:\windows\ie8updates\KB978207-IE8\wininet.dll
+ 2010-01-23 05:27 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB978207-IE8\spuninst\updspapi.dll
+ 2010-01-23 05:27 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB978207-IE8\spuninst\spuninst.exe
+ 2010-01-23 05:27 . 2009-10-29 07:45 206848 c:\windows\ie8updates\KB978207-IE8\occache.dll
+ 2010-01-23 05:27 . 2009-10-29 07:45 594432 c:\windows\ie8updates\KB978207-IE8\msfeeds.dll
+ 2010-01-23 05:27 . 2009-10-29 07:45 246272 c:\windows\ie8updates\KB978207-IE8\ieproxy.dll
+ 2010-01-23 05:27 . 2009-10-29 07:45 184320 c:\windows\ie8updates\KB978207-IE8\iepeers.dll
+ 2010-01-23 05:27 . 2009-10-29 07:45 387584 c:\windows\ie8updates\KB978207-IE8\iedkcs32.dll
+ 2010-01-23 05:27 . 2009-10-28 14:40 173056 c:\windows\ie8updates\KB978207-IE8\ie4uinit.exe
+ 2009-12-30 17:53 . 2009-12-30 17:53 473600 c:\windows\Applian FLV Player\uninstall.exe
+ 2004-08-03 23:56 . 2009-12-21 19:14 1208832 c:\windows\system32\urlmon.dll
- 2004-08-03 23:56 . 2009-10-29 07:45 1208832 c:\windows\system32\urlmon.dll
+ 2004-08-03 23:56 . 2009-12-21 19:14 5942784 c:\windows\system32\mshtml.dll
- 2006-10-17 15:57 . 2009-10-29 07:45 1985536 c:\windows\system32\iertutil.dll
+ 2006-10-17 15:57 . 2009-12-21 19:14 1985536 c:\windows\system32\iertutil.dll
- 2004-08-03 23:56 . 2009-10-29 07:45 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-03 23:56 . 2009-12-21 19:14 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-03 23:56 . 2009-12-21 19:14 5942784 c:\windows\system32\dllcache\mshtml.dll
- 2007-06-27 14:34 . 2009-10-29 07:45 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2007-06-27 14:34 . 2009-12-21 19:14 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2010-01-22 19:32 . 2010-01-22 19:32 1262080 c:\windows\Installer\e8237.msi
+ 2010-01-08 21:27 . 2010-01-08 21:27 1711616 c:\windows\Installer\e79e7e.msp
+ 2009-12-11 15:29 . 2009-12-11 15:29 5521408 c:\windows\Installer\2c29593.msp
+ 2009-12-17 03:58 . 2009-12-17 03:58 5382144 c:\windows\Installer\216a21c.msp
+ 2010-01-16 01:41 . 2010-01-16 01:41 1583616 c:\windows\Installer\1ad3600.msi
+ 2010-01-23 05:27 . 2009-10-29 07:45 1208832 c:\windows\ie8updates\KB978207-IE8\urlmon.dll
+ 2010-01-23 05:27 . 2009-10-29 07:45 5940736 c:\windows\ie8updates\KB978207-IE8\mshtml.dll
+ 2010-01-23 05:27 . 2009-10-29 07:45 1985536 c:\windows\ie8updates\KB978207-IE8\iertutil.dll
+ 2009-10-28 01:31 . 2009-10-28 01:31 1956816 c:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
+ 2007-08-18 05:42 . 2010-01-05 00:17 29634504 c:\windows\system32\MRT.exe
+ 2006-11-08 01:03 . 2009-12-21 19:14 11070464 c:\windows\system32\ieframe.dll
+ 2007-06-27 14:34 . 2009-12-21 19:14 11070464 c:\windows\system32\dllcache\ieframe.dll
+ 2010-01-20 21:06 . 2010-01-20 21:06 35353088 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe\Updater5\Install\reader8rdr-en_US\AdbeRdr820_en_US.msi
+ 2010-01-23 05:27 . 2009-10-29 07:45 11069952 c:\windows\ie8updates\KB978207-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-17 7561216]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-03-13 13:57 221184 ----a-w- c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 23:56 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
2006-03-30 22:47 421888 ----a-w- c:\acer\Empowering Technology\ePower\ePower_DMC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISW]
2009-10-14 13:30 730480 ----a-w- c:\program files\CheckPoint\ZAForceField\ForceField.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-03-17 18:16 7561216 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-01-10 20:27 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-01-09 20:25 16859648 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-01-05 12:56 2002160 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\Smith Micro\\Poser Pro\\PoserPro.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 8:30 AM 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 8:30 AM 476528]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/22/2010 2:29 PM 135664]
S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\DRIVERS\lv321av.sys --> c:\windows\system32\DRIVERS\lv321av.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2007-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]

2010-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-22 19:28]

2009-07-17 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-07-17 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&t=0
FF - ProfilePath - c:\documents and settings\SusanAdmin\Application Data\Mozilla\Firefox\Profiles\cqpv4k61.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&t=0
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\Susan\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Susan\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
MSConfigStartUp-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

- - - - - - - > 'explorer.exe'(712)
c:\windows\system32\WININET.dll
c:\program files\Stardock\Object Desktop\IconPackager\shellext.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Stardock\Object Desktop\EnhancedDialog\enhdlginit.dll
c:\program files\Stardock\Object Desktop\IconPackager\iprepair.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-27 13:19:41
ComboFix-quarantined-files.txt 2010-01-27 18:19
ComboFix2.txt 2009-12-17 18:42
ComboFix3.txt 2009-12-17 18:18

Pre-Run: 22,854,795,264 bytes free
Post-Run: 22,817,857,536 bytes free

- - End Of File - - 6912D3BC55B7FB7C941B5CC5C0ED0436

#8 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 29 January 2010 - 11:18 AM

Hi,

It seems ComboFix did not take out the infection; please try running TDSSKiller instead:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 MimiFouchon (Topic Starter, Members, 5 posts)

Posted 30 January 2010 - 04:50 PM

I know it takes a while to get a clean system, but I was getting frantic thinking that my only online system was still hosting a backdoor trojan.

Anyway, I downloaded Avira and ran a scan in Safe Mode. Avira found 15 Trojans and quarantined them. After that I ran TDSSKiller and got the following log.

----------------------------------------------
13:09:41:625 1248 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
13:09:41:625 1248 ================================================================================
13:09:41:625 1248 SystemInfo:

13:09:41:625 1248 OS Version: 5.1.2600 ServicePack: 2.0
13:09:41:625 1248 Product type: Workstation
13:09:41:625 1248 ComputerName: BAD-DOGGIE
13:09:41:625 1248 UserName: SusanAdmin
13:09:41:625 1248 Windows directory: C:\WINDOWS
13:09:41:625 1248 Processor architecture: Intel x86
13:09:41:625 1248 Number of processors: 2
13:09:41:625 1248 Page size: 0x1000
13:09:41:625 1248 Boot type: Normal boot
13:09:41:625 1248 ================================================================================
13:09:41:640 1248 UnloadDriverW: NtUnloadDriver error 2
13:09:41:640 1248 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
13:09:41:640 1248 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
13:09:41:640 1248 UtilityInit: KLMD drop and load success
13:09:41:640 1248 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
13:09:41:640 1248 UtilityInit: KLMD open success
13:09:41:640 1248 UtilityInit: Initialize success
13:09:41:640 1248
13:09:41:640 1248 Scanning Services ...
13:09:41:640 1248 CreateRegParser: Registry parser init started
13:09:41:640 1248 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
13:09:41:640 1248 CreateRegParser: DisableWow64Redirection error
13:09:41:640 1248 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
13:09:41:640 1248 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
13:09:41:640 1248 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:09:41:640 1248 wfopen_ex: Trying to KLMD file open
13:09:41:640 1248 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
13:09:41:640 1248 wfopen_ex: File opened ok (Flags 2)
13:09:41:640 1248 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 9C4928
13:09:41:640 1248 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
13:09:41:640 1248 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
13:09:41:640 1248 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:09:41:640 1248 wfopen_ex: Trying to KLMD file open
13:09:41:640 1248 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
13:09:41:640 1248 wfopen_ex: File opened ok (Flags 2)
13:09:41:640 1248 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 9C49D0
13:09:41:640 1248 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
13:09:41:640 1248 CreateRegParser: EnableWow64Redirection error
13:09:41:640 1248 CreateRegParser: RegParser init completed
13:09:41:765 1248 GetAdvancedServicesInfo: Raw services enum returned 368 services
13:09:41:765 1248 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
13:09:41:765 1248 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
13:09:41:765 1248
13:09:41:765 1248 Scanning Kernel memory ...
13:09:41:765 1248 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
13:09:41:765 1248 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A4ED338
13:09:41:765 1248 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
13:09:41:765 1248
13:09:41:765 1248 DetectCureTDL3: DEVICE_OBJECT: 8A4DFC68
13:09:41:765 1248 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A4DFC68
13:09:41:765 1248 KLMD_ReadMem: Trying to ReadMemory 0x8A4DFC68[0x38]
13:09:41:765 1248 DetectCureTDL3: DRIVER_OBJECT: 8A4ED338
13:09:41:765 1248 KLMD_ReadMem: Trying to ReadMemory 0x8A4ED338[0xA8]
13:09:41:765 1248 KLMD_ReadMem: Trying to ReadMemory 0xE101F840[0x18]
13:09:41:765 1248 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
13:09:41:765 1248 DetectCureTDL3: IrpHandler (0) addr: F765DC30
13:09:41:765 1248 DetectCureTDL3: IrpHandler (1) addr: 804F9709
13:09:41:765 1248 DetectCureTDL3: IrpHandler (2) addr: F765DC30
13:09:41:765 1248 DetectCureTDL3: IrpHandler (3) addr: F7657D9B
13:09:41:765 1248 DetectCureTDL3: IrpHandler (4) addr: F7657D9B
13:09:41:765 1248 DetectCureTDL3: IrpHandler (5) addr: 804F9709
13:09:41:765 1248 DetectCureTDL3: IrpHandler (6) addr: 804F9709
13:09:41:765 1248 DetectCureTDL3: IrpHandler (7) addr: 804F9709
13:09:41:765 1248 DetectCureTDL3: IrpHandler (8) addr: 804F9709
13:09:41:765 1248 DetectCureTDL3: IrpHandler (9) addr: F7658366
13:09:41:765 1248 DetectCureTDL3: IrpHandler (10) addr: 804F9709
13:09:41:765 1248 DetectCureTDL3: IrpHandler (11) addr: 804F9709
13:09:41:765 1248 DetectCureTDL3: IrpHandler (12) addr: 804F9709
13:09:41:765 1248 DetectCureTDL3: IrpHandler (13) addr: 804F9709
13:09:41:765 1248 DetectCureTDL3: IrpHandler (14) addr: F765844D
13:09:41:765 1248 DetectCureTDL3: IrpHandler (15) addr: F765BFC3
13:09:41:765 1248 DetectCureTDL3: IrpHandler (16) addr: F7658366
13:09:41:765 1248 DetectCureTDL3: IrpHandler (17) addr: 804F9709
13:09:41:765 1248 DetectCureTDL3: IrpHandler (18) addr: 804F9709
13:09:41:765 1248 DetectCureTDL3: IrpHandler (19) addr: 804F9709
13:09:41:765 1248 DetectCureTDL3: IrpHandler (20) addr: 804F9709
13:09:41:765 1248 DetectCureTDL3: IrpHandler (21) addr: 804F9709
13:09:41:765 1248 DetectCureTDL3: IrpHandler (22) addr: F7659EF3
13:09:41:765 1248 DetectCureTDL3: IrpHandler (23) addr: F765EA24
13:09:41:765 1248 DetectCureTDL3: IrpHandler (24) addr: 804F9709
13:09:41:765 1248 DetectCureTDL3: IrpHandler (25) addr: 804F9709
13:09:41:765 1248 DetectCureTDL3: IrpHandler (26) addr: 804F9709
13:09:41:765 1248 TDL3_FileDetect: Processing driver: Disk
13:09:41:765 1248 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
13:09:41:765 1248 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
13:09:41:781 1248 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
13:09:41:781 1248
13:09:41:781 1248 DetectCureTDL3: DEVICE_OBJECT: 8A4E2C68
13:09:41:781 1248 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A4E2C68
13:09:41:781 1248 KLMD_ReadMem: Trying to ReadMemory 0x8A4E2C68[0x38]
13:09:41:781 1248 DetectCureTDL3: DRIVER_OBJECT: 8A4ED338
13:09:41:781 1248 KLMD_ReadMem: Trying to ReadMemory 0x8A4ED338[0xA8]
13:09:41:781 1248 KLMD_ReadMem: Trying to ReadMemory 0xE101F840[0x18]
13:09:41:781 1248 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
13:09:41:781 1248 DetectCureTDL3: IrpHandler (0) addr: F765DC30
13:09:41:781 1248 DetectCureTDL3: IrpHandler (1) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (2) addr: F765DC30
13:09:41:781 1248 DetectCureTDL3: IrpHandler (3) addr: F7657D9B
13:09:41:781 1248 DetectCureTDL3: IrpHandler (4) addr: F7657D9B
13:09:41:781 1248 DetectCureTDL3: IrpHandler (5) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (6) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (7) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (8) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (9) addr: F7658366
13:09:41:781 1248 DetectCureTDL3: IrpHandler (10) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (11) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (12) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (13) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (14) addr: F765844D
13:09:41:781 1248 DetectCureTDL3: IrpHandler (15) addr: F765BFC3
13:09:41:781 1248 DetectCureTDL3: IrpHandler (16) addr: F7658366
13:09:41:781 1248 DetectCureTDL3: IrpHandler (17) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (18) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (19) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (20) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (21) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (22) addr: F7659EF3
13:09:41:781 1248 DetectCureTDL3: IrpHandler (23) addr: F765EA24
13:09:41:781 1248 DetectCureTDL3: IrpHandler (24) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (25) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (26) addr: 804F9709
13:09:41:781 1248 TDL3_FileDetect: Processing driver: Disk
13:09:41:781 1248 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
13:09:41:781 1248 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
13:09:41:781 1248 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
13:09:41:781 1248
13:09:41:781 1248 DetectCureTDL3: DEVICE_OBJECT: 8A4E9AB8
13:09:41:781 1248 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A4E9AB8
13:09:41:781 1248 DetectCureTDL3: DEVICE_OBJECT: 8A5C1D80
13:09:41:781 1248 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A5C1D80
13:09:41:781 1248 DetectCureTDL3: DEVICE_OBJECT: 8A594D98
13:09:41:781 1248 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A594D98
13:09:41:781 1248 KLMD_ReadMem: Trying to ReadMemory 0x8A594D98[0x38]
13:09:41:781 1248 DetectCureTDL3: DRIVER_OBJECT: 8A599C28
13:09:41:781 1248 KLMD_ReadMem: Trying to ReadMemory 0x8A599C28[0xA8]
13:09:41:781 1248 KLMD_ReadMem: Trying to ReadMemory 0xE1024A90[0x1A]
13:09:41:781 1248 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
13:09:41:781 1248 DetectCureTDL3: IrpHandler (0) addr: F7486572
13:09:41:781 1248 DetectCureTDL3: IrpHandler (1) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (2) addr: F7486572
13:09:41:781 1248 DetectCureTDL3: IrpHandler (3) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (4) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (5) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (6) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (7) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (8) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (9) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (10) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (11) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (12) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (13) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (14) addr: F7486592
13:09:41:781 1248 DetectCureTDL3: IrpHandler (15) addr: F74827B4
13:09:41:781 1248 DetectCureTDL3: IrpHandler (16) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (17) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (18) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (19) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (20) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (21) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (22) addr: F74865BC
13:09:41:781 1248 DetectCureTDL3: IrpHandler (23) addr: F748D164
13:09:41:781 1248 DetectCureTDL3: IrpHandler (24) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (25) addr: 804F9709
13:09:41:781 1248 DetectCureTDL3: IrpHandler (26) addr: 804F9709
13:09:41:781 1248 KLMD_ReadMem: Trying to ReadMemory 0xF74837C6[0x400]
13:09:41:781 1248 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
13:09:41:781 1248 TDL3_FileDetect: Processing driver: atapi
13:09:41:781 1248 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
13:09:41:781 1248 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
13:09:41:812 1248 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
13:09:41:812 1248
13:09:41:812 1248 DetectCureTDL3: DEVICE_OBJECT: 8A4EBA38
13:09:41:812 1248 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A4EBA38
13:09:41:812 1248 DetectCureTDL3: DEVICE_OBJECT: 8A59A7E0
13:09:41:812 1248 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A59A7E0
13:09:41:812 1248 DetectCureTDL3: DEVICE_OBJECT: 8A4EAD98
13:09:41:812 1248 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A4EAD98
13:09:41:812 1248 KLMD_ReadMem: Trying to ReadMemory 0x8A4EAD98[0x38]
13:09:41:812 1248 DetectCureTDL3: DRIVER_OBJECT: 8A599C28
13:09:41:812 1248 KLMD_ReadMem: Trying to ReadMemory 0x8A599C28[0xA8]
13:09:41:812 1248 KLMD_ReadMem: Trying to ReadMemory 0xE1024A90[0x1A]
13:09:41:812 1248 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
13:09:41:812 1248 DetectCureTDL3: IrpHandler (0) addr: F7486572
13:09:41:812 1248 DetectCureTDL3: IrpHandler (1) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (2) addr: F7486572
13:09:41:812 1248 DetectCureTDL3: IrpHandler (3) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (4) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (5) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (6) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (7) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (8) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (9) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (10) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (11) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (12) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (13) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (14) addr: F7486592
13:09:41:812 1248 DetectCureTDL3: IrpHandler (15) addr: F74827B4
13:09:41:812 1248 DetectCureTDL3: IrpHandler (16) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (17) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (18) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (19) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (20) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (21) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (22) addr: F74865BC
13:09:41:812 1248 DetectCureTDL3: IrpHandler (23) addr: F748D164
13:09:41:812 1248 DetectCureTDL3: IrpHandler (24) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (25) addr: 804F9709
13:09:41:812 1248 DetectCureTDL3: IrpHandler (26) addr: 804F9709
13:09:41:812 1248 KLMD_ReadMem: Trying to ReadMemory 0xF74837C6[0x400]
13:09:41:812 1248 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
13:09:41:812 1248 TDL3_FileDetect: Processing driver: atapi
13:09:41:812 1248 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
13:09:41:812 1248 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
13:09:41:812 1248 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
13:09:41:812 1248
13:09:41:812 1248 Completed
13:09:41:812 1248
13:09:41:812 1248 Results:
13:09:41:812 1248 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
13:09:41:812 1248 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:09:41:812 1248 File objects infected / cured / cured on reboot: 0 / 0 / 0
13:09:41:812 1248
13:09:41:812 1248 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
13:09:41:812 1248 UtilityDeinit: KLMD(ARK) unloaded successfully
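
The "DetectCureTDL3" block in the log above is TDSSKiller walking the IRP dispatch table of each driver object under \Driver\Disk and \Driver\atapi and checking where the 27 handler slots point: TDL3 hid itself by replacing atapi's handler for the SCSI request path with code it had dropped into kernel pool memory. The following script is an added example, not part of this thread or of TDSSKiller, that parses log lines in exactly this format and applies a simplified version of that check. It assumes that the address filling most slots is the kernel's stub for unimplemented majors (804F9709 here), that a driver's real handlers all sit inside one image and therefore within 64 KiB of each other (a chosen threshold, not one TDSSKiller uses), and it builds its own sample: the clean atapi table copied from the log plus a constructed hooked variant whose slot 15 points at a made-up address, 8A5C1F00.

```python
import re
from collections import Counter

# IRP major function codes from wdm.h, indexed by the number TDSSKiller prints
# after "IrpHandler" (0 = IRP_MJ_CREATE ... 27 = IRP_MJ_PNP).
IRP_MJ = (
    "CREATE", "CREATE_NAMED_PIPE", "CLOSE", "READ", "WRITE",
    "QUERY_INFORMATION", "SET_INFORMATION", "QUERY_EA", "SET_EA",
    "FLUSH_BUFFERS", "QUERY_VOLUME_INFORMATION", "SET_VOLUME_INFORMATION",
    "DIRECTORY_CONTROL", "FILE_SYSTEM_CONTROL", "DEVICE_CONTROL",
    "INTERNAL_DEVICE_CONTROL", "SHUTDOWN", "LOCK_CONTROL", "CLEANUP",
    "CREATE_MAILSLOT", "QUERY_SECURITY", "SET_SECURITY", "POWER",
    "SYSTEM_CONTROL", "DEVICE_CHANGE", "QUERY_QUOTA", "SET_QUOTA", "PNP",
)

DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: \S+, Driver Name: (\S+)")
HANDLER_RE = re.compile(r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")


def parse_dispatch_tables(log_text):
    """Return [(driver_name, {irp_index: handler_address}), ...] in log order.

    Each "DRIVER_OBJECT name:" line opens a new table; the IrpHandler lines
    after it belong to that table until the next DRIVER_OBJECT line.  A driver
    appears once per device object it owns, exactly as in the posted log.
    """
    tables = []
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            tables.append((m.group(1), {}))
            continue
        m = HANDLER_RE.search(line)
        if m and tables:
            tables[-1][1][int(m.group(1))] = int(m.group(2), 16)
    return tables


def find_dispatch_outliers(handlers, max_span=0x10000):
    """Return {irp_index: address} for handlers far from the driver's own code.

    The address filling most slots is the kernel's stub for unimplemented
    majors (804F9709 on the box in the log) and is skipped.  The remaining
    handlers are expected to live inside one driver image, so each is
    compared with the median real handler; anything more than max_span bytes
    away (assumption: 64 KiB, generous for disk.sys and atapi.sys) is
    reported.  A TDL3-style hook pointing a major into a pool buffer at
    8Axxxxxx stands out from handlers clustered at F74xxxxx.
    """
    if not handlers:
        return {}
    default_addr = Counter(handlers.values()).most_common(1)[0][0]
    real = {i: a for i, a in handlers.items() if a != default_addr}
    if not real:
        return {}
    addrs = sorted(real.values())
    anchor = addrs[len(addrs) // 2]
    return {i: a for i, a in real.items() if abs(a - anchor) > max_span}


def report(log_text):
    """Map every driver occurrence to its suspicious {IRP_MJ name: hex address}."""
    return [
        (name, {IRP_MJ[i]: f"{a:08X}" for i, a in find_dispatch_outliers(h).items()})
        for name, h in parse_dispatch_tables(log_text)
    ]


def render_table(driver, real_handlers, default=0x804F9709, stamp="13:09:41:781 1248"):
    """Constructed helper: emit one DRIVER_OBJECT block in TDSSKiller's log format."""
    lines = [f"{stamp} DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\{driver}, Driver Name: {driver}"]
    for i in range(27):  # the posted log prints slots 0..26
        lines.append(f"{stamp} DetectCureTDL3: IrpHandler ({i}) addr: {real_handlers.get(i, default):08X}")
    return "\n".join(lines)


# Real atapi handlers copied from the log above (all other slots hold 804F9709).
ATAPI_CLEAN = {0: 0xF7486572, 2: 0xF7486572, 14: 0xF7486592,
               15: 0xF74827B4, 22: 0xF74865BC, 23: 0xF748D164}
# Constructed infected variant: IRP_MJ_INTERNAL_DEVICE_CONTROL (the SCSI
# request path TDL3 hooked) redirected to a made-up nonpaged-pool address.
ATAPI_HOOKED = {**ATAPI_CLEAN, 15: 0x8A5C1F00}

SAMPLE_LOG = "\n".join([render_table("atapi", ATAPI_CLEAN),
                        render_table("atapi", ATAPI_HOOKED)])

if __name__ == "__main__":
    for name, bad in report(SAMPLE_LOG):
        print(name, "clean" if not bad else f"suspicious handlers: {bad}")
```

Run against the full log posted above, every Disk and atapi table clusters in the F765xxxx and F748xxxx ranges and nothing is flagged, which matches TDSSKiller's 0 / 0 / 0 result. The heuristic only catches hooks that leave the driver image; an inline patch inside the image, a hooked StartIo routine (the "TDL3_StartIoHookDetect" line in the log) or a file-level infection would be missed, which is why TDSSKiller also reads the driver's bytes at the StartIo address and gives each .sys file on disk its own verdict.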


#10 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 05 February 2010 - 07:52 AM

Hi,

could you please provide a log from the scan you did with Avira? Are you still getting redirected?

regards myrti



#11 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 20 February 2010 - 08:31 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti
