
Infected with: GenPack:Trojan.Spy.Delf.NRT


This topic is locked
14 replies to this topic

#1 jreynolds2


  • Members
  • 19 posts

Posted 11 February 2010 - 10:45 PM

BitDefender and Panda Activescan both identify a trojan in a certain file:

BitDefender:

C:\home.exe=>(ZIP Sfx o)=>19.sfx.exe
Infected with: GenPack:Trojan.Spy.Delf.NRT

C:\home.exe=>(ZIP Sfx o)=>19.sfx.exe
Deleted

C:\home.exe=>(ZIP Sfx o)
Updated

C:\home.exe
Update failed

C:\home.exe=>(Dropped 0)=>(ZIP Sfx o)=>19.exe
Infected with: GenPack:Trojan.Spy.Delf.NRT

C:\home.exe=>(Dropped 0)=>(ZIP Sfx o)=>19.exe
Deleted

C:\home.exe=>(Dropped 0)=>(ZIP Sfx o)
Updated

C:\home.exe=>(Dropped 0)
Update failed

Activescan:

04383461 Generic Trojan Virus/Trojan No 0 Yes No c:\home.exe[19.sfx.exe][19.exe]

A hidden or system folder named home.exe shows up on Windows Explorer under the C: directory.

I cannot run DDS. IE returns:
High security alert!!!
You are not permitted to download the file "dds.scr".

URL = http://download.bleepingcomputer.com/sUBs/dds.scr

I don't know how to allow this.

Thank you.

Jim

Attached Files

  • ark.txt (6.94KB)




#2 Farbar


    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 12 February 2010 - 06:42 AM

Hi jreynolds2,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Click Run Scan button.
  • Two reports will open, copy and paste them to your reply:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


#3 jreynolds2

  • Topic Starter

  • Members
  • 19 posts

Posted 13 February 2010 - 12:29 AM

Hi Farbar:

Thanks for your help. I will be away from the computer with the problem for about a week. The system will not be used until I return. Can I just reply to you when I get back to it?

Jim


#4 Farbar


    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 13 February 2010 - 05:36 AM

Hi Jim,

Of course we can wait. Take your time and post back when ready.

#5 jreynolds2

  • Topic Starter

  • Members
  • 19 posts

Posted 22 February 2010 - 10:02 AM

Hello:

OTL logfile created on: 2/22/2010 10:50:59 PM - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\hadyn\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 182.00 Mb Available Physical Memory | 36.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 44.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 40.01 Gb Total Space | 25.39 Gb Free Space | 63.47% Space Free | Partition Type: NTFS
Drive D: | 34.52 Gb Total Space | 31.15 Gb Free Space | 90.24% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Y: | 34.52 Gb Total Space | 24.62 Gb Free Space | 71.31% Space Free | Partition Type: NTFS
Drive Z: | 34.52 Gb Total Space | 24.62 Gb Free Space | 71.31% Space Free | Partition Type: NTFS

Computer Name: DKEA
Current User Name: hadyn
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/22 22:50:17 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hadyn\Desktop\OTL.exe
PRC - [2010/02/10 15:44:07 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/08/25 18:11:04 | 000,231,952 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
PRC - [2008/04/14 08:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/03 19:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2004/12/01 17:07:20 | 000,139,264 | ---- | M] (OTi) -- C:\WINDOWS\system32\UStorSrv.exe
PRC - [2004/08/04 20:00:00 | 000,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cidaemon.exe


========== Modules (SafeList) ==========

MOD - [2010/02/22 22:50:17 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hadyn\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/02/10 15:44:07 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2008/11/04 01:06:28 | 000,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/08/25 18:11:04 | 000,231,952 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe -- (AVP)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/10/26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2004/12/01 17:07:20 | 000,139,264 | ---- | M] (OTi) [Auto | Running] -- C:\WINDOWS\System32\UStorSrv.exe -- (UStorage Server Service)


========== Driver Services (SafeList) ==========

DRV - [2010/01/05 07:56:06 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/01/05 07:56:04 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/05 07:56:02 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/06/30 09:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/04/03 16:06:50 | 000,201,504 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (klif)
DRV - [2008/05/29 16:08:33 | 000,112,144 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2007/11/13 18:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/05/30 18:49:06 | 000,024,344 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2005/08/19 17:31:52 | 003,644,800 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/04 20:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/04 06:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/08/04 06:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/08/14 07:27:22 | 000,065,280 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnic51.sys -- (RTL8023)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1757981266-1677128483-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKU\S-1-5-21-1757981266-1677128483-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKU\S-1-5-21-1757981266-1677128483-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1757981266-1677128483-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLogi...mp;ltmplcache=2
IE - HKU\S-1-5-21-1757981266-1677128483-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-1757981266-1677128483-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1757981266-1677128483-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 02 7F 5F 00 9C 8E CA 01 [binary data]
IE - HKU\S-1-5-21-1757981266-1677128483-725345543-1005\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-1757981266-1677128483-725345543-1005\S-1-5-21-1757981266-1677128483-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/02/12 12:52:45 | 000,000,000 | ---D | M]

[2010/02/10 13:32:04 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/01/27 15:18:06 | 000,373,587 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 12876 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKU\S-1-5-21-1757981266-1677128483-725345543-1005\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1757981266-1677128483-725345543-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_18.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll (Kaspersky Lab)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1757981266-1677128483-725345543-1005\..Trusted Domains: bleepingcomputer.com ([download] http in Trusted sites)
O15 - HKU\S-1-5-21-1757981266-1677128483-725345543-1005\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} https://ofscan.taitra.org.tw/officescan/con...ll/WinNTChk.cab (Reg Error: Key error.)
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} https://ofscan.taitra.org.tw/officescan/con...ll/setupini.cab (Reg Error: Key error.)
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} https://ofscan.taitra.org.tw/officescan/con...stall/setup.cab (Reg Error: Key error.)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://bitdefender.ervedo.nl/scan8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} https://ofscan.taitra.org.tw/officescan/con.../RemoveCtrl.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1142456450015 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\adialhk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/16 02:35:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{3e50d5df-9075-11de-862c-0040f4eb2eb9}\Shell\AutoRun\command - "" = 1irqtv.cmd
O33 - MountPoints2\{3e50d5df-9075-11de-862c-0040f4eb2eb9}\Shell\explore\Command - "" = 1irqtv.cmd
O33 - MountPoints2\{3e50d5df-9075-11de-862c-0040f4eb2eb9}\Shell\open\Command - "" = 1irqtv.cmd
O33 - MountPoints2\{82f85410-ff16-11dd-85ac-0040f4eb2eb9}\Shell\AutoRun\command - "" = G:\
O33 - MountPoints2\{82f85410-ff16-11dd-85ac-0040f4eb2eb9}\Shell\open\Command - "" = RECYCLER\appmgmt.exe
O33 - MountPoints2\{e5fe895b-700c-11dd-8532-0040f4eb2eb9}\Shell - "" = AutoRun
O33 - MountPoints2\{e5fe895b-700c-11dd-8532-0040f4eb2eb9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e5fe895b-700c-11dd-8532-0040f4eb2eb9}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/22 22:50:16 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\hadyn\Desktop\OTL.exe
[2010/02/12 12:47:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2010/02/12 12:46:36 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
[2010/02/12 12:46:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2010/02/10 18:16:51 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2010/02/10 18:16:33 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2010/02/10 16:32:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hadyn\Desktop\gmer
[2010/02/10 15:45:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/02/10 15:44:34 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/02/10 15:44:32 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/02/10 15:44:32 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/02/10 15:10:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hadyn\Desktop\Autoruns
[2010/02/10 13:50:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hadyn\My Documents\Computer and Computing
[2010/02/10 13:42:39 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\hadyn\Recent
[2010/02/10 11:58:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hadyn\My Documents\For all classes
[2010/02/10 11:54:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hadyn\My Documents\Culture Resources
[2010/02/10 11:53:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hadyn\My Documents\SUDS and Class Feedback
[2010/02/10 11:42:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hadyn\My Documents\Grammar Resources
[2010/02/09 22:24:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\BDOSCAN8
[2010/02/09 16:10:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010/02/06 12:27:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hadyn\My Documents\10 02 06 To HP
[2010/02/04 15:40:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hadyn\Desktop\10 02 04 Homeworks Emailed
[2010/02/03 16:30:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9 Installer
[2010/02/03 16:29:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/02/03 16:27:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/02/02 15:16:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hadyn\Desktop\New Folder2
[2010/02/01 18:16:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hadyn\My Documents\10 02 A3 Modern Bus Issues
[2010/02/01 16:31:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hadyn\Application Data\vlc
[2010/01/27 14:18:29 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/01/27 14:18:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/01/26 15:22:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hadyn\Application Data\Malwarebytes
[2010/01/26 15:22:39 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/26 15:22:37 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/26 15:22:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/26 15:22:36 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/25 14:00:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hadyn\Application Data\Leadertech
[2010/01/25 14:00:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hadyn\My Documents\My Music
[2010/01/20 18:53:31 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/04/03 11:57:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/05/10 16:50:40 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/05/09 19:06:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006/11/29 10:23:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2006/03/16 02:38:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/22 22:50:17 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hadyn\Desktop\OTL.exe
[2010/02/22 22:48:27 | 002,461,216 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/02/22 22:48:23 | 000,010,608 | ---- | M] () -- C:\Documents and Settings\hadyn\Desktop\Understanding and Using Articles.docx
[2010/02/22 22:48:19 | 007,602,176 | -H-- | M] () -- C:\Documents and Settings\hadyn\NTUSER.DAT
[2010/02/22 22:44:46 | 075,416,352 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/02/22 18:48:33 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{EE725E57-A749-459D-83CE-E6D43FDEA72A}.job
[2010/02/12 14:14:17 | 000,010,891 | ---- | M] () -- C:\Documents and Settings\hadyn\My Documents\10 02 12 Improving Listening Comprehension with Various Accents.docx
[2010/02/12 13:53:20 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/02/12 13:51:29 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/12 13:50:12 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/12 13:50:09 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/12 13:50:08 | 536,399,872 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/12 13:49:25 | 000,233,012 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/02/12 13:49:23 | 001,012,952 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/02/12 13:48:33 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\hadyn\ntuser.ini
[2010/02/10 16:31:47 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\hadyn\Desktop\gmer.zip
[2010/02/10 15:44:06 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/02/10 15:44:06 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/02/10 15:44:06 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/02/10 15:44:06 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/02/10 15:44:06 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/02/10 15:32:28 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/09 23:44:19 | 000,020,535 | ---- | M] () -- C:\Documents and Settings\hadyn\Desktop\10 02 10 Bitdefender.html
[2010/02/04 15:52:59 | 000,019,085 | ---- | M] () -- C:\Documents and Settings\hadyn\My Documents\Trekie-Meeting-HW3[1].docx
[2010/02/03 18:25:16 | 000,014,061 | ---- | M] () -- C:\Documents and Settings\hadyn\Desktop\EMAIL-Apologies-Exercises - Selected Answers.docx
[2010/02/03 16:57:14 | 000,141,507 | ---- | M] () -- C:\Documents and Settings\hadyn\Desktop\Email HW5 - Cooltech - Apologies.pdf
[2010/02/03 16:54:37 | 000,326,386 | ---- | M] () -- C:\Documents and Settings\hadyn\Desktop\Email HW4 - Cooltech - Complaints.pdf
[2010/02/03 16:32:39 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/02/03 16:30:44 | 000,000,732 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/02/03 16:21:14 | 000,151,549 | ---- | M] () -- C:\Documents and Settings\hadyn\Desktop\Email HW3 - Cooltech - Good News, Bad News.pdf
[2010/02/03 12:29:25 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/01/27 15:18:06 | 000,373,587 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/22 22:48:23 | 000,010,608 | ---- | C] () -- C:\Documents and Settings\hadyn\Desktop\Understanding and Using Articles.docx
[2010/02/12 13:47:48 | 000,010,891 | ---- | C] () -- C:\Documents and Settings\hadyn\My Documents\10 02 12 Improving Listening Comprehension with Various Accents.docx
[2010/02/12 11:07:03 | 000,133,120 | ---- | C] () -- C:\WINDOWS\System32\found.exe
[2010/02/10 16:31:46 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\hadyn\Desktop\gmer.zip
[2010/02/10 15:21:34 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/02/10 10:18:45 | 000,020,535 | ---- | C] () -- C:\Documents and Settings\hadyn\Desktop\10 02 10 Bitdefender.html
[2010/02/04 15:52:59 | 000,019,085 | ---- | C] () -- C:\Documents and Settings\hadyn\My Documents\Trekie-Meeting-HW3[1].docx
[2010/02/03 18:25:16 | 000,014,061 | ---- | C] () -- C:\Documents and Settings\hadyn\Desktop\EMAIL-Apologies-Exercises - Selected Answers.docx
[2010/02/03 16:57:13 | 000,141,507 | ---- | C] () -- C:\Documents and Settings\hadyn\Desktop\Email HW5 - Cooltech - Apologies.pdf
[2010/02/03 16:56:53 | 000,036,895 | ---- | C] () -- C:\Documents and Settings\hadyn\Desktop\Email HW5 - Cooltech - Apologies.docx
[2010/02/03 16:54:36 | 000,326,386 | ---- | C] () -- C:\Documents and Settings\hadyn\Desktop\Email HW4 - Cooltech - Complaints.pdf
[2010/02/03 16:48:49 | 000,098,038 | ---- | C] () -- C:\Documents and Settings\hadyn\Desktop\Email HW4 - Cooltech - Complaints.docx
[2010/02/03 16:32:39 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/02/03 16:30:44 | 000,000,732 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/02/03 16:21:14 | 000,151,549 | ---- | C] () -- C:\Documents and Settings\hadyn\Desktop\Email HW3 - Cooltech - Good News, Bad News.pdf
[2009/02/20 19:54:07 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\OPDSL.DLL
[2008/12/11 22:04:04 | 000,000,711 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/08/15 18:00:37 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\hadyn\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/11/09 07:59:58 | 000,004,264 | ---- | C] () -- C:\WINDOWS\cfgrs.ini
[2006/11/09 07:59:58 | 000,003,521 | ---- | C] () -- C:\WINDOWS\cfgrs_ex.ini
[2006/09/15 08:39:20 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/07/26 07:58:41 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/07/18 07:59:42 | 000,000,358 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2006/03/16 05:58:05 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/03/16 05:20:56 | 000,007,827 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2006/03/16 03:52:21 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2005/03/01 15:30:20 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
< End of report >


OTL Extras logfile created on: 2/22/2010 10:51:00 PM - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\hadyn\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 182.00 Mb Available Physical Memory | 36.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 44.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 40.01 Gb Total Space | 25.39 Gb Free Space | 63.47% Space Free | Partition Type: NTFS
Drive D: | 34.52 Gb Total Space | 31.15 Gb Free Space | 90.24% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Y: | 34.52 Gb Total Space | 24.62 Gb Free Space | 71.31% Space Free | Partition Type: NTFS
Drive Z: | 34.52 Gb Total Space | 24.62 Gb Free Space | 71.31% Space Free | Partition Type: NTFS

Computer Name: DKEA
Current User Name: hadyn
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1757981266-1677128483-725345543-1005\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\msncall.exe" = C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone) -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- File not found
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
"C:\Program Files\MSN Messenger\msncall.exe" = C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone) -- File not found
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{79B986AD-54D8-4498-AA06-89808829ACC0}" = Kaspersky Anti-Virus 6.0 for Windows Workstations
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallWIX_{79B986AD-54D8-4498-AA06-89808829ACC0}" = Kaspersky Anti-Virus 6.0 for Windows Workstations
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROPLUS" = Microsoft Office Professional Plus 2007
"RealPlayer 6.0" = RealPlayer
"VLC media player" = VLC media player 1.0.3
"WGA" = Windows Genuine Advantage Validation Tool
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/14/2010 6:47:17 AM | Computer Name = DKEA | Source = Microsoft Office 12 | ID = 1000
Description = Faulting application winword.exe, version 12.0.6504.5000, stamp 49e7f5b6,
faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address
0x030ffd57.

Error - 1/15/2010 3:04:22 AM | Computer Name = DKEA | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 12.0.6504.5000, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/19/2010 6:56:07 AM | Computer Name = DKEA | Source = Microsoft Office 12 | ID = 1000
Description = Faulting application winword.exe, version 12.0.6504.5000, stamp 49e7f5b6,
faulting module olconnector.dll, version 2.0.2313.0, stamp 491c07db, debug? 0,
fault address 0x0000fd57.

Error - 1/25/2010 10:13:46 AM | Computer Name = DKEA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/27/2010 3:26:10 AM | Computer Name = DKEA | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/29/2010 6:48:04 AM | Computer Name = DKEA | Source = Ci | ID = 4124
Description = Content index on c:\system volume information\catalog.wci is corrupt.
Please shutdown and restart the Indexing Service (cisvc).

Error - 1/29/2010 6:48:04 AM | Computer Name = DKEA | Source = Ci | ID = 4126
Description = Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci.
Index will be automatically restored by refiltering all documents.

Error - 2/1/2010 4:02:10 AM | Computer Name = DKEA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/9/2010 5:27:52 AM | Computer Name = DKEA | Source = Microsoft Office 12 | ID = 1000
Description = Faulting application winword.exe, version 12.0.6504.5000, stamp 49e7f5b6,
faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address
0x030cfd57.

Error - 2/12/2010 12:44:49 AM | Computer Name = DKEA | Source = Application Error | ID = 1000
Description = Faulting application notepad.exe, version 5.1.2600.5512, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x000449cf.

[ OSession Events ]
Error - 1/14/2010 6:47:05 AM | Computer Name = DKEA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3
seconds with 0 seconds of active time. This session ended with a crash.

Error - 1/19/2010 6:56:03 AM | Computer Name = DKEA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3
seconds with 0 seconds of active time. This session ended with a crash.

Error - 2/9/2010 5:27:40 AM | Computer Name = DKEA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 28
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 2/8/2010 6:38:20 AM | Computer Name = DKEA | Source = Print | ID = 6161
Description = The document Microsoft Word - 10 02 08 Crystal-MBT-HW1.docx owned
by hadyn failed to print on printer Auto HP LaserJet 4100 Series PCL on 123-A8B775351DD.
Data type: NT EMF 1.008. Size of the spool file in bytes: 196608. Number of bytes
printed: 0. Total number of pages in the document: 5. Number of pages printed:
0. Client machine: \\DKEA. Win32 error code returned by the print processor: 64
(0x40).

Error - 2/8/2010 6:39:47 AM | Computer Name = DKEA | Source = Print | ID = 6161
Description = The document Microsoft Word - 10 02 08 Crystal-MBT-HW1.docx owned
by hadyn failed to print on printer Auto HP LaserJet 4100 Series PCL on 123-A8B775351DD.
Data type: NT EMF 1.008. Size of the spool file in bytes: 143960. Number of bytes
printed: 0. Total number of pages in the document: 5. Number of pages printed:
0. Client machine: \\DKEA. Win32 error code returned by the print processor: 53
(0x35).

Error - 2/8/2010 6:42:14 AM | Computer Name = DKEA | Source = Print | ID = 6161
Description = The document Microsoft Word - 10 02 08 Crystal-MBT-HW1.docx owned
by hadyn failed to print on printer Auto HP LaserJet 8150 Series PCL on TWTC0755.
Data type: NT EMF 1.008. Size of the spool file in bytes: 196536. Number of bytes
printed: 0. Total number of pages in the document: 5. Number of pages printed:
0. Client machine: \\DKEA. Win32 error code returned by the print processor: 53
(0x35).

Error - 2/9/2010 2:41:00 AM | Computer Name = DKEA | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 2/9/2010 2:40:54 AM | Computer Name = DKEA | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 2/9/2010 2:40:54 AM | Computer Name = DKEA | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 2/9/2010 2:40:31 AM | Computer Name = DKEA | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 2/10/2010 4:54:53 AM | Computer Name = DKEA | Source = DCOM | ID = 10010
Description = The server {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C} did not register
with DCOM within the required timeout.

Error - 2/10/2010 4:55:24 AM | Computer Name = DKEA | Source = DCOM | ID = 10010
Description = The server {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C} did not register
with DCOM within the required timeout.

Error - 2/10/2010 4:55:54 AM | Computer Name = DKEA | Source = DCOM | ID = 10010
Description = The server {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C} did not register
with DCOM within the required timeout.


< End of report >
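
Reading an OTL Extras log like the one above is mostly pattern matching, so here is that triage as code. This Python is an added example, not OTL's own code and not part of the thread; the log lines it runs over are copied from the OTL logs above, except for the comfile handler line, which is constructed to show what a hijacked executable-type handler looks like. It flags four things: the Windows Firewall standard profile switched off (EnableFirewall = 0), a vendor key under Security Center\Monitoring with DisableMonitoring = 1 (vendors set this themselves when their product reports its own status, so treat it as a prompt to confirm the product is actually running rather than as proof of tampering), shell-spawning handlers for executable types that differ from the XP defaults, and executables created under System32 with no company name. The function and constant names (triage, SAMPLE_LOG) are the example's own.

```python
"""Triage an OTL Extras log for the settings and entries a malware-removal
helper looks at first. Added example; not OTL's own code and not part of the
thread. Log lines are copied from the OTL logs in this thread, except the
comfile handler line, which is CONSTRUCTED to show a hijack."""
import re

SAMPLE_LOG = r"""
========== Files Created - No Company Name ==========

[2010/02/12 11:07:03 | 000,133,120 | ---- | C] () -- C:\WINDOWS\System32\found.exe
[2010/02/10 16:31:46 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\hadyn\Desktop\gmer.zip
[2009/02/20 19:54:07 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\OPDSL.DLL

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
exefile [open] -- "%1" %*
scrfile [open] -- "%1" /S
comfile [open] -- "C:\Documents and Settings\hadyn\Local Settings\Application Data\av.exe" "%1" %* ()

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"""

# Line shapes OTL emits: registry key header, "name" = value, handler, file entry.
KEY_RE = re.compile(r"^\[(HKEY_.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
SPAWN_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.+)$")
FILE_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| (\S{4}) \| ([MC])\] "
    r"\((.*?)\) -- (.+)$"
)

# XP defaults for the handlers malware likes to redirect. Any other command
# means every program launch (or screensaver) goes through something else first.
DEFAULT_SPAWN = {
    ("exefile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
    ("scrfile", "config"): '"%1"',
}


def triage(log_text):
    """Walk the log once and collect the findings worth a second look."""
    findings = {
        "firewall_disabled": False,
        "monitoring_disabled": [],   # vendor keys with DisableMonitoring = 1
        "hijacked_handlers": [],     # handler lines that differ from the defaults
        "system32_no_company": [],   # exe/dll/sys under System32 with "()" company
    }
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if name == "EnableFirewall" and value == "0" \
                    and current_key.endswith("FirewallPolicy\\StandardProfile"):
                findings["firewall_disabled"] = True
            elif name == "DisableMonitoring" and value == "1" \
                    and "\\Security Center\\Monitoring\\" in current_key:
                findings["monitoring_disabled"].append(current_key.rsplit("\\", 1)[-1])
            continue
        m = SPAWN_RE.match(line)
        if m:
            handler = (m.group(1).lower(), m.group(2).lower())
            if handler in DEFAULT_SPAWN and m.group(3).strip() != DEFAULT_SPAWN[handler]:
                findings["hijacked_handlers"].append(line)
            continue
        m = FILE_RE.match(line)
        if m:
            company, path = m.group(5), m.group(6)
            low = path.lower()
            if not company and "\\windows\\system32\\" in low \
                    and low.endswith((".exe", ".dll", ".sys")):
                findings["system32_no_company"].append(path)
    return findings


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run against the sample it reports the firewall off, Kaspersky's monitoring key, the constructed comfile hijack, and found.exe plus OPDSL.DLL as System32 binaries with no publisher; found.exe is the one ComboFix later deletes, which is the sort of correlation the triage is meant to surface.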


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:46 AM

Posted 22 February 2010 - 10:39 AM

Your computer shows traces of an autorun worm or a flash drive infection. Do you have a flash drive or any other external storage device? We need to disinfect them. Don't use them on this or any computer at this stage, in case you have them.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the wrong download sites for ComboFix, click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.
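
Farbar's remark about an autorun worm points at the autorun.inf such worms drop on removable media. As an added example, not part of Farbar's instructions or of any tool he names, the Python below parses an autorun.inf the way a triage script would, tolerating the padding lines and odd casing worms use, and reports which directives would execute a program and which Explorer verbs (Open, Explore) have been redirected. Both autorun.inf bodies and the RECYCLER\launcher.exe path are constructed for the example. A legitimate install disc also uses open=, so the redirected verbs and a launcher buried in a folder nobody would browse are the tells, not the mere presence of the file. Inspect a suspect drive by typing its path rather than double-clicking it in My Computer, since that double-click is exactly the action the file hijacks.

```python
"""Inspect an autorun.inf for the launch directives an autorun worm depends on.
Added example, not part of the thread or of any tool named in it. Both
autorun.inf bodies and the RECYCLER\\launcher.exe path are CONSTRUCTED."""
import os
import re
import tempfile

# Constructed: mimics worm-style files (padding lines, odd casing, Explorer
# verbs redirected to the dropped launcher so "Open"/"Explore" run it too).
WORM_STYLE_INF = r"""[AuToRuN]
k1x9s8d7f6g5h4j3q2w1e0r
OPEN=RECYCLER\launcher.exe
Icon=%SystemRoot%\system32\SHELL32.dll,4
Action=Open folder to view files
shell\open\Command=RECYCLER\launcher.exe
shell\explore\command="RECYCLER\launcher.exe" /e
shell\open=Open
z0x9c8v7b6n5m4
UseAutoPlay=1
"""

# Constructed: what a harmless driver disc typically carries.
DISC_STYLE_INF = r"""[autorun]
icon=setup.exe,0
label=Driver disc
"""

LAUNCH_KEYS = {"open", "shellexecute"}                   # directives that run a program
SHELL_CMD_RE = re.compile(r"^shell\\[^\\=]+\\command$")  # shell\<verb>\command
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Return {key: value} of the [autorun] section. Section and key names are
    case-insensitive; lines without '=' (worm padding) are ignored; on duplicate
    keys the first assignment is kept, as GetPrivateProfileString does."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values.setdefault(key.strip().lower(), value.strip())
    return values


def _target(command):
    """First token of a command line: the quoted path, or the first word."""
    command = command.strip()
    if command.startswith('"') and command.count('"') >= 2:
        return command[1:command.index('"', 1)]
    return command.split()[0] if command else ""


def assess_autorun(text):
    """Which directives would execute a program, and which Explorer verbs
    (open, explore, ...) have been redirected to a command of the file's choosing."""
    values = parse_autorun(text)
    targets, verbs = [], []
    for key, value in values.items():
        if key in LAUNCH_KEYS:
            targets.append(_target(value))
        elif SHELL_CMD_RE.match(key):
            verbs.append(key.split("\\")[1])
            targets.append(_target(value))
    executables = sorted({t for t in targets if t.lower().endswith(EXEC_EXT)})
    return {
        "launches_program": bool(executables),
        "executables": executables,
        "hijacked_verbs": sorted(set(verbs)),
        "directives": values,
    }


def scan_drive(root):
    """Look for autorun.inf at the root of a drive mounted at `root`.
    Returns None when absent. Read as latin-1 so binary padding cannot
    make the read fail."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            path = os.path.join(root, name)
            with open(path, "r", encoding="latin-1") as fh:
                result = assess_autorun(fh.read())
            result["path"] = path
            return result
    return None


def demo_scan():
    """Stand-in for a flash drive: a temp dir holding the worm-style file."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTORUN.INF"), "w", encoding="latin-1") as fh:
            fh.write(WORM_STYLE_INF)
        return scan_drive(root)


if __name__ == "__main__":
    print(demo_scan())
    print(assess_autorun(DISC_STYLE_INF))
```

On a real drive, pass its mount point (for example `scan_drive("E:\\")`) instead of the temp dir; the parser deliberately ignores anything that is not `key=value`, because that is how Windows reads the file and why the padding lines worms insert do not stop the launch.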



#7 jreynolds2

jreynolds2
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:05:46 PM

Posted 23 February 2010 - 02:28 AM

Thanks. I have a USB "memory stick" that I've used several times lately. I cannot find that right now; if it turns up, I'll let you know. I also have an external USB hard drive which I have used on this machine and one other. I do have that one, and will wait for your advice before using it again.

ComboFix 10-02-22.04 - hadyn 02/23/2010 14:57:04.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.312 [GMT 8:00]
Running from: c:\documents and settings\hadyn\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Uninstall
c:\windows\system32\found.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NDISRD


((((((((((((((((((((((((( Files Created from 2010-01-23 to 2010-02-23 )))))))))))))))))))))))))))))))
.

2010-02-12 04:47 . 2010-02-12 04:47 -------- d-----w- c:\program files\Common Files\McAfee
2010-02-12 04:46 . 2010-02-12 05:50 -------- d-----w- c:\program files\McAfee
2010-02-12 04:46 . 2010-02-12 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-10 10:16 . 2009-06-30 01:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-10 10:16 . 2010-02-10 10:16 -------- d-----w- c:\program files\Panda Security
2010-02-10 07:45 . 2010-02-10 07:45 503808 ----a-w- c:\documents and settings\hadyn\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2e85e15e-n\msvcp71.dll
2010-02-10 07:45 . 2010-02-10 07:45 499712 ----a-w- c:\documents and settings\hadyn\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2e85e15e-n\jmc.dll
2010-02-10 07:45 . 2010-02-10 07:45 348160 ----a-w- c:\documents and settings\hadyn\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2e85e15e-n\msvcr71.dll
2010-02-10 07:45 . 2010-02-10 07:45 61440 ----a-w- c:\documents and settings\hadyn\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2d78670d-n\decora-sse.dll
2010-02-10 07:45 . 2010-02-10 07:45 12800 ----a-w- c:\documents and settings\hadyn\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2d78670d-n\decora-d3d.dll
2010-02-10 05:05 . 2010-02-10 05:05 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-02-09 14:24 . 2010-02-09 15:44 -------- d-----w- c:\windows\BDOSCAN8
2010-02-03 08:33 . 2010-02-03 08:33 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-02-03 08:30 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\hadyn\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-03 08:30 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-03 08:29 . 2010-02-03 08:29 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-03 08:28 . 2010-02-03 08:28 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-03 08:27 . 2010-02-09 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-01 08:31 . 2010-02-12 07:06 -------- d-----w- c:\documents and settings\hadyn\Application Data\vlc
2010-01-27 06:18 . 2010-02-10 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-27 06:18 . 2010-01-27 06:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-26 07:22 . 2010-01-26 07:22 -------- d-----w- c:\documents and settings\hadyn\Application Data\Malwarebytes
2010-01-26 07:22 . 2010-01-07 08:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-26 07:22 . 2010-01-26 07:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-26 07:22 . 2010-01-07 08:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 07:22 . 2010-01-26 07:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-25 06:00 . 2010-01-25 06:00 -------- d-----w- c:\documents and settings\hadyn\Application Data\Leadertech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 07:06 . 2007-12-04 08:41 75507744 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-23 07:06 . 2007-12-04 08:41 2467872 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-02-23 07:03 . 2007-12-04 08:41 234476 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-23 07:03 . 2007-12-04 08:41 1015376 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-23 06:29 . 2007-12-04 08:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-02-10 08:02 . 2007-05-25 08:11 -------- d-----w- c:\program files\Java
2010-02-10 08:02 . 2007-05-25 07:51 -------- d-----w- c:\program files\Common Files\Java
2010-02-10 07:44 . 2009-03-24 07:09 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-10 05:06 . 2010-01-05 10:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-10 04:30 . 2006-08-04 23:41 -------- d-----w- c:\program files\Yahoo!
2010-02-10 04:29 . 2008-09-09 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-02-10 04:27 . 2008-04-01 07:59 -------- d-----w- c:\documents and settings\hadyn\Application Data\Yahoo!
2010-02-10 04:18 . 2009-12-02 13:23 -------- d-----w- c:\program files\Windows Live
2010-02-03 08:32 . 2006-08-04 23:34 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-03 08:12 . 2007-02-09 10:30 -------- d-----w- c:\program files\MSECache
2010-01-22 06:07 . 2010-01-22 06:07 52224 ----a-w- c:\documents and settings\hadyn\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-22 06:07 . 2010-01-22 06:07 117760 ----a-w- c:\documents and settings\hadyn\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-22 06:06 . 2010-01-22 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-22 06:05 . 2010-01-22 06:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-22 06:05 . 2010-01-22 06:05 -------- d-----w- c:\documents and settings\hadyn\Application Data\SUPERAntiSpyware.com
2010-01-22 06:03 . 2010-01-22 06:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-22 05:57 . 2009-12-02 13:39 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 10:33 . 2010-01-20 10:33 -------- d-----w- c:\program files\Windows Defender
2010-01-14 03:12 . 2010-01-20 10:35 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-08 06:35 . 2010-01-08 06:35 152576 ----a-w- c:\documents and settings\hadyn\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-08 06:34 . 2009-12-04 08:03 79488 ----a-w- c:\documents and settings\hadyn\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-06 07:36 . 2008-04-17 08:32 77272 ----a-w- c:\documents and settings\hadyn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-06 06:40 . 2010-01-05 10:24 -------- d-----w- c:\program files\Microsoft Works
2010-01-05 10:24 . 2009-12-07 06:14 -------- d-----w- c:\program files\MSBuild
2010-01-05 10:22 . 2010-01-05 10:22 -------- d-----w- c:\program files\Microsoft.NET
2010-01-05 10:12 . 2010-01-05 10:12 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2006-03-15 18:31 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2004-08-04 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-04 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-04 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-28 286720]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 06:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/10/2010 6:16 PM 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2/12/2010 12:46 PM 93320]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/30/2007 6:49 PM 24344]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-07 20:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-02-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 11:20]

2010-02-23 c:\windows\Tasks\User_Feed_Synchronization-{EE725E57-A749-459D-83CE-E6D43FDEA72A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/accounts/ServiceLogi...mp;ltmplcache=2
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: bleepingcomputer.com\download
TCP: {FFBE48D4-9532-4D4B-A400-A00BFE44FABA} = 172.26.1.74,172.26.1.76,203.66.210.1
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://bitdefender.ervedo.nl/scan8/oscan8.cab
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-23 15:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}\InProcServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\Debug\\found32.dll"
"ThreadingModel"="Apartment"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1192)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\klogon.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\adialhk.dll

- - - - - - - > 'explorer.exe'(2136)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\UStorSrv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-23 15:11:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-23 07:11

Pre-Run: 27,128,512,512 bytes free
Post-Run: 27,207,090,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C24AFDF240A05DEBA813EF55DE4E53F8


#8 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 February 2010 - 02:43 PM

Well done.

Combofix removed the worm. But we still have a few things to take care of.
  1. Your computer is set to a domain in the US and also one in Taiwan. The domain in the US is safe. Tell me if you know this domain in Taiwan:

    Taiwan Taipei Taiwan External Trade Development Council Taitra

  2. Please open OTL.
    • Copy the text in the code box and paste it into the Custom Scans/Fixes section:

      CODE
      :Processes
      :otl
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O3 - HKU\S-1-5-21-1757981266-1677128483-725345543-1005\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
      O33 - MountPoints2\{3e50d5df-9075-11de-862c-0040f4eb2eb9}\Shell\AutoRun\command - "" = 1irqtv.cmd
      O33 - MountPoints2\{3e50d5df-9075-11de-862c-0040f4eb2eb9}\Shell\explore\Command - "" = 1irqtv.cmd
      O33 - MountPoints2\{3e50d5df-9075-11de-862c-0040f4eb2eb9}\Shell\open\Command - "" = 1irqtv.cmd
      O33 - MountPoints2\{82f85410-ff16-11dd-85ac-0040f4eb2eb9}\Shell\AutoRun\command - "" = G:\
      O33 - MountPoints2\{82f85410-ff16-11dd-85ac-0040f4eb2eb9}\Shell\open\Command - "" = RECYCLER\appmgmt.exe
      :files
      c:\RECYCLER

    • Click the Run Fix button.
    • If the fix needs a reboot, please do it.
    • After it has finished, a log will open. Copy and paste the log into your reply.

  3. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    • Turn off the auto-protect or resident-shield of your antivirus.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please attach your external hard drive.
    • Wait until it has finished scanning which takes only a few seconds and then exit the program.
    • Reboot your computer when done.

    Note 1: Please temporarily disable your anti-virus program before downloading this tool as it can be falsely flagged as malware: How to disable anti-virus programs
    Note 2: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.



#9 jreynolds2
  • Topic Starter
  • Members
  • 19 posts

Posted 24 February 2010 - 01:49 AM

Hi.

1. Yes. The Taiwan domain is my employer's.

2.

========== PROCESSES ==========
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_USERS\S-1-5-21-1757981266-1677128483-725345543-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e50d5df-9075-11de-862c-0040f4eb2eb9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3e50d5df-9075-11de-862c-0040f4eb2eb9}\ not found.
File 1irqtv.cmd not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e50d5df-9075-11de-862c-0040f4eb2eb9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3e50d5df-9075-11de-862c-0040f4eb2eb9}\ not found.
File 1irqtv.cmd not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e50d5df-9075-11de-862c-0040f4eb2eb9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3e50d5df-9075-11de-862c-0040f4eb2eb9}\ not found.
File 1irqtv.cmd not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{82f85410-ff16-11dd-85ac-0040f4eb2eb9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82f85410-ff16-11dd-85ac-0040f4eb2eb9}\ not found.
File G:\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{82f85410-ff16-11dd-85ac-0040f4eb2eb9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82f85410-ff16-11dd-85ac-0040f4eb2eb9}\ not found.
File C:\RECYCLER\appmgmt.exe not found.
========== FILES ==========
File\Folder c:\RECYCLER not found.

OTL by OldTimer - Version 3.1.30.1 log created on 02242010_142634

3. Done.

4. Should I do anything special to check my other computer that's been involved with this external drive? Or just run the basic scanning instruction set on the other security forum?

#10 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 February 2010 - 01:39 PM

You can run OTL on the other computer and attach just the Otl.txt log to your reply. I'll take a look at it. No need for Extra.txt.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

CODE
RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}]
Skipfix::


Save this as CFScript.txt, in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log into your reply.

#11 jreynolds2
  • Topic Starter
  • Members
  • 19 posts

Posted 25 February 2010 - 01:02 AM

Hi. I post the log file for the other computer below.

Panda's Activescan found the following on the other computer. It identified "Application/Psexec.A" as malware (I have combofix installed on that computer), but also three "suspicious files":

;***********************************************************************************************************************************************************************************
ANALYSIS: 2010-02-25 09:32:45
PROTECTIONS: 1
MALWARE: 1
SUSPECTS: 3
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AntiVir Desktop 9.0.1.32 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
01674996 Application/Psexec.A HackTools No 0 No No c:\documents and settings\jim\my documents\combofix.exe[32788r22fwjfw\psexec.cfexe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No c:\documents and settings\jim\my documents\combofix.exe[32788r22fwjfw\nircmdc.cfexe]
No c:\swsetup\audio\smartaudio\data1.cab[smartaudio.cpl]
No c:\windows\system32\smartaudio.cpl
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
217831 HIGH MS10-005
;===================================================================================================================================================================================

OTL logfile created on: 2/25/2010 1:49:48 PM - Run 1
OTL by OldTimer - Version 3.1.30.2 Folder = C:\Documents and Settings\Jim\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

959.00 Mb Total Physical Memory | 503.00 Mb Available Physical Memory | 53.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 64.55 Gb Total Space | 20.38 Gb Free Space | 31.58% Space Free | Partition Type: NTFS
Drive D: | 8.95 Gb Total Space | 1.17 Gb Free Space | 13.07% Space Free | Partition Type: FAT32
Drive E: | 5.12 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC308331842599
Current User Name: Jim
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/25 13:48:25 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
PRC - [2009/12/18 21:05:43 | 000,634,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/08/07 00:54:33 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/07/16 13:45:35 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/06/10 11:55:13 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 12:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2009/02/16 00:10:22 | 000,981,384 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2008/10/01 13:06:14 | 000,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/05/21 04:24:26 | 000,148,768 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
PRC - [2008/04/28 06:14:00 | 000,073,728 | ---- | M] (Software 2000 Limited) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HP1006MC.EXE
PRC - [2008/04/14 08:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/28 01:28:00 | 001,040,384 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2006/10/06 10:11:34 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe


========== Modules (SafeList) ==========

MOD - [2010/02/25 13:48:25 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/01/25 10:00:54 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/11/30 00:34:37 | 001,184,912 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/08/07 00:54:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/16 13:45:35 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/06/10 11:55:13 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2008/11/04 01:06:28 | 000,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/28 16:42:30 | 000,156,968 | ---- | M] (Seagate Technology LLC) [On_Demand | Stopped] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
SRV - [2008/10/01 18:57:00 | 000,536,872 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/10/01 13:06:14 | 000,116,040 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/08/29 10:18:44 | 000,238,888 | ---- | M] (Apple Inc.) [Disabled | Stopped] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/05/21 04:24:26 | 000,394,608 | ---- | M] (SupportSoft, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\supportsoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)
SRV - [2008/05/21 04:24:26 | 000,148,768 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe -- (tgsrvc_chatsupport.palm.com) SupportSoft Repair Service (chatsupport.palm.com)
SRV - [2007/08/08 17:51:48 | 000,410,904 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2006/10/26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/10/06 10:11:34 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/09/28 06:10:00 | 000,143,426 | ---- | M] (NVIDIA Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2005/04/04 15:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/04/01 22:08:30 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\IcdSptSv.exe -- (ICDSPTSV)


========== Driver Services (SafeList) ==========

DRV - [2009/12/08 17:08:55 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/09/23 20:55:23 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/09/04 14:50:02 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/09/04 14:50:00 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/09/04 14:49:58 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/06/30 09:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/06/18 00:56:16 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009/06/18 00:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2009/06/10 11:55:13 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/05/04 05:00:03 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/16 00:10:26 | 000,353,672 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2009/02/13 11:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/11/17 02:24:00 | 000,051,688 | ---- | M] (Check Point Software Technologies LTD) [Kernel | Boot | Running] -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan)
DRV - [2008/10/23 01:58:36 | 001,391,104 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008/10/01 13:01:28 | 000,032,000 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2008/04/28 20:22:10 | 000,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2008/04/17 13:12:54 | 000,015,464 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/04/14 02:56:49 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usb8023x.sys -- (usb_rndisx)
DRV - [2008/04/14 02:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/14 02:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 02:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/14 00:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/28 01:14:00 | 000,224,672 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/12/04 17:10:30 | 000,016,640 | R--- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2007/11/13 18:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/07/24 18:00:00 | 000,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2006/09/28 06:10:00 | 003,694,656 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/08/30 03:12:28 | 000,990,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/08/30 03:11:08 | 000,208,384 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/08/30 03:10:56 | 000,728,576 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/07/26 22:44:42 | 000,581,632 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)
DRV - [2006/06/20 03:26:58 | 000,012,672 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2006/06/19 12:37:34 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/06/07 04:39:56 | 000,061,952 | ---- | M] (Ricoh) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\5U870CAP.sys -- (5U870CAP_VID_1262&PID_25FD)
DRV - [2006/05/13 04:05:02 | 000,057,320 | ---- | M] (Broadcom Corporation.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2006/03/06 07:49:36 | 000,011,136 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2006/03/03 08:31:04 | 000,013,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/03/03 08:31:02 | 000,034,176 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/01/27 08:04:16 | 000,099,584 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2005/11/16 12:28:32 | 000,028,928 | ---- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2005/11/01 10:08:00 | 000,308,992 | ---- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2005/11/01 09:54:50 | 000,051,584 | ---- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2005/10/13 17:07:12 | 000,874,240 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2005/09/20 05:24:20 | 000,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2005/09/20 05:23:52 | 000,007,808 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2005/07/15 23:17:42 | 000,051,120 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2005/07/15 23:17:42 | 000,021,744 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2005/07/15 23:17:42 | 000,016,496 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2004/08/05 05:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/04 14:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2002/11/28 21:23:24 | 000,039,048 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IcdUsb2.sys -- (ICDUSB2) Sony IC Recorder (ST)
DRV - [2001/08/18 13:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/18 13:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/18 13:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/18 13:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/18 13:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/18 12:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/18 12:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/18 12:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/18 12:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/18 12:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/18 12:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/18 12:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/18 12:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/18 12:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/18 12:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login?.src=f...//www.yahoo.com
IE - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\S-1-5-21-2494624023-100126842-2653291218-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/02/18 21:24:10 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2009/10/09 10:48:13 | 000,342,982 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 11784 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..\Toolbar\WebBrowser: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3C} - No CLSID value found.
O3 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..\Toolbar\WebBrowser: (no name) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2009/12/11 01:02:48 | 000,000,000 | -H-D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\Web\graburl.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll ()
O9 - Extra 'Tools' menuitem : Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 30 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 30 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: adobe.com ([kb] https in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: bitdefender.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: bleepingcomputer.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: bluecrossca.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: bluecrossca.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: ca.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: ccleaner.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: chinese-tools.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: ea.com ([forums] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: eie.com.tw ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: eset.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: eugrowth.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: filehippo.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: f-secure.com ([support] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: google.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: google.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: google.com.tw ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: hp.com ([ipgweb.cce] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: hp.com ([welcome] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: hp.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: hsbccreditcard.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: ign.com ([faqs] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: majorgeeks.com ([forums] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: mediafire.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: meebo.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: nickjr.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: noggin.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: optmd.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: pandasecurity.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: pcinspector.de ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: pcpitstop.com ([forums] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: pcpitstop.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: purdue.edu ([owl.english] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: siteadvisor.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: spywarewarrior.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: tealit.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: thomasandfriends.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: uesp.net ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: wikipedia.org ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: wikipedia.org ([en] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: wikipedia.org ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: yahoo.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: zhongwen.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2494624023-100126842-2653291218-1005\..Trusted Domains: 96 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab (F-Secure Online Scanner Launcher)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab (Reg Error: Key error.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 168.95.1.1 168.95.192.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/07/27 22:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2007/03/08 02:53:02 | 000,000,000 | R--D | M] - E:\Autorun -- [ UDF ]
O32 - AutoRun File - [2007/02/25 12:23:24 | 000,000,047 | R--- | M] () - E:\Autorun.inf -- [ UDF ]
O32 - AutoRun File - [2007/03/02 17:31:43 | 000,162,880 | R--- | M] () - E:\autorun.exe -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/25 13:48:20 | 000,549,888 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
[2010/02/24 20:41:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/02/07 23:13:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Desktop\10 02 07 Homeworks to review
[2010/02/03 16:31:11 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2010/02/03 16:31:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2009/12/03 12:40:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2009/11/30 00:50:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/11/30 00:49:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009/11/29 22:29:45 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/11/16 20:06:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/09/24 22:36:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/07/20 23:26:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\SACore
[2008/09/12 19:01:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/01/21 08:57:36 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/12/29 15:06:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[97 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Jim\Desktop\*.tmp files -> C:\Documents and Settings\Jim\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/25 13:48:25 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
[2010/02/24 20:26:33 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/02/24 20:26:13 | 000,350,192 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/02/24 20:25:45 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/24 20:23:28 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/24 20:22:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/24 20:22:52 | 1005,170,688 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/24 20:21:29 | 010,223,616 | -H-- | M] () -- C:\Documents and Settings\Jim\NTUSER.DAT
[2010/02/24 20:21:29 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Jim\ntuser.ini
[2010/02/24 20:09:44 | 000,051,048 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[97 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Jim\Desktop\*.tmp files -> C:\Documents and Settings\Jim\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/09/04 10:22:32 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\housecall.guid.cache
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/01/05 15:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2008/11/07 11:26:16 | 000,000,121 | ---- | C] () -- C:\WINDOWS\bdagent.INI
[2008/09/23 12:31:21 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll
[2008/02/11 09:39:26 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerDLLA.dll
[2008/02/11 09:39:18 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerDLLW.dll
[2008/02/08 13:53:46 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerLang.dll
[2007/12/18 02:28:52 | 000,000,032 | ---- | C] () -- C:\WINDOWS\System32\thxcfg.ini
[2007/11/12 11:46:51 | 000,059,392 | R--- | C] () -- C:\WINDOWS\System32\streamhlp.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/09/09 15:11:41 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/09/08 00:31:36 | 000,000,051 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Installer.log
[2007/09/06 12:53:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DVEdit.INI
[2007/09/06 12:38:41 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\IcdSptSvps.dll
[2007/09/06 12:38:40 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\dsp_trc.dll
[2007/09/01 23:34:42 | 000,002,508 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\$_hpcst$.hpc
[2007/08/14 23:25:17 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2007/07/27 14:49:02 | 000,225,355 | ---- | C] () -- C:\WINDOWS\System32\lnod32apiW.dll
[2007/07/27 14:49:02 | 000,196,683 | ---- | C] () -- C:\WINDOWS\System32\lnod32apiA.dll
[2007/07/16 22:44:40 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/07/16 22:44:39 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/04/22 22:28:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2007/04/21 20:44:41 | 000,000,027 | ---- | C] () -- C:\WINDOWS\SmartAudio.INI
[2007/03/27 12:57:59 | 000,166,912 | ---- | C] () -- C:\WINDOWS\lame_enc.dll
[2007/03/27 10:45:22 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll
[2007/03/20 10:49:59 | 000,027,968 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\Comma Separated Values (Windows).ADR
[2007/03/13 10:09:37 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2007/03/13 10:04:26 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDE CX4900Asia.ini
[2007/02/14 00:10:09 | 000,002,508 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\$_hpcst$.hpc
[2007/01/30 19:31:46 | 000,002,787 | ---- | C] () -- C:\WINDOWS\EaseAudioConverter.ini
[2006/12/30 22:52:23 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\WINKRNME.DLL
[2006/12/27 03:10:48 | 000,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/12/10 11:43:45 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\FnF4.txt
[2006/11/24 02:10:17 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2006/11/01 02:56:44 | 000,031,744 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/10/27 09:33:16 | 000,111,376 | ---- | C] () -- C:\WINDOWS\System32\expat.dll
[2006/10/27 09:33:16 | 000,040,352 | ---- | C] () -- C:\WINDOWS\System32\agcrypto.dll
[2006/10/26 15:41:01 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\fusioncache.dat
[2006/10/26 15:41:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\QSwitch.txt
[2006/10/26 15:41:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\DSwitch.txt
[2006/10/26 15:41:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\AtStart.txt
[2006/08/17 00:24:24 | 000,000,174 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/08/17 00:20:04 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/08/17 00:08:32 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/08/17 00:04:50 | 000,028,510 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/05/11 05:51:00 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/05/11 05:03:42 | 000,011,820 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/05/11 05:01:12 | 000,000,107 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/05/11 04:57:30 | 000,000,831 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/04/27 03:48:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/04/27 03:48:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/04/27 03:48:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/04/27 03:48:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/04/27 03:48:00 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/04/14 10:37:26 | 000,000,032 | ---- | C] () -- C:\WINDOWS\aceg.ini
[2005/12/05 19:25:22 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\lnod32umc.dll
[2005/12/05 12:37:10 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\lnod32upd.dll
[2005/12/03 02:09:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/05/06 10:06:32 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[1999/03/01 11:03:28 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\webzone.dll
[1999/02/23 18:00:28 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\oline.dll
[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== Files - Unicode (All) ==========
[2010/01/28 09:37:47 | 000,013,985 | ---- | M] ()(C:\Documents and Settings\Jim\Desktop\??????.docx) -- C:\Documents and Settings\Jim\Desktop\期末成績自評.docx
[2010/01/28 09:00:12 | 000,013,985 | ---- | C] ()(C:\Documents and Settings\Jim\Desktop\??????.docx) -- C:\Documents and Settings\Jim\Desktop\期末成績自評.docx
[2009/05/10 11:01:16 | 000,261,120 | ---- | M] ()(C:\Documents and Settings\Jim\Desktop\20090506???-????????? 250W??????????-.doc) -- C:\Documents and Settings\Jim\Desktop\20090506新聞稿-全漢電源技術新突破 250W低瓦特數通過金牌認證-.doc
[2009/05/10 09:41:32 | 000,261,120 | ---- | C] ()(C:\Documents and Settings\Jim\Desktop\20090506???-????????? 250W??????????-.doc) -- C:\Documents and Settings\Jim\Desktop\20090506新聞稿-全漢電源技術新突破 250W低瓦特數通過金牌認證-.doc

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >



#12 jreynolds2

  • Topic Starter
  • Members
  • 19 posts

Posted 25 February 2010 - 01:06 AM

Note that some MS Windows Updates were installed since my last post. I forgot that you asked me not to do such.

This is from the combofix script run on the original computer:

ComboFix 10-02-24.01 - hadyn 02/25/2010 13:40:28.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.337 [GMT 8:00]
Running from: c:\documents and settings\hadyn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\hadyn\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
.

2010-02-24 06:26 . 2010-02-24 06:26 -------- d-----w- C:\_OTL
2010-02-12 04:47 . 2010-02-12 04:47 -------- d-----w- c:\program files\Common Files\McAfee
2010-02-12 04:46 . 2010-02-12 05:50 -------- d-----w- c:\program files\McAfee
2010-02-12 04:46 . 2010-02-12 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-10 10:16 . 2009-06-30 01:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-10 10:16 . 2010-02-10 10:16 -------- d-----w- c:\program files\Panda Security
2010-02-10 07:45 . 2010-02-10 07:45 503808 ----a-w- c:\documents and settings\hadyn\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2e85e15e-n\msvcp71.dll
2010-02-10 07:45 . 2010-02-10 07:45 499712 ----a-w- c:\documents and settings\hadyn\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2e85e15e-n\jmc.dll
2010-02-10 07:45 . 2010-02-10 07:45 348160 ----a-w- c:\documents and settings\hadyn\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2e85e15e-n\msvcr71.dll
2010-02-10 07:45 . 2010-02-10 07:45 61440 ----a-w- c:\documents and settings\hadyn\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2d78670d-n\decora-sse.dll
2010-02-10 07:45 . 2010-02-10 07:45 12800 ----a-w- c:\documents and settings\hadyn\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2d78670d-n\decora-d3d.dll
2010-02-10 05:05 . 2010-02-10 05:05 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-02-09 14:24 . 2010-02-09 15:44 -------- d-----w- c:\windows\BDOSCAN8
2010-02-03 08:33 . 2010-02-03 08:33 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-02-03 08:30 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\hadyn\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-03 08:30 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-03 08:29 . 2010-02-03 08:29 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-03 08:28 . 2010-02-03 08:28 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-03 08:27 . 2010-02-09 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-01 08:31 . 2010-02-12 07:06 -------- d-----w- c:\documents and settings\hadyn\Application Data\vlc
2010-01-27 06:18 . 2010-02-10 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-27 06:18 . 2010-01-27 06:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-26 07:22 . 2010-01-26 07:22 -------- d-----w- c:\documents and settings\hadyn\Application Data\Malwarebytes
2010-01-26 07:22 . 2010-01-07 08:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-26 07:22 . 2010-01-26 07:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-26 07:22 . 2010-01-07 08:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 07:22 . 2010-01-26 07:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 05:42 . 2007-12-04 08:41 75636768 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-25 05:42 . 2007-12-04 08:41 2477600 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-02-25 05:11 . 2007-12-04 08:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-02-25 05:09 . 2007-12-04 08:41 234956 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-25 05:09 . 2007-12-04 08:41 1016552 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-24 01:16 . 2010-01-20 10:35 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-10 08:02 . 2007-05-25 08:11 -------- d-----w- c:\program files\Java
2010-02-10 08:02 . 2007-05-25 07:51 -------- d-----w- c:\program files\Common Files\Java
2010-02-10 07:44 . 2009-03-24 07:09 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-10 05:06 . 2010-01-05 10:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-10 04:30 . 2006-08-04 23:41 -------- d-----w- c:\program files\Yahoo!
2010-02-10 04:29 . 2008-09-09 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-02-10 04:27 . 2008-04-01 07:59 -------- d-----w- c:\documents and settings\hadyn\Application Data\Yahoo!
2010-02-10 04:18 . 2009-12-02 13:23 -------- d-----w- c:\program files\Windows Live
2010-02-03 08:32 . 2006-08-04 23:34 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-03 08:12 . 2007-02-09 10:30 -------- d-----w- c:\program files\MSECache
2010-01-25 06:00 . 2010-01-25 06:00 -------- d-----w- c:\documents and settings\hadyn\Application Data\Leadertech
2010-01-22 06:07 . 2010-01-22 06:07 52224 ----a-w- c:\documents and settings\hadyn\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-22 06:07 . 2010-01-22 06:07 117760 ----a-w- c:\documents and settings\hadyn\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-22 06:06 . 2010-01-22 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-22 06:05 . 2010-01-22 06:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-22 06:05 . 2010-01-22 06:05 -------- d-----w- c:\documents and settings\hadyn\Application Data\SUPERAntiSpyware.com
2010-01-22 06:03 . 2010-01-22 06:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-22 05:57 . 2009-12-02 13:39 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 10:33 . 2010-01-20 10:33 -------- d-----w- c:\program files\Windows Defender
2010-01-08 06:35 . 2010-01-08 06:35 152576 ----a-w- c:\documents and settings\hadyn\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-08 06:34 . 2009-12-04 08:03 79488 ----a-w- c:\documents and settings\hadyn\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-06 07:36 . 2008-04-17 08:32 77272 ----a-w- c:\documents and settings\hadyn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-06 06:40 . 2010-01-05 10:24 -------- d-----w- c:\program files\Microsoft Works
2010-01-05 10:24 . 2009-12-07 06:14 -------- d-----w- c:\program files\MSBuild
2010-01-05 10:22 . 2010-01-05 10:22 -------- d-----w- c:\program files\Microsoft.NET
2010-01-05 10:12 . 2010-01-05 10:12 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2006-03-15 18:31 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2004-08-04 12:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-04 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-04 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-28 286720]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 06:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/10/2010 6:16 PM 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2/12/2010 12:46 PM 93320]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/30/2007 6:49 PM 24344]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-07 20:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-02-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 11:20]

2010-02-25 c:\windows\Tasks\User_Feed_Synchronization-{EE725E57-A749-459D-83CE-E6D43FDEA72A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/accounts/ServiceLogi...mp;ltmplcache=2
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: bleepingcomputer.com\download
TCP: {FFBE48D4-9532-4D4B-A400-A00BFE44FABA} = 172.26.1.74,172.26.1.76,203.66.210.1
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://bitdefender.ervedo.nl/scan8/oscan8.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-25 13:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1188)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\klogon.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\adialhk.dll

- - - - - - - > 'explorer.exe'(3572)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-25 13:45:32
ComboFix-quarantined-files.txt 2010-02-25 05:45
ComboFix2.txt 2010-02-23 07:11

Pre-Run: 27,107,291,136 bytes free
Post-Run: 27,078,713,344 bytes free

- - End Of File - - 2410C8E2B58BBAF75ADD78BE07BEC7C1


#13 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 February 2010 - 08:11 AM

It looks good.

It is important to uninstall ComboFix.

Go to Start => Run => copy and paste next command in the field then hit enter:

ComboFix /Uninstall

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

*********
The other computer is at the moment clean. The files flagged by Panda are all ComboFix components and are safe.

The only thing I see is that you have many sites in the Trusted Zone of IE. I would remove most of them, even antivirus sites. The sites put in the Trusted Zone would not pass the security checkpoint, and it is not a good idea to give even trusted sites a free pass forever.

Happy Surfing.
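
The two things flagged in this reply (the long Trusted Zone list) and in the log above (Windows Firewall off in the standard profile, Security Center told not to monitor the installed antivirus, and a downloaded ActiveX control under DPF) are all visible as plain text in a ComboFix log. The following triage script is an added example written for this page; it is not ComboFix code and not something the forum posted. It assumes only the line formats shown in the log above (REGEDIT4-style `[key]` / `"name"=value` lines, `Trusted Zone:` lines and `DPF:` lines). The sample log inside it is constructed: the registry lines, the bleepingcomputer.com entry and the DPF line are copied from the log on this page, while the two `*.invalid` Trusted Zone entries are invented to show how a keep-list works. Requires Python 3.8 or later.

```python
"""Triage the 'Reg Loading Points' and 'Supplementary Scan' parts of a ComboFix log.

Added example for this thread, not ComboFix's own code. Only the line formats
visible in the log above are assumed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample. Registry lines, the bleepingcomputer.com entry and the
# DPF line are copied from the log on this page; the two *.invalid entries
# are invented for illustration. 'hxxp' is ComboFix's own defanging of http.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

Trusted Zone: bleepingcomputer.com\download
Trusted Zone: updates.example-av.invalid
Trusted Zone: cdn.example-downloads.invalid
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://bitdefender.ervedo.nl/scan8/oscan8.cab
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
# Either REGEDIT4 'dword:00000001' or ComboFix's '0 (0x0)' rendering.
DWORD_RE = re.compile(r"dword:(?P<hex>[0-9a-fA-F]{1,8})|^(?P<dec>\d+)")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(?P<site>\S.*?)\s*$")
DPF_RE = re.compile(r"^DPF:\s*(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<url>\S+)")


@dataclass
class Findings:
    firewall_disabled: bool = False
    # Products Security Center has been told not to monitor (common for
    # third-party AV, but worth confirming it was the AV that set it).
    monitoring_disabled: list = field(default_factory=list)
    trusted_zone: list = field(default_factory=list)
    # (CLSID, URL) pairs for Downloaded Program Files (ActiveX) controls.
    dpf: list = field(default_factory=list)


def parse_dword(raw):
    """Return the integer in a value body, or None when it holds no number."""
    m = DWORD_RE.search(raw.strip())
    if not m:
        return None
    if m.group("hex") is not None:
        return int(m.group("hex"), 16)
    return int(m.group("dec"))


def triage(log_text):
    """Walk the log once, tracking the current registry key, and collect findings."""
    f = Findings()
    key_raw, key = "", ""
    for line in log_text.splitlines():
        line = line.rstrip()
        if (m := KEY_RE.match(line)):
            key_raw = m.group("key")
            key = key_raw.lower()
            continue
        if (m := VALUE_RE.match(line)):
            name, value = m.group("name"), parse_dword(m.group("raw"))
            if "firewallpolicy\\standardprofile" in key and name == "EnableFirewall" and value == 0:
                f.firewall_disabled = True
            elif "security center\\monitoring" in key and name == "DisableMonitoring" and value == 1:
                f.monitoring_disabled.append(key_raw.rsplit("\\", 1)[-1])
            continue
        if (m := TRUSTED_RE.match(line)):
            f.trusted_zone.append(m.group("site"))
        elif (m := DPF_RE.match(line)):
            f.dpf.append((m.group("clsid").upper(), m.group("url")))
    return f


def trusted_zone_to_remove(findings, keep=frozenset()):
    """Trusted Zone entries not on an explicit, case-insensitive keep list."""
    keep_l = {k.lower() for k in keep}
    return [s for s in findings.trusted_zone if s.lower() not in keep_l]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Windows Firewall disabled (standard profile):", result.firewall_disabled)
    print("Security Center ignores:", result.monitoring_disabled)
    print("Trusted Zone entries to review:", trusted_zone_to_remove(result))
    print("DPF (ActiveX) controls:", result.dpf)
```

Run it against a saved ComboFix.txt by passing the file's text to `triage()`; the keep-list argument of `trusted_zone_to_remove()` is where the few sites you consciously decide to keep go, so everything else is listed for removal, which matches the advice above to empty the zone rather than trust it forever.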

#14 jreynolds2

  • Topic Starter
  • Members
  • 19 posts

Posted 25 February 2010 - 11:33 AM

Great. I'll uninstall the utility and take your advice on the trusted zone.

Lots of thanks.

#15 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 February 2010 - 11:46 AM

You are most welcome.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



