
Infected w/ Security Antivirus, fraud.windowsprotectionsuite & microsoft.windows.redirectedhosts


  • This topic is locked
17 replies to this topic

#1 CMS19

CMS19

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:38 PM

Posted 12 February 2010 - 04:30 PM


This computer (XP) was infected w/ Security Antivirus, fraud.windowsprotectionsuite & microsoft.windows.redirectedhosts (same as the problem posted here: http://forums.spybot.info/showthread.php?t=53464). Security Antivirus persists though I followed the removal instructions here: http://www.bleepingcomputer.com/virus-remo...urity-antivirus ....

Below is the DDS log, and attached is "Attach.txt" - but I am not having success with the GMER - the first time it froze after scanning for a long time; was probably almost finished. The second time, the whole computer screen froze and required rebooting by the power button. Again, it had scanned for a long time and was probably near the end of the scan. Should I try to do the GMER scan in Safe Mode?

Thanks.

Here's the DDS:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Julie at 13:27:45.10 on Fri 02/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1080 [GMT -5:00]

AV: Security Antivirus *On-access scanning enabled* (Updated) {1913B679-BBD3-454F-A7F8-ECBEA6AF9CC7}
AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Security Antivirus *enabled* {C531EFFC-44A4-48BE-9D44-DC10C6B8D7D4}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Julie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://login.yahoo.com/config/login_verify2?&.src=ym
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071121
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [cdloader] "c:\documents and settings\julie\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dscactivate] c:\dell\dsca.exe 3
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265850148171
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\julie\applic~1\mozilla\firefox\profiles\6zmp7zvt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\chip\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\chip\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-23 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-2-11 1858144]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2007-11-8 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2007-11-8 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-11-8 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2007-11-8 566872]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-11-8 280392]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-11-21 30192]

=============== Created Last 30 ================

2010-02-12 01:28:24 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-12 01:27:43 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-12 00:56:25 0 d-s---w- C:\ComboFix
2010-02-12 00:23:13 0 d-----w- c:\program files\a-squared Free
2010-02-11 13:33:54 120 ----a-w- c:\windows\CIS_Setup_3.13.126709.581_XP_Vista_x32.INI
2010-02-11 12:43:02 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-11 12:43:02 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-02-11 01:20:28 0 d-----w- C:\_OTM
2010-02-10 20:19:53 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-10 16:38:07 0 d-sh--w- c:\docume~1\alluse~1\applic~1\SAFBJJV
2010-02-05 00:51:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-04 03:25:26 0 d-sh--w- c:\docume~1\alluse~1\applic~1\b278746

==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-07 02:54:17 38932 -c-ha-w- c:\windows\system32\mlfcache.dat
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11:44 1291776 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:35 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07:34 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2009-11-21 15:51:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-03-31 16:24:37 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009033120090401\index.dat

============= FINISH: 13:28:39.14 ===============


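A small triage helper, added here as an example and not part of this thread or of the DDS tool: it parses the "Created Last 30" section of a DDS log (the sample lines below are constructed in the same shape as the log above) and lists directories created with both the system and hidden attributes set, which in this log are the two entries under the All Users Application Data folder. The attribute positions are inferred from the strings that appear in the log (d-sh--w-, -c-ha-w-, --sha-w-), not taken from any DDS documentation, so treat that mapping as an assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of the DDS "Created Last 30" section.
SAMPLE_LOG = r"""
=============== Created Last 30 ================

2010-02-12 01:28:24 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-12 00:56:25 0 d-s---w- C:\ComboFix
2010-02-11 13:33:54 120 ----a-w- c:\windows\CIS_Setup_3.13.126709.581_XP_Vista_x32.INI
2010-02-10 16:38:07 0 d-sh--w- c:\docume~1\alluse~1\applic~1\SAFBJJV
2010-02-05 00:51:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-04 03:25:26 0 d-sh--w- c:\docume~1\alluse~1\applic~1\b278746

==================== Find3M ====================
"""

# Section headers look like "=========== Name ===========".
SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+\s*$")

# One entry: timestamp, size, 8-character attribute string, path.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+"
    r"(?P<path>\S.*)$"
)


@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str
    path: str

    # Assumed flag positions, inferred from attribute strings in the log:
    # [0] d=directory, [1] c=compressed, [2] s=system, [3] h=hidden,
    # [4] a=archive. The remaining positions are left undecoded.
    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def is_hidden(self) -> bool:
        return self.attrs[3] == "h"


def section_lines(log: str, wanted: str) -> List[str]:
    """Return the non-blank raw lines of one named DDS section."""
    lines, inside = [], False
    for line in log.splitlines():
        m = SECTION_RE.match(line)
        if m:
            # Entering a new section: stay inside only if it is the one wanted.
            inside = m.group("name").lower() == wanted.lower()
            continue
        if inside and line.strip():
            lines.append(line)
    return lines


def parse_entries(log: str, section: str = "Created Last 30") -> List[Entry]:
    """Parse every well-formed file/directory entry in the given section."""
    out = []
    for line in section_lines(log, section):
        m = ENTRY_RE.match(line)
        if m:
            out.append(Entry(m["ts"], int(m["size"]), m["attrs"], m["path"]))
    return out


def flag_hidden_system_dirs(entries: List[Entry]) -> List[Entry]:
    """Directories created recently with both system and hidden set are
    worth a manual look; ordinary application folders rarely need both."""
    return [e for e in entries if e.is_dir and e.is_system and e.is_hidden]


if __name__ == "__main__":
    for e in flag_hidden_system_dirs(parse_entries(SAMPLE_LOG)):
        print(f"{e.timestamp}  {e.attrs}  {e.path}")
```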


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:38 PM

Posted 12 February 2010 - 05:22 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  • Click the "Run Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 CMS19

CMS19
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:38 PM

Posted 12 February 2010 - 06:23 PM

Thank you, Sam!

Here are the reports -

OTL Report:

OTL logfile created on: 2/12/2010 6:01:50 PM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Julie\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.94 Gb Total Space | 42.46 Gb Free Space | 61.59% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DF12Z3F1
Current User Name: Julie
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/12 18:00:55 | 001,066,320 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 14\pcclient.exe
PRC - [2010/02/12 17:59:49 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Julie\Desktop\OTL.exe
PRC - [2010/02/10 10:24:50 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/02/04 14:22:28 | 001,181,328 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/01/27 20:22:29 | 000,788,880 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/01/05 07:56:02 | 002,002,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/10/27 20:28:36 | 000,030,192 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2009/10/01 16:03:14 | 001,858,144 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2009/09/05 01:54:42 | 000,417,792 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe
PRC - [2009/08/28 19:42:54 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/06/29 19:10:18 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/12/12 11:17:38 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/05/19 15:17:14 | 001,475,936 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/08 20:19:18 | 000,345,696 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe
PRC - [2007/11/08 20:18:46 | 000,853,592 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 14\PccUpdUI.exe
PRC - [2007/07/09 23:21:56 | 000,851,968 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2007/04/16 17:10:26 | 000,184,320 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\MediaDirect\PCMService.exe
PRC - [2007/03/16 04:10:54 | 001,392,640 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\WLTRAY.EXE
PRC - [2007/03/16 04:10:54 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\WLTRYSVC.EXE
PRC - [2007/03/16 04:10:52 | 001,253,376 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\BCMWLTRY.EXE
PRC - [2006/11/21 13:02:24 | 001,807,960 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
PRC - [2006/11/09 15:04:02 | 000,566,872 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe
PRC - [2006/11/09 15:03:42 | 000,923,216 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 14\TmPfw.exe
PRC - [2006/11/05 12:13:00 | 000,159,744 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
PRC - [2006/11/03 19:02:14 | 000,050,688 | ---- | M] (Avanquest Software ) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2006/08/04 17:15:28 | 000,321,040 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
PRC - [2004/08/04 06:00:00 | 000,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe


========== Modules (SafeList) ==========

MOD - [2010/02/12 17:59:49 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Julie\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/02/04 14:22:28 | 001,181,328 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/01/31 13:13:04 | 000,135,664 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2009/10/28 20:21:14 | 000,545,568 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/27 20:28:36 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-093009-130223)
SRV - [2009/10/01 16:03:14 | 001,858,144 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\Program Files\a-squared Free\a2service.exe -- (a2free)
SRV - [2009/08/28 19:42:54 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/06/29 19:10:16 | 000,182,768 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/12/12 11:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/05/19 15:17:14 | 001,475,936 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe -- (PcCtlCom)
SRV - [2007/11/08 20:19:18 | 000,345,696 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe -- (Tmntsrv)
SRV - [2007/03/19 13:44:44 | 000,070,656 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2007/03/16 04:10:54 | 000,020,480 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc)
SRV - [2006/11/09 15:04:02 | 000,566,872 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe -- (tmproxy)
SRV - [2006/11/09 15:03:42 | 000,923,216 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security 14\TmPfw.exe -- (TmPfw)
SRV - [2006/11/05 12:15:12 | 000,880,640 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9)
SRV - [2006/11/05 12:13:00 | 000,159,744 | ---- | M] (Sonic Solutions) [Auto | Running] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9)
SRV - [2006/09/14 15:54:34 | 000,073,728 | ---- | M] (MicroVision Development, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2004/10/22 04:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/07/15 02:49:26 | 000,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)


========== Driver Services (SafeList) ==========

DRV - [2010/01/05 07:56:06 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/01/05 07:56:04 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/05 07:56:02 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/09/23 07:55:23 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/08/28 19:42:52 | 000,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/05/18 14:17:00 | 000,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/11/26 17:42:42 | 000,205,328 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmxpflt.sys -- (tmxpflt)
DRV - [2008/11/26 17:42:40 | 000,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmpreflt.sys -- (tmpreflt)
DRV - [2008/11/26 17:39:56 | 001,195,384 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vsapint.sys -- (vsapint)
DRV - [2008/11/20 14:19:06 | 000,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 13:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 13:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/13 05:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/07/16 21:26:46 | 000,989,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2007/07/16 21:26:46 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2007/07/16 21:26:46 | 000,209,152 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2007/07/16 21:26:46 | 000,012,672 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2007/07/10 16:07:56 | 000,045,568 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2007/07/10 15:22:22 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/07/10 15:22:20 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2007/07/10 15:22:18 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/07/09 23:21:54 | 000,202,912 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/07/09 23:03:04 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/07/09 22:58:42 | 005,707,744 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/05/08 21:22:58 | 000,277,784 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2007/03/16 04:10:56 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2007/02/25 13:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/11/09 16:04:20 | 000,280,392 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TM_CFW.sys -- (tmcfw)
DRV - [2006/11/09 16:04:20 | 000,073,288 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2006/11/02 13:31:38 | 000,103,168 | ---- | M] (Knowles Acoustics) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dxec02.sys -- (DXEC02)
DRV - [2006/10/05 18:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/08/18 14:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 14:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 14:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 14:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 14:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 14:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 14:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 14:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 12:05:58 | 000,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2006/08/11 11:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 11:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2006/07/21 12:21:26 | 000,099,176 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/08/12 18:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2004/08/04 06:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/03 23:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2001/08/17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 13:12:10 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071121
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071121


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071121
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071121
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-333419700-563927531-67471420-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
IE - HKU\S-1-5-21-333419700-563927531-67471420-1006\S-1-5-21-333419700-563927531-67471420-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-333419700-563927531-67471420-1006\S-1-5-21-333419700-563927531-67471420-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/10 19:02:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/10 10:25:01 | 000,000,000 | ---D | M]

[2009/11/09 11:37:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Julie\Application Data\Mozilla\Extensions
[2009/11/09 11:37:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\6zmp7zvt.default\extensions
[2009/11/08 18:44:41 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/02/11 11:38:14 | 000,000,735 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.securityantivirus.com
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-333419700-563927531-67471420-1006\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.EXE (Dell Inc.)
O4 - HKLM..\Run: [dscactivate] c:\dell\dsca.exe ( )
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKU\S-1-5-21-333419700-563927531-67471420-1006..\Run: [cdloader] C:\Documents and Settings\Julie\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKU\S-1-5-21-333419700-563927531-67471420-1006..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKU\S-1-5-21-333419700-563927531-67471420-1006..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-333419700-563927531-67471420-1006..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-333419700-563927531-67471420-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-333419700-563927531-67471420-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-333419700-563927531-67471420-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoChangeStartMenu = 0
O7 - HKU\S-1-5-21-333419700-563927531-67471420-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKU\S-1-5-21-333419700-563927531-67471420-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-333419700-563927531-67471420-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-333419700-563927531-67471420-1006_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 64 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 63 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 63 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-333419700-563927531-67471420-1006\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-333419700-563927531-67471420-1006\..Trusted Domains: microsoft.com ([*.windowsupdate] https in Trusted sites)
O15 - HKU\S-1-5-21-333419700-563927531-67471420-1006\..Trusted Domains: windowsupdate.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-333419700-563927531-67471420-1006\..Trusted Domains: 71 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-333419700-563927531-67471420-1006\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1005.cab (MySpace Uploader Control)
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab (DeviceEnum Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1265850148171 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} http://web1.shutterfly.com/downloads/Uploader.cab (Shutterfly Picture Upload Plugin)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Julie\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Julie\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/12/01 12:06:19 | 000,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/10 13:52:56 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 30 Days ==========

[2010/02/12 17:59:47 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Julie\Desktop\OTL.exe
[2010/02/12 13:34:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Julie\Desktop\gmer
[2010/02/11 20:28:24 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/02/11 20:27:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/02/11 19:56:25 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/02/11 19:53:28 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Julie\Recent
[2010/02/11 19:52:12 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/02/11 19:23:13 | 000,000,000 | ---D | C] -- C:\Program Files\a-squared Free
[2010/02/11 11:12:49 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/02/11 11:05:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/02/11 07:43:02 | 000,274,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2010/02/11 07:43:02 | 000,016,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2010/02/10 21:10:52 | 040,603,920 | ---- | C] (COMODO) -- C:\Documents and Settings\Julie\Desktop\CIS_Setup_3.13.126709.581_XP_Vista_x32.exe
[2010/02/10 20:20:28 | 000,000,000 | ---D | C] -- C:\_OTM
[2010/02/10 11:38:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\SAFBJJV
[2010/02/04 19:51:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/02/03 22:25:26 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\b278746
[2010/01/31 15:18:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/01/31 13:13:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/03/31 11:24:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/01/09 21:56:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/12/01 23:02:02 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2007/11/21 04:32:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2004/08/10 14:08:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2004/08/10 13:57:26 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/02/12 17:59:49 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Julie\Desktop\OTL.exe
[2010/02/12 17:57:48 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/02/12 17:57:47 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/02/12 17:57:47 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/02/12 17:57:46 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/02/12 17:57:45 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/02/12 17:54:56 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/12 17:54:33 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/12 17:54:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/12 17:54:27 | 2137,038,848 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/12 16:50:34 | 007,864,320 | -H-- | M] () -- C:\Documents and Settings\Julie\NTUSER.DAT
[2010/02/12 16:50:27 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Julie\ntuser.ini
[2010/02/12 15:18:05 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/12 14:59:52 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Julie\Desktop\Microsoft Word.lnk
[2010/02/12 13:32:06 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Julie\Desktop\gmer(2).zip
[2010/02/12 13:30:48 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Julie\Desktop\gmer.zip
[2010/02/12 13:26:30 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\Julie\Desktop\dds.scr
[2010/02/12 13:08:54 | 000,000,120 | ---- | M] () -- C:\WINDOWS\CIS_Setup_3.13.126709.581_XP_Vista_x32.INI
[2010/02/11 20:35:28 | 000,000,000 | ---- | M] () -- C:\Qoobox
[2010/02/11 11:38:14 | 000,000,735 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2010/02/11 11:03:33 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/11 07:50:48 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/10 21:14:52 | 040,603,920 | ---- | M] (COMODO) -- C:\Documents and Settings\Julie\Desktop\CIS_Setup_3.13.126709.581_XP_Vista_x32.exe
[2010/02/10 20:45:13 | 000,363,008 | ---- | M] () -- C:\Documents and Settings\Julie\Desktop\rkill.com
[2010/02/10 20:22:42 | 000,000,698 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100210-202422.backup
[2010/02/10 12:27:36 | 000,379,087 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100210-140756.backup
[2010/02/10 12:27:36 | 000,379,087 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100210-165016.backup
[2010/02/10 12:27:36 | 000,379,087 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100210-165014.backup
[2010/02/10 12:27:36 | 000,379,087 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100210-165011.backup
[2010/02/10 12:27:36 | 000,379,087 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100210-165010.backup
[2010/02/10 12:27:36 | 000,379,087 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100210-165005.backup
[2010/02/10 12:27:36 | 000,379,087 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100210-165004.backup
[2010/02/10 12:27:36 | 000,379,087 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100210-165003.backup
[2010/02/10 12:27:36 | 000,379,087 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100210-165001.backup
[2010/02/10 12:27:36 | 000,379,087 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100210-164959.backup
[2010/02/10 12:27:36 | 000,379,087 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100210-164957.backup
[2010/02/10 12:27:36 | 000,379,087 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100210-164849.backup
[2010/02/10 12:27:36 | 000,379,087 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100210-144859.backup
[2010/02/06 13:44:26 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/02/05 13:15:34 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Julie\Desktop\Hattie 2-5-2010.doc
[2010/02/05 08:31:27 | 000,048,632 | ---- | M] () -- C:\Documents and Settings\Julie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/02/03 21:09:31 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/01/27 20:23:32 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/01/26 09:25:58 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\Julie\Desktop\Daily Office Devotional.doc

========== Files Created - No Company Name ==========

[2010/02/12 17:54:27 | 2137,038,848 | -HS- | C] () -- C:\hiberfil.sys
[2010/02/12 13:32:05 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Julie\Desktop\gmer(2).zip
[2010/02/12 13:30:47 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Julie\Desktop\gmer.zip
[2010/02/12 13:26:28 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\Julie\Desktop\dds.scr
[2010/02/11 20:35:28 | 000,000,000 | ---- | C] () -- C:\Qoobox
[2010/02/11 08:33:54 | 000,000,120 | ---- | C] () -- C:\WINDOWS\CIS_Setup_3.13.126709.581_XP_Vista_x32.INI
[2010/02/10 20:45:11 | 000,363,008 | ---- | C] () -- C:\Documents and Settings\Julie\Desktop\rkill.com
[2010/02/10 15:19:53 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/02/05 13:15:34 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Julie\Desktop\Hattie 2-5-2010.doc
[2010/01/31 13:13:32 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/01/31 13:13:31 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/26 09:25:58 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\Julie\Desktop\Daily Office Devotional.doc
[2009/12/01 17:08:45 | 000,000,700 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\OutlookFail.20091201.log
[2009/11/27 13:26:29 | 000,012,288 | ---- | C] () -- C:\Documents and Settings\Julie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/30 16:14:17 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/03/06 09:50:11 | 000,000,342 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2008/06/07 22:55:48 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Julie\Application Data\wklnhst.dat
[2008/05/08 13:58:35 | 000,001,783 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/12/01 21:13:55 | 000,000,021 | ---- | C] () -- C:\WINDOWS\atid.ini
[2007/12/01 17:21:41 | 000,010,615 | ---- | C] () -- C:\WINDOWS\hpdj3600.ini
[2007/12/01 16:46:00 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Julie\Local Settings\Application Data\fusioncache.dat
[2007/12/01 16:13:56 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/21 04:32:48 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/11/21 04:22:48 | 000,198,144 | ---- | C] () -- C:\WINDOWS\System32\_psisdecd.dll
[2007/11/21 04:19:39 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2007/11/21 04:19:39 | 000,000,193 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/11/21 04:11:41 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2007/11/21 04:11:39 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2007/11/21 03:46:19 | 000,910,304 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2007/11/21 03:46:19 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4831.dll
[2007/11/21 03:46:17 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2007/11/21 03:44:51 | 000,001,121 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/11/07 05:25:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/17 00:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/17 00:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2004/08/10 14:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 14:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/03/31 10:59:30 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/03/31 10:59:30 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/03/31 10:59:30 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/03/31 10:59:30 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/05/08 21:22:56 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\drivers\storage\R154200\iastor.sys
[2007/05/08 21:22:58 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\i386\iastor.sys
[2007/05/08 21:22:58 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\WINDOWS\system32\drivers\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >


OTL Extras:

OTL Extras logfile created on: 2/12/2010 6:01:50 PM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Julie\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.94 Gb Total Space | 42.46 Gb Free Space | 61.59% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DF12Z3F1
Current User Name: Julie
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-333419700-563927531-67471420-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Dell\MediaDirect\PCMService.exe" = C:\Program Files\Dell\MediaDirect\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program -- (CyberLink Corp.)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Documents and Settings\Hattie\Application Data\mjusbsp\magicJack.exe" = C:\Documents and Settings\Hattie\Application Data\mjusbsp\magicJack.exe:*:Enabled:magicJack -- (magicJack L.P.)
"C:\Documents and Settings\Julie\Application Data\mjusbsp\magicJack.exe" = C:\Documents and Settings\Julie\Application Data\mjusbsp\magicJack.exe:*:Enabled:magicJack -- (magicJack L.P.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{16BE87BC-69F5-4D36-8CF0-E1CB3ACD5ED3}" = HP Driver Diagnostics
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23E8D2D6-F7C8-4A35-816C-6C914EE0A601}" = Citrix Presentation Server Client - Web Only
"{2C6C74C2-042F-4D36-B7B0-0C538FCF01AB}" = Dell DataSafe Online
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{40D538B1-39FA-46AF-A644-9F8D86FC7EAA}" = Switched-On Schoolhouse 2007 - Student DL
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}" = overland
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{90110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{91A5B6C0-EF4E-4830-AC7D-6761C0A9B292}" = hp deskjet 3600
"{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}" = OutlookAddinSetup
"{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A7DB362E-16DC-4E29-8A34-E74381E00B5B}" = Adobe Shockwave Player
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{B6884A07-0305-47AE-9969-8F26FADC17DE}" = Games, Music, & Photos Launcher
"{C0E5147E-C9F3-4360-9ED0-2E875F11766C}" = Respondus LockDown Browser
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{C99C0593-3B48-41D9-B42F-6E035B320449}" = Broadcom Management Programs
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D1B5E9C8-4CCF-44E3-87D6-7C00D7DA5370}" = IntelliSonic Speech Enhancement
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E42BD75A-FC23-4E3F-9F91-2658334C644F}" = Internet Service Offers Launcher
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E8C06CB3-5DB2-4689-B1DC-4A0220DEA96C}" = Consumer Complete Care Services Agreement
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
"{EA8C73AA-3D75-44C9-87A2-8E945FC5FEE6}" = Trend Micro PC-cillin Internet Security 14
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_6" = AIM 6
"a-squared Free_is1" = a-squared Free 4.5
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"ESET Online Scanner" = ESET Online Scanner v3
"Google Desktop" = Google Desktop
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Picasa 3" = Picasa 3
"RealPlayer 6.0" = RealPlayer
"SearchAssist" = SearchAssist
"SpywareBlaster_is1" = SpywareBlaster 4.2
"SynTPDeinstKey" = Dell Touchpad
"The Rosetta Stone" = The Rosetta Stone
"TmPcc" = Trend Micro PC-cillin Internet Security 14
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/15/2009 10:41:45 PM | Computer Name = DF12Z3F1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 2/21/2009 1:06:07 AM | Computer Name = DF12Z3F1 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16791, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/21/2009 2:48:51 PM | Computer Name = DF12Z3F1 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16791, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/1/2009 3:54:26 PM | Computer Name = DF12Z3F1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 3/1/2009 6:43:25 PM | Computer Name = DF12Z3F1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 3/6/2009 11:11:52 PM | Computer Name = DF12Z3F1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 3/10/2009 12:12:13 AM | Computer Name = DF12Z3F1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 3/13/2009 5:10:02 PM | Computer Name = DF12Z3F1 | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/21/2009 3:05:02 PM | Computer Name = DF12Z3F1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 3/29/2009 8:18:56 PM | Computer Name = DF12Z3F1 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16791, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 2/12/2010 5:23:52 PM | Computer Name = DF12Z3F1 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the RpcSs service.

Error - 2/12/2010 5:24:49 PM | Computer Name = DF12Z3F1 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Bonjour Service service.

Error - 2/12/2010 5:24:49 PM | Computer Name = DF12Z3F1 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Schedule service.

Error - 2/12/2010 5:24:49 PM | Computer Name = DF12Z3F1 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Apple Mobile Device service.

Error - 2/12/2010 5:25:53 PM | Computer Name = DF12Z3F1 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Schedule service.

Error - 2/12/2010 5:28:08 PM | Computer Name = DF12Z3F1 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Apple Mobile Device service.

Error - 2/12/2010 5:28:42 PM | Computer Name = DF12Z3F1 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the w32time service.

Error - 2/12/2010 5:51:27 PM | Computer Name = DF12Z3F1 | Source = Service Control Manager | ID = 7001
Description = The Trend Micro Proxy Service service depends on the Trend Micro TDI
Driver service which failed to start because of the following error: %%31

Error - 2/12/2010 5:51:27 PM | Computer Name = DF12Z3F1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
APPDRV Fips intelppm SASDIFSV SASKUTIL tmtdi

Error - 2/12/2010 5:51:45 PM | Computer Name = DF12Z3F1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >
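The "< MD5 for: ... >" section of the OTL Extras report above is the part a helper reads first when a file-patching rootkit is suspected: OTL hashes the copy of each system file that Windows actually loads (under system32 or system32\drivers) next to every backup copy it can find (ServicePackFiles, dllcache, the ERDNT cache, i386, $NtServicePackUninstall$, vendor driver stores). In this log all three iastor.sys copies share one MD5, and netlogon.dll's SP3 copies match while the pre-SP3 copies in C:\i386 and $NtServicePackUninstall$ legitimately differ, so a naive "all copies identical" comparison would raise a false alarm. The following is an added example, not code from the thread, from OTL or from OldTimer, that does the cross-check the way a helper does it by eye: the live copy must hash like at least one backup. The IASTOR.SYS and NETLOGON.DLL sample lines follow the report above; the ATAPI.SYS block, its hashes, sizes and dates are invented purely to show what a mismatch looks like, and the `is_live` path rule is my own assumption about how to read an OTL path, not OTL's logic.

```python
"""Added triage helper for the "< MD5 for: NAME >" blocks of an OTL Extras report: the
copy Windows loads (system32, system32\\drivers) must hash like at least one backup copy
(ServicePackFiles, dllcache, ERDNT cache, i386, $NtServicePackUninstall$)."""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
ENTRY_RE = re.compile(
    r"^\[[^|]+\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*\([^)]*\)\s*"
    r"MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>\S.*)$"
)

# Constructed sample: IASTOR.SYS and NETLOGON.DLL entries follow the thread's OTL report;
# the ATAPI.SYS block is invented (fake hashes/sizes/dates) to show a live copy that matches no backup.
SAMPLE_REPORT = r"""
< MD5 for: IASTOR.SYS >
[2007/05/08 21:22:56 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\drivers\storage\R154200\iastor.sys
[2007/05/08 21:22:58 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\i386\iastor.sys
[2007/05/08 21:22:58 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\WINDOWS\system32\drivers\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll

< MD5 for: ATAPI.SYS >
[2008/04/13 19:12:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 19:12:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 19:12:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB -- C:\WINDOWS\system32\drivers\atapi.sys
"""

@dataclass
class Copy:
    size: int
    md5: str
    path: str

    @property
    def is_live(self) -> bool:
        # Assumed rule: the loaded copy sits under system32; dllcache is under system32 too but is a backup.
        p = self.path.lower()
        return "\\system32\\" in p and "\\dllcache\\" not in p

@dataclass
class Finding:
    name: str
    status: str             # "ok", "MISMATCH" or "no-reference"
    live_path: str
    reference_md5s: tuple   # distinct hashes seen among backup copies
    patched_in_place: bool  # MISMATCH against a backup of identical size

def parse_md5_blocks(report: str) -> dict:
    """Return {FILE NAME: [Copy, ...]} in report order; unrelated lines are ignored."""
    blocks, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            current = h.group("name").upper()
            blocks.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            blocks[current].append(Copy(int(m.group("size").replace(",", "")),
                                        m.group("md5").upper(), m.group("path").strip()))
    return blocks

def audit_block(name: str, copies: list) -> list:
    """One Finding per live copy of `name`."""
    live = [c for c in copies if c.is_live]
    refs = [c for c in copies if not c.is_live]
    ref_md5s = tuple(sorted({r.md5 for r in refs}))
    findings = []
    for c in live:
        if not refs:
            status = "no-reference"
        elif c.md5 in ref_md5s:
            status = "ok"
        else:
            status = "MISMATCH"
        # Same size, different hash: in-place patching rather than a different file version.
        patched = status == "MISMATCH" and any(r.size == c.size for r in refs)
        findings.append(Finding(name, status, c.path, ref_md5s, patched))
    return findings

def audit_report(report: str) -> dict:
    """{FILE NAME: worst status across its live copies}."""
    rank = {"ok": 0, "no-reference": 1, "no-live-copy": 1, "MISMATCH": 2}
    summary = {}
    for name, copies in parse_md5_blocks(report).items():
        statuses = [f.status for f in audit_block(name, copies)] or ["no-live-copy"]
        summary[name] = max(statuses, key=rank.__getitem__)
    return summary

if __name__ == "__main__":
    for name, copies in parse_md5_blocks(SAMPLE_REPORT).items():
        for f in audit_block(name, copies):
            print(f"{f.status:13}{name:14}{f.live_path}  patched_in_place={f.patched_in_place}")
```

Run against the sample, IASTOR.SYS and NETLOGON.DLL come back "ok" and the invented ATAPI.SYS block comes back "MISMATCH" with `patched_in_place` set, because its live copy has the same size as its backups but a different hash. A "MISMATCH" is a reason to look harder (compare against a known-good copy, check the driver with a rootkit scanner), not a verdict on its own: a hotfix installed outside a service pack can also leave a live copy that no cached backup matches.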




#4 Buckeye_Sam

Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 14 February 2010 - 08:09 AM

Let me know the exact issues you are having currently.



We need to run this special tool.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), then copy and paste the following into the text field (make sure you include the quote marks) and press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • If prompted to reboot, please do so.
  • When it is done, a log file should be created on your desktop called "TDSSKiller.txt" please copy and paste the contents of that file here.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 CMS19

CMS19
  • Topic Starter
  • Members
  • 12 posts

Posted 14 February 2010 - 10:19 AM


When I opened the TDSSKiller file, there was this notification from Trend PC-Cillin firewall:

********************************
Notification

Real-time Virus Protection
Real-time Virus Protection has detected a virus or other security risk, and performed the action specified.

Action taken: This file shows signs of infection by an unidentified virus.

Incident name: C:\documents and settings\julie\desktop\tdsskiller.exe
Detection name: Cryp_Xed-16
********************************

Is that a problem?

Also, as for current issues - I cannot update the Trend PC-Cillin firewall, but get this message: "Update unsuccessful. Check your internet connection and then try again." There is nothing wrong with the internet connection, and I have attempted this update multiple times, with the same result.

And the original problem - the presence of the malware, "Security Antivirus" - persists.

Thanks again for your help.


Here is the TDSSKiller.exe report:

10:01:47:281 3164 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:0
10:01:47:281 3164 ================================================================================
10:01:47:281 3164 SystemInfo:

10:01:47:281 3164 OS Version: 5.1.2600 ServicePack: 3.0
10:01:47:281 3164 Product type: Workstation
10:01:47:281 3164 ComputerName: DF12Z3F1
10:01:47:281 3164 UserName: Julie
10:01:47:281 3164 Windows directory: C:\WINDOWS
10:01:47:281 3164 Processor architecture: Intel x86
10:01:47:281 3164 Number of processors: 2
10:01:47:281 3164 Page size: 0x1000
10:01:47:296 3164 Boot type: Normal boot
10:01:47:296 3164 ================================================================================
10:01:47:296 3164 UnloadDriverW: NtUnloadDriver error 2
10:01:47:296 3164 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
10:01:47:296 3164 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
10:01:47:328 3164 UtilityInit: KLMD drop and load success
10:01:47:328 3164 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
10:01:47:328 3164 UtilityInit: KLMD open success
10:01:47:328 3164 UtilityInit: Initialize success
10:01:47:328 3164
10:01:47:328 3164 Scanning Services ...
10:01:47:328 3164 CreateRegParser: Registry parser init started
10:01:47:328 3164 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
10:01:47:328 3164 CreateRegParser: DisableWow64Redirection error
10:01:47:328 3164 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
10:01:47:328 3164 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
10:01:47:328 3164 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:01:47:328 3164 wfopen_ex: Trying to KLMD file open
10:01:47:328 3164 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
10:01:47:328 3164 wfopen_ex: File opened ok (Flags 2)
10:01:47:328 3164 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384BD0
10:01:47:328 3164 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
10:01:47:328 3164 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
10:01:47:328 3164 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:01:47:328 3164 wfopen_ex: Trying to KLMD file open
10:01:47:328 3164 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
10:01:47:328 3164 wfopen_ex: File opened ok (Flags 2)
10:01:47:328 3164 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384C78
10:01:47:328 3164 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
10:01:47:328 3164 CreateRegParser: EnableWow64Redirection error
10:01:47:328 3164 CreateRegParser: RegParser init completed
10:01:48:093 3164 GetAdvancedServicesInfo: Raw services enum returned 358 services
10:01:48:093 3164 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
10:01:48:093 3164 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
10:01:48:093 3164
10:01:48:093 3164 Scanning Kernel memory ...
10:01:48:093 3164 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
10:01:48:093 3164 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A6046E8
10:01:48:093 3164 DetectCureTDL3: KLMD_GetDeviceObjectList returned 5 DevObjects
10:01:48:093 3164
10:01:48:093 3164 DetectCureTDL3: DEVICE_OBJECT: 8A582C68
10:01:48:093 3164 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A582C68
10:01:48:093 3164 KLMD_ReadMem: Trying to ReadMemory 0x8A582C68[0x38]
10:01:48:093 3164 DetectCureTDL3: DRIVER_OBJECT: 8A6046E8
10:01:48:093 3164 KLMD_ReadMem: Trying to ReadMemory 0x8A6046E8[0xA8]
10:01:48:093 3164 KLMD_ReadMem: Trying to ReadMemory 0xE183EB30[0x18]
10:01:48:093 3164 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:01:48:093 3164 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
10:01:48:093 3164 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:01:48:093 3164 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
10:01:48:093 3164 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
10:01:48:093 3164 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
10:01:48:093 3164 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:01:48:093 3164 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:01:48:093 3164 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:01:48:093 3164 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:01:48:093 3164 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2
10:01:48:093 3164 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:01:48:093 3164 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:01:48:093 3164 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:01:48:093 3164 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:01:48:093 3164 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB
10:01:48:093 3164 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28
10:01:48:093 3164 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2
10:01:48:093 3164 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:01:48:093 3164 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:01:48:093 3164 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:01:48:093 3164 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:01:48:093 3164 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:01:48:093 3164 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82
10:01:48:093 3164 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E
10:01:48:093 3164 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:01:48:093 3164 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:01:48:093 3164 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:01:48:093 3164 TDL3_FileDetect: Processing driver: Disk
10:01:48:093 3164 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:01:48:093 3164 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:01:48:140 3164 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:01:48:140 3164
10:01:48:140 3164 DetectCureTDL3: DEVICE_OBJECT: 8A582030
10:01:48:140 3164 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A582030
10:01:48:140 3164 KLMD_ReadMem: Trying to ReadMemory 0x8A582030[0x38]
10:01:48:140 3164 DetectCureTDL3: DRIVER_OBJECT: 8A6046E8
10:01:48:140 3164 KLMD_ReadMem: Trying to ReadMemory 0x8A6046E8[0xA8]
10:01:48:140 3164 KLMD_ReadMem: Trying to ReadMemory 0xE183EB30[0x18]
10:01:48:140 3164 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:01:48:140 3164 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
10:01:48:140 3164 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:01:48:140 3164 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
10:01:48:140 3164 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
10:01:48:140 3164 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
10:01:48:140 3164 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:01:48:140 3164 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:01:48:140 3164 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:01:48:140 3164 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:01:48:140 3164 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2
10:01:48:140 3164 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:01:48:140 3164 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:01:48:140 3164 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:01:48:156 3164 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:01:48:156 3164 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB
10:01:48:156 3164 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28
10:01:48:156 3164 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2
10:01:48:156 3164 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:01:48:156 3164 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:01:48:156 3164 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:01:48:156 3164 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:01:48:156 3164 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:01:48:156 3164 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82
10:01:48:156 3164 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E
10:01:48:156 3164 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:01:48:156 3164 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:01:48:156 3164 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:01:48:156 3164 TDL3_FileDetect: Processing driver: Disk
10:01:48:156 3164 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:01:48:156 3164 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:01:48:171 3164 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:01:48:171 3164
10:01:48:171 3164 DetectCureTDL3: DEVICE_OBJECT: 8A4F0C68
10:01:48:171 3164 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A4F0C68
10:01:48:171 3164 KLMD_ReadMem: Trying to ReadMemory 0x8A4F0C68[0x38]
10:01:48:171 3164 DetectCureTDL3: DRIVER_OBJECT: 8A6046E8
10:01:48:171 3164 KLMD_ReadMem: Trying to ReadMemory 0x8A6046E8[0xA8]
10:01:48:171 3164 KLMD_ReadMem: Trying to ReadMemory 0xE183EB30[0x18]
10:01:48:171 3164 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:01:48:171 3164 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
10:01:48:171 3164 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
10:01:48:171 3164 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
10:01:48:171 3164 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
10:01:48:171 3164 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2
10:01:48:171 3164 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB
10:01:48:171 3164 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28
10:01:48:171 3164 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2
10:01:48:171 3164 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82
10:01:48:171 3164 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E
10:01:48:171 3164 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:01:48:171 3164 TDL3_FileDetect: Processing driver: Disk
10:01:48:171 3164 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:01:48:171 3164 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:01:48:171 3164 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:01:48:171 3164
10:01:48:171 3164 DetectCureTDL3: DEVICE_OBJECT: 8A584C68
10:01:48:171 3164 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A584C68
10:01:48:171 3164 KLMD_ReadMem: Trying to ReadMemory 0x8A584C68[0x38]
10:01:48:171 3164 DetectCureTDL3: DRIVER_OBJECT: 8A6046E8
10:01:48:171 3164 KLMD_ReadMem: Trying to ReadMemory 0x8A6046E8[0xA8]
10:01:48:171 3164 KLMD_ReadMem: Trying to ReadMemory 0xE183EB30[0x18]
10:01:48:171 3164 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:01:48:171 3164 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
10:01:48:171 3164 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
10:01:48:171 3164 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
10:01:48:171 3164 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
10:01:48:171 3164 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2
10:01:48:171 3164 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB
10:01:48:171 3164 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28
10:01:48:171 3164 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2
10:01:48:171 3164 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82
10:01:48:171 3164 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E
10:01:48:171 3164 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:01:48:171 3164 TDL3_FileDetect: Processing driver: Disk
10:01:48:171 3164 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:01:48:171 3164 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:01:48:171 3164 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:01:48:171 3164
10:01:48:171 3164 DetectCureTDL3: DEVICE_OBJECT: 8A585AB8
10:01:48:171 3164 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A585AB8
10:01:48:171 3164 DetectCureTDL3: DEVICE_OBJECT: 8A586D98
10:01:48:171 3164 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A586D98
10:01:48:171 3164 KLMD_ReadMem: Trying to ReadMemory 0x8A586D98[0x38]
10:01:48:171 3164 DetectCureTDL3: DRIVER_OBJECT: 8A5A0C28
10:01:48:171 3164 KLMD_ReadMem: Trying to ReadMemory 0x8A5A0C28[0xA8]
10:01:48:171 3164 KLMD_ReadMem: Trying to ReadMemory 0xE18218A8[0x1A]
10:01:48:171 3164 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
10:01:48:171 3164 DetectCureTDL3: IrpHandler (0) addr: B9F3B6F2
10:01:48:171 3164 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (2) addr: B9F3B6F2
10:01:48:171 3164 DetectCureTDL3: IrpHandler (3) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (4) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (9) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (14) addr: B9F3B712
10:01:48:171 3164 DetectCureTDL3: IrpHandler (15) addr: B9F37852
10:01:48:171 3164 DetectCureTDL3: IrpHandler (16) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (22) addr: B9F3B73C
10:01:48:171 3164 DetectCureTDL3: IrpHandler (23) addr: B9F42336
10:01:48:171 3164 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:01:48:171 3164 KLMD_ReadMem: Trying to ReadMemory 0xB9F38864[0x400]
10:01:48:187 3164 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
10:01:48:187 3164 TDL3_FileDetect: Processing driver: atapi
10:01:48:187 3164 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
10:01:48:187 3164 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
10:01:48:203 3164 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
10:01:48:203 3164
10:01:48:203 3164 Completed
10:01:48:218 3164
10:01:48:218 3164 Results:
10:01:48:218 3164 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
10:01:48:218 3164 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:01:48:218 3164 File objects infected / cured / cured on reboot: 0 / 0 / 0
10:01:48:218 3164
10:01:48:218 3164 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
10:01:48:218 3164 UtilityDeinit: KLMD(ARK) unloaded successfully
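
The log above is TDSSKiller walking the disk device stack (Disk, then atapi underneath it), reading each DRIVER_OBJECT's 27 IRP dispatch slots, checking atapi's StartIo routine and finally verifying the driver file on disk. The "Verdict: Clean" lines only cover the files; the dispatch-table dump is where a TDL3 hook would show, because TDL3 leaves atapi.sys intact on disk and redirects the in-memory handlers. The PowerShell below is an added example, not TDSSKiller code and not something posted in this thread: it parses such a log, treats the address shared by different drivers (804F4562 here, the kernel's IopInvalidDeviceRequest stub on XP) as the default, and reports any remaining handler that lies outside its driver's image. TDSSKiller does not print module bounds, so $ModuleRanges is constructed for the example, and $SampleLog is a constructed excerpt of the thread's log with one hooked slot added so that the check has something to find.

```powershell
<#
  Added example (not TDSSKiller code, not from the thread): audit the IRP dispatch
  tables in a TDSSKiller DetectCureTDL3 log. Slots pointing at the address that two
  or more different drivers share are the kernel default stub and are skipped; every
  other handler must fall inside its own driver's image, otherwise it is reported.
  ASSUMPTIONS: $ModuleRanges and $SampleLog are constructed for this example.
#>
param(
    [string]$Path,                                    # real TDSSKiller log; omit to use $SampleLog
    [hashtable]$ModuleRanges = @{                     # constructed image bounds, hex strings
        'Disk'  = @{ Start = 'BA0E8000'; End = 'BA0F0000' }
        'atapi' = @{ Start = 'B9F36000'; End = 'B9F44000' }
    }
)

# IRP_MJ_* names by dispatch-table index (wdm.h order)
$IrpMajor = 'CREATE','CREATE_NAMED_PIPE','CLOSE','READ','WRITE','QUERY_INFORMATION',
    'SET_INFORMATION','QUERY_EA','SET_EA','FLUSH_BUFFERS','QUERY_VOLUME_INFORMATION',
    'SET_VOLUME_INFORMATION','DIRECTORY_CONTROL','FILE_SYSTEM_CONTROL','DEVICE_CONTROL',
    'INTERNAL_DEVICE_CONTROL','SHUTDOWN','LOCK_CONTROL','CLEANUP','CREATE_MAILSLOT',
    'QUERY_SECURITY','SET_SECURITY','POWER','SYSTEM_CONTROL','DEVICE_CHANGE','QUERY_QUOTA',
    'SET_QUOTA','PNP'

# Constructed sample: real lines from the thread's log, plus atapi slot 14
# (IRP_MJ_DEVICE_CONTROL) redirected to a pool-looking address that is NOT in the thread.
$SampleLog = @'
10:01:48:171 3164 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:01:48:171 3164 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
10:01:48:171 3164 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
10:01:48:171 3164 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2
10:01:48:171 3164 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:01:48:171 3164 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
10:01:48:171 3164 DetectCureTDL3: IrpHandler (0) addr: B9F3B6F2
10:01:48:171 3164 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:01:48:171 3164 DetectCureTDL3: IrpHandler (14) addr: 8A5F2C00
10:01:48:171 3164 DetectCureTDL3: IrpHandler (15) addr: B9F37852
10:01:48:203 3164 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
'@

function ConvertFrom-TdsskillerLog {
    # One record per DRIVER_OBJECT block: name, slot -> handler address, file verdict.
    param([string[]]$Lines)
    $drivers = New-Object System.Collections.ArrayList
    $cur = $null
    foreach ($line in $Lines) {
        if ($line -match 'DRIVER_OBJECT name: \\Driver\\\S+, Driver Name: (\S+)') {
            $cur = New-Object PSObject -Property @{ Name = $Matches[1]; Handlers = @{}; File = ''; Verdict = '' }
            [void]$drivers.Add($cur)
        }
        elseif ($cur -and $line -match 'IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)') {
            $cur.Handlers[[int]$Matches[1]] = [Convert]::ToInt64($Matches[2], 16)
        }
        elseif ($cur -and $line -match 'TDL3_FileDetect: (.+?) - Verdict: (\w+)') {
            $cur.File = $Matches[1]; $cur.Verdict = $Matches[2]
        }
    }
    $drivers.ToArray()
}

function Get-SharedHandlerAddress {
    # An address used by two *different* drivers cannot be private driver code; on XP it
    # is nt!IopInvalidDeviceRequest, the stub every unimplemented IRP_MJ slot points to.
    param($Drivers)
    $owners = @{}
    foreach ($d in $Drivers) {
        foreach ($addr in $d.Handlers.Values) {
            if (-not $owners.ContainsKey($addr)) { $owners[$addr] = @{} }
            $owners[$addr][$d.Name] = $true
        }
    }
    foreach ($addr in $owners.Keys) { if ($owners[$addr].Count -gt 1) { $addr } }
}

function Test-IrpTable {
    # Emit one finding per handler that is neither the shared stub nor inside the image.
    param($Driver, $Shared, [hashtable]$ModuleRanges)
    $range = $ModuleRanges[$Driver.Name]
    if ($range) { $lo = [Convert]::ToInt64($range.Start, 16); $hi = [Convert]::ToInt64($range.End, 16) }
    foreach ($slot in ($Driver.Handlers.Keys | Sort-Object)) {
        $addr = $Driver.Handlers[$slot]
        if ($Shared -contains $addr) { continue }                         # kernel default stub
        if ($range -and $addr -ge $lo -and $addr -le $hi) { continue }    # inside the driver image
        New-Object PSObject -Property @{
            Driver  = $Driver.Name
            Slot    = $slot
            IrpMj   = $(if ($slot -lt $IrpMajor.Count) { 'IRP_MJ_' + $IrpMajor[$slot] } else { "IRP_MJ_$slot" })
            Target  = '{0:X8}' -f $addr
            Verdict = $Driver.Verdict
            Reason  = $(if ($range) { 'handler outside driver image' } else { 'no image range supplied' })
        }
    }
}

$lines   = if ($Path) { Get-Content -Path $Path } else { $SampleLog -split "`r?`n" }
$drivers = @(ConvertFrom-TdsskillerLog -Lines $lines)
$shared  = @(Get-SharedHandlerAddress -Drivers $drivers)
$hits    = @($drivers | ForEach-Object { Test-IrpTable -Driver $_ -Shared $shared -ModuleRanges $ModuleRanges })

"Drivers parsed: $($drivers.Count); shared kernel stub(s): $(($shared | ForEach-Object { '{0:X8}' -f $_ }) -join ', ')"
if ($hits.Count -eq 0) { 'Every non-default IRP handler lies inside its own driver image.' }
else { $hits | Select-Object Driver, Slot, IrpMj, Target, Verdict, Reason | Format-Table -AutoSize }
```

Run without arguments to see the constructed hook reported (atapi, slot 14, target 8A5F2C00, while the file verdict still says Clean); pass -Path to a real TDSSKiller log and -ModuleRanges taken from a driver list for a live case. In the thread's own log every non-default handler of Disk sits in the BA0Exxxx block and every one of atapi in the B9F3xxxx-B9F4xxxx block, which is why the tool, and this check, find nothing.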


#6 Buckeye_Sam (Malware Expert)

Posted 15 February 2010 - 01:58 AM

QUOTE
And the original problem - the presence of the malware, "Security Antivirus" - persists.

Where are you getting this indication?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 CMS19 (Topic Starter)

Posted 15 February 2010 - 11:22 AM

It shows up at the top of the DDS report:

"AV: Security Antivirus *On-access scanning enabled* (Updated) {1913B679-BBD3-454F-A7F8-ECBEA6AF9CC7}
AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Security Antivirus *enabled* {C531EFFC-44A4-48BE-9D44-DC10C6B8D7D4}....."

(and it also showed up on a different scan, when I requested help from an IT friend who was leaving for overseas, before I posted here).



#8 Buckeye_Sam (Malware Expert)

Posted 15 February 2010 - 04:54 PM

That's not necessarily an accurate way to detect the presence of a rogue, but let's see if we can dig it out and remove it.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :regfind
    1913B679-BBD3-454F-A7F8-ECBEA6AF9CC7
    C531EFFC-44A4-48BE-9D44-DC10C6B8D7D4

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


========================================================

#9 CMS19 (Topic Starter)

Posted 15 February 2010 - 08:47 PM

Thank you, Sam!

Here are the results:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:44 on 15/02/2010 by Julie (Administrator - Elevation successful)

========== regfind ==========

Searching for "1913B679-BBD3-454F-A7F8-ECBEA6AF9CC7"
No data found.

Searching for "C531EFFC-44A4-48BE-9D44-DC10C6B8D7D4"
No data found.

-=End Of File=-


Just in case it's of any use, while I was waiting I ran the Gmer scan in Safe Mode (since I couldn't get it to run in regular mode) - but the screen was too large for me to manipulate, so the "Save" button was not visible - but I typed out what I could see of the report when it finished. I don't know if it will be of any help, but here it is:

SSDT Lbd.sys [Boot Driver/Lavasoft AB] ZwCreateKey [0xF764787E]

SSDT Lbd.sys [Boot Driver/Lavasoft AB] ZwSetValueKey [0xF7647B7E]

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys [Synaptics Touchpad Driver/Synapt…

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys [Synaptics Touchpad Driver/Synapt…

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys {Microsoft Filesystem Filter Manager/…


Thanks again!

Edited by CMS19, 15 February 2010 - 08:58 PM.


#10 Buckeye_Sam (Malware Expert)

Posted 16 February 2010 - 11:05 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.




========================================================

#11 CMS19 (Topic Starter)

Posted 16 February 2010 - 10:45 PM

I ran ComboFix, but before it got started, it said that "Security Antivirus" malware was still running, and it gave me this message: "The directory or file cannot be created. The system cannot find the path specified."

It proceeded to run, but between stages 38 & 39, it gave this message: "Cannot create file "C:\Qoobox\Quarantine\Registry_backups\tcpip.reg". The system cannot find the path specified"....

At the end, after completing Stage 50, it said:

Deleting Files:
C:\Documents and Settings\Julie\Application Data\Microsoft\Microsoft\Internet Explorer|Quick Launch\SUPERAntiSpyware Free Edition.lnk (lowercase letter "l")

It just stops and just hangs there for hours.



#12 Buckeye_Sam (Malware Expert)

Posted 17 February 2010 - 12:34 PM

It looks like you had run Combofix once before. Did you download a new copy to run, or did you just run the copy you already had?

Run Systemlook again with this code.

CODE
:regfind
Security Antivirus


Post back with the resulting log.


======================



Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



========================================================

#13 CMS19 (Topic Starter)

Posted 17 February 2010 - 02:48 PM

Thank you!


I did uninstall the earlier ComboFix and then reinstalled to do the scan. I also tried it in Safe Mode, and got the same result.


Here is the SystemLook report:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 12:49 on 17/02/2010 by Julie (Administrator - Elevation successful)

========== regfind ==========

Searching for "Security Antivirus"
No data found.

-=End Of File=-

**************************

And here is the MBAM report:

Malwarebytes' Anti-Malware 1.44
Database version: 3751
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/17/2010 2:34:16 PM
mbam-log-2010-02-17 (14-34-16).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 215345
Time elapsed: 41 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*************

MBAM has pretty much been clean even when I had to go to Safe Mode originally to get the computer to function w/o freezing, to try the "Security Antivirus" removal procedures...

(Also, they had PC Cillin on this computer, and it was no longer updating - I found this link ( http://community.trendmicro.com/t5/Home-an...02751CECA5BCEEF ) and saw that this was a common problem - so we uninstalled it. Maybe the Security Antivirus got through because of a firewall failure? But it needs some kind of firewall besides the Windows one, I think? I've used Zone Alarm in past years, but these people need something with very little or no interaction. I haven't used Zone Alarm lately, and I've heard of people having trouble with Comodo and Outpost - maybe you have a recommendation on a good firewall for them? Or I guess we can just think about that more once we know the computer is clean?)

Thanks again!


#14 Buckeye_Sam (Malware Expert)

Posted 18 February 2010 - 09:17 AM

I don't think the firewall was the reason this computer became infected. Zone Alarm is very good, but as you noted it does take some time to get used to. In light of that I'd recommend just using the Windows firewall.

Just to be clear, the computer is not infected with Security Antivirus at this point. In fact there doesn't seem to be any indication of an active infection. The information that you are seeing in the DDS log is reported based off what WMI sees as registered. This is not always accurate. There is a combofix directive that will remove that notification just as a matter of cleaning up, which is why we've been trying to run it. So your options are 1) ignore it, as there are no other indications of the infection, or 2) we try to figure out Combofix and remove it.

While I recommend option 1, I'm willing to proceed with option 2 if you'd like.
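
The point made in post #14, that DDS's "AV:" and "FW:" lines come from what is registered in the WMI Security Center repository rather than from anything running, is the same question post #8 asked of the registry with SystemLook's regfind on the two GUIDs. The PowerShell below is an added example, not part of DDS, SystemLook or ComboFix and not posted in the thread: it lists those WMI registrations and, for each, looks for the traces a product that is really present leaves behind (a running process, a service, a Run value, an Add/Remove Programs entry). An entry with none of those is a registration left over from a product that is gone, which is what this thread ended up concluding. Assumptions: root\SecurityCenter is the XP namespace (Vista and later use root\SecurityCenter2, passed with -Namespace); it has to run as Administrator on the affected machine, so it cannot be run offline; and -Remove, which deletes stale instances the way the ComboFix cleanup mentioned in post #14 would, is off by default.

```powershell
<#
  Added example (not DDS, SystemLook or ComboFix code, not from the thread): compare
  the Security Center registrations that DDS reports with what is actually on the box.
  ASSUMPTIONS: root\SecurityCenter is the XP namespace (use root\SecurityCenter2 on
  Vista and later); run elevated on the affected PC; -Remove is destructive and off.
#>
param(
    [string]$Namespace = 'root\SecurityCenter',
    [switch]$Remove                        # delete registrations judged stale; read-only otherwise
)

function Get-SecurityCenterEntry {
    # Everything registered as AV / firewall / antispyware, with the live WMI object kept
    # so a stale instance can be deleted later.
    param([string]$Namespace)
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct') {
        $objs = Get-WmiObject -Namespace $Namespace -Class $class -ErrorAction SilentlyContinue
        foreach ($o in @($objs)) {
            if ($o -eq $null) { continue }
            New-Object PSObject -Property @{
                Class        = $class
                DisplayName  = [string]$o.displayName
                InstanceGuid = [string]$o.instanceGuid      # DDS prints this value in braces
                Wmi          = $o
            }
        }
    }
}

function Test-ProductPresent {
    # Evidence the product behind a registration actually exists on this machine.
    param([string]$DisplayName)
    if (-not $DisplayName) { return $false }
    $pattern = '*' + $DisplayName + '*'
    # 1. a running process named after it
    if (Get-Process | Where-Object { $_.Name -like $pattern -or $_.Description -like $pattern }) { return $true }
    # 2. a Windows service
    if (Get-Service | Where-Object { $_.Name -like $pattern -or $_.DisplayName -like $pattern }) { return $true }
    # 3. an autostart Run value (where a rogue AV normally launches from)
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like $pattern -or ([string]$p.Value) -like $pattern) { return $true }
            }
        }
    }
    # 4. an Add/Remove Programs entry
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($sub in @(Get-ChildItem -Path $uninstall -ErrorAction SilentlyContinue)) {
        if ($sub -eq $null) { continue }
        $name = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DisplayName
        if ($name -like $pattern) { return $true }
    }
    return $false
}

$entries = @(Get-SecurityCenterEntry -Namespace $Namespace)
if ($entries.Count -eq 0) { "Nothing registered under $Namespace (wrong namespace for this Windows version?)"; return }

foreach ($e in $entries) {
    $present = Test-ProductPresent -DisplayName $e.DisplayName
    $state   = if ($present) { 'installed' } else { 'WMI registration only: no process, service, Run value or uninstall entry' }
    '{0,-18} {1,-48} {2}  {3}' -f $e.Class, $e.DisplayName, $e.InstanceGuid, $state
    if ($Remove -and -not $present) {
        $e.Wmi.Delete()                    # drop the stale instance; DDS stops listing it afterwards
        "  removed stale $($e.Class) registration for '$($e.DisplayName)'"
    }
}
```

On the machine in this thread the expected output is a "WMI registration only" line for Security Antivirus under both AntiVirusProduct and FirewallProduct, and one for the uninstalled PC-cillin. A registration with no footprint is only safe to call stale once the other scans agree, as MBAM, TDSSKiller and the SystemLook searches did here; a live rogue that runs from a renamed executable would also fail these four checks, so this is a confirmation step, not a replacement for them.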


========================================================

#15 CMS19 (Topic Starter)

Posted 18 February 2010 - 09:34 AM

Thank you; I have to give the computer back to a family that is not very good at keeping it free of malware, though they are at least running MBAM and SuperAntispyware every week or so. I try to do CCleaner and maybe Spybot when I see the computer every couple months or so. They are using the Windows firewall at least. I'm willing to skip the Combofix message problem if you think that is okay. Is there anything else you suggest we do to make sure that it is clean and protected before I return the computer? Maybe Avast? (It expired, but I can put it on there again.) Thanks so much for your help.



