
Google redirect, but still google


  • This topic is locked
26 replies to this topic

#1 copotay

copotay

  • Members
  • 33 posts
  • Local time:04:42 AM

Posted 21 February 2010 - 11:29 AM

This is posted at the request of Moderator "boopme". DDS logs and Gmer log. Defogger was run, however it did not make me restart.

Situation: XP SP2 and IE8: Two weeks ago I had Zooclicker and with the help of m0le we got it cleaned, however currently when I search off of the main google page for instance "test", I get the results, and upon clicking a link in my browser for "http://www.test.com/" it redirects to this shown below for a split second but then goes to the correct page:

/url?sa=t&source=web&ct=res&cd=1&ved=0CAsQFjAA&url=http%3A%2F%2Fwww.test.com%2F&rct=j&q=test&ei=W1iBS_zZKqH2Mrax0IsK&usg=AFQjCNH21KLjC0CBkjon2DwD_CZ0HApLMw

I have even tried another browser, Firefox, and it's doing it there too. This occurs from the main google page and when clicking a link in the results it gives that double mouse click before going to the chosen page showing the correct url. If you hover over the link it will not show this redirect link in the status bar, it only appears in the status bar when you right click, left click and hold, or if you look at the properties of the link it will be displayed in the properties window. It appears to be something related to a mousedown event. I have deleted all cookies and temp files and it still does this.

I have two other computers connected wirelessly to the same IP, an XP SP2 desktop with IE8 and a Vista IE7, through a Linksys router. Neither of these two computers show this problem in the browser. I have researched and found other people with the same problem and that it could be Google Analytics and Google randomly choosing me for testing, however I cannot figure out why it would be just this computer and not the other two if they were going off of IPs for testing. If it is google, my MAC address to the net is the router's, so it can't be them homing in on the MAC address of this computer. It must be something hidden on my system that I have been unable to find. Any help greatly appreciated.

Edit: added from AII topic ~~boopme
QUOTE
when I ran Defogger it did not make me restart and gave me this log, it looks like it did not find any cd emulation to turn off, do I still need to run it and press enable after the assistance is finished?

Defogger_disable by jpshortstuff (29.01.10.1)
Log created at 08:00 on 21/02/2010 (TED)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-




DDS LOG:

DDS (Ver_09-12-01.01) - NTFSx86
Run by at 8:03:42.60 on Sun 02/21/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1474 [GMT -6:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\ASWLSVC.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\ASWL2K.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Iconoid\iconoid.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\TED\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/search?hl=en&q=google
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.8.0.41\IPSBHO.DLL
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
TB: {4064EA35-578D-4073-A834-C96D82CBCF40} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Iconoid] "c:\program files\iconoid\iconoid.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [SigmatelSysTrayApp] "c:\windows\stsystra.exe"
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRunOnce: [RunNarrator] Narrator.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://support.fastaccess.com/sdccommon/download/tgctlcm.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260112725015
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15106/CTPID.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.8.0.41\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tedheb~1\applic~1\mozilla\firefox\profiles\cig8h06z.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\ted hebert\application data\mozilla\plugins\npPxPlay.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008000.029\SymEFA.sys [2010-2-6 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1008000.029\BHDrvx86.sys [2010-2-6 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1008000.029\cchpx86.sys [2010-2-6 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100218.001\IDSXpx86.sys [2010-2-20 329592]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.8.0.41\ccSvcHst.exe [2010-2-6 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100220.022\NAVENG.SYS [2010-2-21 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100220.022\NAVEX15.SYS [2010-2-21 1324720]
S2 EFAINIT2;EFAINIT2;c:\windows\system32\drivers\efainit2.sys [2006-7-10 12334]
S2 EFAW;EFAW;c:\windows\system32\drivers\EFAW.sys [2006-7-10 16680]
S2 msnsdrs;Microsoft Windows Device Management Service; [x]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance; [x]
S3 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-6-26 204800]
S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2007-7-21 104320]
S4 AAWService;Lavasoft Ad-Aware Service; [x]

=============== Created Last 30 ================

2010-02-21 14:00:43 0 ----a-w- c:\documents and settings\ted hebert\defogger_reenable
2010-02-19 01:39:36 0 d-----w- c:\windows\system32\Adobe
2010-02-07 00:40:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-07 00:40:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-07 00:40:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-06 17:22:06 0 d-----w- c:\program files\Shuangs Audio Joiner

==================== Find3M ====================

2010-02-07 03:48:39 872064 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-01-12 18:03:34 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
2010-01-12 18:03:34 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-01-12 18:03:34 4104192 ----a-w- c:\windows\system32\nvcuda.dll
2010-01-12 18:03:34 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-01-12 18:03:34 2283526 ----a-w- c:\windows\system32\nvdata.bin
2010-01-12 18:03:34 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2010-01-12 18:03:34 182888 ----a-w- c:\windows\system32\nvcodins.dll
2010-01-12 18:03:34 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
2010-01-12 18:03:34 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
2010-01-12 18:03:34 1081344 ----a-w- c:\windows\system32\nvapi.dll
2010-01-12 18:03:34 10276768 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-01-12 18:03:34 10276768 ----a-w- c:\windows\system32\dllcache\nv4_mini.sys
2010-01-12 04:17:44 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-12 04:17:44 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-12 04:17:44 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-12 04:17:44 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-12 04:17:44 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-12 04:17:40 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-17 23:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:35:35 33280 ----a-w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-14 07:35:35 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-11 08:38:55 69120 ----a-w- c:\windows\system32\dllcache\iecompat.dll
2009-12-08 18:14:02 2185984 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 18:11:44 2142720 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:11:44 2142720 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 17:35:25 2020864 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 17:35:25 2020864 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 17:35:22 2063104 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 08:59:48 474112 ----a-w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 14:41:55 453760 ----a-w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:04:16 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:04:16 1291776 ----a-w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 17:04:15 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:04:15 17920 ----a-w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 16:37:27 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:37:27 8704 ----a-w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:37:27 84992 ----a-w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:37:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37:27 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37:27 48128 ----a-w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:37:27 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37:27 28672 ----a-w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:37:27 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37:27 11264 ----a-w- c:\windows\system32\dllcache\msrle32.dll

============= FINISH: 8:04:29.54 ===============


Edited by boopme, 21 February 2010 - 03:09 PM.
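An added example, not part of the post above and not something the original poster ran: it models the behaviour described (the href a result link shows on hover is swapped on mousedown for a /url? wrapper that carries the real destination in its url parameter) and classifies a rewritten href against the link the user saw. A same-origin /url? wrapper whose url= decodes to the displayed target is the shape of the search engine's own click tracking; a wrapper hosted on a different origin, or one whose url= points somewhere other than the displayed link, is the pattern a search hijacker leaves. The names makeResultLink, classifyRewrite and demo are mine; http://www.google.com/ is assumed as the page origin, and the hosts example.net and redirector.example are constructed decoys. The POSTED_WRAPPER string is the sample from the post.

```javascript
// Added example (not from the thread): model the mousedown rewrite the
// poster describes and classify a rewritten href against the visible link.

// The poster's own sample, copied from the post. It is a path, i.e. relative
// to the search page it came from, so it must be resolved against that origin.
const POSTED_WRAPPER =
  '/url?sa=t&source=web&ct=res&cd=1&ved=0CAsQFjAA&url=http%3A%2F%2Fwww.test.com%2F' +
  '&rct=j&q=test&ei=W1iBS_zZKqH2Mrax0IsK&usg=AFQjCNH21KLjC0CBkjon2DwD_CZ0HApLMw';

// Minimal stand-in for a result <a>: what hover shows (hoverText) and the
// handler that swaps the href just before the click is followed. Only "url"
// matters to this example; sa/ved/usg in the real sample are opaque
// tracking fields and are not reproduced.
function makeResultLink(visibleHref, pageOrigin) {
  const link = { href: visibleHref, hoverText: visibleHref };
  link.onmousedown = () => {
    const wrapper = new URL('/url', pageOrigin);
    wrapper.searchParams.set('sa', 't');
    wrapper.searchParams.set('url', visibleHref);
    link.href = wrapper.pathname + wrapper.search; // relative, like the posted sample
  };
  return link;
}

// Compare what the user saw with what the click will actually load.
//   unchanged             href was not rewritten
//   benign-wrapper        same-origin /url? wrapper whose url= is the shown target
//   destination-mismatch  same-origin wrapper, but url= is missing or points elsewhere
//   foreign-redirector    wrapper is served from a different origin than the page
function classifyRewrite(visibleHref, rewrittenHref, pageOrigin) {
  if (rewrittenHref === visibleHref) return 'unchanged';
  const page = new URL(pageOrigin);
  const wrapper = new URL(rewrittenHref, page); // resolves relative wrappers
  if (wrapper.origin !== page.origin) return 'foreign-redirector';
  const dest = wrapper.searchParams.get('url');
  if (dest === null) return 'destination-mismatch';
  try {
    // Normalise both sides through URL so trailing slashes, case in the host
    // and percent-encoding do not produce false mismatches.
    return new URL(dest).href === new URL(visibleHref).href
      ? 'benign-wrapper'
      : 'destination-mismatch';
  } catch (_) {
    return 'destination-mismatch'; // url= is not a parsable absolute URL
  }
}

// Walk through the scenario from the post: hover shows the plain target,
// mousedown swaps in the wrapper, and the wrapper still resolves to the target.
function demo() {
  const link = makeResultLink('http://www.test.com/', 'http://www.google.com/');
  const beforeClick = link.href;
  link.onmousedown();
  return {
    beforeClick,
    afterMousedown: link.href,
    verdict: classifyRewrite(link.hoverText, link.href, 'http://www.google.com/'),
    postedSample: classifyRewrite('http://www.test.com/', POSTED_WRAPPER, 'http://www.google.com/'),
  };
}

console.log(demo());
```

To apply the same check by hand in a browser, right-click the result link, copy its link address, and compare the host of that address and the decoded url= value with the page you are on and the link text you hovered; a wrapper on another host, or one whose url= is not the link you clicked, is what to bring to the helper.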
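A second added example, again not from the thread or its helpers: a small triage pass over lines in the shape of the DDS report above (the Pseudo HJT Report and SERVICES / DRIVERS sections). It extracts the autostart entries and flags the ones a log reader looks at first: add-ons registered as "No File", DPF entries with no download source, services whose line ends in "[x]" (read here as DDS's marker for an image file that was not found, which matches OTL listing msnsdrs and AAWService as "File not found" later in the thread), and any LSA authentication package beyond msv1_0, because that key loads DLLs into LSASS and deserves verification. The flag rules are my own heuristics, not verdicts; the sample lines are copied from the posted log, and parseLine, flagEntry and triageDds are names I chose.

```javascript
// Added example (not from the thread): extract autostart entries from DDS
// report lines and flag the ones worth a closer look. Sample lines are
// copied from the DDS log in this thread.
const SAMPLE_DDS = `
uStart Page = hxxp://www.google.com/search?hl=en&q=google
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\adobe\\acrobat 7.0\\activex\\AcroIEHelper.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\\program files\\bae\\BAE.dll
TB: {4064EA35-578D-4073-A834-C96D82CBCF40} - No File
mRun: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
mPolicies-system: EnableLUA = 0 (0x0)
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
LSA: Authentication Packages = msv1_0 relog_ap
R0 SymEFA;Symantec Extended File Attributes;c:\\windows\\system32\\drivers\\nis\\1008000.029\\SymEFA.sys [2010-2-6 310320]
S2 msnsdrs;Microsoft Windows Device Management Service; [x]
S4 AAWService;Lavasoft Ad-Aware Service; [x]
`;

// Turn one DDS line into {kind, name, clsid, target, line}, or null for
// lines this example does not model (start page, policies, FF prefs, ...).
function parseLine(line) {
  let m;
  // BHO/TB/EB: optional display name, CLSID in braces, then the DLL or "No File".
  if ((m = /^(BHO|TB|EB): (?:(.+?): )?\{([0-9A-Fa-f-]+)\} - (.*)$/.exec(line))) {
    return { kind: m[1], name: m[2] || '', clsid: m[3], target: m[4].trim(), line };
  }
  // uRun/mRun/dRunOnce: [value name] command line.
  if ((m = /^([umd]Run(?:Once)?): \[([^\]]*)\] (.*)$/.exec(line))) {
    return { kind: m[1], name: m[2], clsid: '', target: m[3].trim(), line };
  }
  // DPF: downloaded ActiveX control, CLSID then the source URL (may be empty).
  if ((m = /^DPF: \{([0-9A-Fa-f-]+)\} -\s*(.*)$/.exec(line))) {
    return { kind: 'DPF', name: '', clsid: m[1], target: m[2].trim(), line };
  }
  // LSA authentication packages, space separated.
  if ((m = /^LSA: Authentication Packages = (.*)$/.exec(line))) {
    return { kind: 'LSA', name: 'Authentication Packages', clsid: '', target: m[1].trim(), line };
  }
  // Services/drivers: R|S + start type, short name;description;image path [date size].
  if ((m = /^([RS][0-4]) ([^;]+);([^;]*);(.*)$/.exec(line))) {
    return { kind: 'SVC', name: m[2], clsid: m[1], target: m[4].trim(), line };
  }
  return null;
}

// Heuristic flags; null means nothing stands out on this line alone.
function flagEntry(e) {
  if (['BHO', 'TB', 'EB'].includes(e.kind) && /^No File$/i.test(e.target)) {
    return { reason: 'no-file', detail: e.clsid }; // registered add-on whose DLL is gone
  }
  if (e.kind === 'DPF' && e.target === '') {
    return { reason: 'dpf-no-source', detail: e.clsid }; // ActiveX entry with no download URL
  }
  if (e.kind === 'SVC' && e.target === '[x]') {
    return { reason: 'missing-service-file', detail: e.name }; // service registered, image missing
  }
  if (e.kind === 'LSA') {
    const extra = e.target.split(/\s+/).filter((p) => p.toLowerCase() !== 'msv1_0');
    if (extra.length) return { reason: 'extra-lsa-package', detail: extra.join(',') };
  }
  return null;
}

// Parse a whole report and return both the entry list and the flags.
function triageDds(text) {
  const entries = [];
  const flags = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const e = parseLine(line);
    if (!e) continue;
    entries.push(e);
    const f = flagEntry(e);
    if (f) flags.push({ reason: f.reason, detail: f.detail, line });
  }
  return { entries, flags };
}

console.log(triageDds(SAMPLE_DDS).flags);
```

A flag here is a prompt to check the file, CLSID or package name against a known-good reference, not a finding: stale "No File" toolbars and disabled services with missing images are common leftovers of uninstalled software, which is why the helper asks for the full logs rather than acting on any single line.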




#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • Gender:Female
  • Location:Romania
  • Local time:01:42 PM

Posted 23 February 2010 - 05:49 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 copotay

copotay
  • Topic Starter

  • Members
  • 33 posts
  • Local time:04:42 AM

Posted 23 February 2010 - 11:23 AM

Thanks Elise, here are the logs:

OTL log

OTL logfile created on: 2/23/2010 6:55:33 AM - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\TED HEBERT\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 74.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 228.14 Gb Total Space | 167.44 Gb Free Space | 73.40% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Y: | 110.32 Gb Total Space | 62.03 Gb Free Space | 56.23% Space Free | Partition Type: NTFS

Computer Name: TED
Current User Name: TED HEBERT
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/23 06:53:55 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\TED HEBERT\Desktop\OTL.exe
PRC - [2009/12/17 17:14:11 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/11/20 07:28:14 | 000,181,312 | ---- | M] () -- C:\Program Files\Photodex\ProShowGold\scsiaccess.exe
PRC - [2009/08/22 01:21:19 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
PRC - [2009/06/01 13:51:52 | 001,468,296 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
PRC - [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/05/16 06:11:44 | 000,648,504 | ---- | M] (Pure Networks, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
PRC - [2008/05/16 06:11:44 | 000,648,504 | ---- | M] (Pure Networks, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
PRC - [2008/02/19 16:05:24 | 000,591,696 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\Event Manager\EEventManager.exe
PRC - [2007/06/13 04:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/03 17:38:24 | 000,274,432 | ---- | M] (SillySot Software) -- C:\Program Files\Iconoid\iconoid.exe
PRC - [2006/12/19 17:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
PRC - [2005/06/17 06:56:14 | 000,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2005/06/17 06:55:58 | 000,086,140 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
PRC - [2005/04/19 20:05:00 | 000,516,096 | ---- | M] () -- C:\WINDOWS\system32\ASWL2K.exe
PRC - [2005/03/22 04:20:44 | 000,339,968 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2004/06/03 02:51:27 | 000,172,032 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\type32.exe
PRC - [2004/05/06 11:21:04 | 000,496,640 | ---- | M] () -- C:\WINDOWS\system32\ASWLSVC.exe


========== Modules (SafeList) ==========

MOD - [2010/02/23 06:53:55 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\TED HEBERT\Desktop\OTL.exe
MOD - [2009/08/22 01:21:16 | 000,419,696 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\16.8.0.41\asOEHook.dll
MOD - [2006/08/25 09:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/10 04:00:00 | 001,852,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\AppPatch\AcGenral.dll
MOD - [2004/08/10 04:00:00 | 000,071,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msacm32.dll
MOD - [2004/08/10 04:00:00 | 000,065,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\shimeng.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare9)
SRV - File not found [Auto | Stopped] -- -- (msnsdrs)
SRV - File not found [On_Demand | Stopped] -- -- (FirebirdServerMAGIXInstance)
SRV - File not found [On_Demand | Stopped] -- -- (ACDaemon)
SRV - File not found [Disabled | Stopped] -- -- (AAWService)
SRV - [2010/01/11 22:17:44 | 000,154,216 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2009/12/17 17:14:11 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/11/20 07:28:14 | 000,181,312 | ---- | M] () [Auto | Running] -- C:\Program Files\Photodex\ProShowGold\scsiaccess.exe -- (ScsiAccess)
SRV - [2009/08/22 01:21:19 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe -- (Norton Internet Security)
SRV - [2008/12/20 10:00:31 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/10/10 04:45:26 | 000,013,088 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/06/26 12:52:42 | 000,204,800 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe -- (LinksysUpdater)
SRV - [2008/05/16 06:11:44 | 000,648,504 | ---- | M] (Pure Networks, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2007/11/06 14:22:26 | 000,092,792 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007/10/30 20:51:44 | 000,492,720 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe -- (TryAndDecideService)
SRV - [2007/10/30 20:07:38 | 000,427,288 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2006/12/19 17:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)
SRV - [2006/07/05 22:11:44 | 000,069,632 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe -- (Creative Labs Licensing Service)
SRV - [2005/12/12 15:52:32 | 000,180,224 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe -- (ELService)
SRV - [2005/06/17 06:55:58 | 000,086,140 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe -- (IAANTMon) Intel®
SRV - [2004/11/19 10:26:40 | 000,147,456 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- (NetSvc)
SRV - [2004/10/22 02:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/05/06 11:21:04 | 000,496,640 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\ASWLSVC.exe -- (ASWLSVC)
SRV - [2003/07/28 11:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2010/02/06 21:48:39 | 000,872,064 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iastor.sys -- (iastor)
DRV - [2010/02/06 10:20:46 | 000,482,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\ccHPx86.sys -- (ccHP)
DRV - [2010/02/05 03:00:00 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100221.021\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/02/05 03:00:00 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100221.021\NAVENG.SYS -- (NAVENG)
DRV - [2009/11/20 20:34:54 | 010,235,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/10/28 16:37:22 | 000,329,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2009/09/19 07:26:07 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/09/02 02:05:00 | 000,016,512 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (ASPI32)
DRV - [2009/08/27 02:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/08/27 02:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/08/22 01:21:19 | 000,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1008000.029\SYMEFA.SYS -- (SymEFA)
DRV - [2009/08/22 01:21:19 | 000,308,272 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SRTSP.SYS -- (SRTSP)
DRV - [2009/08/22 01:21:19 | 000,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\BHDrvx86.sys -- (BHDrvx86)
DRV - [2009/08/22 01:21:19 | 000,217,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMTDI.SYS -- (SYMTDI)
DRV - [2009/08/22 01:21:19 | 000,089,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMFW.SYS -- (SYMFW)
DRV - [2009/08/22 01:21:19 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1008000.029\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2009/08/22 01:21:19 | 000,036,400 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2009/08/22 01:21:19 | 000,033,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMIDS.SYS -- (SYMIDS)
DRV - [2009/08/22 01:21:06 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2009/08/22 01:21:06 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2009/06/01 13:51:54 | 000,027,792 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\point32.sys -- (Point32)
DRV - [2009/06/01 13:51:54 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2009/01/17 02:35:20 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009/01/17 02:35:20 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/01/17 02:35:16 | 000,129,248 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2009/01/17 02:35:12 | 000,368,544 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpman.sys -- (tdrpman)
DRV - [2008/08/20 11:58:58 | 000,044,944 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/05/16 06:10:32 | 000,023,992 | ---- | M] (Pure Networks, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pnarp.sys -- (pnarp)
DRV - [2008/05/16 06:10:30 | 000,025,272 | ---- | M] (Pure Networks, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\purendis.sys -- (purendis)
DRV - [2008/02/27 12:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2007/11/13 04:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/11/06 14:22:06 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2007/07/21 11:32:58 | 000,015,781 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2007/05/11 02:10:50 | 000,034,704 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\blueletaudio.sys -- (BlueletAudio)
DRV - [2007/05/09 00:59:40 | 000,036,496 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btcusb.sys -- (Btcsrusb)
DRV - [2007/03/05 05:00:04 | 000,027,792 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BlueletSCOAudio.sys -- (BlueletSCOAudio)
DRV - [2007/03/05 04:59:04 | 000,018,320 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btnetdrv.sys -- (BT)
DRV - [2007/03/05 04:56:18 | 000,035,600 | ---- | M] (IVT Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\BTHidMgr.sys -- (BTHidMgr)
DRV - [2007/03/05 04:55:12 | 000,020,880 | ---- | M] (IVT Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\vbtenum.sys -- (BTHidEnum)
DRV - [2007/03/05 04:53:18 | 000,044,304 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VcommMgr.sys -- (VcommMgr)
DRV - [2007/03/05 04:52:18 | 000,034,448 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VComm.sys -- (VComm)
DRV - [2007/02/21 08:25:35 | 000,047,360 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (Pcouffin)
DRV - [2007/02/02 03:00:00 | 000,009,464 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2007/02/02 03:00:00 | 000,009,336 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2007/01/18 09:24:58 | 000,026,496 | R--- | M] (Research in Motion Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RimSerial.sys -- (RimVSerPort)
DRV - [2006/11/25 18:02:05 | 000,094,080 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ezplay.sys -- (ezplay)
DRV - [2006/10/18 16:52:16 | 000,022,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbsermpt.sys -- (usbsermpt)
DRV - [2006/07/11 11:18:04 | 000,260,224 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\Cdudf_xp.sys -- (cdudf_xp)
DRV - [2006/07/11 11:18:04 | 000,213,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\UdfReadr_xp.sys -- (UdfReadr_xp)
DRV - [2006/07/11 11:18:04 | 000,118,409 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2006/07/11 11:18:04 | 000,022,777 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2006/07/11 11:18:04 | 000,021,993 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2006/07/05 22:20:07 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2006/07/05 22:16:05 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2005/12/12 15:52:34 | 000,010,112 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ELhid.sys -- (ELhid)
DRV - [2005/12/12 15:52:34 | 000,007,040 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ELmon.sys -- (ELmon)
DRV - [2005/12/12 15:52:34 | 000,006,912 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ELkbd.sys -- (ELkbd)
DRV - [2005/12/12 15:52:34 | 000,006,400 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ELmou.sys -- (ELmou)
DRV - [2005/12/12 15:52:32 | 000,007,808 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ELacpi.sys -- (ELacpi)
DRV - [2005/09/09 14:43:08 | 000,104,320 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt2500usb.sys -- (u2kg54)
DRV - [2005/08/25 18:05:24 | 000,176,128 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2005/06/06 02:40:48 | 000,180,736 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) High Definition Audio Driver (WDM)
DRV - [2005/05/25 03:34:00 | 000,158,464 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTUSFSYN.SYS -- (CTUSFSYN)
DRV - [2005/03/24 20:11:00 | 001,350,272 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sigfilt.sys -- (sigfilt)
DRV - [2005/01/10 04:15:00 | 000,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTSFM2K.SYS -- (ctsfm2k)
DRV - [2005/01/10 04:15:00 | 000,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTOSS2K.SYS -- (ossrv)
DRV - [2004/08/12 16:45:54 | 000,137,728 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/10 04:00:00 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2004/08/10 04:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/10 04:00:00 | 000,005,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM)
DRV - [2004/08/03 23:10:12 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\61883.sys -- (61883)
DRV - [2004/08/03 23:10:12 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc)
DRV - [2004/08/03 23:10:00 | 000,051,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)
DRV - [2004/08/03 22:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/03 22:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/06/23 01:37:50 | 000,012,334 | ---- | M] (USTC) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\efainit2.sys -- (EFAINIT2)
DRV - [2004/04/14 10:08:00 | 000,044,064 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmXlCore.sys -- (WmXlCore)
DRV - [2004/04/14 10:08:00 | 000,021,280 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WmFilter.sys -- (WmFilter)
DRV - [2004/04/14 10:08:00 | 000,014,432 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WmHidLo.sys -- (WmHidLo)
DRV - [2004/04/14 10:08:00 | 000,010,144 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmBEnum.sys -- (WmBEnum)
DRV - [2004/04/14 10:08:00 | 000,005,600 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WmVirHid.sys -- (WmVirHid)
DRV - [2003/01/17 02:59:56 | 000,001,984 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\DRIVERS\papycpu2.sys -- (papycpu2)
DRV - [2003/01/17 02:59:56 | 000,001,856 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\DRIVERS\papyjoy.sys -- (papyjoy)
DRV - [2002/10/10 05:18:12 | 000,016,680 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\EFAW.sys -- (EFAW)
DRV - [2002/09/09 18:54:06 | 000,016,269 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\ASNDIS5.sys -- (ASNDIS5)
DRV - [2001/08/17 13:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 13:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 13:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 13:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 13:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 12:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 12:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 12:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 12:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 12:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 12:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 12:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 12:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 12:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 12:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 11:12:10 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

IE - HKU\S-1-5-21-2133653562-2648691403-3732290369-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/search?hl=en&q=google
IE - HKU\S-1-5-21-2133653562-2648691403-3732290369-1005\S-1-5-21-2133653562-2648691403-3732290369-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2133653562-2648691403-3732290369-1005\S-1-5-21-2133653562-2648691403-3732290369-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..network.proxy.ftp: ":"
FF - prefs.js..network.proxy.gopher: ":"
FF - prefs.js..network.proxy.http: ":"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: ":"
FF - prefs.js..network.proxy.ssl: ":"

FF - HKLM\software\mozilla\Firefox\Extensions\\{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\ [2010/02/23 06:48:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/20 10:26:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/20 10:26:40 | 000,000,000 | ---D | M]

[2010/02/20 10:27:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TED HEBERT\Application Data\Mozilla\Extensions
[2010/02/20 10:38:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TED HEBERT\Application Data\Mozilla\Firefox\Profiles\cig8h06z.default\extensions
[2010/02/23 06:48:53 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/02/20 07:37:21 | 000,000,773 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts:
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-2133653562-2648691403-3732290369-1005\..\Toolbar\WebBrowser: (no name) - {4064EA35-578D-4073-A834-C96D82CBCF40} - No CLSID value found.
O3 - HKU\S-1-5-21-2133653562-2648691403-3732290369-1005\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [EEventManager] C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelliPoint] c:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Pure Networks, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [type32] C:\Program Files\Microsoft IntelliType Pro\type32.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2133653562-2648691403-3732290369-1005..\Run: [Iconoid] C:\Program Files\Iconoid\iconoid.exe (SillySot Software)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2133653562-2648691403-3732290369-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 181
O9 - Extra Button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} http://support.fastaccess.com/sdccommon/download/tgctlcm.cab (Reg Error: Key error.)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative.com/softwareupdate/su/...031/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop.com/betapit/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} http://downloads.ewido.net/ewidoOnlineScan.cab (Reg Error: Key error.)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab (ActiveDataInfo Class)
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} http://www.xblock.com/download/xclean_micro.exe (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1260112725015 (WUWebControl Class)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Reg Error: Key error.)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://ccfiles.creative.com/Web/softwareup...101/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} http://ax.emsisoft.com/asquared.cab (a-squared Scanner)
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} http://support.f-secure.com/ols/fscax.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareup...15106/CTPID.cab (Creative Software AutoUpdate Support Package)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Pure Networks, Inc.)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\TED HEBERT\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\TED HEBERT\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2005/08/16 03:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O33 - MountPoints2\{6ab209fe-0e7e-11df-83df-0013722f94b7}\Shell - "" = AutoRun
O33 - MountPoints2\{6ab209fe-0e7e-11df-83df-0013722f94b7}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6ab209fe-0e7e-11df-83df-0013722f94b7}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- File not found
O33 - MountPoints2\{b37dbc20-2995-11dc-8153-0013722f94b7}\Shell - "" = AutoRun
O33 - MountPoints2\{b37dbc20-2995-11dc-8153-0013722f94b7}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b37dbc20-2995-11dc-8153-0013722f94b7}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
O33 - MountPoints2\{ba435113-2a38-11dc-8154-0013722f94b7}\Shell - "" = AutoRun
O33 - MountPoints2\{ba435113-2a38-11dc-8154-0013722f94b7}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ba435113-2a38-11dc-8154-0013722f94b7}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/23 06:53:49 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\TED HEBERT\Desktop\OTL.exe
[2010/02/21 22:00:20 | 095,297,040 | ---- | C] (NVIDIA Corporation ) -- C:\Documents and Settings\TED HEBERT\Desktop\6.05_nvidia_system_tools.exe
[2010/02/21 14:33:52 | 000,068,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\plugin.ocx
[2010/02/21 10:39:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TED HEBERT\Desktop\ran new logs
[2010/02/20 13:22:24 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/02/20 10:30:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TED HEBERT\My Documents\Downloads
[2010/02/20 10:26:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TED HEBERT\Local Settings\Application Data\Mozilla
[2010/02/20 10:26:40 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/02/18 19:39:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2010/02/18 19:36:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/02/18 19:36:32 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/02/18 19:36:32 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/02/18 19:36:32 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/02/17 17:48:02 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\TED HEBERT\Recent
[2010/02/07 08:31:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TED HEBERT\Desktop\rootkit redirector
[2010/02/06 18:40:04 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/06 18:40:01 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/06 18:40:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/06 11:22:06 | 000,000,000 | ---D | C] -- C:\Program Files\Shuangs Audio Joiner
[2010/02/06 09:46:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TED HEBERT\My Documents\LocalCDDB
[2009/01/23 12:22:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/01/17 02:38:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Acronis
[2008/10/19 14:44:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2007/11/23 12:16:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/08/12 10:28:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006/11/25 18:02:05 | 000,094,080 | ---- | C] (VSO Software) -- C:\Documents and Settings\TED HEBERT\Application Data\ezplay.sys
[2006/11/25 18:01:55 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\TED HEBERT\Application Data\pcouffin.sys
[2005/08/16 03:30:12 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2005/08/16 03:30:12 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/23 06:53:55 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\TED HEBERT\Desktop\OTL.exe
[2010/02/23 06:53:20 | 000,000,287 | ---- | M] () -- C:\Documents and Settings\TED HEBERT\Desktop\Google redirect, but still google.url
[2010/02/23 06:49:02 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/23 06:48:39 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/23 06:48:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/21 22:28:05 | 010,223,616 | -H-- | M] () -- C:\Documents and Settings\TED HEBERT\NTUSER.DAT
[2010/02/21 22:28:05 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\TED HEBERT\ntuser.ini
[2010/02/21 22:00:24 | 095,297,040 | ---- | M] (NVIDIA Corporation ) -- C:\Documents and Settings\TED HEBERT\Desktop\6.05_nvidia_system_tools.exe
[2010/02/21 19:31:33 | 000,269,336 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/02/21 08:00:43 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\TED HEBERT\defogger_reenable
[2010/02/20 13:21:18 | 001,146,492 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1008000.029\Cat.DB
[2010/02/20 12:30:56 | 000,867,964 | ---- | M] () -- C:\Documents and Settings\TED HEBERT\Desktop\boondock.nzb
[2010/02/20 12:30:01 | 000,043,185 | ---- | M] () -- C:\Documents and Settings\TED HEBERT\Desktop\user109336_pic31536_1266652138.jpg
[2010/02/20 10:26:43 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/02/20 07:00:04 | 000,000,365 | ---- | M] () -- C:\Documents and Settings\TED HEBERT\Desktop\Google search redirection.url
[2010/02/17 21:14:54 | 000,442,466 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/02/17 21:14:53 | 000,071,732 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/02/17 21:14:51 | 000,523,844 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/02/17 21:12:29 | 000,289,296 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/02/17 21:09:36 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/17 17:43:59 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/02/14 12:13:05 | 000,000,227 | ---- | M] () -- C:\Documents and Settings\TED HEBERT\Desktop\Free ESET Online Antivirus Scanner.url
[2010/02/07 08:21:45 | 000,012,236 | ---- | M] () -- C:\Documents and Settings\TED HEBERT\Desktop\old hijack this file.rtf
[2010/02/06 21:48:39 | 000,872,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys
[2010/02/06 10:20:46 | 000,482,432 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1008000.029\cchpx86.sys
[2010/02/06 10:20:43 | 000,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1008000.029\isolate.ini
[2010/01/31 07:21:47 | 000,089,040 | ---- | M] () -- C:\Documents and Settings\TED HEBERT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/01/31 07:15:33 | 000,221,696 | ---- | M] () -- C:\Documents and Settings\TED HEBERT\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/21 10:39:35 | 000,000,287 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Desktop\Google redirect, but still google.url
[2010/02/21 08:00:43 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\defogger_reenable
[2010/02/20 12:31:12 | 000,043,185 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Desktop\user109336_pic31536_1266652138.jpg
[2010/02/20 12:30:56 | 000,867,964 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Desktop\boondock.nzb
[2010/02/20 10:26:43 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/02/20 07:00:04 | 000,000,365 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Desktop\Google search redirection.url
[2010/02/17 21:05:59 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/02/14 12:13:05 | 000,000,227 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Desktop\Free ESET Online Antivirus Scanner.url
[2010/02/07 08:21:45 | 000,012,236 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Desktop\old hijack this file.rtf
[2009/11/20 07:04:18 | 000,120,200 | ---- | C] () -- C:\WINDOWS\System32\DLLDEV32i.dll
[2009/11/20 07:02:25 | 000,006,211 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini
[2009/09/05 17:15:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EEventManager.INI
[2009/09/05 15:09:06 | 000,122,296 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/09/05 10:03:07 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/09/05 10:01:38 | 000,000,079 | ---- | C] () -- C:\WINDOWS\EPWF600.ini
[2009/04/30 12:24:39 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/04/30 12:24:36 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/04/30 12:24:35 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/04/30 12:24:33 | 000,084,480 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/04/30 12:24:33 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/04/05 07:53:38 | 000,000,347 | ---- | C] () -- C:\WINDOWS\CTWave32.INI
[2009/04/05 07:53:35 | 000,000,029 | ---- | C] () -- C:\WINDOWS\sfbm.INI
[2009/03/01 10:50:40 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2009/02/01 19:06:01 | 000,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/08/16 15:20:45 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2008/08/16 15:20:45 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2008/08/16 15:20:45 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2008/08/16 15:20:45 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2008/08/15 11:40:52 | 000,072,728 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\IFO_GLADIATOR.LOG
[2008/08/15 11:07:37 | 000,023,375 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\wnaspi32.log.log
[2008/08/15 11:07:36 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DVDBurner.log.log
[2008/08/15 11:07:35 | 000,222,518 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DVDConverter.log.log
[2008/08/15 11:07:35 | 000,017,269 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\MainApp.log.log
[2008/08/15 11:07:35 | 000,011,114 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\MainApp.dll
[2008/08/15 11:07:35 | 000,002,905 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DVDDeviceCtrl.log.log
[2008/08/15 11:07:35 | 000,001,565 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\isoConverter.log.log
[2008/08/15 11:07:35 | 000,001,535 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Configure.log.log
[2008/08/15 11:02:02 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\systeminfo3.dll
[2008/08/15 09:50:04 | 003,049,984 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008/08/15 09:50:04 | 000,404,480 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008/08/15 09:50:04 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2008/08/15 09:50:04 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2007/11/06 14:19:28 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2007/06/28 23:43:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/04/17 16:55:27 | 000,111,260 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Svclog.log
[2007/04/17 16:07:25 | 000,021,504 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2007/02/16 14:10:02 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2007/02/13 18:06:49 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2006/12/30 11:16:11 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2006/12/30 09:22:00 | 000,003,120 | ---- | C] () -- C:\WINDOWS\System32\cd1c8e9d-d926-48fa-ad0b-c38db4938309.dll
[2006/11/25 18:02:06 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Application Data\FLLDCKBW.log
[2006/11/25 18:02:05 | 000,007,172 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Application Data\ezplay.cat
[2006/11/25 18:02:05 | 000,001,104 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Application Data\FLLDCKBW.inf
[2006/11/25 18:02:05 | 000,000,125 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Application Data\FLLDCKBW.ini
[2006/11/25 18:01:56 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Application Data\pcouffin.log
[2006/11/25 18:01:55 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Application Data\ezpinst.exe
[2006/11/25 18:01:55 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Application Data\pcouffin.inf
[2006/11/25 18:01:55 | 000,001,074 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Application Data\pcouffin.cat
[2006/11/12 11:12:23 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2006/07/25 20:06:55 | 000,000,434 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/07/19 21:03:05 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Application Data\dvd.bmk
[2006/07/16 15:56:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/07/16 09:48:12 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2006/07/16 09:48:09 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2006/07/12 10:06:10 | 000,001,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\papycpu2.sys
[2006/07/12 10:06:10 | 000,001,856 | ---- | C] () -- C:\WINDOWS\System32\drivers\papyjoy.sys
[2006/07/12 10:03:49 | 000,000,194 | ---- | C] () -- C:\WINDOWS\Sierra.ini
[2006/07/12 09:56:19 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/11 18:25:34 | 000,335,872 | ---- | C] () -- C:\WINDOWS\System32\ldf252.dll
[2006/07/11 17:00:31 | 000,000,010 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt
[2006/07/10 21:13:39 | 000,000,072 | ---- | C] () -- C:\WINDOWS\sbwin.ini
[2006/07/10 20:26:00 | 000,016,680 | ---- | C] () -- C:\WINDOWS\System32\drivers\EFAW.sys
[2006/07/10 19:21:21 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/07/10 19:09:21 | 000,221,696 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/07/10 18:50:05 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Local Settings\Application Data\FASTWiz.html
[2006/07/10 18:49:44 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Local Settings\Application Data\FASTWiz.log
[2006/07/10 17:18:35 | 000,000,133 | ---- | C] () -- C:\Documents and Settings\TED HEBERT\Local Settings\Application Data\fusioncache.dat
[2006/07/05 22:27:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/07/05 22:17:36 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/07/05 22:10:19 | 000,004,969 | ---- | C] () -- C:\WINDOWS\System32\Sigfilt.ini
[2006/07/05 22:10:19 | 000,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2006/07/05 21:53:20 | 000,872,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys
[2006/07/05 21:52:58 | 000,000,387 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/06/23 10:13:54 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\liclock.dll
[2006/06/21 04:43:05 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006/06/21 04:33:40 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2005/09/05 16:17:40 | 000,258,560 | ---- | C] () -- C:\WINDOWS\System32\MusicTagsAX.dll
[2005/08/05 13:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/10/05 16:37:20 | 000,258,048 | ---- | C] () -- C:\WINDOWS\System32\Manipulate.dll
[2004/05/22 00:44:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/08/07 13:01:50 | 000,120,832 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2003/01/13 13:21:58 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2000/04/14 15:50:02 | 000,343,040 | ---- | C] () -- C:\WINDOWS\System32\Lffpx7.dll
[1998/06/11 12:08:06 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 166 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
@Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D287FACF
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C39E55C5
< End of report >

_________________

Extras log:

OTL Extras logfile created on: 2/23/2010 6:55:34 AM - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\TED HEBERT\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 74.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 228.14 Gb Total Space | 167.44 Gb Free Space | 73.40% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Y: | 110.32 Gb Total Space | 62.03 Gb Free Space | 56.23% Space Free | Partition Type: NTFS

Computer Name: TED
Current User Name: TED HEBERT
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"67:UDP" = 67:UDP:*:Enabled:DHCP Discovery Service
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe" = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil -- (IVT Corporation.)
"C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe" = C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet:Enabled:Pure Networks Platform Service -- (Pure Networks, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = Qualxserve Service Agreement
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{1F06E28C-A6DC-4341-A9E3-6B0F6C641B6B}" = Linksys EasyLink Advisor
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{232FDC0C-12DE-41F2-9701-27EFCA18BEF9}" = MediaJoin
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 18
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2B0CDD4D-5C1A-47F7-89E2-9BF604670ABC}" = EpsonNet Config V3
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E31400D-274E-4647-916C-2CACC3741799}" = EpsonNet Print
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{438BB9B4-65FE-4626-91D9-A8F57B18001D}" = Bluesoleil2.6.0.8 Release 070517
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{4667B940-BB01-428B-986E-A0CC46497BF7}" = ELIcon
"{46C73DE4-E96D-4F7C-8371-F28052183B12}" = Sonic Advanced Decoder
"{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = Epson Event Manager
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CEA6811-DFAD-4892-828D-49941FE3B779}" = Intel® PROSet for Wired Connections
"{548EEA8E-8299-497F-8057-811D2D7097DC}" = Dell Support 3.1
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{633A06C3-B709-479A-AAB3-5EE94AD9EE4B}" = Acronis True Image Home
"{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}" = Easy CD & DVD Creator 6
"{6A8A3B60-52B4-437F-9281-D63930B42535}" = AudioAlchemy MP3 Edition
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{850C4C12-57E2-43E4-B66B-B08B120C55F3}" = FireBurner
"{85AF94EC-55DE-452A-8FD7-C34E598B3F1F}" = Adobe Premiere Elements 7.0 Templates
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C22F265-DE76-44D1-8A79-A71D819137DA}" = Intel® Quick Resume Technology Drivers
"{8F722FA9-B994-4C9B-B292-FD32D6206EDF}" = ASUS WLAN Card Utilities/Driver
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{903CE8F7-6C7B-41E6-A1CF-3BF1176264EC}" = Intel® Viiv™
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Matrix Storage Manager
"{90840409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Excel Viewer 2003
"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{ACC2E059-40E9-4464-B18D-C9BDD9A02CED}" = NASCAR® Racing 2003 Season
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{B9242864-2841-4ADE-86E0-8F90F91B04DD}" = Logitech Gaming Software
"{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}" = Motorola Phone Tools
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BB406CEB-6207-4512-9BB2-89950DC9D6B6}_is1" = ConvertXtoDVD 2.1.14.223
"{BBE18EBD-CD44-4C51-8BC5-577ECCCEC68F}" = MX vs ATV Unleashed
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C34FAEF3-4241-4C4E-9CFF-7BBD8BCEABE7}" = WebEx Support Manager for Internet Explorer
"{C9507D0D-1A9C-486E-91D6-33A71CCA55F2}" = Pure Networks Platform
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D564B5E2-CCB5-4A5C-B35E-2FC30BBC9336}" = Adobe Premiere Elements 7.0
"{D64DCF1C-7A95-49A4-BAFA-C42B5CF6B8B6}" = Works Suite OS Pack
"{D713411E-32F8-41E4-9B7A-51DEF258D12F}" = 3D Home Architect Landscape Design Deluxe 6
"{D781A6EC-12AC-4993-BF13-B4CF12F1F20C}" = 3D Home Architect Home Design Deluxe 6
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = AusLogics Disk Defrag
"{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC}" = Search Assist
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{E744BFEA-E027-441E-83A2-36202F661E31}" = Light-O-Rama
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{EF71A531-5B6C-4B20-8D1E-E6379C7FB6D3}" = Microsoft IntelliPoint 7.0
"{F6234880-85BE-4DCB-8A45-1FF85A1A8552}" = SmartSound Quicktracks for Premiere Elements
"{FB36174F-6AA4-4532-B011-F86FD597D471}" = TurboTax 2008 wlaiper
"4U WMA MP3 Converter_is1" = 4U WMA MP3 Converter 6.2.6
"ACDSee Classic" = ACDSee Classic
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Any Video Converter_is1" = Any Video Converter 2.6.1
"Astro Gemini Screensaver Manager_is1" = Astro Gemini Screensaver Manager 1.2
"Audacity_is1" = Audacity 1.2.6
"AudioAlchemy MP3 Edition" = AudioAlchemy MP3 Edition
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Batch Image Resizer_is1" = Batch Image Resizer 2.76
"Belarc Advisor" = Belarc Advisor 7.2
"BlindWrite 6_is1" = BlindWrite 6
"CCleaner" = CCleaner (remove only)
"Christmas Eve 3D Screensaver_is1" = Christmas Eve 3D Screensaver 1.0
"ClassicPro" = ClassicProŠ v1.11
"DVD Decrypter" = DVD Decrypter (Remove Only)
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"EPSON Scanner" = EPSON Scan
"EPSON WorkForce 600 Series" = EPSON WorkForce 600 Series Printer Uninstall
"Firebird SQL Server UK" = Firebird SQL Server - MAGIX Edition
"FLV Player" = FLV Player 2.0, build 24
"Forte Agent" = Forté Agent
"FTP Navigator" = FTP Navigator
"HijackThis" = HijackThis 2.0.2
"Iconoid_is1" = Iconoid Version 3.8.5
"ie8" = Windows Internet Explorer 8
"InstallShield_{1F06E28C-A6DC-4341-A9E3-6B0F6C641B6B}" = Linksys EasyLink Advisor
"InstallShield_{D713411E-32F8-41E4-9B7A-51DEF258D12F}" = 3D Home Architect Landscape Design Deluxe 6
"InstallShield_{D781A6EC-12AC-4993-BF13-B4CF12F1F20C}" = 3D Home Architect Home Design Deluxe 6
"InstallShield_{F6234880-85BE-4DCB-8A45-1FF85A1A8552}" = SmartSound Quicktracks for Premiere Elements
"Intel® Quick Resume Technology" = Intel® Quick Resume Technology Drivers
"KLiteCodecPack_is1" = K-Lite Codec Pack 4.8.0 (Full)
"MainApp.exe_is1" = CloneDVD 4.2.5.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MasterSplitter" = MasterSplitter Program
"MediaJoin" = MediaJoin
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MoffFreeCalc_is1" = Moffsoft FreeCalc
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NewsLeecher" = NewsLeecher
"NewsLeecher_is1" = NewsLeecher v3.9 Final
"NIS" = Norton Internet Security
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Photodex Presenter" = Photodex Presenter
"PicaView" = PicaView
"PremElem70" = Adobe Premiere Elements 7.0
"PremElem70Templates" = Adobe Premiere Elements 7.0 Templates
"PROSet" = Intel® PRO Network Connections Drivers
"ProShow Gold" = ProShow Gold
"PSP Max Media Manager Pro_is1" = PSP Max Media Manager Pro
"QuadSucker/News_is1" = QuadSucker/News v 4.5
"QuickPar" = QuickPar 0.9
"RealPlayer 6.0" = RealPlayer Basic
"RegSupreme_is1" = RegSupreme 1.1
"Replay Media Catcher 3.02" = Replay Media Catcher 3.02
"Replay Media Catcher2.10D" = Replay Media Catcher
"Revo Uninstaller" = Revo Uninstaller 1.83
"Riva FLV Encoder 2.0_is1" = Riva FLV Encoder 2.0
"Shuangs Audio Joiner_is1" = Shuangs Audio Joiner 1.21
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.5.2.20
"SystemRequirementsLab" = System Requirements Lab
"TurboTax 2008" = TurboTax 2008
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"TurboTax Deluxe Deduction Maximizer 2006" = TurboTax Deluxe Deduction Maximizer 2006
"Tweak UI 2.10" = Tweak UI
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Web Page Maker V2_is1" = Web Page Maker V2
"WebCam Recorder_is1" = WebCam Recorder
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinPcapInst" = WinPcap 4.0.2
"WinRAR archiver" = WinRAR archiver
"Wisdom-soft ScreenHunter 5.0 Free" = Wisdom-soft ScreenHunter 5.0 Free
"WM Recorder" = WM Recorder
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2003Setup" = Microsoft Works 2003 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xilisoft DVD to DivX Converter 5" = Xilisoft DVD to DivX Converter 5
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2133653562-2648691403-3732290369-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"SIModified.com Car of Tomorrow MOD" = SIModified.com Car of Tomorrow MOD

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/26/2009 9:34:17 AM | Computer Name = TED | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 10/26/2009 9:37:17 AM | Computer Name = TED | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 10/26/2009 9:37:47 AM | Computer Name = TED | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 10/26/2009 10:17:31 AM | Computer Name = TED | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 10/27/2009 9:35:38 AM | Computer Name = TED | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 11/24/2009 7:59:44 AM | Computer Name = TED | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 11/24/2009 7:59:45 AM | Computer Name = TED | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 12/19/2009 7:33:07 PM | Computer Name = TED | Source = MsiInstaller | ID = 11706
Description = Product: Dell CinePlayer -- Error 1706. An installation package for
the product Dell CinePlayer cannot be found. Try the installation again using a
valid copy of the installation package 'DMX.MSI'.

Error - 12/31/2009 8:43:07 AM | Computer Name = TED | Source = MsiInstaller | ID = 11704
Description = Product: Microsoft Fix it 50198 -- Error 1704. An installation for
Dell CinePlayer is currently suspended. You must undo the changes made by that
installation to continue. Do you want to undo those changes?

Error - 12/31/2009 8:43:12 AM | Computer Name = TED | Source = MsiInstaller | ID = 11712
Description = Product: Microsoft Fix it 50198 -- Error 1712. One or more of the
files required to restore your computer to its previous state could not be found.
Restoration will not be possible.

[ IntelDH Events ]
Error - 2/17/2010 11:12:53 PM | Computer Name = TED | Source = IntelQRTD | ID = 7
Description = Could not attach to EL Acpi driver.

Error - 2/18/2010 7:11:49 PM | Computer Name = TED | Source = IntelQRTD | ID = 7
Description = Could not attach to EL Acpi driver.

Error - 2/20/2010 7:04:47 AM | Computer Name = TED | Source = IntelQRTD | ID = 7
Description = Could not attach to EL Acpi driver.

Error - 2/20/2010 3:24:30 PM | Computer Name = TED | Source = IntelQRTD | ID = 7
Description = Could not attach to EL Acpi driver.

Error - 2/20/2010 3:47:27 PM | Computer Name = TED | Source = IntelQRTD | ID = 7
Description = Could not attach to EL Acpi driver.

Error - 2/21/2010 9:38:36 AM | Computer Name = TED | Source = IntelQRTD | ID = 7
Description = Could not attach to EL Acpi driver.

Error - 2/21/2010 12:45:25 PM | Computer Name = TED | Source = IntelQRTD | ID = 7
Description = Could not attach to EL Acpi driver.

Error - 2/21/2010 7:11:00 PM | Computer Name = TED | Source = IntelQRTD | ID = 7
Description = Could not attach to EL Acpi driver.

Error - 2/21/2010 8:19:17 PM | Computer Name = TED | Source = IntelQRTD | ID = 7
Description = Could not attach to EL Acpi driver.

Error - 2/22/2010 12:11:10 AM | Computer Name = TED | Source = IntelQRTD | ID = 7
Description = Could not attach to EL Acpi driver.

[ System Events ]
Error - 2/22/2010 12:11:00 AM | Computer Name = TED | Source = NETLOGON | ID = 3095
Description = This computer is configured as a member of a workgroup, not as a member
of a domain. The Netlogon service does not need to run in this configuration.

Error - 2/22/2010 12:11:32 AM | Computer Name = TED | Source = Service Control Manager | ID = 7000
Description = The EFAINIT2 service failed to start due to the following error: %%1058

Error - 2/22/2010 12:11:32 AM | Computer Name = TED | Source = Service Control Manager | ID = 7000
Description = The EFAW service failed to start due to the following error: %%1058

Error - 2/22/2010 12:11:32 AM | Computer Name = TED | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%2

Error - 2/22/2010 12:11:32 AM | Computer Name = TED | Source = Service Control Manager | ID = 7023
Description = The Intel® Quick Resume Technology Drivers service terminated with
the following error: %%203

Error - 2/23/2010 8:48:48 AM | Computer Name = TED | Source = NETLOGON | ID = 3095
Description = This computer is configured as a member of a workgroup, not as a member
of a domain. The Netlogon service does not need to run in this configuration.

Error - 2/23/2010 8:49:53 AM | Computer Name = TED | Source = Service Control Manager | ID = 7000
Description = The EFAINIT2 service failed to start due to the following error: %%1058

Error - 2/23/2010 8:49:53 AM | Computer Name = TED | Source = Service Control Manager | ID = 7000
Description = The EFAW service failed to start due to the following error: %%1058

Error - 2/23/2010 8:49:53 AM | Computer Name = TED | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%2

Error - 2/23/2010 8:49:53 AM | Computer Name = TED | Source = Service Control Manager | ID = 7023
Description = The Intel® Quick Resume Technology Drivers service terminated with
the following error: %%203


< End of report >


Gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-23 10:02:02
Windows 5.1.2600 Service Pack 2
Running: e3e559ej.exe; Driver: C:\DOCUME~1\TEDHEB~1\LOCALS~1\Temp\pxtdipob.sys


---- System - GMER 1.0.15 ----

SSDT 89AFDB78 ZwAlertResumeThread
SSDT 89AFDC58 ZwAlertThread
SSDT 89B61B98 ZwAllocateVirtualMemory
SSDT 89809C40 ZwAssignProcessToJobObject
SSDT 89B240C0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA685C130]
SSDT 89B18B48 ZwCreateMutant
SSDT 89809A60 ZwCreateSymbolicLinkObject
SSDT 899E1478 ZwCreateThread
SSDT 897E9A98 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA685C3B0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA685C910]
SSDT 89B61D28 ZwDuplicateObject
SSDT 89A2BBD0 ZwFreeVirtualMemory
SSDT 89B18C38 ZwImpersonateAnonymousToken
SSDT 89B18CF8 ZwImpersonateThread
SSDT 899D14C0 ZwLoadDriver
SSDT 899AC978 ZwMapViewOfSection
SSDT 89903CF8 ZwOpenEvent
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xA685C6C0]
SSDT 898042B0 ZwOpenProcess
SSDT 89B61C68 ZwOpenProcessToken
SSDT 89903B38 ZwOpenSection
SSDT 89A53C08 ZwOpenThread
SSDT 89809B50 ZwProtectVirtualMemory
SSDT 89D062D8 ZwResumeThread
SSDT 89AB1948 ZwSetContextThread
SSDT 89AB19C8 ZwSetInformationProcess
SSDT 897E9B78 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA685CB60]
SSDT 89903C18 ZwSuspendProcess
SSDT 899E87E8 ZwSuspendThread
SSDT 899C8A70 ZwTerminateProcess
SSDT 89AB1888 ZwTerminateThread
SSDT 899AC8B8 ZwUnmapViewOfSection
SSDT 89A2BCA0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FCC 80504838 5 Bytes [70, 8A, 9C, 89, 88]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FD2 8050483E 2 Bytes [AB, 89]
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xA8E2E380, 0x5414D5, 0xE8000020]
init C:\WINDOWS\system32\drivers\sigfilt.sys entry point in "init" section [0xA6ABBF80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1664] USER32.dll!UnhookWindowsHookEx 7E41F21E 5 Bytes JMP 3E2548CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1664] USER32.dll!CallNextHookEx 7E41F85B 5 Bytes JMP 3E2DD189 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1664] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1664] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1664] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1664] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1664] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1664] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1664] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1664] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1664] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1664] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1664] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 3E2ED9C0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1664] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E3E4717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!UnhookWindowsHookEx 7E41F21E 5 Bytes JMP 3E2548CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!CallNextHookEx 7E41F85B 5 Bytes JMP 3E2DD189 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 3E2ED9C0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E3E4717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3576] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3576] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3576] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3576] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3576] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3576] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3576] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3576] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3576] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[1664] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[3148] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A3770C8A

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
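The GMER log above carries three hook formats worth reading carefully: SSDT entries, where the owner column is either a driver path with its version-resource vendor string or a bare kernel address GMER did not map to a file; ".text" inline hooks in each iexplore.exe process, giving the patched API, the JMP target and the module it lands in; and IAT entries and AttachedDevice filters, each naming the module that owns them. What follows is an added example, not code from this thread or from GMER: a Python helper that parses those line formats, counts hooks per owning module and reports anything outside an allow-list the analyst fills in. The sample lines are copied from the log above except for the fourth ".text" line, which is constructed and points at a hypothetical example.dll; EXPECTED_MODULES is an assumption standing in for the modules the analyst has already verified.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied from the GMER log posted above. The fourth
# ".text" line is CONSTRUCTED for this example (a WS2_32.dll!send hook into
# a hypothetical example.dll with no version info) and is not in the log.
SAMPLE_LOG = r"""
SSDT 89AFDB78 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA685C130]
SSDT 899D14C0 ZwLoadDriver
.text C:\Program Files\Internet Explorer\iexplore.exe[1664] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1664] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 3E2ED9C0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] WS2_32.dll!send 71AB428A 5 Bytes JMP 00E71C30 C:\WINDOWS\system32\example.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[1664] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
"""

# Assumption: modules the analyst has already accounted for. These are the files
# the log itself attributes to Symantec and Microsoft; GMER's vendor string comes
# from the file's version resource, so confirm each with a signature check.
EXPECTED_MODULES = {"symevent.sys", "symtdi.sys", "ieframe.dll", "xpshims.dll"}

_BARE_ADDR = re.compile(r"^[0-9A-F]{8}$")  # kernel address GMER did not map to a file
_MODULE = re.compile(r"^(?P<path>.+?)(?:\s+\((?P<desc>[^)]*)\))?$")
_SSDT = re.compile(r"^SSDT\s+(?P<owner>.+?)\s+(?P<func>Zw\w+)(?:\s+\[0x[0-9A-F]+\])?$")
_INLINE = re.compile(r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<api>\S+!\S+)\s+[0-9A-F]+"
                     r"\s+\d+ Bytes\s+.+?\s+(?P<target>[A-Za-z]:\\.+)$")
_IAT = re.compile(r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>.+?)\s+\[(?P<api>[^\]]+)\]"
                  r"\s+\[[0-9A-F]+\]\s+(?P<target>.+)$")
_ATTACHED = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<target>.+)$")


@dataclass
class Hook:
    kind: str                    # "ssdt", "inline", "iat" or "attached"
    subject: str                 # what is hooked: syscall, process!api or device
    owner_module: Optional[str]  # lower-case file name of the hooking module, None if unresolved
    owner_desc: str              # "description/company" text GMER printed, "" if absent


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _split_owner(text: str):
    """Turn GMER's owner column into (module file name, description)."""
    text = text.strip()
    if _BARE_ADDR.match(text):
        return None, ""
    m = _MODULE.match(text)
    return _basename(m["path"]).lower(), m["desc"] or ""


def parse_gmer(text: str) -> List[Hook]:
    """Parse the hook-bearing line formats; lines in other formats are skipped."""
    hooks = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = _SSDT.match(line)
        if m:
            mod, desc = _split_owner(m["owner"])
            hooks.append(Hook("ssdt", m["func"], mod, desc))
            continue
        m = _INLINE.match(line)
        if m:
            mod, desc = _split_owner(m["target"])
            hooks.append(Hook("inline", "%s[%s] %s" % (_basename(m["proc"]), m["pid"], m["api"]), mod, desc))
            continue
        m = _IAT.match(line)
        if m:
            mod, desc = _split_owner(m["target"])
            subject = "%s[%s] %s via %s" % (_basename(m["proc"]), m["pid"], m["api"], _basename(m["module"]))
            hooks.append(Hook("iat", subject, mod, desc))
            continue
        m = _ATTACHED.match(line)
        if m:
            mod, desc = _split_owner(m["target"])
            hooks.append(Hook("attached", m["device"], mod, desc))
    return hooks


def owners(hooks: List[Hook]) -> Counter:
    """Hook count per owning module; unmapped kernel addresses count as '<unresolved>'."""
    return Counter(h.owner_module or "<unresolved>" for h in hooks)


def triage(hooks: List[Hook], expected) -> List[Hook]:
    """Hooks whose owner is not on the allow-list. Unresolved SSDT entries are
    always returned: GMER named no file for them, so the analyst has to."""
    allowed = {m.lower() for m in expected}
    return [h for h in hooks if h.owner_module is None or h.owner_module not in allowed]


if __name__ == "__main__":
    hooks = parse_gmer(SAMPLE_LOG)
    for module, n in owners(hooks).most_common():
        print("%3d  %s" % (n, module))
    for h in triage(hooks, EXPECTED_MODULES):
        print("CHECK", h.kind, h.subject, "->", h.owner_module or "unresolved kernel address")
```

Run against the full log, the per-module counts make the picture obvious at a glance (every inline hook in the three iexplore.exe processes lands in IEFRAME.dll, the resolved SSDT and TDI entries belong to Symantec drivers), and the CHECK lines are the short list left to account for by hand: the unresolved SSDT addresses, which need matching against the loaded driver list, plus any module the analyst has not yet verified.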


#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,821 posts
  • Gender:Female
  • Location:Romania

Posted 23 February 2010 - 01:44 PM

Hello copotay,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all-inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#5 copotay

  • Topic Starter
  • Members
  • 33 posts

Posted 23 February 2010 - 04:31 PM

Here is the log. I had to name it, but this is the log that came up after ComboFix stopped. I also found the quarantine log under Qoobox, so I posted that txt too. Btw, I went into Norton and disabled everything, but it still gave me those warnings before it ran.

ComboFix 10-02-23.02 - TED HEBERT 02/23/2010 15:03:15.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1537 [GMT -6:00]
Running from: c:\documents and settings\TED HEBERT\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG.TXT
c:\windows\54a4d677-8964-4e73-8301-69524506acff.ocx
c:\windows\jestertb.dll
c:\windows\system32\ccrpTmr6.dll
c:\windows\system32\cd1c8e9d-d926-48fa-ad0b-c38db4938309.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSNSDRS
-------\Service_msnsdrs


((((((((((((((((((((((((( Files Created from 2010-01-23 to 2010-02-23 )))))))))))))))))))))))))))))))
.

2010-02-20 16:26 . 2010-02-20 16:26 -------- d-----w- c:\documents and settings\TED HEBERT\Local Settings\Application Data\Mozilla
2010-02-19 01:39 . 2010-02-19 01:39 -------- d-----w- c:\windows\system32\Adobe
2010-02-07 00:40 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-07 00:40 . 2010-02-07 00:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-07 00:40 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-06 17:22 . 2010-02-06 17:22 -------- d-----w- c:\program files\Shuangs Audio Joiner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 19:22 . 2009-12-06 15:42 -------- d-----w- c:\program files\NVIDIA Corporation
2010-02-19 01:36 . 2006-07-06 04:07 -------- d-----w- c:\program files\Common Files\Java
2010-02-19 01:36 . 2006-07-06 04:07 -------- d-----w- c:\program files\Java
2010-02-17 23:48 . 2006-10-01 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-12 23:41 . 2010-02-23 21:10 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-02-07 03:48 . 2006-07-06 03:53 872064 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-02-07 00:40 . 2010-02-07 00:40 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-06 15:45 . 2008-08-15 17:26 -------- d-----w- c:\program files\Xilisoft
2010-02-05 09:00 . 2010-02-23 20:27 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.004\NAVENG.SYS
2010-02-05 09:00 . 2010-02-23 20:27 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.004\NAVEX15.SYS
2010-02-02 01:20 . 2010-02-23 21:10 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-01-31 22:52 . 2007-07-03 22:30 -------- d-----w- c:\documents and settings\TED HEBERT\Application Data\U3
2010-01-31 13:21 . 2006-07-10 23:52 89040 ----a-w- c:\documents and settings\TED HEBERT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-30 15:17 . 2006-12-08 19:40 -------- d-----w- c:\program files\MP3Gain
2010-01-12 04:17 . 2010-01-12 04:17 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-12 04:17 . 2010-01-12 04:17 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-12 04:17 . 2010-01-12 04:17 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-12 04:17 . 2010-01-12 04:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-12 04:17 . 2010-01-12 04:17 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-12 04:17 . 2010-01-12 04:17 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-12-31 16:14 . 2006-07-06 03:52 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 12:51 . 2009-12-31 12:51 152576 ----a-w- c:\documents and settings\TED HEBERT\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-31 12:51 . 2009-12-31 12:51 79488 ----a-w- c:\documents and settings\TED HEBERT\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-21 19:14 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 23:14 . 2009-10-10 11:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 12:58 . 2005-08-16 09:37 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2005-08-16 09:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 09:00 . 2010-02-23 20:27 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.004\CCERASER.DLL
2009-12-08 18:11 . 2005-08-16 09:18 2142720 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:35 . 2004-08-04 03:59 2020864 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-05 13:30 . 2009-12-05 13:30 2380538 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2009-12-04 14:41 . 2006-07-06 03:52 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:04 . 2005-08-16 09:18 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:04 . 2004-08-04 05:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2005-08-16 09:18 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2005-08-16 09:18 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2005-08-16 09:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2004-08-04 05:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Iconoid"="c:\program files\Iconoid\iconoid.exe" [2007-02-03 274432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"SigmatelSysTrayApp"="c:\windows\stsystra.exe" [2005-03-22 339968]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-19 591696]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-10 53760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^TED HEBERT^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShellPicture
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-10-31 02:07 140568 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-10-31 02:11 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Control Center]
2005-12-04 18:23 1668096 ----a-w- c:\program files\ASUS\WLAN Card Utilities\Center.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2005-05-15 07:04 332800 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2006-05-03 08:12 98304 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 19:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2007-08-30 15:50 205480 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 09:40 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LELA]
2008-09-04 16:31 159744 ----a-w- c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 --sha-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 11:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-01-09 14:21 253952 ----a-w- c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-07-11 17:18 868352 ----a-w- c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2006-07-11 17:17 65536 ----a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 07:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-10-31 02:06 2595616 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 22:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AcrSch2Svc"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SymEFA.sys [2/6/2010 10:21 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008000.029\BHDrvx86.sys [2/6/2010 10:21 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008000.029\cchpx86.sys [2/6/2010 10:20 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys [2/20/2010 5:15 AM 329592]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/6/2010 10:21 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 5:56 AM 102448]
S2 EFAINIT2;EFAINIT2;c:\windows\system32\drivers\efainit2.sys [7/10/2006 8:26 PM 12334]
S2 EFAW;EFAW;c:\windows\system32\drivers\EFAW.sys [7/10/2006 8:26 PM 16680]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance; [x]
S3 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [6/26/2008 12:52 PM 204800]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 2:22 PM 34064]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [7/21/2007 11:31 AM 104320]
.
Contents of the 'Scheduled Tasks' folder

2009-12-31 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-06-01 19:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/default
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\TED HEBERT\Application Data\Mozilla\Firefox\Profiles\cig8h06z.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\TED HEBERT\Application Data\Mozilla\plugins\npPxPlay.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-Firebird SQL Server UK - c:\program files\MAGIX\Common\Database\unwise.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-23 15:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1564)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3924)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Iconoid\tr3dll.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\windows\system32\ASWLSVC.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\ASWL2K.exe
c:\program files\Photodex\ProShowGold\ScsiAccess.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-23 15:21:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-23 21:21

Pre-Run: 183,979,401,216 bytes free
Post-Run: 183,886,143,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptOut

- - End Of File - - 689A82E421F1B6CEF221B8D6AA578764


ComboFix quarantine log:

2010-02-23 21:20:35 . 2010-02-23 21:20:35 1,222 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-NVIDIA Display Control Panel.reg.dat
2010-02-23 21:20:35 . 2010-02-23 21:20:35 1,106 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Firebird SQL Server UK.reg.dat
2010-02-23 21:20:15 . 2010-02-23 21:20:15 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2010-02-23 21:07:15 . 2010-02-23 21:07:15 2,110 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_msnsdrs.reg.dat
2010-02-23 21:07:14 . 2010-02-23 21:07:14 870 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_MSNSDRS.reg.dat
2010-02-23 21:06:57 . 2010-02-23 21:06:57 9,922 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-02-23 20:38:58 . 2010-02-23 20:58:57 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-11-04 20:40:12 . 2009-11-04 20:40:12 90,112 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ccrpTmr6.dll.vir
2007-04-17 22:07:25 . 2007-04-17 22:07:25 21,504 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\jestertb.dll.vir
2006-12-30 15:22:00 . 2006-12-30 15:22:00 3,120 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\54a4d677-8964-4e73-8301-69524506acff.ocx.vir
2006-12-30 15:22:00 . 2006-12-30 15:22:00 3,120 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cd1c8e9d-d926-48fa-ad0b-c38db4938309.dll.vir
2006-07-14 14:55:55 . 2008-09-16 01:02:38 0 ----a-w- C:\Qoobox\Quarantine\C\Log.txt.vir

Edited by copotay, 23 February 2010 - 04:32 PM.


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:42 PM

Posted 24 February 2010 - 03:15 AM

That looks fine.

However, before continuing, I need to know how everything is running now. Do you still experience the redirects?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#7 copotay

copotay
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:04:42 AM

Posted 24 February 2010 - 07:58 AM

I checked in both browsers; it is still redirecting like before, giving that same "/url?sa=t&source=" before the link but then going to the correct page. Do you think Google is doing this? I still can't figure out why it's not happening on my other computers on the same IP, with the only MAC address showing as the router's, for Google to know it's me, even after cleaning all cookies.

As for the errors under the Extras log, are they ok? Some of it looks like processor errors.

Btw, so far the only thing that appears not to be working right now after ComboFix is the Nvidia control panel, which has disappeared and will not launch, but I will fix that by reloading the drivers; it is giving me an incompatibility error between the control panel and the driver installed. I had to roll back a driver for the card because the new driver was causing the fan on the card to run all the time. I am sure I can fix this; I was just leaving everything alone until your expert opinion was given on the logs.

Tks

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:42 PM

Posted 24 February 2010 - 08:15 AM

Well, this confirms something I was seeing in your ComboFix log. I am afraid we still have a rootkit on board, and sadly neither ComboFix nor GMER saw it.
  • Please download TDSSKiller.zip and save it to your desktop.
  • Extract the zip file to your desktop (important: before continuing, make sure the file is located on your desktop, otherwise the following steps will not work!). Do not run the file yet!
  • Click Start > Run and copy and paste the following bolded text into the Run box:
    "%userprofile%\desktop\tdsskiller.exe" -l report.txt
  • When it has finished, press any key to continue.
  • If needed, reboot the computer.
A logfile (report.txt) will be created on your desktop. Please post its contents in your next reply.

Edited by elise025, 24 February 2010 - 08:18 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 



#9 copotay

copotay
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:04:42 AM

Posted 24 February 2010 - 11:26 AM

Here it is:

10:24:35:656 2560 TDSS rootkit removing tool 2.2.6 Feb 21 2010 21:24:13
10:24:35:656 2560 ================================================================================
10:24:35:656 2560 SystemInfo:

10:24:35:656 2560 OS Version: 5.1.2600 ServicePack: 2.0
10:24:35:656 2560 Product type: Workstation
10:24:35:656 2560 ComputerName: TED
10:24:35:656 2560 UserName: TED HEBERT
10:24:35:656 2560 Windows directory: C:\WINDOWS
10:24:35:656 2560 Processor architecture: Intel x86
10:24:35:656 2560 Number of processors: 2
10:24:35:656 2560 Page size: 0x1000
10:24:35:656 2560 Boot type: Normal boot
10:24:35:656 2560 ================================================================================
10:24:35:671 2560 UnloadDriverW: NtUnloadDriver error 2
10:24:35:671 2560 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
10:24:35:718 2560 Initialize success
10:24:35:718 2560
10:24:35:718 2560 Scanning Services ...
10:24:35:718 2560 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
10:24:35:718 2560 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:24:35:718 2560 wfopen_ex: Trying to KLMD file open
10:24:35:718 2560 wfopen_ex: File opened ok (Flags 2)
10:24:35:718 2560 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
10:24:35:718 2560 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:24:35:718 2560 wfopen_ex: Trying to KLMD file open
10:24:35:718 2560 wfopen_ex: File opened ok (Flags 2)
10:24:35:906 2560 GetAdvancedServicesInfo: Raw services enum returned 424 services
10:24:35:921 2560 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
10:24:35:921 2560 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
10:24:35:921 2560
10:24:35:921 2560 Scanning Kernel memory ...
10:24:35:921 2560 Devices to scan: 12
10:24:35:921 2560
10:24:35:921 2560 Driver Name: Disk
10:24:35:921 2560 IRP_MJ_CREATE : B80EEC30
10:24:35:921 2560 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
10:24:35:921 2560 IRP_MJ_CLOSE : B80EEC30
10:24:35:921 2560 IRP_MJ_READ : B80E8D9B
10:24:35:921 2560 IRP_MJ_WRITE : B80E8D9B
10:24:35:921 2560 IRP_MJ_QUERY_INFORMATION : 804F4544
10:24:35:921 2560 IRP_MJ_SET_INFORMATION : 804F4544
10:24:35:921 2560 IRP_MJ_QUERY_EA : 804F4544
10:24:35:921 2560 IRP_MJ_SET_EA : 804F4544
10:24:35:921 2560 IRP_MJ_FLUSH_BUFFERS : B80E9366
10:24:35:921 2560 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
10:24:35:921 2560 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
10:24:35:921 2560 IRP_MJ_DIRECTORY_CONTROL : 804F4544
10:24:35:921 2560 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
10:24:35:921 2560 IRP_MJ_DEVICE_CONTROL : B80E944D
10:24:35:921 2560 IRP_MJ_INTERNAL_DEVICE_CONTROL : B80ECFC3
10:24:35:921 2560 IRP_MJ_SHUTDOWN : B80E9366
10:24:35:921 2560 IRP_MJ_LOCK_CONTROL : 804F4544
10:24:35:921 2560 IRP_MJ_CLEANUP : 804F4544
10:24:35:921 2560 IRP_MJ_CREATE_MAILSLOT : 804F4544
10:24:35:921 2560 IRP_MJ_QUERY_SECURITY : 804F4544
10:24:35:921 2560 IRP_MJ_SET_SECURITY : 804F4544
10:24:35:921 2560 IRP_MJ_POWER : B80EAEF3
10:24:35:921 2560 IRP_MJ_SYSTEM_CONTROL : B80EFA24
10:24:35:921 2560 IRP_MJ_DEVICE_CHANGE : 804F4544
10:24:35:921 2560 IRP_MJ_QUERY_QUOTA : 804F4544
10:24:35:921 2560 IRP_MJ_SET_QUOTA : 804F4544
10:24:35:968 2560 sion
10:24:35:968 2560 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:24:35:968 2560
10:24:35:968 2560 Driver Name: Disk
10:24:35:968 2560 IRP_MJ_CREATE : B80EEC30
10:24:35:968 2560 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
10:24:35:968 2560 IRP_MJ_CLOSE : B80EEC30
10:24:35:968 2560 IRP_MJ_READ : B80E8D9B
10:24:35:968 2560 IRP_MJ_WRITE : B80E8D9B
10:24:35:968 2560 IRP_MJ_QUERY_INFORMATION : 804F4544
10:24:35:968 2560 IRP_MJ_SET_INFORMATION : 804F4544
10:24:35:968 2560 IRP_MJ_QUERY_EA : 804F4544
10:24:35:968 2560 IRP_MJ_SET_EA : 804F4544
10:24:35:968 2560 IRP_MJ_FLUSH_BUFFERS : B80E9366
10:24:35:968 2560 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
10:24:35:968 2560 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
10:24:35:984 2560 IRP_MJ_DIRECTORY_CONTROL : 804F4544
10:24:35:984 2560 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
10:24:35:984 2560 IRP_MJ_DEVICE_CONTROL : B80E944D
10:24:35:984 2560 IRP_MJ_INTERNAL_DEVICE_CONTROL : B80ECFC3
10:24:35:984 2560 IRP_MJ_SHUTDOWN : B80E9366
10:24:35:984 2560 IRP_MJ_LOCK_CONTROL : 804F4544
10:24:35:984 2560 IRP_MJ_CLEANUP : 804F4544
10:24:35:984 2560 IRP_MJ_CREATE_MAILSLOT : 804F4544
10:24:35:984 2560 IRP_MJ_QUERY_SECURITY : 804F4544
10:24:35:984 2560 IRP_MJ_SET_SECURITY : 804F4544
10:24:35:984 2560 IRP_MJ_POWER : B80EAEF3
10:24:35:984 2560 IRP_MJ_SYSTEM_CONTROL : B80EFA24
10:24:35:984 2560 IRP_MJ_DEVICE_CHANGE : 804F4544
10:24:35:984 2560 IRP_MJ_QUERY_QUOTA : 804F4544
10:24:35:984 2560 IRP_MJ_SET_QUOTA : 804F4544
10:24:35:984 2560 sion
10:24:35:984 2560 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:24:35:984 2560
10:24:35:984 2560 Driver Name: Disk
10:24:35:984 2560 IRP_MJ_CREATE : B80EEC30
10:24:35:984 2560 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
10:24:35:984 2560 IRP_MJ_CLOSE : B80EEC30
10:24:35:984 2560 IRP_MJ_READ : B80E8D9B
10:24:35:984 2560 IRP_MJ_WRITE : B80E8D9B
10:24:35:984 2560 IRP_MJ_QUERY_INFORMATION : 804F4544
10:24:35:984 2560 IRP_MJ_SET_INFORMATION : 804F4544
10:24:35:984 2560 IRP_MJ_QUERY_EA : 804F4544
10:24:35:984 2560 IRP_MJ_SET_EA : 804F4544
10:24:35:984 2560 IRP_MJ_FLUSH_BUFFERS : B80E9366
10:24:35:984 2560 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
10:24:35:984 2560 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
10:24:35:984 2560 IRP_MJ_DIRECTORY_CONTROL : 804F4544
10:24:35:984 2560 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
10:24:35:984 2560 IRP_MJ_DEVICE_CONTROL : B80E944D
10:24:35:984 2560 IRP_MJ_INTERNAL_DEVICE_CONTROL : B80ECFC3
10:24:35:984 2560 IRP_MJ_SHUTDOWN : B80E9366
10:24:35:984 2560 IRP_MJ_LOCK_CONTROL : 804F4544
10:24:35:984 2560 IRP_MJ_CLEANUP : 804F4544
10:24:35:984 2560 IRP_MJ_CREATE_MAILSLOT : 804F4544
10:24:35:984 2560 IRP_MJ_QUERY_SECURITY : 804F4544
10:24:35:984 2560 IRP_MJ_SET_SECURITY : 804F4544
10:24:35:984 2560 IRP_MJ_POWER : B80EAEF3
10:24:35:984 2560 IRP_MJ_SYSTEM_CONTROL : B80EFA24
10:24:35:984 2560 IRP_MJ_DEVICE_CHANGE : 804F4544
10:24:35:984 2560 IRP_MJ_QUERY_QUOTA : 804F4544
10:24:35:984 2560 IRP_MJ_SET_QUOTA : 804F4544
10:24:35:984 2560 sion
10:24:35:984 2560 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:24:35:984 2560
10:24:35:984 2560 Driver Name: Disk
10:24:35:984 2560 IRP_MJ_CREATE : B80EEC30
10:24:35:984 2560 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
10:24:35:984 2560 IRP_MJ_CLOSE : B80EEC30
10:24:35:984 2560 IRP_MJ_READ : B80E8D9B
10:24:35:984 2560 IRP_MJ_WRITE : B80E8D9B
10:24:35:984 2560 IRP_MJ_QUERY_INFORMATION : 804F4544
10:24:35:984 2560 IRP_MJ_SET_INFORMATION : 804F4544
10:24:35:984 2560 IRP_MJ_QUERY_EA : 804F4544
10:24:35:984 2560 IRP_MJ_SET_EA : 804F4544
10:24:35:984 2560 IRP_MJ_FLUSH_BUFFERS : B80E9366
10:24:35:984 2560 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
10:24:35:984 2560 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
10:24:35:984 2560 IRP_MJ_DIRECTORY_CONTROL : 804F4544
10:24:35:984 2560 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
10:24:35:984 2560 IRP_MJ_DEVICE_CONTROL : B80E944D
10:24:35:984 2560 IRP_MJ_INTERNAL_DEVICE_CONTROL : B80ECFC3
10:24:35:984 2560 IRP_MJ_SHUTDOWN : B80E9366
10:24:35:984 2560 IRP_MJ_LOCK_CONTROL : 804F4544
10:24:35:984 2560 IRP_MJ_CLEANUP : 804F4544
10:24:35:984 2560 IRP_MJ_CREATE_MAILSLOT : 804F4544
10:24:35:984 2560 IRP_MJ_QUERY_SECURITY : 804F4544
10:24:35:984 2560 IRP_MJ_SET_SECURITY : 804F4544
10:24:35:984 2560 IRP_MJ_POWER : B80EAEF3
10:24:35:984 2560 IRP_MJ_SYSTEM_CONTROL : B80EFA24
10:24:35:984 2560 IRP_MJ_DEVICE_CHANGE : 804F4544
10:24:35:984 2560 IRP_MJ_QUERY_QUOTA : 804F4544
10:24:35:984 2560 IRP_MJ_SET_QUOTA : 804F4544
10:24:35:984 2560 sion
10:24:35:984 2560 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:24:35:984 2560
10:24:35:984 2560 Driver Name: USBSTOR
10:24:35:984 2560 IRP_MJ_CREATE : B0523218
10:24:35:984 2560 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
10:24:35:984 2560 IRP_MJ_CLOSE : B0523218
10:24:35:984 2560 IRP_MJ_READ : B052323C
10:24:35:984 2560 IRP_MJ_WRITE : B052323C
10:24:35:984 2560 IRP_MJ_QUERY_INFORMATION : 804F4544
10:24:35:984 2560 IRP_MJ_SET_INFORMATION : 804F4544
10:24:35:984 2560 IRP_MJ_QUERY_EA : 804F4544
10:24:35:984 2560 IRP_MJ_SET_EA : 804F4544
10:24:35:984 2560 IRP_MJ_FLUSH_BUFFERS : 804F4544
10:24:35:984 2560 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
10:24:35:984 2560 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
10:24:35:984 2560 IRP_MJ_DIRECTORY_CONTROL : 804F4544
10:24:35:984 2560 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
10:24:35:984 2560 IRP_MJ_DEVICE_CONTROL : B0523180
10:24:35:984 2560 IRP_MJ_INTERNAL_DEVICE_CONTROL : B051E9E6
10:24:35:984 2560 IRP_MJ_SHUTDOWN : 804F4544
10:24:35:984 2560 IRP_MJ_LOCK_CONTROL : 804F4544
10:24:35:984 2560 IRP_MJ_CLEANUP : 804F4544
10:24:35:984 2560 IRP_MJ_CREATE_MAILSLOT : 804F4544
10:24:35:984 2560 IRP_MJ_QUERY_SECURITY : 804F4544
10:24:35:984 2560 IRP_MJ_SET_SECURITY : 804F4544
10:24:35:984 2560 IRP_MJ_POWER : B05225F0
10:24:35:984 2560 IRP_MJ_SYSTEM_CONTROL : B0520A6E
10:24:35:984 2560 IRP_MJ_DEVICE_CHANGE : 804F4544
10:24:35:984 2560 IRP_MJ_QUERY_QUOTA : 804F4544
10:24:35:984 2560 IRP_MJ_SET_QUOTA : 804F4544
10:24:36:000 2560 siohd: 0
10:24:36:000 2560 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
10:24:36:000 2560
10:24:36:000 2560 Driver Name: USBSTOR
10:24:36:000 2560 IRP_MJ_CREATE : B0523218
10:24:36:000 2560 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
10:24:36:000 2560 IRP_MJ_CLOSE : B0523218
10:24:36:000 2560 IRP_MJ_READ : B052323C
10:24:36:000 2560 IRP_MJ_WRITE : B052323C
10:24:36:000 2560 IRP_MJ_QUERY_INFORMATION : 804F4544
10:24:36:000 2560 IRP_MJ_SET_INFORMATION : 804F4544
10:24:36:000 2560 IRP_MJ_QUERY_EA : 804F4544
10:24:36:000 2560 IRP_MJ_SET_EA : 804F4544
10:24:36:000 2560 IRP_MJ_FLUSH_BUFFERS : 804F4544
10:24:36:000 2560 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
10:24:36:000 2560 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
10:24:36:000 2560 IRP_MJ_DIRECTORY_CONTROL : 804F4544
10:24:36:000 2560 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
10:24:36:000 2560 IRP_MJ_DEVICE_CONTROL : B0523180
10:24:36:000 2560 IRP_MJ_INTERNAL_DEVICE_CONTROL : B051E9E6
10:24:36:000 2560 IRP_MJ_SHUTDOWN : 804F4544
10:24:36:000 2560 IRP_MJ_LOCK_CONTROL : 804F4544
10:24:36:000 2560 IRP_MJ_CLEANUP : 804F4544
10:24:36:000 2560 IRP_MJ_CREATE_MAILSLOT : 804F4544
10:24:36:000 2560 IRP_MJ_QUERY_SECURITY : 804F4544
10:24:36:000 2560 IRP_MJ_SET_SECURITY : 804F4544
10:24:36:000 2560 IRP_MJ_POWER : B05225F0
10:24:36:000 2560 IRP_MJ_SYSTEM_CONTROL : B0520A6E
10:24:36:000 2560 IRP_MJ_DEVICE_CHANGE : 804F4544
10:24:36:000 2560 IRP_MJ_QUERY_QUOTA : 804F4544
10:24:36:000 2560 IRP_MJ_SET_QUOTA : 804F4544
10:24:36:000 2560 siohd: 0
10:24:36:015 2560 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
10:24:36:015 2560
10:24:36:015 2560 Driver Name: USBSTOR
10:24:36:015 2560 IRP_MJ_CREATE : B0523218
10:24:36:015 2560 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
10:24:36:015 2560 IRP_MJ_CLOSE : B0523218
10:24:36:015 2560 IRP_MJ_READ : B052323C
10:24:36:015 2560 IRP_MJ_WRITE : B052323C
10:24:36:015 2560 IRP_MJ_QUERY_INFORMATION : 804F4544
10:24:36:015 2560 IRP_MJ_SET_INFORMATION : 804F4544
10:24:36:015 2560 IRP_MJ_QUERY_EA : 804F4544
10:24:36:015 2560 IRP_MJ_SET_EA : 804F4544
10:24:36:015 2560 IRP_MJ_FLUSH_BUFFERS : 804F4544
10:24:36:015 2560 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
10:24:36:015 2560 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
10:24:36:015 2560 IRP_MJ_DIRECTORY_CONTROL : 804F4544
10:24:36:015 2560 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
10:24:36:015 2560 IRP_MJ_DEVICE_CONTROL : B0523180
10:24:36:015 2560 IRP_MJ_INTERNAL_DEVICE_CONTROL : B051E9E6
10:24:36:015 2560 IRP_MJ_SHUTDOWN : 804F4544
10:24:36:015 2560 IRP_MJ_LOCK_CONTROL : 804F4544
10:24:36:015 2560 IRP_MJ_CLEANUP : 804F4544
10:24:36:015 2560 IRP_MJ_CREATE_MAILSLOT : 804F4544
10:24:36:015 2560 IRP_MJ_QUERY_SECURITY : 804F4544
10:24:36:015 2560 IRP_MJ_SET_SECURITY : 804F4544
10:24:36:015 2560 IRP_MJ_POWER : B05225F0
10:24:36:015 2560 IRP_MJ_SYSTEM_CONTROL : B0520A6E
10:24:36:015 2560 IRP_MJ_DEVICE_CHANGE : 804F4544
10:24:36:015 2560 IRP_MJ_QUERY_QUOTA : 804F4544
10:24:36:015 2560 IRP_MJ_SET_QUOTA : 804F4544
10:24:36:015 2560 siohd: 0
10:24:36:015 2560 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
10:24:36:015 2560
10:24:36:015 2560 Driver Name: USBSTOR
10:24:36:015 2560 IRP_MJ_CREATE : B0523218
10:24:36:015 2560 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
10:24:36:015 2560 IRP_MJ_CLOSE : B0523218
10:24:36:015 2560 IRP_MJ_READ : B052323C
10:24:36:015 2560 IRP_MJ_WRITE : B052323C
10:24:36:015 2560 IRP_MJ_QUERY_INFORMATION : 804F4544
10:24:36:015 2560 IRP_MJ_SET_INFORMATION : 804F4544
10:24:36:015 2560 IRP_MJ_QUERY_EA : 804F4544
10:24:36:015 2560 IRP_MJ_SET_EA : 804F4544
10:24:36:015 2560 IRP_MJ_FLUSH_BUFFERS : 804F4544
10:24:36:015 2560 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
10:24:36:015 2560 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
10:24:36:015 2560 IRP_MJ_DIRECTORY_CONTROL : 804F4544
10:24:36:015 2560 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
10:24:36:015 2560 IRP_MJ_DEVICE_CONTROL : B0523180
10:24:36:015 2560 IRP_MJ_INTERNAL_DEVICE_CONTROL : B051E9E6
10:24:36:015 2560 IRP_MJ_SHUTDOWN : 804F4544
10:24:36:015 2560 IRP_MJ_LOCK_CONTROL : 804F4544
10:24:36:015 2560 IRP_MJ_CLEANUP : 804F4544
10:24:36:015 2560 IRP_MJ_CREATE_MAILSLOT : 804F4544
10:24:36:015 2560 IRP_MJ_QUERY_SECURITY : 804F4544
10:24:36:015 2560 IRP_MJ_SET_SECURITY : 804F4544
10:24:36:015 2560 IRP_MJ_POWER : B05225F0
10:24:36:015 2560 IRP_MJ_SYSTEM_CONTROL : B0520A6E
10:24:36:015 2560 IRP_MJ_DEVICE_CHANGE : 804F4544
10:24:36:015 2560 IRP_MJ_QUERY_QUOTA : 804F4544
10:24:36:015 2560 IRP_MJ_SET_QUOTA : 804F4544
10:24:36:015 2560 siohd: 0
10:24:36:015 2560 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
10:24:36:015 2560
10:24:36:015 2560 Driver Name: Disk
10:24:36:015 2560 IRP_MJ_CREATE : B80EEC30
10:24:36:015 2560 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
10:24:36:015 2560 IRP_MJ_CLOSE : B80EEC30
10:24:36:015 2560 IRP_MJ_READ : B80E8D9B
10:24:36:015 2560 IRP_MJ_WRITE : B80E8D9B
10:24:36:015 2560 IRP_MJ_QUERY_INFORMATION : 804F4544
10:24:36:015 2560 IRP_MJ_SET_INFORMATION : 804F4544
10:24:36:015 2560 IRP_MJ_QUERY_EA : 804F4544
10:24:36:015 2560 IRP_MJ_SET_EA : 804F4544
10:24:36:015 2560 IRP_MJ_FLUSH_BUFFERS : B80E9366
10:24:36:015 2560 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
10:24:36:015 2560 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
10:24:36:015 2560 IRP_MJ_DIRECTORY_CONTROL : 804F4544
10:24:36:015 2560 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
10:24:36:015 2560 IRP_MJ_DEVICE_CONTROL : B80E944D
10:24:36:015 2560 IRP_MJ_INTERNAL_DEVICE_CONTROL : B80ECFC3
10:24:36:015 2560 IRP_MJ_SHUTDOWN : B80E9366
10:24:36:015 2560 IRP_MJ_LOCK_CONTROL : 804F4544
10:24:36:015 2560 IRP_MJ_CLEANUP : 804F4544
10:24:36:015 2560 IRP_MJ_CREATE_MAILSLOT : 804F4544
10:24:36:015 2560 IRP_MJ_QUERY_SECURITY : 804F4544
10:24:36:015 2560 IRP_MJ_SET_SECURITY : 804F4544
10:24:36:015 2560 IRP_MJ_POWER : B80EAEF3
10:24:36:015 2560 IRP_MJ_SYSTEM_CONTROL : B80EFA24
10:24:36:015 2560 IRP_MJ_DEVICE_CHANGE : 804F4544
10:24:36:015 2560 IRP_MJ_QUERY_QUOTA : 804F4544
10:24:36:015 2560 IRP_MJ_SET_QUOTA : 804F4544
10:24:36:015 2560 sion
10:24:36:031 2560 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:24:36:031 2560
10:24:36:031 2560 Driver Name: Disk
10:24:36:031 2560 IRP_MJ_CREATE : B80EEC30
10:24:36:031 2560 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
10:24:36:031 2560 IRP_MJ_CLOSE : B80EEC30
10:24:36:031 2560 IRP_MJ_READ : B80E8D9B
10:24:36:031 2560 IRP_MJ_WRITE : B80E8D9B
10:24:36:031 2560 IRP_MJ_QUERY_INFORMATION : 804F4544
10:24:36:031 2560 IRP_MJ_SET_INFORMATION : 804F4544
10:24:36:031 2560 IRP_MJ_QUERY_EA : 804F4544
10:24:36:031 2560 IRP_MJ_SET_EA : 804F4544
10:24:36:031 2560 IRP_MJ_FLUSH_BUFFERS : B80E9366
10:24:36:031 2560 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
10:24:36:031 2560 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
10:24:36:031 2560 IRP_MJ_DIRECTORY_CONTROL : 804F4544
10:24:36:031 2560 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
10:24:36:031 2560 IRP_MJ_DEVICE_CONTROL : B80E944D
10:24:36:031 2560 IRP_MJ_INTERNAL_DEVICE_CONTROL : B80ECFC3
10:24:36:031 2560 IRP_MJ_SHUTDOWN : B80E9366
10:24:36:031 2560 IRP_MJ_LOCK_CONTROL : 804F4544
10:24:36:031 2560 IRP_MJ_CLEANUP : 804F4544
10:24:36:031 2560 IRP_MJ_CREATE_MAILSLOT : 804F4544
10:24:36:031 2560 IRP_MJ_QUERY_SECURITY : 804F4544
10:24:36:031 2560 IRP_MJ_SET_SECURITY : 804F4544
10:24:36:031 2560 IRP_MJ_POWER : B80EAEF3
10:24:36:031 2560 IRP_MJ_SYSTEM_CONTROL : B80EFA24
10:24:36:031 2560 IRP_MJ_DEVICE_CHANGE : 804F4544
10:24:36:031 2560 IRP_MJ_QUERY_QUOTA : 804F4544
10:24:36:031 2560 IRP_MJ_SET_QUOTA : 804F4544
10:24:36:031 2560 sion
10:24:36:031 2560 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:24:36:031 2560
10:24:36:031 2560 Driver Name: Disk
10:24:36:031 2560 IRP_MJ_CREATE : B80EEC30
10:24:36:031 2560 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
10:24:36:031 2560 IRP_MJ_CLOSE : B80EEC30
10:24:36:031 2560 IRP_MJ_READ : B80E8D9B
10:24:36:031 2560 IRP_MJ_WRITE : B80E8D9B
10:24:36:031 2560 IRP_MJ_QUERY_INFORMATION : 804F4544
10:24:36:031 2560 IRP_MJ_SET_INFORMATION : 804F4544
10:24:36:031 2560 IRP_MJ_QUERY_EA : 804F4544
10:24:36:031 2560 IRP_MJ_SET_EA : 804F4544
10:24:36:031 2560 IRP_MJ_FLUSH_BUFFERS : B80E9366
10:24:36:031 2560 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
10:24:36:031 2560 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
10:24:36:031 2560 IRP_MJ_DIRECTORY_CONTROL : 804F4544
10:24:36:031 2560 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
10:24:36:031 2560 IRP_MJ_DEVICE_CONTROL : B80E944D
10:24:36:031 2560 IRP_MJ_INTERNAL_DEVICE_CONTROL : B80ECFC3
10:24:36:031 2560 IRP_MJ_SHUTDOWN : B80E9366
10:24:36:031 2560 IRP_MJ_LOCK_CONTROL : 804F4544
10:24:36:031 2560 IRP_MJ_CLEANUP : 804F4544
10:24:36:031 2560 IRP_MJ_CREATE_MAILSLOT : 804F4544
10:24:36:031 2560 IRP_MJ_QUERY_SECURITY : 804F4544
10:24:36:031 2560 IRP_MJ_SET_SECURITY : 804F4544
10:24:36:031 2560 IRP_MJ_POWER : B80EAEF3
10:24:36:031 2560 IRP_MJ_SYSTEM_CONTROL : B80EFA24
10:24:36:031 2560 IRP_MJ_DEVICE_CHANGE : 804F4544
10:24:36:031 2560 IRP_MJ_QUERY_QUOTA : 804F4544
10:24:36:031 2560 IRP_MJ_SET_QUOTA : 804F4544
10:24:36:031 2560 sion
10:24:36:031 2560 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:24:36:031 2560
10:24:36:031 2560 Driver Name: iastor
10:24:36:031 2560 IRP_MJ_CREATE : B7E45142
10:24:36:031 2560 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
10:24:36:031 2560 IRP_MJ_CLOSE : B7E45142
10:24:36:031 2560 IRP_MJ_READ : 804F4544
10:24:36:031 2560 IRP_MJ_WRITE : 804F4544
10:24:36:031 2560 IRP_MJ_QUERY_INFORMATION : 804F4544
10:24:36:031 2560 IRP_MJ_SET_INFORMATION : 804F4544
10:24:36:031 2560 IRP_MJ_QUERY_EA : 804F4544
10:24:36:031 2560 IRP_MJ_SET_EA : 804F4544
10:24:36:031 2560 IRP_MJ_FLUSH_BUFFERS : 804F4544
10:24:36:031 2560 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
10:24:36:031 2560 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
10:24:36:031 2560 IRP_MJ_DIRECTORY_CONTROL : 804F4544
10:24:36:031 2560 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
10:24:36:031 2560 IRP_MJ_DEVICE_CONTROL : B7E4884E
10:24:36:031 2560 IRP_MJ_INTERNAL_DEVICE_CONTROL : B7E48B10
10:24:36:031 2560 IRP_MJ_SHUTDOWN : 804F4544
10:24:36:031 2560 IRP_MJ_LOCK_CONTROL : 804F4544
10:24:36:031 2560 IRP_MJ_CLEANUP : 804F4544
10:24:36:031 2560 IRP_MJ_CREATE_MAILSLOT : 804F4544
10:24:36:031 2560 IRP_MJ_QUERY_SECURITY : 804F4544
10:24:36:031 2560 IRP_MJ_SET_SECURITY : 804F4544
10:24:36:031 2560 IRP_MJ_POWER : B7E4D968
10:24:36:031 2560 IRP_MJ_SYSTEM_CONTROL : B7E4D9F4
10:24:36:031 2560 IRP_MJ_DEVICE_CHANGE : 804F4544
10:24:36:031 2560 IRP_MJ_QUERY_QUOTA : 804F4544
10:24:36:031 2560 IRP_MJ_SET_QUOTA : 804F4544
10:24:36:062 2560 sion
10:24:36:109 2560 C:\WINDOWS\system32\drivers\iastor.sys - Verdict: Clean
10:24:36:109 2560
10:24:36:109 2560 Completed
10:24:36:109 2560
10:24:36:109 2560 Results:
10:24:36:109 2560 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
10:24:36:109 2560 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:24:36:109 2560 File objects infected / cured / cured on reboot: 0 / 0 / 0
10:24:36:109 2560
10:24:36:109 2560 KLMD(ARK) unloaded successfully


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:42 PM

Posted 24 February 2010 - 12:02 PM

No luck there either... Let's try a blind shot on this.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    iastor.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 copotay

copotay
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:04:42 AM

Posted 24 February 2010 - 12:11 PM

Here we go:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:08 on 24/02/2010 by TED HEBERT (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\drivers\storage\sata\onboard\iastor.sys --a--- 872064 bytes [03:53 06/07/2006] [17:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963
C:\i386\iaStor.sys --a--- 872064 bytes [16:53 11/07/2006] [17:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963
C:\WINDOWS\system32\drivers\iaStor.sys --a--- 872064 bytes [03:53 06/07/2006] [03:48 07/02/2010] EF6DF1833E2A4057F1272E273604B874

-=End Of File=-
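A check a defender can script from the SystemLook output above (an added example, not code from the thread, from SystemLook or from ComboFix): parse the filefind hit lines, group copies of the same driver by file name, and flag any copy whose MD5 disagrees with the others or whose modified timestamp is newer than its creation timestamp. The three hit lines are copied from the log; the parser, the heuristics and the tie-handling are constructed for this example and go slightly beyond the single case in the log.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the "Searching for" block is copied from the SystemLook
# log posted in the thread; it is embedded here so the script runs offline.
SYSTEMLOOK_LOG = r"""
========== filefind ==========

Searching for "iastor.sys"
C:\drivers\storage\sata\onboard\iastor.sys --a--- 872064 bytes [03:53 06/07/2006] [17:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963
C:\i386\iaStor.sys --a--- 872064 bytes [16:53 11/07/2006] [17:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963
C:\WINDOWS\system32\drivers\iaStor.sys --a--- 872064 bytes [03:53 06/07/2006] [03:48 07/02/2010] EF6DF1833E2A4057F1272E273604B874

-=End Of File=-
"""

# One SystemLook filefind hit:  <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
# Timestamps are HH:MM dd/mm/yyyy (the log header writes 24 February as 24/02/2010).
HIT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
TS_FMT = "%H:%M %d/%m/%Y"


@dataclass
class FileHit:
    path: str
    size: int
    created: datetime
    modified: datetime
    md5: str

    @property
    def name(self) -> str:
        # Group copies by bare file name, case-insensitively (iastor.sys vs iaStor.sys).
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_filefind(text: str) -> list[FileHit]:
    """Return every hit line of a SystemLook filefind section; other lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m is None:
            continue
        hits.append(FileHit(
            path=m["path"],
            size=int(m["size"]),
            created=datetime.strptime(m["created"], TS_FMT),
            modified=datetime.strptime(m["modified"], TS_FMT),
            md5=m["md5"].upper(),
        ))
    return hits


def find_outliers(hits: list[FileHit]) -> list[tuple[FileHit, list[str]]]:
    """Flag copies whose MD5 disagrees with the majority hash for that file name,
    and copies whose modified timestamp is newer than their creation timestamp
    (a file copied from install media normally carries a modified date older
    than the day it landed on this disk). Returns (hit, reasons) pairs."""
    groups: dict[str, list[FileHit]] = {}
    for h in hits:
        groups.setdefault(h.name, []).append(h)

    findings = []
    for copies in groups.values():
        counts = Counter(h.md5 for h in copies)
        majority_md5, majority_n = counts.most_common(1)[0]
        # Only a strict majority may be treated as "the clean hash".
        if len(counts) > 1 and majority_n * 2 <= len(copies):
            majority_md5 = None
        for h in copies:
            reasons = []
            if len(counts) > 1 and majority_md5 is None:
                reasons.append(f"no majority MD5 among {len(copies)} copies; compare with a known-good file")
            elif h.md5 != majority_md5:
                agreeing = [o for o in copies if o.md5 == majority_md5]
                reasons.append(f"MD5 differs from {len(agreeing)} other copies")
                if all(o.size == h.size for o in agreeing):
                    reasons.append("same size as the agreeing copies (consistent with in-place patching)")
            if h.modified > h.created:
                reasons.append(f"modified {h.modified:%Y-%m-%d}, after being created {h.created:%Y-%m-%d}")
            if reasons:
                findings.append((h, reasons))
    return findings


def report(text: str) -> list[str]:
    """One human-readable line per flagged copy."""
    return [f"{h.path}: " + "; ".join(reasons) for h, reasons in find_outliers(parse_filefind(text))]


if __name__ == "__main__":
    for line in report(SYSTEMLOOK_LOG):
        print(line)
```

On the log above this flags only the live copy in system32\drivers, which is the one the FCopy in the next post overwrites from C:\i386.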

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:42 PM

Posted 24 February 2010 - 12:14 PM

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
FCopy::
C:\i386\iaStor.sys | C:\WINDOWS\system32\drivers\iaStor.sys

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


regards, Elise




#13 copotay

copotay
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:04:42 AM

Posted 24 February 2010 - 12:18 PM

Here it is, and thanks again for all the help as we go. Also, under Qoobox under C: it quarantined, under the drivers folder, iaStor.sys.vir with a modified date of 02/06/10.


ComboFix 10-02-23.04 - TED HEBERT 02/24/2010 11:55:06.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1552 [GMT -6:00]
Running from: c:\documents and settings\TED HEBERT\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\TED HEBERT\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\i386\iaStor.sys --> c:\windows\system32\drivers\iaStor.sys
.
((((((((((((((((((((((((( Files Created from 2010-01-24 to 2010-02-24 )))))))))))))))))))))))))))))))
.

2010-02-24 16:30 . 2010-02-05 09:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.048\NAVENG.SYS
2010-02-24 16:30 . 2010-02-05 09:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.048\NAVEX15.SYS
2010-02-24 16:30 . 2009-12-10 09:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.048\CCERASER.DLL
2010-02-24 16:30 . 2009-09-24 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.048\ECMSVR32.DLL
2010-02-24 16:30 . 2009-08-27 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.048\EECTRL.SYS
2010-02-24 16:30 . 2009-08-27 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.048\NAVENG32.DLL
2010-02-24 16:30 . 2009-08-27 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.048\NAVEX32A.DLL
2010-02-24 16:30 . 2009-08-27 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.048\ERASER.SYS
2010-02-24 16:20 . 2010-02-12 23:41 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-02-24 16:20 . 2010-02-02 01:20 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-02-20 16:26 . 2010-02-20 16:26 -------- d-----w- c:\documents and settings\TED HEBERT\Local Settings\Application Data\Mozilla
2010-02-20 11:15 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\Scxpx86.dll
2010-02-20 11:15 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSvix86.sys
2010-02-20 11:15 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys
2010-02-20 11:15 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSxpx86.dll
2010-02-20 11:15 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSviA64.sys
2010-02-19 01:39 . 2010-02-19 01:39 -------- d-----w- c:\windows\system32\Adobe
2010-02-13 13:32 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSvix86.sys
2010-02-13 13:32 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSXpx86.sys
2010-02-13 13:32 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\Scxpx86.dll
2010-02-13 13:32 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSxpx86.dll
2010-02-13 13:32 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSviA64.sys
2010-02-07 00:40 . 2010-02-07 00:40 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-07 00:40 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-07 00:40 . 2010-02-07 00:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-07 00:40 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-06 17:22 . 2010-02-06 17:22 -------- d-----w- c:\program files\Shuangs Audio Joiner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 19:22 . 2009-12-06 15:42 -------- d-----w- c:\program files\NVIDIA Corporation
2010-02-19 01:36 . 2006-07-06 04:07 -------- d-----w- c:\program files\Common Files\Java
2010-02-19 01:36 . 2006-07-06 04:07 -------- d-----w- c:\program files\Java
2010-02-17 23:48 . 2006-10-01 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-06 15:45 . 2008-08-15 17:26 -------- d-----w- c:\program files\Xilisoft
2010-01-31 22:52 . 2007-07-03 22:30 -------- d-----w- c:\documents and settings\TED HEBERT\Application Data\U3
2010-01-31 13:21 . 2006-07-10 23:52 89040 ----a-w- c:\documents and settings\TED HEBERT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-30 15:17 . 2006-12-08 19:40 -------- d-----w- c:\program files\MP3Gain
2010-01-12 04:17 . 2010-01-12 04:17 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-12 04:17 . 2010-01-12 04:17 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-12 04:17 . 2010-01-12 04:17 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-12 04:17 . 2010-01-12 04:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-12 04:17 . 2010-01-12 04:17 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-12 04:17 . 2010-01-12 04:17 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-12-31 16:14 . 2006-07-06 03:52 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 12:51 . 2009-12-31 12:51 152576 ----a-w- c:\documents and settings\TED HEBERT\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-31 12:51 . 2009-12-31 12:51 79488 ----a-w- c:\documents and settings\TED HEBERT\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-21 19:14 . 2005-08-16 09:18 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 23:14 . 2009-10-10 11:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 12:58 . 2005-08-16 09:37 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2005-08-16 09:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:11 . 2005-08-16 09:18 2142720 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:35 . 2004-08-04 03:59 2020864 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-05 13:30 . 2009-12-05 13:30 2380538 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2009-12-04 14:41 . 2006-07-06 03:52 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:04 . 2005-08-16 09:18 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:04 . 2004-08-04 05:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2005-08-16 09:18 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2005-08-16 09:18 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2005-08-16 09:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2004-08-04 05:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Iconoid"="c:\program files\Iconoid\iconoid.exe" [2007-02-03 274432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"SigmatelSysTrayApp"="c:\windows\stsystra.exe" [2005-03-22 339968]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-19 591696]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-10 53760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^TED HEBERT^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-10-31 02:07 140568 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-10-31 02:11 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Control Center]
2005-12-04 18:23 1668096 ----a-w- c:\program files\ASUS\WLAN Card Utilities\Center.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2005-05-15 07:04 332800 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2006-05-03 08:12 98304 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 19:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2007-08-30 15:50 205480 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 09:40 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LELA]
2008-09-04 16:31 159744 ----a-w- c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 --sha-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 11:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-01-09 14:21 253952 ----a-w- c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-07-11 17:18 868352 ----a-w- c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2006-07-11 17:17 65536 ----a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 07:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-10-31 02:06 2595616 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 22:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AcrSch2Svc"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SymEFA.sys [2/6/2010 10:21 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008000.029\BHDrvx86.sys [2/6/2010 10:21 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008000.029\cchpx86.sys [2/6/2010 10:20 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys [2/20/2010 5:15 AM 329592]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/6/2010 10:21 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 5:56 AM 102448]
S2 EFAINIT2;EFAINIT2;c:\windows\system32\drivers\efainit2.sys [7/10/2006 8:26 PM 12334]
S2 EFAW;EFAW;c:\windows\system32\drivers\EFAW.sys [7/10/2006 8:26 PM 16680]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance; [x]
S3 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [6/26/2008 12:52 PM 204800]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 2:22 PM 34064]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [7/21/2007 11:31 AM 104320]

--- Other Services/Drivers In Memory ---

*Deregistered* - klmd21
.
Contents of the 'Scheduled Tasks' folder

2009-12-31 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-06-01 19:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/default
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\TED HEBERT\Application Data\Mozilla\Firefox\Profiles\cig8h06z.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\TED HEBERT\Application Data\Mozilla\plugins\npPxPlay.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 12:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1560)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2264)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Iconoid\tr3dll.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-24 12:03:50
ComboFix-quarantined-files.txt 2010-02-24 18:03
ComboFix2.txt 2010-02-23 21:21

Pre-Run: 184,098,635,776 bytes free
Post-Run: 184,063,975,424 bytes free

- - End Of File - - 9CAC3B48AED6F265AE24B2E62858CE66

Edited by copotay, 24 February 2010 - 01:18 PM.


#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:42 PM

Posted 24 February 2010 - 01:51 PM

How is the redirect problem now?

regards, Elise




#15 copotay

copotay
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:04:42 AM

Posted 24 February 2010 - 03:05 PM

Still getting this:

/url?sa=t&source=web&ct=res&cd=1&ved=0CAsQFjAA&url=http%3A%2F%2Fwww.test.com%2F&rct=j&q=test&ei=roWFS4eaD4HANvrMuDM&usg=AFQjCNH21KLjC0CBkjon2DwD_CZ0HApLMw

instead of this:

http://www.test.com/

Just the same, only on the main Google page and any other Google page coming off that main page. If I use the www.google.com/default page it is fine.



