
Trojan.Hiloti? -- HijackThis Log: Please help diagnose!


This topic is locked
22 replies to this topic

#1 ajrty33


  • Members
  • 13 posts

Posted 24 February 2010 - 11:46 PM

Attached: DDS log and GMER log
I opened a file that Norton recognized as a trojan and that's when my troubles started. Every couple of minutes Norton blocks an intrusion attempt by "a57990057.cn" at 94.228.209.143. Malwarebytes recognized Trojan.Hiloti, but I haven't found any DLLs normally associated with it. It also found Trojan.Hiloti in Win7codecs. Also, I'm occasionally having a "You win!" or other random redirect pop up in Firefox. I've attached two pictures of what I'm getting that pops up in Firefox. I'm usually the one fixing other people's computers, but I've given up on this one.

Here's my DDS log followed by my GMER log.



Here's my DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by user at 22:51:18.52 on Wed 02/24/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3062.1898 [GMT -6:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\Users\user\Desktop\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\user\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080730
uStart Page =
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyServer = ftp=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.5.0.127\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [QuickSet] "c:\program files\dell\quickset\QuickSet.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter3.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\6ygovsup.default
FF - prefs.js: browser.search.selectedEngine - Bible Gateway
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\users\user\appdata\roaming\move networks\plugins\npqmp071705000014.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-11-2 28552]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1105000.07f\symds.sys [2010-1-21 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1105000.07f\symefa.sys [2010-1-21 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100211.001\BHDrvx86.sys [2010-2-11 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1105000.07f\cchpx86.sys [2010-1-21 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100218.001\IDSvix86.sys [2010-2-21 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1105000.07f\ironx86.sys [2010-1-21 116272]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1105000.07f\symtdiv.sys [2010-1-21 340016]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-10-25 47640]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.5.0.127\ccsvchst.exe [2010-1-21 126392]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2010-1-31 14976]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-25 102448]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-11-4 16472]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-13 135664]

=============== Created Last 30 ================

2010-02-24 23:32:15 0 d-----w- c:\program files\Enigma Software Group
2010-02-24 21:28:33 0 d-----w- c:\users\user\appdata\roaming\Malwarebytes
2010-02-24 21:28:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-24 21:28:27 0 d-----w- c:\programdata\Malwarebytes
2010-02-24 21:28:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-24 21:28:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-24 20:45:53 0 d-----w- c:\users\user\appdata\roaming\J River
2010-02-24 19:53:07 44080 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-02-24 09:28:04 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-02-24 09:28:04 204288 ----a-w- c:\windows\system32\MSNP.ax
2010-02-24 09:28:03 465408 ----a-w- c:\windows\system32\psisdecd.dll
2010-02-24 09:28:03 417792 ----a-w- c:\windows\system32\msdri.dll
2010-02-24 09:27:58 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 06:32:15 0 d-----w- c:\users\user\appdata\roaming\Openworld Learning
2010-02-23 00:35:05 0 d-----w- c:\programdata\Yahoo!
2010-02-23 00:33:04 0 d-----w- c:\program files\Yahoo!
2010-02-19 07:08:11 0 d-----w- c:\users\user\appdata\roaming\GetRightToGo
2010-02-19 00:02:44 0 d-----w- c:\program files\VideoLAN
2010-02-18 22:42:23 0 d-----w- c:\programdata\Sun
2010-02-16 06:46:03 0 d-----w- c:\users\user\appdata\roaming\Revolution
2010-02-16 06:45:30 0 d-----w- c:\program files\Revolution Dreamcard Player
2010-02-12 05:08:43 76 ----a-w- c:\windows\system32\mspstpl.vxd
2010-02-12 05:08:43 585728 ------w- c:\windows\system32\AReadyLB.dll
2010-02-12 05:08:43 229376 ------w- c:\windows\system32\AudDevicePlugin.dll
2010-02-12 05:08:43 183129 ------w- c:\windows\system32\AM Install1.INF
2010-02-12 05:08:42 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2010-02-12 05:06:16 0 d-----w- c:\program files\Media Center 14
2010-02-11 07:52:41 0 d-----w- c:\users\user\appdata\roaming\x3watch
2010-02-11 06:53:04 0 d-----w- c:\program files\WindSolutions
2010-02-11 06:52:05 0 d-----w- c:\program files\Copy Trans Suite
2010-02-11 06:51:11 0 d-----w- c:\users\user\appdata\roaming\WindSolutions
2010-02-11 06:51:11 0 d-----w- c:\programdata\WindSolutions
2010-02-10 20:18:06 22146 ----a-w- c:\windows\system32\llbeh3.dll
2010-02-10 20:18:05 3955288 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 20:18:05 3899464 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 20:18:05 292864 ----a-w- c:\windows\system32\apphelp.dll
2010-02-10 20:18:02 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 20:18:02 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-09 19:07:27 0 d-----w- c:\users\user\appdata\roaming\Acoustica
2010-02-09 19:05:52 57344 ----a-w- c:\windows\system32\Wnaspint.dll
2010-02-09 19:05:50 0 d-----w- c:\program files\Acoustica Shared Effects
2010-02-09 19:03:14 0 d-----w- c:\programdata\Acoustica
2010-02-09 19:02:45 0 d-----w- c:\program files\Acoustica Mixcraft 4
2010-02-02 22:07:51 0 d-----w- c:\users\user\appdata\roaming\LammerSoft
2010-02-02 22:07:05 0 d-----w- c:\program files\Lammer Context Menu
2010-02-01 02:08:01 0 d-----w- c:\programdata\TEMP
2010-01-31 20:56:14 37 ----a-w- c:\windows\SWFConverter.INI
2010-01-31 20:55:50 413760 ----a-w- c:\windows\system32\MPG4c32.dll
2010-01-31 20:55:50 262144 ----a-w- c:\windows\system32\mpg4ds32.ax
2010-01-31 19:55:10 1066176 ----a-w- c:\windows\system\mscomctl.ocx
2010-01-31 07:58:13 14976 ----a-w- c:\windows\system32\drivers\SBKUPNT.SYS
2010-01-31 07:58:13 13312 ----a-w- c:\windows\system32\DEVLOAD.EXE
2010-01-31 07:58:03 2799 ----a-w- c:\windows\SKLANG.INI
2010-01-31 07:58:02 306688 ----a-w- c:\windows\IsUninst.exe
2010-01-31 07:37:57 0 d-----w- c:\program files\MPC HomeCinema
2010-01-27 17:06:31 285696 ----a-w- c:\windows\system32\winlogon.exe
2010-01-27 17:06:31 2614272 ----a-w- c:\windows\explorer.exe

==================== Find3M ====================

2010-01-18 23:29:31 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29:31 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29:31 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-18 23:29:30 369152 ----a-w- c:\windows\system32\secproc.dll
2010-01-18 23:28:33 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28:33 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28:30 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-18 23:28:30 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-08 03:18:02 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-01-08 03:17:36 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-01-05 03:41:50 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-12-19 09:02:55 977920 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 09:02:52 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-19 09:02:48 1328640 ----a-w- c:\windows\system32\quartz.dll
2009-12-19 09:02:46 22016 ----a-w- c:\windows\system32\msyuv.dll
2009-12-19 09:02:45 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-19 09:02:45 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-19 09:02:40 84480 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-19 09:02:39 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-19 09:02:01 91648 ----a-w- c:\windows\system32\avifil32.dll
2009-12-17 23:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-26 07:26:41 76 --sh--r- c:\windows\CT4CET.bin
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 22:52:29.77 ===============






Here's my GMER log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-24 23:32:09
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\user\AppData\Local\Temp\fxldypow.sys


---- System - GMER 1.0.15 ----

SSDT 876817E8 ZwAlertResumeThread
SSDT 87736B50 ZwAlertThread
SSDT 883ADC88 ZwAllocateVirtualMemory
SSDT 875CE1B8 ZwAlpcConnectPort
SSDT 87722048 ZwAssignProcessToJobObject
SSDT 883AFB38 ZwCreateMutant
SSDT 883AF388 ZwCreateSymbolicLinkObject
SSDT 883AD118 ZwCreateThread
SSDT 883AF458 ZwCreateThreadEx
SSDT 87721048 ZwDebugActiveProcess
SSDT 883ADDE0 ZwDuplicateObject
SSDT 883ADAE8 ZwFreeVirtualMemory
SSDT 87677130 ZwImpersonateAnonymousToken
SSDT 87672D50 ZwImpersonateThread
SSDT 87570EA8 ZwLoadDriver
SSDT 883ADA08 ZwMapViewOfSection
SSDT 8765FEB0 ZwOpenEvent
SSDT 883ADF80 ZwOpenProcess
SSDT 87711048 ZwOpenProcessToken
SSDT 8768BDC8 ZwOpenSection
SSDT 883ADEB0 ZwOpenThread
SSDT 883AF538 ZwProtectVirtualMemory
SSDT 8770C750 ZwResumeThread
SSDT 87711A90 ZwSetContextThread
SSDT 883AD8B0 ZwSetInformationProcess
SSDT 87727B50 ZwSetSystemInformation
SSDT 8767A068 ZwSuspendProcess
SSDT 8767B148 ZwSuspendThread
SSDT 87713950 ZwTerminateProcess
SSDT 8770FB80 ZwTerminateThread
SSDT 8770E048 ZwUnmapViewOfSection
SSDT 883ADBB8 ZwWriteVirtualMemory

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83041AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83041104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830413F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302A2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83029898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830411DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83041958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830416F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83041F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830421A8

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\ACPI_HAL \Device\0000005e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 866A3A9A

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0002720c9b4c
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0002720c9b4c@001ccc597b5b 0xFA 0x62 0x29 0xA7 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 54110
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0002720c9b4c (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0002720c9b4c@001ccc597b5b 0xFA 0x62 0x29 0xA7 ...
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LazyCheckPointUpdateInterval 604800

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----



I downloaded a program to decompile swf files. "Flash Digger" is run by Openworld Learning... A google search of Openworld Learning brings up a virus. The program has been uninstalled and all that's left is an .ini file, so I don't know that that is the problem.

Edited by Pandy, 25 February 2010 - 12:26 PM.
Merged to make 0 replies.
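The DDS and GMER logs above are plain text split into banner-delimited sections, and a helper reads a handful of items first: a proxy that points browser traffic at the local machine, toolbar and BHO registrations whose DLL no longer exists, drivers created inside the scan window, and files GMER marks as modified. The script below is an added example written for this page; it is not part of the thread and not a tool from the DDS, GMER or BleepingComputer projects. Its sample inputs are constructed excerpts modelled on the lines in the post, and the section titles it keys on ("Pseudo HJT", "Created Last", "Files", "System") are the ones that appear in those logs.

```python
"""Triage helper for DDS and GMER text logs (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed excerpt in DDS format; values modelled on the thread's log.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = ftp=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File

=============== Created Last 30 ================

2010-02-24 21:28:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-24 21:28:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-31 07:58:13 14976 ----a-w- c:\windows\system32\drivers\SBKUPNT.SYS

============= FINISH: 22:52:29.77 ===============
"""

# Constructed excerpt in GMER format.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT 876817E8 ZwAlertResumeThread
SSDT 87736B50 ZwAlertThread

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# DDS banners look like "===== Name =====", GMER banners like "---- Name ----".
SECTION_RE = re.compile(r"^(?:=+|-{4})\s*(.+?)\s*(?:=+|-{4})$")
# DDS file line: date time size attributes path
DRIVER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (\d+) \S+ (.+\.sys)$", re.IGNORECASE)
LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}


def split_sections(text):
    """Map each banner title to the non-empty lines beneath it."""
    sections = defaultdict(list)
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
        elif line:
            sections[current].append(line)
    return sections


def section(sections, prefix):
    """Lines of the first section whose title starts with prefix ([] if absent)."""
    return next((lines for title, lines in sections.items() if title.startswith(prefix)), [])


def check_proxy(hjt_lines):
    """Flag browser traffic routed through a listener on the local machine.
    A loopback proxy is only legitimate when a known program owns that port."""
    findings = []
    for line in hjt_lines:
        if not line.startswith("uInternet Settings,ProxyServer"):
            continue
        _, _, value = line.partition("=")
        for entry in value.split(";"):
            proto, sep, hostport = entry.strip().partition("=")
            if not sep:  # bare "host:port" applies to every protocol
                proto, hostport = "all", proto
            host = hostport.rsplit(":", 1)[0].lower()
            if host in LOOPBACK:
                findings.append(f"proxy: {proto} traffic goes through local listener {hostport}")
    return findings


def check_orphans(hjt_lines):
    """Toolbar/BHO registrations whose DLL is gone are leftovers to clean up."""
    return [f"orphaned entry: {line}" for line in hjt_lines if line.endswith("- No File")]


def check_new_drivers(created_lines):
    """List kernel drivers that appeared inside the scan window for review."""
    findings = []
    for line in created_lines:
        match = DRIVER_RE.match(line)
        if match:
            date, size, path = match.groups()
            findings.append(f"new driver: {path} ({size} bytes, created {date})")
    return findings


def check_gmer(gmer_sections):
    """Report files GMER marks as modified; count SSDT hooks as context only,
    since security suites hook the SSDT as well."""
    findings = [f"gmer: {line}" for line in section(gmer_sections, "Files")
                if line.endswith("suspicious modification")]
    hooks = [line for line in section(gmer_sections, "System") if line.startswith("SSDT ")]
    if hooks:
        findings.append(f"gmer: {len(hooks)} SSDT hooks present (verify the owning driver)")
    return findings


def triage(dds_text, gmer_text):
    """Run every check and return the findings as plain strings."""
    dds = split_sections(dds_text)
    gmer = split_sections(gmer_text)
    hjt = section(dds, "Pseudo HJT")
    created = section(dds, "Created Last")
    return (check_proxy(hjt) + check_orphans(hjt)
            + check_new_drivers(created) + check_gmer(gmer))


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS, SAMPLE_GMER):
        print(finding)
```

On the sample input this reports four proxy entries (one per protocol), two orphaned toolbar entries, two drivers created in the window and the iaStor.sys modification. None of these is a verdict on its own: the driver list includes the Malwarebytes driver installed the same day, and the SSDT count is expected on a machine running Norton, which is why the script lists them for review rather than labelling them malicious.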



#2 etavares


    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 27 February 2010 - 07:40 AM

Hello, ajrty33.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.


Please give me a few minutes to find a fix that works for Windows 7.

Edited by etavares, 27 February 2010 - 07:41 AM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 etavares


    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 27 February 2010 - 07:44 AM

Please don't miss my post above. Please start with this scan so we can find replacement files for an infected system file.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT


  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply. If they are too big to paste in one reply, please split them into separate posts.




#4 ajrty33

  • Topic Starter

  • Members
  • 13 posts

Posted 27 February 2010 - 10:26 PM

Just FYI: After posting my original post, I ran combofix among many other things (I know it's frowned upon). Combofix found an issue with iastor.sys. The intrusion attempts and redirects have stopped, but I'm well aware that something could still be there. I won't run anything without your permission from this point on :D


Here is Extras.Txt:

OTL Extras logfile created on: 2/27/2010 7:39:48 PM - Run 1
OTL by OldTimer - Version 3.1.30.3 Folder = C:\Users\User\Desktop
An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 57.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 129.36 Gb Total Space | 67.99 Gb Free Space | 52.55% Space Free | Partition Type: NTFS
Drive D: | 9.77 Gb Total Space | 5.63 Gb Free Space | 57.66% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 93.71 Gb Total Space | 84.79 Gb Free Space | 90.47% Space Free | Partition Type: NTFS

Computer Name: ME
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- Reg Error: Key error. File not found
.cmd [@ = cmdfile] -- Reg Error: Key error. File not found
.com [@ = ComFile] -- Reg Error: Key error. File not found
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.pif [@ = piffile] -- Reg Error: Key error. File not found
.vbs [@ = VBSFile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.0.0 (r181)
"{15F4085A-BC98-4590-AFFD-03BBBE49524E}" = Garmin Communicator Plugin
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}" = Live! Cam Avatar v1.0
"{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"{205ACCD7-5342-4694-91F3-3A99E4FD5AA6}" = Mathcad 14 Help
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1" = Media Player Classic - Home Cinema v. 1.3.1249.0
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 18
"{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.2
"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
"{34F93E31-E1A0-421C-8E86-BCF7C4193A91}" = LogMeIn
"{49DB0B0B-6021-468B-9D01-29C959CD70B2}" = PowerWorld Simulator 14 GSO Education Edition
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{71DFAA65-77FA-41F3-A748-013B5A8524A3}" = Garmin City Navigator North America NT 2010.30
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C0CAA7A-3272-4991-A808-2C7559DE3409}" = Win7codecs
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A8B94669-8654-4126-BD28-D0D2412CDED6}" = TI Connect 1.6
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C4972073-2BFE-475D-8441-564EA97DA161}" = QuickSet32
"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
"{E666A69B-A76D-43D5-AF28-4B2150A6EDE2}" = Mathcad 14
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"7-Zip" = 7-Zip 4.65
"Acoustica Effects Pack" = Acoustica Effects Pack
"Acoustica Mixcraft 4.5" = Acoustica Mixcraft 4.5
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"AIM_6" = AIM 6
"Audacity_is1" = Audacity 1.2.6
"bitRipper" = bitRipper
"BlackBerry_{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"CamStudio" = CamStudio
"CCleaner" = CCleaner
"CopyTrans Suite" = CopyTrans Suite Remove Only
"Creative OEM002" = Laptop Integrated Webcam Driver (1.04.01.1011)
"Dell Webcam Center" = Dell Webcam Center
"Dell Webcam Manager" = Dell Webcam Manager
"Easy Duplicate Finder_is1" = Easy Duplicate Finder v. 2.4.1
"ExamDiff_is1" = ExamDiff 1.8 (Build 1.8.0.3)
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"Handbrake" = Handbrake 0.9.4
"HDMI" = Intel® Graphics Media Accelerator Driver
"ImgBurn" = ImgBurn
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Lammer Context Menu" = Lammer Context Menu v1.0.0.25
"LogixPro PLC Simulator_is1" = the TLP LogixPro Simulator
"Magic ISO Maker v5.5 (build 0276)" = Magic ISO Maker v5.5 (build 0276)
"MagicDisc 2.7.106" = MagicDisc 2.7.106
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MatlabR2007b" = MATLAB R2007b
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"Mp3tag" = Mp3tag v2.45a
"NIS" = Norton Internet Security
"qt7lite_is1" = QT Lite 3.1.0
"Rainmeter" = Rainmeter (remove only)
"Startup Delayer" = Startup Delayer v2.5 (build 138)
"SynTPDeinstKey" = Dell Touchpad
"tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine
"TVWiz" = Intel® TV Wizard
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.5
"X3watch_is1" = X3watch 5.0.6
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"309a46b1dc89b774" = Dell Driver Download Manager
"f031ef6ac137efc5" = Dell Driver Download Manager
"Move Media Player" = Move Media Player
"WinDirStat" = WinDirStat 1.1.2

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >



__________________________________________________________________________________________________________________________________
Here is OTL.Txt:

OTL logfile created on: 2/27/2010 7:39:48 PM - Run 1
OTL by OldTimer - Version 3.1.30.3 Folder = C:\Users\User\Desktop
An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 57.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 129.36 Gb Total Space | 67.99 Gb Free Space | 52.55% Space Free | Partition Type: NTFS
Drive D: | 9.77 Gb Total Space | 5.63 Gb Free Space | 57.66% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 93.71 Gb Total Space | 84.79 Gb Free Space | 90.47% Space Free | Partition Type: NTFS

Computer Name: ME
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/27 19:35:49 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
PRC - [2010/02/18 04:05:41 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/09 03:05:51 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccsvchst.exe
PRC - [2009/10/30 23:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/09/28 18:34:22 | 000,116,032 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2009/09/28 18:34:16 | 000,378,176 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardian.exe
PRC - [2009/09/23 11:30:48 | 000,252,952 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxsrvc.exe
PRC - [2009/09/23 11:30:48 | 000,141,848 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxtray.exe
PRC - [2009/07/13 19:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/06/04 18:03:32 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2009/06/04 18:03:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/08/11 11:41:00 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2008/08/11 11:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2007/10/26 13:39:14 | 000,095,528 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
PRC - [2007/10/26 13:39:04 | 001,029,416 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


========== Modules (SafeList) ==========

MOD - [2010/02/27 19:35:49 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
MOD - [2009/07/13 19:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 19:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 19:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 19:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 19:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 19:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 19:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 19:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 19:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 19:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 19:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare9)
SRV - File not found [On_Demand | Stopped] -- -- (MEIMRGXWWUDF)
SRV - File not found [On_Demand | Stopped] -- -- (DMJWTY)
SRV - [2009/12/13 01:55:07 | 000,135,664 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2009/12/09 03:05:51 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe -- (NIS)
SRV - [2009/10/26 00:04:25 | 000,072,704 | ---- | M] (Adobe Systems) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2009/09/28 18:34:22 | 000,116,032 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2009/07/13 19:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 19:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 19:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 19:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 19:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 19:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 19:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 19:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 19:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 19:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 19:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 19:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 19:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 19:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 19:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 19:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 19:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 19:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 19:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 19:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 19:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 19:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/06/04 18:03:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2008/08/11 11:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2004/10/22 02:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 12:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 67 BA A7 04 7A 54 CA 01 [binary data]
IE - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\S-1-5-21-215946107-2105060619-4208827591-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\S-1-5-21-215946107-2105060619-4208827591-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = ftp=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080

========== FireFox ==========

FF - prefs.js..browser.search.addSBtoToolbar: false
FF - prefs.js..browser.search.selectedEngine: "Bible Gateway"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.5
FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:3.0.0.1
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.1
FF - prefs.js..extensions.enabledItems: {655397ca-4766-496b-b7a8-3a5b176ee4c2}:1.4.5
FF - prefs.js..extensions.enabledItems: texpertension@texperts.com:1.0.8
FF - prefs.js..extensions.enabledItems: tineye@ideeinc.com:0.7.1
FF - prefs.js..extensions.enabledItems: {37fa1426-b82d-11db-8314-0800200c9a66}:2.3.1
FF - prefs.js..network.proxy.ftp: "127.0.0.1"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.gopher: "5.6.7.8"
FF - prefs.js..network.proxy.gopher_port: 8080
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.socks: "127.0.0.1"
FF - prefs.js..network.proxy.socks_port: 1080
FF - prefs.js..network.proxy.ssl_port: 8080

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\ [2009/10/24 03:25:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\ [2010/01/22 00:14:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/18 04:05:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/18 04:05:46 | 000,000,000 | ---D | M]

[2009/10/24 02:14:59 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mozilla\Extensions
[2010/02/26 23:04:55 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions
[2009/12/08 16:28:09 | 000,000,000 | ---D | M] (PDF Download) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2010/02/22 23:49:34 | 000,000,000 | ---D | M] (WebMail Notifier) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
[2010/02/01 14:31:02 | 000,000,000 | ---D | M] (Searchbar Autosizer) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\{655397ca-4766-496b-b7a8-3a5b176ee4c2}
[2010/01/16 02:49:58 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/01/10 15:08:01 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/02/08 01:44:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/02/01 01:20:03 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\felix@fjeyar.com
[2010/01/16 02:49:58 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\personas@christopher.beard
[2009/11/19 01:21:09 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\texpertension@texperts.com
[2009/11/12 01:06:19 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\tineye@ideeinc.com
[2010/02/22 17:21:32 | 000,006,240 | ---- | M] () -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\searchplugins\bible-gateway.xml
[2009/09/17 19:35:14 | 000,000,750 | ---- | M] () -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\searchplugins\torrent-scan.xml
[2010/02/18 16:42:11 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/02/02 04:14:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}
[2009/08/03 14:07:42 | 000,373,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll

O1 HOSTS File: ([2010/02/26 01:12:05 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - No CLSID value found.
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O7 - HKU\S-1-5-21-215946107-2105060619-4208827591-1001_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.177.176.38 24.197.160.18
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 15:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/07/13 20:37:08 | 000,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)

MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Libox.lnk - C:\PROGRA~1\Libox\Libox.exe - File not found
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Aim6 - hkey= - key= - C:\Program Files\AIM6\aim6.exe (AOL LLC)
MsConfig - StartUpReg: BlackBerryAutoUpdate - hkey= - key= - C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
MsConfig - StartUpReg: DELL Webcam Manager - hkey= - key= - C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe (Creative Technology Ltd.)
MsConfig - StartUpReg: Messenger (Yahoo!) - hkey= - key= - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
MsConfig - StartUpReg: PeerBlock - hkey= - key= - C:\Program Files\PeerBlock\peerblock.exe (PeerBlock, LLC)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - State: "startup" - 2

ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3F12FAF0-5F3E-CCC8-3B09-2A93B6CB9F07} - Microsoft Windows Media Player
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: msacm.ac3filter - C:\Windows\System32\ac3filter.acm ()
Drivers32: msacm.avis - C:\Windows\System32\ff_acm.acm ()
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.FFDS - C:\Windows\System32\ff_vfw.dll ()

========== Files/Folders - Created Within 14 Days ==========

[2010/02/27 19:35:49 | 000,549,888 | ---- | C] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
[2010/02/26 01:20:08 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/02/26 01:19:14 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/02/26 01:10:07 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\temp
[2010/02/26 00:53:15 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/02/26 00:53:14 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/02/26 00:53:14 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/02/26 00:53:03 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/02/26 00:52:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/26 00:52:14 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/02/25 12:49:28 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/02/25 07:38:44 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/02/25 02:53:13 | 000,000,000 | ---D | C] -- C:\Users\User\Desktop\SmitfraudFix
[2010/02/25 01:19:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/02/25 01:19:25 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/02/24 17:32:15 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2010/02/24 15:28:33 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Malwarebytes
[2010/02/24 15:28:29 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/02/24 15:28:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/02/24 15:28:26 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/02/24 15:28:26 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/24 14:45:53 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\J River
[2010/02/24 13:53:07 | 000,044,080 | R--- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\SymIMV.sys
[2010/02/24 00:32:15 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Openworld Learning
[2010/02/23 23:29:58 | 000,000,000 | ---D | C] -- C:\Users\User\Desktop\viewer
[2010/02/22 18:36:17 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Yahoo!
[2010/02/22 18:36:17 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\Yahoo
[2010/02/22 18:35:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Yahoo!
[2010/02/22 18:33:04 | 000,000,000 | ---D | C] -- C:\Program Files\Yahoo!
[2010/02/19 01:08:11 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\GetRightToGo
[2010/02/18 18:04:20 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\vlc
[2010/02/18 18:02:44 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2010/02/18 16:42:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/02/18 16:42:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/02/16 00:46:03 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Revolution
[2010/02/16 00:45:30 | 000,000,000 | ---D | C] -- C:\Program Files\Revolution Dreamcard Player
[2010/02/15 21:09:45 | 000,000,000 | ---D | C] -- C:\Users\User\Desktop\medialink

========== Files - Modified Within 14 Days ==========

[2010/02/27 19:42:20 | 006,291,456 | -HS- | M] () -- C:\Users\User\NTUSER.DAT
[2010/02/27 19:35:49 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
[2010/02/27 19:26:00 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/27 17:27:45 | 000,013,248 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/02/27 17:27:45 | 000,013,248 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/02/27 17:20:41 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/27 17:20:25 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/02/27 17:20:12 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/02/27 17:19:51 | 2408,398,848 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/27 06:36:18 | 001,071,471 | -H-- | M] () -- C:\Users\User\AppData\Local\IconCache.db
[2010/02/26 01:12:26 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/02/26 01:12:05 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/02/25 21:04:24 | 146,159,467 | ---- | M] () -- C:\Windows\System32\FZEMGACTWU
[2010/02/25 14:35:51 | 000,544,943 | ---- | M] () -- C:\Users\User\Desktop\redirect.png
[2010/02/25 10:33:18 | 000,000,036 | ---- | M] () -- C:\Users\User\AppData\Local\housecall.guid.cache
[2010/02/25 02:54:15 | 000,000,035 | ---- | M] () -- C:\Users\User\AppData\Roaming\SetValue.bat
[2010/02/25 02:54:14 | 000,000,691 | ---- | M] () -- C:\Users\User\AppData\Roaming\GetValue.vbs
[2010/02/25 02:50:35 | 000,000,082 | ---- | M] () -- C:\Users\User\Desktop\cc_20100225_025024.reg
[2010/02/25 01:19:30 | 000,001,218 | ---- | M] () -- C:\Users\User\Desktop\Spybot - Search & Destroy.lnk
[2010/02/24 23:13:54 | 000,021,504 | ---- | M] () -- C:\Users\User\Desktop\popup warning.png
[2010/02/24 23:13:26 | 000,194,400 | ---- | M] () -- C:\Users\User\Desktop\popup.png
[2010/02/24 22:49:06 | 000,524,288 | ---- | M] () -- C:\Users\User\Desktop\dds.scr
[2010/02/24 15:28:31 | 000,000,981 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/23 22:48:24 | 000,004,735 | ---- | M] () -- C:\Users\User\Desktop\index.php
[2010/02/23 02:25:38 | 000,029,348 | ---- | M] () -- C:\Users\User\Desktop\Untitled.jpg
[2010/02/22 18:35:09 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2010/02/22 15:05:05 | 000,013,824 | ---- | M] () -- C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/18 18:02:57 | 000,001,026 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2010/02/17 14:21:05 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/02/17 14:21:05 | 000,615,360 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/02/17 14:21:05 | 000,103,702 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/02/15 23:11:45 | 000,227,442 | ---- | M] () -- C:\Users\User\Desktop\IMG000661.jpg
[2010/02/15 17:18:16 | 000,446,791 | ---- | M] () -- C:\Users\User\Desktop\IMG00066.jpg
[2010/02/15 17:17:54 | 000,535,637 | ---- | M] () -- C:\Users\User\Desktop\IMG00065.jpg

========== Files Created - No Company Name ==========

[2010/02/26 00:53:15 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/02/26 00:53:14 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/02/26 00:53:14 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/02/26 00:53:14 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/02/26 00:53:14 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/02/25 20:58:36 | 146,159,467 | ---- | C] () -- C:\Windows\System32\FZEMGACTWU
[2010/02/25 14:35:51 | 000,544,943 | ---- | C] () -- C:\Users\User\Desktop\redirect.png
[2010/02/25 10:33:18 | 000,000,036 | ---- | C] () -- C:\Users\User\AppData\Local\housecall.guid.cache
[2010/02/25 02:54:15 | 000,000,035 | ---- | C] () -- C:\Users\User\AppData\Roaming\SetValue.bat
[2010/02/25 02:54:14 | 000,000,691 | ---- | C] () -- C:\Users\User\AppData\Roaming\GetValue.vbs
[2010/02/25 02:50:35 | 000,000,082 | ---- | C] () -- C:\Users\User\Desktop\cc_20100225_025024.reg
[2010/02/25 01:19:30 | 000,001,218 | ---- | C] () -- C:\Users\User\Desktop\Spybot - Search & Destroy.lnk
[2010/02/24 23:13:40 | 000,021,504 | ---- | C] () -- C:\Users\User\Desktop\popup warning.png
[2010/02/24 23:13:26 | 000,194,400 | ---- | C] () -- C:\Users\User\Desktop\popup.png
[2010/02/24 22:49:06 | 000,524,288 | ---- | C] () -- C:\Users\User\Desktop\dds.scr
[2010/02/24 15:28:31 | 000,000,981 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/23 02:25:38 | 000,029,348 | ---- | C] () -- C:\Users\User\Desktop\Untitled.jpg
[2010/02/22 18:35:09 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2010/02/18 18:02:57 | 000,001,026 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2010/02/15 23:11:44 | 000,227,442 | ---- | C] () -- C:\Users\User\Desktop\IMG000661.jpg
[2010/02/15 22:56:49 | 000,535,637 | ---- | C] () -- C:\Users\User\Desktop\IMG00065.jpg
[2010/02/15 22:56:49 | 000,446,791 | ---- | C] () -- C:\Users\User\Desktop\IMG00066.jpg
[2010/02/10 14:18:06 | 000,022,146 | ---- | C] () -- C:\Windows\System32\llbeh3.dll
[2010/01/31 01:58:13 | 000,014,976 | ---- | C] () -- C:\Windows\System32\drivers\SBKUPNT.SYS
[2010/01/31 01:58:03 | 000,002,799 | ---- | C] () -- C:\Windows\SKLANG.INI
[2009/12/07 13:59:35 | 000,013,824 | ---- | C] () -- C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/26 03:12:26 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/11/25 22:50:26 | 000,758,018 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/11/25 22:50:26 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/10/27 18:30:58 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/10/26 16:40:15 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2009/10/26 00:27:16 | 000,691,560 | ---- | C] () -- C:\Windows\System32\OGACHE~1.DLL
[2009/10/26 00:23:22 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/10/24 03:59:34 | 000,007,605 | ---- | C] () -- C:\Users\User\AppData\Local\resmon.resmoncfg
[2009/10/24 01:24:01 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2009/08/16 10:08:36 | 000,178,176 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2009/07/13 17:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 17:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2007/02/05 19:05:26 | 000,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI

========== LOP Check ==========

[2010/01/04 02:10:16 | 000,000,000 | ---D | M] -- C:\Users\Guest\AppData\Roaming\Rainmeter
[2010/01/13 13:28:29 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\.purple
[2009/10/24 03:46:08 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\acccore
[2010/02/09 13:07:27 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Acoustica
[2009/10/27 17:38:00 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\avidemux
[2009/12/09 00:38:51 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Bitsoft
[2009/10/24 02:53:00 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Blackberry Desktop
[2009/11/25 00:16:32 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\DeviceDoctorSoftware
[2009/12/29 00:01:20 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Easy Duplicate Finder
[2009/12/14 00:14:20 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\GARMIN
[2009/12/09 00:36:10 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\GeoVid
[2010/02/19 01:12:26 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\GetRightToGo
[2009/12/03 13:52:34 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\gtk-2.0
[2009/11/26 00:19:30 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\HandBrake
[2010/01/25 20:04:29 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\ImgBurn
[2010/02/24 14:45:53 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\J River
[2010/02/02 16:07:51 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\LammerSoft
[2009/10/24 02:58:46 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mathsoft
[2009/12/11 11:08:50 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mp3tag
[2009/11/10 20:35:40 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\OneSwarm
[2010/02/24 00:32:15 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Openworld Learning
[2009/12/01 15:19:45 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\PowerWorld
[2009/12/18 23:36:02 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\r2 Studios
[2009/12/03 14:50:47 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Rainmeter
[2009/10/24 03:01:36 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Research In Motion
[2010/02/16 00:46:03 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Revolution
[2009/10/25 21:27:49 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\SSH
[2009/11/12 00:49:55 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\tmp
[2010/02/24 01:35:09 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\uTorrent
[2009/12/03 22:01:52 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Win7codecs
[2010/02/11 01:16:23 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\WindSolutions
[2010/02/11 01:52:41 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\x3watch
[2010/01/04 02:43:39 | 000,000,000 | ---D | M] -- C:\Users\Visitor\AppData\Roaming\Rainmeter
[2010/02/26 00:56:35 | 000,032,548 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/13 19:15:36 | 000,226,816 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\LocationApi.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/20 20:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows.old\Windows\System32\drivers\AGP440.sys
[2008/01/20 20:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows.old\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/20 20:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows.old\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2009/07/13 19:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\ERDNT\cache\AGP440.sys
[2009/07/13 19:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009/07/13 19:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
[2009/07/13 19:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys
[2006/11/02 03:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows.old\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/11 00:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows.old\Windows\System32\drivers\atapi.sys
[2009/04/11 00:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows.old\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2008/01/20 20:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows.old\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2009/07/13 19:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\ERDNT\cache\atapi.sys
[2009/07/13 19:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/13 19:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/13 19:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys
[2006/11/02 03:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows.old\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/13 19:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\ERDNT\cache\cngaudit.dll
[2009/07/13 19:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009/07/13 19:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
[2006/11/02 03:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows.old\Windows\System32\cngaudit.dll

< MD5 for: EVENTLOG.DLL >
[1999/10/02 09:24:46 | 000,017,408 | ---- | M] () MD5=1363337A5301619F00F8033835EF30E9 -- C:\Program Files\MATLAB\R2007b\sys\perl\win32\site\lib\auto\Win32\EventLog\EventLog.dll

< MD5 for: IASTOR.SYS >
[2009/06/04 17:54:36 | 000,408,600 | ---- | M] (Intel Corporation) MD5=1D004CB1DA6323B1F55CAEF7F94B61D9 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver64\IaStor.sys
[2007/02/12 12:37:22 | 000,537,368 | ---- | M] (Intel Corporation) MD5=2EE127D5407DA3957EE54711C9AED6EC -- C:\Windows.old\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys
[2009/06/04 17:43:16 | 000,330,264 | ---- | M] (Intel Corporation) MD5=D483687EACE0C065EE772481A96E05F5 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver\IaStor.sys
[2009/06/04 17:43:16 | 000,330,264 | ---- | M] (Intel Corporation) MD5=D483687EACE0C065EE772481A96E05F5 -- C:\Windows\System32\drivers\iaStor.sys
[2009/06/04 17:43:16 | 000,330,264 | ---- | M] (Intel Corporation) MD5=D483687EACE0C065EE772481A96E05F5 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_x86_neutral_4f144d6467fc7c22\iaStor.sys
[2008/03/24 00:29:16 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\Drivers\storage\R154200\iastor.sys
[2007/02/12 12:36:54 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\Windows.old\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys
[2008/03/24 00:29:16 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\Windows.old\Windows\System32\drivers\iaStor.sys
[2008/03/24 00:29:16 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\Windows.old\Windows\System32\DriverStore\FileRepository\iaahci.inf_1cb29a96\iaStor.sys
[2008/03/24 00:29:16 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\Windows.old\Windows\System32\DriverStore\FileRepository\iastor.inf_8f0cb06b\iaStor.sys

< MD5 for: IASTORV.SYS >
[2008/01/20 20:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows.old\Windows\System32\drivers\iaStorV.sys
[2008/01/20 20:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows.old\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2009/07/13 19:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
[2009/07/13 19:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/13 19:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys
[2006/11/02 03:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows.old\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/04/11 00:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows.old\Windows\System32\netlogon.dll
[2009/07/13 19:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\ERDNT\cache\netlogon.dll
[2009/07/13 19:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009/07/13 19:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 03:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows.old\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/20 20:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows.old\Windows\System32\drivers\nvstor.sys
[2008/01/20 20:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows.old\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2009/07/13 19:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
[2009/07/13 19:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/13 19:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/13 19:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\ERDNT\cache\scecli.dll
[2009/07/13 19:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009/07/13 19:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll
[2009/04/11 00:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows.old\Windows\System32\scecli.dll

< %systemroot%\*. /mp /s >

< End of report >


#5 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts

Posted 28 February 2010 - 07:24 AM

QUOTE
Just FYI: After posting my original post, I ran combofix among many other things (I know it's frowned upon). Combofix found an issue with iastor.sys. The intrusion attempts and redirects have stopped, but I'm well aware that something could still be there. I won't run anything without your permission from this point on :D


That's ok, although CF is a very powerful tool and can render your machine unbootable without trained guidance. Can you please post the CF log? It should be in c:\combofix.txt.

The iaStor.sys virus is a backdoor trojan. It should be removed now, but please see below:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#6 ajrty33

  • Topic Starter
  • Members
  • 13 posts

Posted 28 February 2010 - 12:13 PM

ComboFix.txt:

ComboFix 10-02-25.02 - User 02/26/2010 1:00.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3062.2277 [GMT -6:00]
Running from: c:\users\User\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Ijl11.dll
c:\windows\system32\tmp.reg

Infected copy of c:\windows\system32\DRIVERS\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))
.

2010-02-26 07:10 . 2010-02-26 07:12 -------- d-----w- c:\users\User\AppData\Local\temp
2010-02-25 13:38 . 2010-02-25 20:02 -------- d-----w- c:\program files\Sophos
2010-02-25 07:19 . 2010-02-25 07:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-24 23:32 . 2010-02-25 20:02 -------- d-----w- c:\program files\Enigma Software Group
2010-02-24 21:28 . 2010-02-24 21:28 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2010-02-24 21:28 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-24 21:28 . 2010-02-24 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-24 21:28 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-24 20:45 . 2010-02-24 20:45 -------- d-----w- c:\users\User\AppData\Roaming\J River
2010-02-24 19:53 . 2009-12-03 06:09 44080 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-02-24 09:28 . 2009-12-13 09:30 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-02-24 09:28 . 2009-12-13 09:30 465408 ----a-w- c:\windows\system32\psisdecd.dll
2010-02-24 09:28 . 2009-12-13 09:29 417792 ----a-w- c:\windows\system32\msdri.dll
2010-02-24 09:27 . 2010-02-02 07:45 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 06:32 . 2010-02-24 06:32 -------- d-----w- c:\users\User\AppData\Roaming\Openworld Learning
2010-02-23 00:36 . 2010-02-23 00:36 -------- d-----w- c:\users\User\AppData\Roaming\Yahoo!
2010-02-23 00:36 . 2010-02-23 00:36 -------- d-----w- c:\users\User\AppData\Local\Yahoo
2010-02-23 00:33 . 2010-02-23 00:35 -------- d-----w- c:\program files\Yahoo!
2010-02-19 07:08 . 2010-02-19 07:12 -------- d-----w- c:\users\User\AppData\Roaming\GetRightToGo
2010-02-19 00:04 . 2010-02-24 06:05 -------- d-----w- c:\users\User\AppData\Roaming\vlc
2010-02-19 00:02 . 2010-02-19 00:02 -------- d-----w- c:\program files\VideoLAN
2010-02-18 22:42 . 2010-02-18 22:42 -------- d-----w- c:\program files\Common Files\Java
2010-02-16 06:46 . 2010-02-16 06:46 -------- d-----w- c:\users\User\AppData\Roaming\Revolution
2010-02-16 06:45 . 2010-02-16 06:50 -------- d-----w- c:\program files\Revolution Dreamcard Player
2010-02-12 05:08 . 2009-05-12 18:13 585728 ------w- c:\windows\system32\AReadyLB.dll
2010-02-12 05:08 . 2009-05-12 18:13 229376 ------w- c:\windows\system32\AudDevicePlugin.dll
2010-02-12 05:08 . 2008-07-12 14:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2010-02-12 05:06 . 2010-02-24 20:45 -------- d-----w- c:\program files\Media Center 14
2010-02-11 07:52 . 2010-02-11 07:52 -------- d-----w- c:\users\User\AppData\Roaming\x3watch
2010-02-11 06:53 . 2010-02-11 06:53 -------- d-----w- c:\program files\WindSolutions
2010-02-11 06:52 . 2010-02-11 06:52 -------- d-----w- c:\program files\Copy Trans Suite
2010-02-11 06:51 . 2010-02-11 07:16 -------- d-----w- c:\users\User\AppData\Roaming\WindSolutions
2010-02-10 20:18 . 2009-12-08 11:33 22146 ----a-w- c:\windows\system32\llbeh3.dll
2010-02-10 20:18 . 2009-12-08 11:40 3955288 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 20:18 . 2009-12-08 11:40 3899464 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 20:18 . 2009-12-08 11:32 292864 ----a-w- c:\windows\system32\apphelp.dll
2010-02-10 20:18 . 2009-12-08 08:05 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 20:18 . 2009-12-08 08:05 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-09 19:07 . 2010-02-09 19:07 -------- d-----w- c:\users\User\AppData\Roaming\Acoustica
2010-02-09 19:05 . 2007-08-07 17:32 57344 ----a-w- c:\windows\system32\Wnaspint.dll
2010-02-09 19:05 . 2010-02-10 02:14 -------- d-----w- c:\program files\Acoustica Shared Effects
2010-02-09 19:02 . 2010-02-09 19:05 -------- d-----w- c:\program files\Acoustica Mixcraft 4
2010-02-02 22:07 . 2010-02-02 22:07 -------- d-----w- c:\users\User\AppData\Roaming\LammerSoft
2010-02-02 22:07 . 2010-02-02 22:07 -------- d-----w- c:\program files\Lammer Context Menu
2010-01-31 20:55 . 2007-02-05 18:00 413760 ----a-w- c:\windows\system32\MPG4c32.dll
2010-01-31 07:58 . 2001-07-13 19:56 14976 ----a-w- c:\windows\system32\drivers\SBKUPNT.SYS
2010-01-31 07:58 . 1997-02-08 23:11 13312 ----a-w- c:\windows\system32\DEVLOAD.EXE
2010-01-31 07:58 . 1998-10-29 22:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-01-31 07:38 . 2010-01-31 07:38 -------- d-----w- c:\users\User\AppData\Roaming\Media Player Classic
2010-01-31 07:37 . 2010-01-31 07:38 -------- d-----w- c:\program files\MPC HomeCinema
2010-01-27 17:06 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer.exe
2010-01-27 17:06 . 2009-10-28 06:17 285696 ----a-w- c:\windows\system32\winlogon.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-26 06:51 . 2009-11-04 23:19 -------- d-----w- c:\program files\PeerBlock
2010-02-26 06:30 . 2009-10-26 02:28 -------- d-----w- c:\program files\LogMeIn
2010-02-25 20:10 . 2009-11-18 02:34 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-25 08:54 . 2010-02-25 08:54 35 ----a-w- c:\users\User\AppData\Roaming\SetValue.bat
2010-02-25 08:54 . 2010-02-25 08:54 691 ----a-w- c:\users\User\AppData\Roaming\GetValue.vbs
2010-02-24 07:35 . 2009-10-24 09:17 -------- d-----w- c:\users\User\AppData\Roaming\uTorrent
2010-02-19 01:44 . 2009-10-26 03:19 -------- d-----w- c:\program files\VLC
2010-02-18 22:41 . 2009-10-26 03:04 -------- d-----w- c:\program files\Java
2010-02-09 19:10 . 2010-01-11 05:47 -------- d-----w- c:\users\User\AppData\Roaming\dvdcss
2010-02-06 21:12 . 2009-12-13 07:55 -------- d-----w- c:\program files\Google
2010-01-26 02:31 . 2010-01-26 02:31 -------- d-----w- c:\program files\LogixPro
2010-01-26 02:04 . 2010-01-26 02:04 -------- d-----w- c:\users\User\AppData\Roaming\ImgBurn
2010-01-26 02:01 . 2010-01-26 02:01 -------- d-----w- c:\program files\ImgBurn
2010-01-26 01:10 . 2010-01-26 01:10 -------- d-----w- c:\program files\TheLearningPit
2010-01-26 00:37 . 2010-01-26 00:36 -------- d-----w- c:\program files\MagicDisc
2010-01-21 13:19 . 2009-12-13 06:38 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-18 23:29 . 2010-02-10 20:17 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-18 23:29 . 2010-02-10 20:17 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29 . 2010-02-10 20:17 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29 . 2010-02-10 20:17 369152 ----a-w- c:\windows\system32\secproc.dll
2010-01-18 23:28 . 2010-02-10 20:17 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28 . 2010-02-10 20:17 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28 . 2010-02-10 20:17 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-18 23:28 . 2010-02-10 20:17 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-13 19:28 . 2009-12-03 19:28 -------- d-----w- c:\users\User\AppData\Roaming\.purple
2010-01-11 06:27 . 2010-01-11 06:27 -------- d-----w- c:\program files\bitRipper
2010-01-10 21:07 . 2010-01-10 06:06 -------- d-----w- c:\users\User\AppData\Roaming\Move Networks
2010-01-08 03:18 . 2010-02-10 20:17 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-01-08 03:17 . 2010-02-10 20:17 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-01-05 03:41 . 2010-01-05 03:41 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-01-04 20:14 . 2010-01-04 20:14 -------- d-----w- c:\users\User\AppData\Roaming\Creative
2010-01-04 08:43 . 2010-01-04 08:43 68696 ----a-w- c:\users\Visitor\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-04 08:43 . 2010-01-04 08:43 -------- d-----w- c:\users\Visitor\AppData\Roaming\Rainmeter
2010-01-04 08:10 . 2010-01-04 08:10 68696 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-04 08:10 . 2010-01-04 08:09 -------- d-----w- c:\users\Guest\AppData\Roaming\Rainmeter
2009-12-29 06:01 . 2009-12-29 06:01 -------- d-----w- c:\users\User\AppData\Roaming\Easy Duplicate Finder
2009-12-29 06:01 . 2009-12-29 06:01 -------- d-----w- c:\program files\Easy Duplicate Finder
2009-12-29 05:48 . 2009-10-24 07:32 68696 ----a-w- c:\users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-29 04:57 . 2009-12-29 04:57 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-12-29 04:56 . 2009-12-29 04:56 -------- d-----w- c:\program files\Microsoft.NET
2009-12-19 09:02 . 2010-01-22 17:08 977920 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 09:02 . 2010-02-10 20:17 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-19 09:02 . 2010-02-10 20:17 1328640 ----a-w- c:\windows\system32\quartz.dll
2009-12-19 09:02 . 2010-02-10 20:17 22016 ----a-w- c:\windows\system32\msyuv.dll
2009-12-19 09:02 . 2010-02-10 20:17 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-19 09:02 . 2010-02-10 20:17 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-19 09:02 . 2010-02-10 20:17 84480 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-19 09:02 . 2010-02-10 20:17 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-19 09:02 . 2010-02-10 20:17 91648 ----a-w- c:\windows\system32\avifil32.dll
2009-12-17 23:14 . 2009-10-26 03:04 411368 ----a-w- c:\windows\system32\deploytk.dll
2006-06-16 01:33 . 2009-10-26 07:26 233472 ----a-w- c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-25 23:43 . 2009-10-26 07:26 204895 ----a-w- c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 19:41 . 2009-10-26 07:26 77824 ----a-w- c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 18:10 . 2009-10-26 07:26 426081 ----a-w- c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 17:19 . 2009-10-26 07:23 458752 ----a-w- c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 23:35 . 2009-10-26 07:26 139264 ----a-w- c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 16:10 . 2009-10-26 07:23 204800 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 16:42 . 2009-10-26 07:23 106496 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 16:22 . 2009-10-26 07:24 212992 ----a-w- c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 16:21 . 2009-10-26 07:24 167936 ----a-w- c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2009-10-26 07:26 . 2009-10-26 07:26 76 --sh--r- c:\windows\CT4CET.bin
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1029416]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Libox.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Libox.lnk
backup=c:\windows\pss\Libox.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 17:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-07-09 20:07 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-11-20 04:29 623960 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 21:43 118784 ------w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 21:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerBlock]
2009-09-28 08:02 1529432 ----a-w- c:\program files\PeerBlock\peerblock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [11/2/2009 9:15 PM 28552]
R0 SymDS;Symantec Data Store;c:\windows\System32\drivers\NIS\1105000.07F\symds.sys [1/21/2010 2:45 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1105000.07F\symefa.sys [1/21/2010 2:45 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [2/11/2010 12:44 PM 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1105000.07F\cchpx86.sys [1/21/2010 2:45 PM 501888]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100224.002\IDSvix86.sys [2/25/2010 2:36 PM 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\System32\drivers\NIS\1105000.07F\ironx86.sys [1/21/2010 2:45 PM 116272]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\drivers\NIS\1105000.07F\symtdiv.sys [1/21/2010 2:45 PM 340016]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\System32\drivers\vwififlt.sys [7/13/2009 5:52 PM 48128]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [10/25/2009 8:29 PM 47640]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.5.0.127\ccsvchst.exe [1/21/2010 2:45 PM 126392]
R2 SBKUPNT;SBKUPNT;c:\windows\System32\drivers\SBKUPNT.SYS [1/31/2010 1:58 AM 14976]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/25/2009 10:11 PM 102448]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\System32\drivers\vwifimp.sys [7/13/2009 5:52 PM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/13/2009 1:55 AM 135664]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\System32\drivers\dc3d.sys [10/16/2009 11:26 PM 16896]
S3 DMJWTY;DMJWTY;c:\users\User\AppData\Local\Temp\DMJWTY.exe --> c:\users\User\AppData\Local\Temp\DMJWTY.exe [?]
S3 MEIMRGXWWUDF;MEIMRGXWWUDF;c:\users\User\AppData\Local\Temp\MEIMRGXWWUDF.exe --> c:\users\User\AppData\Local\Temp\MEIMRGXWWUDF.exe [?]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [11/4/2009 5:19 PM 16472]
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 07:55]

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 07:55]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = ftp=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\
FF - prefs.js: browser.search.selectedEngine - Bible Gateway
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\users\User\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService
MSConfigStartUp-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
MSConfigStartUp-RoxWatchTray - c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\F9D9.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2010-02-26 01:20:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-26 07:20

Pre-Run: 73,050,148,864 bytes free
Post-Run: 73,086,615,552 bytes free

- - End Of File - - B13B07F439352A5281F3EFDB6579D93E

#7 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 28 February 2010 - 12:29 PM

Hello, ajrty33.
OK, there are some minor things we need to do. How is it running after you ran ComboFix?

I see Viewpoint is installed on your machine. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to the Control Panel, then Add or Remove Programs, and uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.



Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
MEIMRGXWWUDF
DMJWTY
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{DE9C389F-3316-41A7-809B-AA305ED9D922}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{DE9C389F-3316-41A7-809B-AA305ED9D922}"=-
[-HKEY_CLASSES_ROOT\CLSID\{DE9C389F-3316-41A7-809B-AA305ED9D922}]


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
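
The CFScript above removes the two S3 services whose image is a missing executable under the user's Temp directory and unlocks the keys ComboFix reported as locked. The first log also shows a per-user proxy pointing every scheme at localhost (a local interceptor redirecting browser traffic, which matches the redirect pop-ups) and an orphaned WebBrowser CLSID. As an added illustration, not part of this thread and not ComboFix's or the helper's own code, the Python script below parses those three kinds of ComboFix log lines, flags the ones a responder would act on, and prints the corresponding CFScript stanzas. The sample lines are copied from the log posted earlier; the HKCU Internet Settings path and the `Registry::` stanza for clearing the proxy are my assumptions about how that cleanup would be expressed in CFScript syntax, not something the helper asked for here.

```python
"""Triage ComboFix log lines for the indicators seen in this thread.

Added example: flags services with a missing/Temp-resident image, a
loopback proxy in Internet Settings, and orphaned WebBrowser CLSIDs,
then emits CFScript stanzas in the Driver:: / Registry:: syntax.
"""
import re
from typing import Dict, List

# Constructed sample: six lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.5.0.127\ccsvchst.exe [1/21/2010 2:45 PM 126392]
S3 DMJWTY;DMJWTY;c:\users\User\AppData\Local\Temp\DMJWTY.exe --> c:\users\User\AppData\Local\Temp\DMJWTY.exe [?]
S3 MEIMRGXWWUDF;MEIMRGXWWUDF;c:\users\User\AppData\Local\Temp\MEIMRGXWWUDF.exe --> c:\users\User\AppData\Local\Temp\MEIMRGXWWUDF.exe [?]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [11/4/2009 5:19 PM 16472]
uInternet Settings,ProxyServer = ftp=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
"""

# "<R|S><start> name;display;image [timestamp size]"; "[?]" replaces the
# timestamp/size when ComboFix could not find the image on disk.
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)\s\[(.*)\]\s*$")
# Assumption: the leading "u" marks the per-user (HKCU) hive, "m" the machine hive.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
ORPHAN_RE = re.compile(r"^WebBrowser-(\{[0-9A-Fa-f-]{36}\}) - \(no file\)$")
LOOPBACK = ("localhost", "127.0.0.1")


def triage(log_text: str) -> Dict[str, object]:
    """Return suspicious services, loopback proxy entries and orphaned CLSIDs."""
    suspicious: List[Dict[str, str]] = []
    proxy: Dict[str, str] = {}
    orphans: List[str] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            name, image_field, info = m.group(3), m.group(5), m.group(6)
            image = image_field.split(" --> ")[0].strip()  # drop the "--> resolved path" tail
            reasons = []
            if info.strip() == "?":
                reasons.append("image file not found")
            if re.search(r"\\temp\\", image, re.IGNORECASE):
                reasons.append("image lives in a Temp directory")
            if re.search(r"\\users\\", image, re.IGNORECASE):
                reasons.append("service image under a user profile")
            if reasons:
                suspicious.append({"name": name, "image": image, "why": "; ".join(reasons)})
            continue
        m = PROXY_RE.match(line)
        if m:
            # Value is either "host:port" or "scheme=host:port;scheme=host:port;..."
            for entry in m.group(1).split(";"):
                scheme, sep, hostport = entry.partition("=")
                if not sep:
                    scheme, hostport = "all", entry
                host = hostport.strip().rsplit(":", 1)[0].lower()
                if host in LOOPBACK:  # a local proxy with no proxy software installed = interceptor
                    proxy[scheme.strip()] = hostport.strip()
            continue
        m = ORPHAN_RE.match(line)
        if m:
            orphans.append(m.group(1))
    return {"suspicious_services": suspicious, "loopback_proxy": proxy, "orphans": orphans}


def build_cfscript(report: Dict[str, object]) -> str:
    """Emit CFScript stanzas for the findings (Driver:: syntax as used in the thread)."""
    parts = []
    names = [s["name"] for s in report["suspicious_services"]]
    if names:
        parts.append("Driver::\n" + "\n".join(names) + "\n")
    if report["loopback_proxy"]:
        # Assumption: clearing the per-user proxy via the standard IE settings key.
        parts.append(
            "Registry::\n"
            r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]" "\n"
            '"ProxyServer"=-\n'
            '"ProxyEnable"=dword:00000000\n'
        )
    return "\n".join(parts)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for svc in result["suspicious_services"]:
        print(f"SERVICE {svc['name']}: {svc['image']} ({svc['why']})")
    for scheme, target in result["loopback_proxy"].items():
        print(f"PROXY {scheme} -> {target}")
    for clsid in result["orphans"]:
        print(f"ORPHAN WebBrowser {clsid}")
    print(build_cfscript(result))
```

Run against the real ComboFix.txt by passing its contents to `triage()`; the generated stanzas are a starting point for review, not something to drop onto ComboFix unread, since the `[?]` marker also appears for legitimate drivers whose image is temporarily absent.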
 


#8 ajrty33

  • Topic Starter
  • Members
  • 13 posts

Posted 01 March 2010 - 12:43 AM

After I ran ComboFix the first time, the redirects and pop-ups stopped, as did Norton's notifications about blocked intrusion attempts.
I searched for anything related to Viewpoint and could not find anything.


Here is ComboFix.txt:

ComboFix 10-02-25.02 - User 02/28/2010 22:39:30.2.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3062.2088 [GMT -6:00]
Running from: c:\users\User\Desktop\ComboFix.exe
Command switches used :: c:\users\User\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_DMJWTY
-------\Service_MEIMRGXWWUDF


((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-03-01 04:47 . 2010-03-01 04:47 -------- d-----w- c:\users\Visitor\AppData\Local\temp
2010-03-01 04:47 . 2010-03-01 04:47 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-01 04:47 . 2010-03-01 04:47 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-03-01 04:47 . 2010-03-01 04:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-26 07:10 . 2010-03-01 04:50 -------- d-----w- c:\users\User\AppData\Local\temp
2010-02-25 13:38 . 2010-02-25 20:02 -------- d-----w- c:\program files\Sophos
2010-02-25 07:19 . 2010-02-25 07:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-24 23:32 . 2010-02-25 20:02 -------- d-----w- c:\program files\Enigma Software Group
2010-02-24 21:28 . 2010-02-24 21:28 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2010-02-24 21:28 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-24 21:28 . 2010-02-24 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-24 21:28 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-24 20:45 . 2010-02-24 20:45 -------- d-----w- c:\users\User\AppData\Roaming\J River
2010-02-24 19:53 . 2009-12-03 06:09 44080 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-02-24 09:28 . 2009-12-13 09:30 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-02-24 09:28 . 2009-12-13 09:30 465408 ----a-w- c:\windows\system32\psisdecd.dll
2010-02-24 09:28 . 2009-12-13 09:29 417792 ----a-w- c:\windows\system32\msdri.dll
2010-02-24 09:27 . 2010-02-02 07:45 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 06:32 . 2010-02-24 06:32 -------- d-----w- c:\users\User\AppData\Roaming\Openworld Learning
2010-02-23 00:36 . 2010-02-23 00:36 -------- d-----w- c:\users\User\AppData\Roaming\Yahoo!
2010-02-23 00:36 . 2010-02-23 00:36 -------- d-----w- c:\users\User\AppData\Local\Yahoo
2010-02-23 00:33 . 2010-02-23 00:35 -------- d-----w- c:\program files\Yahoo!
2010-02-19 07:08 . 2010-02-19 07:12 -------- d-----w- c:\users\User\AppData\Roaming\GetRightToGo
2010-02-19 00:04 . 2010-02-24 06:05 -------- d-----w- c:\users\User\AppData\Roaming\vlc
2010-02-19 00:02 . 2010-02-19 00:02 -------- d-----w- c:\program files\VideoLAN
2010-02-18 22:42 . 2010-02-18 22:42 -------- d-----w- c:\program files\Common Files\Java
2010-02-16 06:46 . 2010-02-16 06:46 -------- d-----w- c:\users\User\AppData\Roaming\Revolution
2010-02-16 06:45 . 2010-02-16 06:50 -------- d-----w- c:\program files\Revolution Dreamcard Player
2010-02-12 05:08 . 2009-05-12 18:13 585728 ------w- c:\windows\system32\AReadyLB.dll
2010-02-12 05:08 . 2009-05-12 18:13 229376 ------w- c:\windows\system32\AudDevicePlugin.dll
2010-02-12 05:08 . 2008-07-12 14:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2010-02-12 05:06 . 2010-02-24 20:45 -------- d-----w- c:\program files\Media Center 14
2010-02-11 07:52 . 2010-02-11 07:52 -------- d-----w- c:\users\User\AppData\Roaming\x3watch
2010-02-11 06:53 . 2010-02-11 06:53 -------- d-----w- c:\program files\WindSolutions
2010-02-11 06:52 . 2010-02-11 06:52 -------- d-----w- c:\program files\Copy Trans Suite
2010-02-11 06:51 . 2010-02-11 07:16 -------- d-----w- c:\users\User\AppData\Roaming\WindSolutions
2010-02-10 20:18 . 2009-12-08 11:33 22146 ----a-w- c:\windows\system32\llbeh3.dll
2010-02-10 20:18 . 2009-12-08 11:40 3955288 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 20:18 . 2009-12-08 11:40 3899464 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 20:18 . 2009-12-08 11:32 292864 ----a-w- c:\windows\system32\apphelp.dll
2010-02-10 20:18 . 2009-12-08 08:05 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 20:18 . 2009-12-08 08:05 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-09 19:07 . 2010-02-09 19:07 -------- d-----w- c:\users\User\AppData\Roaming\Acoustica
2010-02-09 19:05 . 2007-08-07 17:32 57344 ----a-w- c:\windows\system32\Wnaspint.dll
2010-02-09 19:05 . 2010-02-10 02:14 -------- d-----w- c:\program files\Acoustica Shared Effects
2010-02-09 19:02 . 2010-02-09 19:05 -------- d-----w- c:\program files\Acoustica Mixcraft 4
2010-02-02 22:07 . 2010-02-02 22:07 -------- d-----w- c:\users\User\AppData\Roaming\LammerSoft
2010-02-02 22:07 . 2010-02-02 22:07 -------- d-----w- c:\program files\Lammer Context Menu
2010-01-31 20:55 . 2007-02-05 18:00 413760 ----a-w- c:\windows\system32\MPG4c32.dll
2010-01-31 07:58 . 2001-07-13 19:56 14976 ----a-w- c:\windows\system32\drivers\SBKUPNT.SYS
2010-01-31 07:58 . 1997-02-08 23:11 13312 ----a-w- c:\windows\system32\DEVLOAD.EXE
2010-01-31 07:58 . 1998-10-29 22:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-01-31 07:38 . 2010-01-31 07:38 -------- d-----w- c:\users\User\AppData\Roaming\Media Player Classic
2010-01-31 07:37 . 2010-01-31 07:38 -------- d-----w- c:\program files\MPC HomeCinema

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 07:11 . 2009-10-26 02:28 -------- d-----w- c:\program files\LogMeIn
2010-02-26 06:51 . 2009-11-04 23:19 -------- d-----w- c:\program files\PeerBlock
2010-02-25 20:10 . 2009-11-18 02:34 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-25 08:54 . 2010-02-25 08:54 35 ----a-w- c:\users\User\AppData\Roaming\SetValue.bat
2010-02-25 08:54 . 2010-02-25 08:54 691 ----a-w- c:\users\User\AppData\Roaming\GetValue.vbs
2010-02-24 07:35 . 2009-10-24 09:17 -------- d-----w- c:\users\User\AppData\Roaming\uTorrent
2010-02-19 01:44 . 2009-10-26 03:19 -------- d-----w- c:\program files\VLC
2010-02-18 22:41 . 2009-10-26 03:04 -------- d-----w- c:\program files\Java
2010-02-09 19:10 . 2010-01-11 05:47 -------- d-----w- c:\users\User\AppData\Roaming\dvdcss
2010-02-06 21:12 . 2009-12-13 07:55 -------- d-----w- c:\program files\Google
2010-01-26 02:31 . 2010-01-26 02:31 -------- d-----w- c:\program files\LogixPro
2010-01-26 02:04 . 2010-01-26 02:04 -------- d-----w- c:\users\User\AppData\Roaming\ImgBurn
2010-01-26 02:01 . 2010-01-26 02:01 -------- d-----w- c:\program files\ImgBurn
2010-01-26 01:10 . 2010-01-26 01:10 -------- d-----w- c:\program files\TheLearningPit
2010-01-26 00:37 . 2010-01-26 00:36 -------- d-----w- c:\program files\MagicDisc
2010-01-21 13:19 . 2009-12-13 06:38 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-18 23:29 . 2010-02-10 20:17 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-18 23:29 . 2010-02-10 20:17 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29 . 2010-02-10 20:17 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29 . 2010-02-10 20:17 369152 ----a-w- c:\windows\system32\secproc.dll
2010-01-18 23:28 . 2010-02-10 20:17 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28 . 2010-02-10 20:17 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28 . 2010-02-10 20:17 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-18 23:28 . 2010-02-10 20:17 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-13 19:28 . 2009-12-03 19:28 -------- d-----w- c:\users\User\AppData\Roaming\.purple
2010-01-11 06:27 . 2010-01-11 06:27 -------- d-----w- c:\program files\bitRipper
2010-01-10 21:07 . 2010-01-10 06:06 -------- d-----w- c:\users\User\AppData\Roaming\Move Networks
2010-01-08 03:18 . 2010-02-10 20:17 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-01-08 03:17 . 2010-02-10 20:17 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-01-05 03:41 . 2010-01-05 03:41 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-01-04 20:14 . 2010-01-04 20:14 -------- d-----w- c:\users\User\AppData\Roaming\Creative
2010-01-04 08:43 . 2010-01-04 08:43 68696 ----a-w- c:\users\Visitor\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-04 08:43 . 2010-01-04 08:43 -------- d-----w- c:\users\Visitor\AppData\Roaming\Rainmeter
2010-01-04 08:10 . 2010-01-04 08:10 68696 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-04 08:10 . 2010-01-04 08:09 -------- d-----w- c:\users\Guest\AppData\Roaming\Rainmeter
2009-12-29 05:48 . 2009-10-24 07:32 68696 ----a-w- c:\users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-19 09:02 . 2010-01-22 17:08 977920 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 09:02 . 2010-02-10 20:17 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-19 09:02 . 2010-02-10 20:17 1328640 ----a-w- c:\windows\system32\quartz.dll
2009-12-19 09:02 . 2010-02-10 20:17 22016 ----a-w- c:\windows\system32\msyuv.dll
2009-12-19 09:02 . 2010-02-10 20:17 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-19 09:02 . 2010-02-10 20:17 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-19 09:02 . 2010-02-10 20:17 84480 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-19 09:02 . 2010-02-10 20:17 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-19 09:02 . 2010-02-10 20:17 91648 ----a-w- c:\windows\system32\avifil32.dll
2009-12-17 23:14 . 2009-10-26 03:04 411368 ----a-w- c:\windows\system32\deploytk.dll
2006-06-16 01:33 . 2009-10-26 07:26 233472 ----a-w- c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-25 23:43 . 2009-10-26 07:26 204895 ----a-w- c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 19:41 . 2009-10-26 07:26 77824 ----a-w- c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 18:10 . 2009-10-26 07:26 426081 ----a-w- c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 17:19 . 2009-10-26 07:23 458752 ----a-w- c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 23:35 . 2009-10-26 07:26 139264 ----a-w- c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 16:10 . 2009-10-26 07:23 204800 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 16:42 . 2009-10-26 07:23 106496 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 16:22 . 2009-10-26 07:24 212992 ----a-w- c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 16:21 . 2009-10-26 07:24 167936 ----a-w- c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2009-10-26 07:26 . 2009-10-26 07:26 76 --sh--r- c:\windows\CT4CET.bin
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1029416]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Libox.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Libox.lnk
backup=c:\windows\pss\Libox.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 17:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-07-09 20:07 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-11-20 04:29 623960 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 21:43 118784 ------w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 21:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerBlock]
2009-09-28 08:02 1529432 ----a-w- c:\program files\PeerBlock\peerblock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [11/2/2009 9:15 PM 28552]
R0 SymDS;Symantec Data Store;c:\windows\System32\drivers\NIS\1105000.07F\symds.sys [1/21/2010 2:45 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1105000.07F\symefa.sys [1/21/2010 2:45 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [2/11/2010 12:44 PM 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1105000.07F\cchpx86.sys [1/21/2010 2:45 PM 501888]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100224.002\IDSvix86.sys [2/25/2010 2:36 PM 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\System32\drivers\NIS\1105000.07F\ironx86.sys [1/21/2010 2:45 PM 116272]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\drivers\NIS\1105000.07F\symtdiv.sys [1/21/2010 2:45 PM 340016]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\System32\drivers\vwififlt.sys [7/13/2009 5:52 PM 48128]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [10/25/2009 8:29 PM 47640]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.5.0.127\ccsvchst.exe [1/21/2010 2:45 PM 126392]
R2 SBKUPNT;SBKUPNT;c:\windows\System32\drivers\SBKUPNT.SYS [1/31/2010 1:58 AM 14976]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/25/2009 10:11 PM 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/13/2009 1:55 AM 135664]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\System32\drivers\dc3d.sys [10/16/2009 11:26 PM 16896]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [11/4/2009 5:19 PM 16472]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\System32\drivers\vwifimp.sys [7/13/2009 5:52 PM 14336]
.
Contents of the 'Scheduled Tasks' folder

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 07:55]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 07:55]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = ftp=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\
FF - prefs.js: browser.search.selectedEngine - Bible Gateway
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\users\User\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\F9D9.tmp"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2010-02-28 22:58:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-01 04:57
ComboFix2.txt 2010-02-26 07:20

Pre-Run: 72,891,518,976 bytes free
Post-Run: 72,839,548,928 bytes free

- - End Of File - - BA24ED5E70CBF62F82C57BEE1CFC35B8


#9 etavares, Malware Response Team
Posted 01 March 2010 - 06:35 PM

Hello, ajrty33.

Ok, it's looking better. Let's get a second opinion.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#10 ajrty33, Topic Starter
Posted 01 March 2010 - 09:46 PM

Here are the results of the ESET Scan:

C:\ProgramData\Win7codecs\{6B010B4A-EBD4-491C-A6A9-BC1063E2A432}\Win7codecs.msi Win32/Packed.Autoit.Gen application
C:\Qoobox\Quarantine\C\Windows\System32\drivers\iaStor.sys.vir Win32/Olmarik.UI trojan
C:\Users\All Users\Win7codecs\{6B010B4A-EBD4-491C-A6A9-BC1063E2A432}\Win7codecs.msi Win32/Packed.Autoit.Gen application
C:\Windows\Installer\2cd7688.msi Win32/Packed.Autoit.Gen application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FQPVOQX0\q00a106201317r0409Re4b86184Xb480a47dYff07eb77Z0100f080[1].pdf JS/Exploit.Pdfka.BQP trojan
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNLTG1T6\q00a106201317r0409Rcc3b13d0Xb480a47dYff07eb77Z0100f080[1].pdf JS/Exploit.Pdfka.BQP trojan
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N8SPIBU2\q00a106201317r0409Rcc3b13d0X96cbb071Ydd4edd1aZ0100f080[1].pdf JS/Exploit.Pdfka.BQP trojan
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S84VEIS6\q00a106201317r0409Ra17c589cX96cbb312Ydd4edd1aZ0100f080[1].pdf JS/Exploit.Pdfka.BQP trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\895bc32-73c86fb9 multiple threats
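
Reading the two logs above (the ComboFix report with its localhost ProxyServer value and the MEMSWEEP2 service whose ImagePath is a .tmp file, and the ESET results with PDF exploits cached under the SYSTEM account's profile), a responder is looking for a handful of recurring indicators. The script below is an added example by the editor, not code from the thread, from ComboFix, OTL, ESET or BleepingComputer: it runs a few of those checks over log lines. The rule names, the Finding class and the thresholds are the editor's own heuristics, and SAMPLE is a constructed subset of lines copied from the logs posted in this thread.

```python
"""Triage pass over ComboFix / OTL / ESET-style removal-log lines.

Editor's added example for this thread; not code from ComboFix, OTL, ESET or
the forum. The rules are ordinary responder heuristics, not anything those
tools implement, and each hit is a lead to verify, not a verdict:

  proxy_localhost        WinINet ProxyServer points at the local host, so every
                         browser request is funnelled through a local process.
  service_tmp_image      A service whose ImagePath is a .tmp file: either a
                         scanner's throwaway driver or a dropper. Check which.
  driver_no_vendor       OTL "DRV -" line with an empty CompanyName: review by hand.
  systemprofile_artifact A file under the SYSTEM account's profile, i.e. fetched
                         by something running as SYSTEM, not by the logged-on user.

SAMPLE is a constructed subset of lines copied from the logs in this thread.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line: str


SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\services\\(?P<svc>[^\]]+)\]$", re.I)
IMAGEPATH_RE = re.compile(r'^"ImagePath"=(?P<val>.+)$', re.I)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<spec>\S+)", re.I)
OTL_DRV_RE = re.compile(
    r"^DRV - \[[^\]]*\] \((?P<vendor>[^)]*)\) \[[^\]]*\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)")
SYSTEMPROFILE_RE = re.compile(r"\\config\\systemprofile\\", re.I)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def proxy_targets_localhost(spec: str) -> bool:
    """True if any entry of a ProxyServer value names the local host.

    Accepts both "http=host:port;https=host:port;..." and a bare "host:port".
    """
    for entry in spec.split(";"):
        hostport = entry.split("=", 1)[-1]              # drop the "http=" prefix if present
        host = hostport.rsplit(":", 1)[0].strip("[]")   # drop the port, unbracket IPv6
        if host.lower() in LOCAL_HOSTS:
            return True
    return False


def service_image(val: str) -> str:
    """Recover the executable path from an ImagePath value as ComboFix prints it."""
    val = val.strip().strip('"')
    if val.startswith('\\"'):                 # \"c:\path with spaces\x.exe\" args
        return val[2:].split('\\"', 1)[0]
    if val.lower().startswith("\\??\\"):      # NT object-manager prefix on raw device paths
        val = val[4:]
    return val.split(" ", 1)[0]               # unquoted: path ends at the first space


def triage(lines):
    """Return a list of Finding for every line that trips one of the rules."""
    findings = []
    current_service = None                    # the [services\<name>] key most recently seen
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = SERVICE_KEY_RE.match(line)
        if m:
            current_service = m.group("svc")
            continue
        m = IMAGEPATH_RE.match(line)
        if m:
            image = service_image(m.group("val"))
            if image.lower().endswith(".tmp"):
                findings.append(Finding("service_tmp_image", f"{current_service} -> {image}", line))
            continue
        m = PROXY_RE.search(line)
        if m and proxy_targets_localhost(m.group("spec")):
            findings.append(Finding("proxy_localhost", m.group("spec"), line))
            continue
        m = OTL_DRV_RE.match(line)
        if m:
            if not m.group("vendor").strip():
                findings.append(Finding("driver_no_vendor", f"{m.group('name')} {m.group('path')}", line))
            continue
        if SYSTEMPROFILE_RE.search(line):
            findings.append(Finding("systemprofile_artifact", "file under SYSTEM profile", line))
    return findings


# Constructed sample: lines copied from the ComboFix, OTL and ESET output in this thread.
SAMPLE = r'''
uInternet Settings,ProxyServer = ftp=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NIS\" /prefetch:1"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\F9D9.tmp"
DRV - [2009/09/28 02:02:42 | 000,016,472 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
DRV - [2009/11/05 16:06:13 | 000,328,752 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\NIS\1105000.07F\SYMDS.SYS -- (SymDS)
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FQPVOQX0\q00a106201317r0409Re4b86184Xb480a47dYff07eb77Z0100f080[1].pdf JS/Exploit.Pdfka.BQP trojan
C:\Windows\Installer\2cd7688.msi Win32/Packed.Autoit.Gen application
'''.strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.rule}] {f.detail}")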

#11 etavares, Malware Response Team
Posted 02 March 2010 - 10:31 PM

OK, let's clean this up. If there's anything in your recycle bin you want to save, please pull it out. We need to empty your temp folders.

Step 1

We need to run an OTL script.
  1. Please download OTL from one of the following mirrors if you do not still have it.
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    CODE
    :files
    C:\ProgramData\Win7codecs\{6B010B4A-EBD4-491C-A6A9-BC1063E2A432}\Win7codecs.msi
    C:\Users\All Users\Win7codecs\{6B010B4A-EBD4-491C-A6A9-BC1063E2A432}\Win7codecs.ms
    C:\Windows\Installer\2cd7688.msi
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\895bc32-73c86fb9
    :commands
    [EmptyTemp]
  5. Click the Run Fix button at the top.
  6. Let the program run unhindered and reboot when it is done.
  7. You will get a log when it is done, please post that in your reply.
  8. Please then create a new OTL report....
  9. Click the "Scan All Users" checkbox.
  10. Push the button.
  11. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


etavares



#12 ajrty33, Topic Starter
Posted 02 March 2010 - 11:01 PM

Here is the Custom Scan/Fix OTL log file:

All processes killed
========== FILES ==========
C:\ProgramData\Win7codecs\{6B010B4A-EBD4-491C-A6A9-BC1063E2A432}\Win7codecs.msi moved successfully.
File\Folder C:\Users\All Users\Win7codecs\{6B010B4A-EBD4-491C-A6A9-BC1063E2A432}\Win7codecs.ms not found.
File\Folder C:\Windows\Installer\2cd7688.msi not found.
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\895bc32-73c86fb9 moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: User
->Temp folder emptied: 26435 bytes
->Temporary Internet Files folder emptied: 7172634 bytes
->Java cache emptied: 35801663 bytes
->FireFox cache emptied: 72803342 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Visitor
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 506145 bytes
->FireFox cache emptied: 69823355 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 330720 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 178.00 mb


OTL by OldTimer - Version 3.1.30.3 log created on 03022010_213614

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


#13 ajrty33, Topic Starter
Posted 02 March 2010 - 11:03 PM

Here is the OTL.Txt output:

OTL logfile created on: 3/2/2010 10:04:31 PM - Run 2
OTL by OldTimer - Version 3.1.30.3 Folder = C:\Users\User\Desktop
An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 129.36 Gb Total Space | 65.14 Gb Free Space | 50.35% Space Free | Partition Type: NTFS
Drive D: | 9.77 Gb Total Space | 5.63 Gb Free Space | 57.66% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 93.71 Gb Total Space | 84.79 Gb Free Space | 90.47% Space Free | Partition Type: NTFS

Computer Name: ME
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/27 19:35:49 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
PRC - [2010/02/18 04:05:41 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/09 03:05:51 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccsvchst.exe
PRC - [2009/10/30 23:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/09/28 18:34:22 | 000,116,032 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2009/09/28 18:34:16 | 000,378,176 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardian.exe
PRC - [2009/09/23 11:30:48 | 000,141,848 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxtray.exe
PRC - [2009/08/05 10:37:58 | 012,313,432 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
PRC - [2009/07/13 19:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/13 19:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2009/06/04 18:03:32 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2009/06/04 18:03:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/08/11 11:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2007/10/26 13:39:14 | 000,095,528 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
PRC - [2007/10/26 13:39:04 | 001,029,416 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


========== Modules (SafeList) ==========

MOD - [2010/02/27 19:35:49 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
MOD - [2009/07/13 19:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 19:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 19:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 19:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 19:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 19:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 19:15:21 | 000,093,696 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\Windows\System32\fms.dll
MOD - [2009/07/13 19:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 19:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 19:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 19:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 19:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare9)
SRV - [2010/03/01 01:15:21 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/12/13 01:55:07 | 000,135,664 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2009/12/09 03:05:51 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe -- (NIS)
SRV - [2009/10/26 00:04:25 | 000,072,704 | ---- | M] (Adobe Systems) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2009/09/28 18:34:22 | 000,116,032 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2009/07/13 19:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 19:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 19:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 19:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 19:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 19:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 19:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 19:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 19:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 19:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 19:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 19:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 19:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 19:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 19:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 19:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 19:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 19:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 19:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 19:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 19:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 19:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/06/04 18:03:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2008/08/11 11:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2004/10/22 02:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 12:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2010/02/11 12:44:06 | 000,536,112 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100211.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/02/03 18:23:50 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100302.025\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/02/03 18:23:50 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100302.025\NAVENG.SYS -- (NAVENG)
DRV - [2010/01/13 07:36:50 | 002,707,448 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XX)
DRV - [2009/12/09 03:06:51 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\NIS\1105000.07F\ccHPx86.sys -- (ccHP)
DRV - [2009/12/03 00:09:48 | 000,044,080 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\SymIMV.sys -- (SymIM)
DRV - [2009/12/03 00:08:32 | 000,325,168 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\Drivers\NIS\1105000.07F\SRTSP.SYS -- (SRTSP)
DRV - [2009/12/03 00:08:32 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\NIS\1105000.07F\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2009/11/26 00:41:48 | 000,172,592 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\system32\drivers\NIS\1105000.07F\SYMEFA.SYS -- (SymEFA)
DRV - [2009/11/26 00:41:22 | 000,116,272 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\NIS\1105000.07F\Ironx86.SYS -- (SymIRON)
DRV - [2009/11/21 18:43:47 | 000,340,016 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\NIS\1105000.07F\SYMTDIV.SYS -- (SYMTDIv)
DRV - [2009/11/05 16:06:13 | 000,328,752 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\NIS\1105000.07F\SYMDS.SYS -- (SymDS)
DRV - [2009/10/28 16:37:22 | 000,343,088 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100224.002\IDSvix86.sys -- (IDSVix86)
DRV - [2009/10/24 03:24:53 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/10/16 23:26:02 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\dc3d.sys -- (dc3d) MS Hardware Device Detection Driver (USB)
DRV - [2009/10/16 19:12:02 | 000,025,088 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\point32k.sys -- (Point32)
DRV - [2009/09/28 18:34:48 | 000,083,288 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2009/09/28 02:02:42 | 000,016,472 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
DRV - [2009/09/23 11:18:14 | 004,808,192 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2009/08/29 03:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/08/29 03:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/07/13 19:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/13 19:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/13 19:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/13 19:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/13 19:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/13 19:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/13 19:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/13 19:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/13 19:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/13 19:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/13 19:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/13 19:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/13 19:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/13 19:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/13 19:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/13 19:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/13 19:20:36 | 000,133,200 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/07/13 19:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/13 19:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/13 19:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/13 19:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/13 19:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/13 19:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/13 19:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/13 19:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/13 19:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/13 19:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/13 19:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/13 19:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/13 19:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/13 19:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/13 19:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/13 19:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/13 19:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/13 19:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/13 19:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/13 19:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/13 19:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/13 19:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/13 19:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/13 19:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/13 19:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/13 19:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/13 18:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/13 18:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/13 18:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/13 17:55:21 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rootmdm.sys -- (ROOTMODEM)
DRV - [2009/07/13 17:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/13 17:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/13 17:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/13 17:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/07/13 17:52:04 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vwififlt.sys -- (vwififlt)
DRV - [2009/07/13 17:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/13 17:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\1394ohci.sys -- (1394ohci)
DRV - [2009/07/13 17:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/13 17:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/13 17:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/13 17:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/13 17:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/13 17:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/13 17:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/13 17:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/13 17:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/13 17:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/13 17:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/13 17:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/13 17:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 16:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 16:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 16:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 16:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 16:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 16:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 16:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 16:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 16:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/07/13 14:50:20 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv)
DRV - [2009/06/30 09:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\Windows\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/06/04 17:43:16 | 000,330,264 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2009/01/09 15:18:02 | 000,027,136 | ---- | M] (Research in Motion Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RimSerial.sys -- (RimVSerPort)
DRV - [2008/08/11 11:41:00 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/08/11 11:41:00 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008/08/11 11:40:34 | 000,010,144 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\lmimirr.sys -- (lmimirr)
DRV - [2008/05/20 19:33:50 | 000,022,784 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RimUsb.sys -- (RimUsb)
DRV - [2007/10/26 13:39:08 | 000,193,456 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/10/10 16:03:00 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV - [2007/08/08 20:42:08 | 000,045,568 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/07/30 11:54:02 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/07/30 10:42:58 | 000,043,008 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2007/03/05 09:45:04 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2004/02/04 10:27:56 | 000,049,536 | ---- | M] (Texas Instruments Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tiehdusb.sys -- (TIEHDUSB)
DRV - [2001/08/17 21:06:02 | 000,154,496 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Icam4USB.sys -- (Icam4USB)
DRV - [2001/07/13 13:56:14 | 000,014,976 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\SBKUPNT.SYS -- (SBKUPNT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 67 BA A7 04 7A 54 CA 01 [binary data]
IE - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\S-1-5-21-215946107-2105060619-4208827591-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\S-1-5-21-215946107-2105060619-4208827591-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = ftp=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080

========== FireFox ==========

FF - prefs.js..browser.search.addSBtoToolbar: false
FF - prefs.js..browser.search.selectedEngine: "Bible Gateway"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.5
FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:3.0.0.1
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.1
FF - prefs.js..extensions.enabledItems: {655397ca-4766-496b-b7a8-3a5b176ee4c2}:1.4.5
FF - prefs.js..extensions.enabledItems: texpertension@texperts.com:1.0.8
FF - prefs.js..extensions.enabledItems: tineye@ideeinc.com:0.7.1
FF - prefs.js..extensions.enabledItems: {37fa1426-b82d-11db-8314-0800200c9a66}:2.3.1
FF - prefs.js..network.proxy.ftp: "127.0.0.1"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.gopher: "5.6.7.8"
FF - prefs.js..network.proxy.gopher_port: 8080
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.socks: "127.0.0.1"
FF - prefs.js..network.proxy.socks_port: 1080
FF - prefs.js..network.proxy.ssl_port: 8080

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\ [2009/10/24 03:25:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\ [2010/01/22 00:14:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/18 04:05:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/18 04:05:46 | 000,000,000 | ---D | M]

[2009/10/24 02:14:59 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mozilla\Extensions
[2010/03/01 23:51:11 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions
[2009/12/08 16:28:09 | 000,000,000 | ---D | M] (PDF Download) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2010/02/22 23:49:34 | 000,000,000 | ---D | M] (WebMail Notifier) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
[2010/02/01 14:31:02 | 000,000,000 | ---D | M] (Searchbar Autosizer) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\{655397ca-4766-496b-b7a8-3a5b176ee4c2}
[2010/01/16 02:49:58 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/01/10 15:08:01 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/02/08 01:44:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/02/01 01:20:03 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\felix@fjeyar.com
[2010/01/16 02:49:58 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\personas@christopher.beard
[2009/11/19 01:21:09 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\texpertension@texperts.com
[2009/11/12 01:06:19 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\extensions\tineye@ideeinc.com
[2010/03/01 22:31:11 | 000,006,240 | ---- | M] () -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\searchplugins\bible-gateway.xml
[2009/09/17 19:35:14 | 000,000,750 | ---- | M] () -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\6ygovsup.default\searchplugins\torrent-scan.xml
[2010/02/18 16:42:11 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/02/02 04:14:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}
[2009/08/03 14:07:42 | 000,373,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll

O1 HOSTS File: ([2010/03/02 21:23:45 | 000,379,546 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 13102 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [] File not found
O4 - HKU\S-1-5-18..\RunOnce: [] File not found
O4 - HKU\S-1-5-19..\RunOnce: [] File not found
O4 - HKU\S-1-5-20..\RunOnce: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run: = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 0
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 0
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 0
O7 - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O7 - HKU\S-1-5-21-215946107-2105060619-4208827591-1001_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.68.166 68.87.74.166
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 15:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/02 21:36:14 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/03/02 20:48:39 | 000,000,000 | -H-D | C] -- C:\Windows\PIF
[2010/03/01 17:43:54 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/03/01 01:15:23 | 000,000,000 | ---D | C] -- C:\Windows\System32\Wat
[2010/02/28 22:58:03 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/02/28 22:57:11 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/02/28 22:34:47 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/02/27 19:35:49 | 000,549,888 | ---- | C] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
[2010/02/26 01:10:07 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\temp
[2010/02/26 00:53:15 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/02/26 00:53:14 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/02/26 00:53:14 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/02/26 00:53:03 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/02/26 00:52:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/25 12:49:28 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/02/25 07:38:44 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/02/25 02:53:13 | 000,000,000 | ---D | C] -- C:\Users\User\Desktop\SmitfraudFix
[2010/02/25 01:19:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/02/25 01:19:25 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/02/24 17:32:15 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2010/02/24 15:28:33 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Malwarebytes
[2010/02/24 15:28:29 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/02/24 15:28:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/02/24 15:28:26 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/02/24 15:28:26 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/24 14:45:53 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\J River
[2010/02/24 13:53:07 | 000,044,080 | R--- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\SymIMV.sys
[2010/02/24 03:28:06 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2010/02/24 03:28:04 | 000,641,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CPFilters.dll
[2010/02/24 03:28:04 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax
[2010/02/24 03:28:03 | 000,465,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisdecd.dll
[2010/02/24 03:28:03 | 000,417,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdri.dll
[2010/02/24 03:27:58 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/02/24 00:32:15 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Openworld Learning
[2010/02/23 23:29:58 | 000,000,000 | ---D | C] -- C:\Users\User\Desktop\viewer
[2010/02/22 18:36:17 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Yahoo!
[2010/02/22 18:36:17 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\Yahoo
[2010/02/22 18:35:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Yahoo!
[2010/02/22 18:33:04 | 000,000,000 | ---D | C] -- C:\Program Files\Yahoo!
[2010/02/19 01:08:11 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\GetRightToGo
[2010/02/18 18:04:20 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\vlc
[2010/02/18 18:02:44 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2010/02/18 16:42:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/02/18 16:42:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/02/18 16:42:09 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/02/18 16:42:08 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/02/18 16:42:08 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/02/16 00:46:03 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Revolution
[2010/02/16 00:45:30 | 000,000,000 | ---D | C] -- C:\Program Files\Revolution Dreamcard Player
[2010/02/15 21:09:45 | 000,000,000 | ---D | C] -- C:\Users\User\Desktop\medialink
[2010/02/11 23:08:43 | 000,585,728 | ---- | C] (Audible Inc.) -- C:\Windows\System32\AReadyLB.dll
[2010/02/11 23:08:43 | 000,229,376 | ---- | C] (Audible Inc.) -- C:\Windows\System32\AudDevicePlugin.dll
[2010/02/11 23:08:42 | 003,851,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_39.dll
[2010/02/11 23:06:16 | 000,000,000 | ---D | C] -- C:\Program Files\Media Center 14
[2010/02/11 01:52:41 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\x3watch
[2010/02/11 01:52:41 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\x3watch
[2010/02/11 00:53:04 | 000,000,000 | ---D | C] -- C:\Program Files\WindSolutions
[2010/02/11 00:52:05 | 000,000,000 | ---D | C] -- C:\Program Files\Copy Trans Suite
[2010/02/11 00:51:11 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\WindSolutions
[2010/02/11 00:51:11 | 000,000,000 | ---D | C] -- C:\ProgramData\WindSolutions
[2010/02/10 14:18:05 | 003,955,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/02/10 14:18:05 | 003,899,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/02/10 14:17:57 | 001,328,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll
[2010/02/10 14:17:57 | 000,091,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\avifil32.dll
[2010/02/10 14:17:57 | 000,084,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mciavi32.dll
[2010/02/10 14:17:54 | 000,365,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_isv.dll
[2010/02/10 14:17:53 | 000,369,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc.dll
[2010/02/10 14:17:53 | 000,324,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_isv.exe
[2010/02/10 14:17:53 | 000,320,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate.exe
[2010/02/10 14:17:53 | 000,280,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp.exe
[2010/02/10 14:17:53 | 000,277,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp_isv.exe
[2010/02/10 14:17:53 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp_isv.dll
[2010/02/10 14:17:53 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp.dll
[2010/02/09 13:07:27 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Acoustica
[2010/02/09 13:05:52 | 000,057,344 | ---- | C] (NexiTech, Inc.) -- C:\Windows\System32\Wnaspint.dll
[2010/02/09 13:05:50 | 000,000,000 | ---D | C] -- C:\Program Files\Acoustica Shared Effects
[2010/02/09 13:03:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Acoustica
[2010/02/09 13:02:45 | 000,000,000 | ---D | C] -- C:\Program Files\Acoustica Mixcraft 4
[2010/02/02 16:07:51 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\LammerSoft
[2010/02/02 16:07:05 | 000,000,000 | ---D | C] -- C:\Program Files\Lammer Context Menu

========== Files - Modified Within 30 Days ==========

[2010/03/02 22:02:11 | 007,077,888 | -HS- | M] () -- C:\Users\User\NTUSER.DAT
[2010/03/02 21:45:11 | 000,013,472 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/02 21:45:11 | 000,013,472 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/02 21:41:40 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/02 21:37:51 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/02 21:37:45 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/02 21:37:14 | 2408,398,848 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/02 21:26:00 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/02 21:23:45 | 000,379,546 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/03/02 20:56:24 | 001,764,959 | -H-- | M] () -- C:\Users\User\AppData\Local\IconCache.db
[2010/03/02 20:50:54 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/03/02 20:50:54 | 000,615,360 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/03/02 20:50:54 | 000,103,702 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/03/01 17:41:53 | 002,672,312 | ---- | M] () -- C:\Users\User\Desktop\esetsmartinstaller_enu.exe
[2010/03/01 03:06:06 | 000,001,833 | ---- | M] () -- C:\Users\User\Desktop\CCleaner.lnk
[2010/03/01 01:16:05 | 000,919,754 | ---- | M] () -- C:\Windows\System32\oem36.inf
[2010/02/28 22:50:47 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/02/28 22:50:32 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100302-212345.backup
[2010/02/27 23:01:58 | 000,013,433 | ---- | M] () -- C:\Users\User\Desktop\n27416449_36006119_5595.jpg
[2010/02/27 19:35:49 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
[2010/02/26 00:51:50 | 003,873,109 | R--- | M] () -- C:\Users\User\Desktop\ComboFix.exe
[2010/02/25 21:04:24 | 146,159,467 | ---- | M] () -- C:\Windows\System32\FZEMGACTWU
[2010/02/25 14:35:51 | 000,544,943 | ---- | M] () -- C:\Users\User\Desktop\redirect.png
[2010/02/25 10:33:18 | 000,000,036 | ---- | M] () -- C:\Users\User\AppData\Local\housecall.guid.cache
[2010/02/25 02:54:15 | 000,000,035 | ---- | M] () -- C:\Users\User\AppData\Roaming\SetValue.bat
[2010/02/25 02:54:14 | 000,000,691 | ---- | M] () -- C:\Users\User\AppData\Roaming\GetValue.vbs
[2010/02/25 02:50:35 | 000,000,082 | ---- | M] () -- C:\Users\User\Desktop\cc_20100225_025024.reg
[2010/02/25 01:19:30 | 000,001,218 | ---- | M] () -- C:\Users\User\Desktop\Spybot - Search & Destroy.lnk
[2010/02/24 23:13:54 | 000,021,504 | ---- | M] () -- C:\Users\User\Desktop\popup warning.png
[2010/02/24 23:13:26 | 000,194,400 | ---- | M] () -- C:\Users\User\Desktop\popup.png
[2010/02/24 22:49:06 | 000,524,288 | ---- | M] () -- C:\Users\User\Desktop\dds.scr
[2010/02/24 15:28:31 | 000,000,981 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/23 22:48:24 | 000,004,735 | ---- | M] () -- C:\Users\User\Desktop\index.php
[2010/02/23 02:25:38 | 000,029,348 | ---- | M] () -- C:\Users\User\Desktop\Untitled.jpg
[2010/02/22 18:35:09 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2010/02/22 15:05:05 | 000,013,824 | ---- | M] () -- C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/18 18:02:57 | 000,001,026 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2010/02/15 23:11:45 | 000,227,442 | ---- | M] () -- C:\Users\User\Desktop\IMG000661.jpg
[2010/02/15 17:18:16 | 000,446,791 | ---- | M] () -- C:\Users\User\Desktop\IMG00066.jpg
[2010/02/15 17:17:54 | 000,535,637 | ---- | M] () -- C:\Users\User\Desktop\IMG00065.jpg
[2010/02/11 23:08:43 | 000,000,076 | ---- | M] () -- C:\Windows\System32\mspstpl.vxd
[2010/02/11 00:53:07 | 000,001,268 | ---- | M] () -- C:\Users\User\Desktop\CopyTrans Control Center.lnk
[2010/02/10 19:09:24 | 000,043,854 | ---- | M] () -- C:\Users\User\Desktop\bill.PNG
[2010/02/09 13:05:53 | 000,000,980 | ---- | M] () -- C:\Users\Public\Desktop\Mixcraft 4.lnk
[2010/02/02 01:45:54 | 000,002,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll

========== Files Created - No Company Name ==========

[2010/03/01 17:41:44 | 002,672,312 | ---- | C] () -- C:\Users\User\Desktop\esetsmartinstaller_enu.exe
[2010/03/01 01:16:12 | 000,919,754 | ---- | C] () -- C:\Windows\System32\oem36.inf
[2010/02/27 23:01:56 | 000,013,433 | ---- | C] () -- C:\Users\User\Desktop\n27416449_36006119_5595.jpg
[2010/02/26 00:53:15 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/02/26 00:53:14 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/02/26 00:53:14 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/02/26 00:53:14 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/02/26 00:53:14 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/02/26 00:51:45 | 003,873,109 | R--- | C] () -- C:\Users\User\Desktop\ComboFix.exe
[2010/02/25 20:58:36 | 146,159,467 | ---- | C] () -- C:\Windows\System32\FZEMGACTWU
[2010/02/25 14:35:51 | 000,544,943 | ---- | C] () -- C:\Users\User\Desktop\redirect.png
[2010/02/25 10:33:18 | 000,000,036 | ---- | C] () -- C:\Users\User\AppData\Local\housecall.guid.cache
[2010/02/25 02:54:15 | 000,000,035 | ---- | C] () -- C:\Users\User\AppData\Roaming\SetValue.bat
[2010/02/25 02:54:14 | 000,000,691 | ---- | C] () -- C:\Users\User\AppData\Roaming\GetValue.vbs
[2010/02/25 02:50:35 | 000,000,082 | ---- | C] () -- C:\Users\User\Desktop\cc_20100225_025024.reg
[2010/02/25 01:19:30 | 000,001,218 | ---- | C] () -- C:\Users\User\Desktop\Spybot - Search & Destroy.lnk
[2010/02/24 23:13:40 | 000,021,504 | ---- | C] () -- C:\Users\User\Desktop\popup warning.png
[2010/02/24 23:13:26 | 000,194,400 | ---- | C] () -- C:\Users\User\Desktop\popup.png
[2010/02/24 22:49:06 | 000,524,288 | ---- | C] () -- C:\Users\User\Desktop\dds.scr
[2010/02/24 15:28:31 | 000,000,981 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/23 02:25:38 | 000,029,348 | ---- | C] () -- C:\Users\User\Desktop\Untitled.jpg
[2010/02/22 18:35:09 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2010/02/18 18:02:57 | 000,001,026 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2010/02/15 23:11:44 | 000,227,442 | ---- | C] () -- C:\Users\User\Desktop\IMG000661.jpg
[2010/02/15 22:56:49 | 000,535,637 | ---- | C] () -- C:\Users\User\Desktop\IMG00065.jpg
[2010/02/15 22:56:49 | 000,446,791 | ---- | C] () -- C:\Users\User\Desktop\IMG00066.jpg
[2010/02/11 23:08:43 | 000,183,129 | ---- | C] () -- C:\Windows\System32\AM Install1.INF
[2010/02/11 23:08:43 | 000,000,076 | ---- | C] () -- C:\Windows\System32\mspstpl.vxd
[2010/02/11 00:53:06 | 000,001,268 | ---- | C] () -- C:\Users\User\Desktop\CopyTrans Control Center.lnk
[2010/02/10 19:09:24 | 000,043,854 | ---- | C] () -- C:\Users\User\Desktop\bill.PNG
[2010/02/10 14:18:06 | 000,022,146 | ---- | C] () -- C:\Windows\System32\llbeh3.dll
[2010/02/09 13:05:53 | 000,000,980 | ---- | C] () -- C:\Users\Public\Desktop\Mixcraft 4.lnk
[2010/02/03 05:44:00 | 000,004,735 | ---- | C] () -- C:\Users\User\Desktop\index.php
[2010/01/31 01:58:13 | 000,014,976 | ---- | C] () -- C:\Windows\System32\drivers\SBKUPNT.SYS
[2010/01/31 01:58:03 | 000,002,799 | ---- | C] () -- C:\Windows\SKLANG.INI
[2009/12/07 13:59:35 | 000,013,824 | ---- | C] () -- C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/27 18:30:58 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/10/26 16:40:15 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2009/10/26 00:27:16 | 000,691,560 | ---- | C] () -- C:\Windows\System32\OGACHE~1.DLL
[2009/10/26 00:23:22 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/10/24 03:59:34 | 000,007,605 | ---- | C] () -- C:\Users\User\AppData\Local\resmon.resmoncfg
[2009/10/24 01:24:01 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2009/07/13 17:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 17:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
< End of report >

Here is Extras.Txt:


OTL Extras logfile created on: 3/2/2010 9:58:02 PM - Run 2
OTL by OldTimer - Version 3.1.30.3 Folder = C:\Users\User\Desktop
An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 62.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 129.36 Gb Total Space | 65.14 Gb Free Space | 50.36% Space Free | Partition Type: NTFS
Drive D: | 9.77 Gb Total Space | 5.63 Gb Free Space | 57.66% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 93.71 Gb Total Space | 84.79 Gb Free Space | 90.47% Space Free | Partition Type: NTFS

Computer Name: ME
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- Reg Error: Key error. File not found
.cmd [@ = cmdfile] -- Reg Error: Key error. File not found
.com [@ = ComFile] -- Reg Error: Key error. File not found
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.pif [@ = piffile] -- Reg Error: Key error. File not found
.vbs [@ = VBSFile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.0.0 (r181)
"{15F4085A-BC98-4590-AFFD-03BBBE49524E}" = Garmin Communicator Plugin
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}" = Live! Cam Avatar v1.0
"{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"{205ACCD7-5342-4694-91F3-3A99E4FD5AA6}" = Mathcad 14 Help
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1" = Media Player Classic - Home Cinema v. 1.3.1249.0
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 18
"{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.2
"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
"{34F93E31-E1A0-421C-8E86-BCF7C4193A91}" = LogMeIn
"{49DB0B0B-6021-468B-9D01-29C959CD70B2}" = PowerWorld Simulator 14 GSO Education Edition
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{71DFAA65-77FA-41F3-A748-013B5A8524A3}" = Garmin City Navigator North America NT 2010.30
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A8B94669-8654-4126-BD28-D0D2412CDED6}" = TI Connect 1.6
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C4972073-2BFE-475D-8441-564EA97DA161}" = QuickSet32
"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
"{E666A69B-A76D-43D5-AF28-4B2150A6EDE2}" = Mathcad 14
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"7-Zip" = 7-Zip 4.65
"Acoustica Effects Pack" = Acoustica Effects Pack
"Acoustica Mixcraft 4.5" = Acoustica Mixcraft 4.5
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"AIM_6" = AIM 6
"Audacity_is1" = Audacity 1.2.6
"bitRipper" = bitRipper
"BlackBerry_{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"CamStudio" = CamStudio
"CCleaner" = CCleaner
"CopyTrans Suite" = CopyTrans Suite Remove Only
"Creative OEM002" = Laptop Integrated Webcam Driver (1.04.01.1011)
"Dell Webcam Center" = Dell Webcam Center
"Dell Webcam Manager" = Dell Webcam Manager
"Easy Duplicate Finder_is1" = Easy Duplicate Finder v. 2.4.1
"ESET Online Scanner" = ESET Online Scanner v3
"ExamDiff_is1" = ExamDiff 1.8 (Build 1.8.0.3)
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"Handbrake" = Handbrake 0.9.4
"HDMI" = Intel® Graphics Media Accelerator Driver
"ImgBurn" = ImgBurn
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Lammer Context Menu" = Lammer Context Menu v1.0.0.25
"LogixPro PLC Simulator_is1" = the TLP LogixPro Simulator
"Magic ISO Maker v5.5 (build 0276)" = Magic ISO Maker v5.5 (build 0276)
"MagicDisc 2.7.106" = MagicDisc 2.7.106
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MatlabR2007b" = MATLAB R2007b
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"Mp3tag" = Mp3tag v2.45a
"NIS" = Norton Internet Security
"qt7lite_is1" = QT Lite 3.1.0
"Rainmeter" = Rainmeter (remove only)
"Startup Delayer" = Startup Delayer v2.5 (build 138)
"SynTPDeinstKey" = Dell Touchpad
"tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine
"TVWiz" = Intel® TV Wizard
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.5
"X3watch_is1" = X3watch 5.0.6
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-215946107-2105060619-4208827591-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"309a46b1dc89b774" = Dell Driver Download Manager
"f031ef6ac137efc5" = Dell Driver Download Manager
"Move Media Player" = Move Media Player
"WinDirStat" = WinDirStat 1.1.2

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

Edited by ajrty33, 02 March 2010 - 11:07 PM.


#14 ajrty33

ajrty33
  • Topic Starter
  • Members
  • 13 posts

Posted 03 March 2010 - 04:11 AM

There are a few things I've taken note of just searching on my own...
C:\Windows\MBR.exe
C:\Windows\PEV.exe
C:\Windows\sed.exe
C:\Windows\WMSysPr9.prx

C:\Windows\write.exe is 9.55GB... that's just not 'write' (pun intended).
C:\Windows\ERDNT

A folder C:\Windows\CSC\v2.0.6 that I couldn't access. I had to go in and add myself to gain access.

Under my Device Manager I have MEMSWEEP2... the process was stopped, but I went ahead and disabled it.

Am I screwed?

#15 etavares

etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 03 March 2010 - 07:10 PM

Hello, ajrty33.

You're looking fairly clean; definitely not screwed. How is everything running for you? Any more trojan popups? Redirects? Intrusions blocked?


Thanks for asking about those files. The good news is that there is not too much to worry about the files you pointed out.


C:\Windows\MBR.exe
C:\Windows\PEV.exe
C:\Windows\sed.exe
These are files related to our fix. We'll remove them when they're done.

C:\Windows\WMSysPr9.prx
This is related to Windows Media Player.

C:\Windows\write.exe is 9.55GB... that's just not 'write' (pun intended).
Interesting...that's a legit file, but the filesize is odd. 9.55KB would be accurate. Let's take a look at it.

C:\Windows\ERDNT
This is related to ERUNT...it makes a backup of your registry.

A folder C:\Windows\CSC\v2.0.6 that I couldn't access. I had to go in and add myself to gain access.
These are files that are stored for offline viewing by Windows.

Under my Device Manager I have MEMSWEEP2... the process was stopped, but I went ahead and disabled it.
Ok, thanks for letting me know. This is related to Sophos Anti-rootkit.

How is everything running now?



Step 1
  1. Please open Notepad.
  2. Copy and paste the text in the box below into Notepad, excluding the word code.
    CODE
    @ECHO OFF
    cd\
    dir c:\windows\write.exe > c:\write.txt
    start c:\write.txt
    del %0

    This fix is custom made for this user's computer.
  3. Select File-->Save As
  4. Select File as Type: All Types (*.*)
  5. Save it to your desktop as fixme.bat
  6. Double-click fixme.bat on your desktop to run the fix.
  7. A window will briefly pop up then close.
  8. A log will open, please copy and paste it into your response.



Step 2

We need to run an OTL script.
  1. Please download OTL from one of the following mirrors if you do not still have it.
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    CODE
    :OTL
    O4 - HKU\.DEFAULT..\RunOnce: [] File not found
    O4 - HKU\S-1-5-18..\RunOnce: [] File not found
    O4 - HKU\S-1-5-19..\RunOnce: [] File not found
    O4 - HKU\S-1-5-20..\RunOnce: [] File not found
  5. Click the Run Fix button at the top.
  6. Let the program run unhindered and reboot when it is done.
  7. You will get a log when it is done, please post that in your reply.
  8. Please then create a new OTL report....
  9. Click the "Scan All Users" checkbox.
  10. Push the button.
  11. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized




Step 3

In your reply, please post the logfile from step 1, and the OTL files from step 2. How is everything running for you?

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
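As an added example, not part of this thread and not OTL's own code: a small Python triage pass over file-list lines in the OTL format shown in the log above. It parses each line and flags files under C:\Windows that have no company name, no extension, or an implausible size, the same sort of check the helper's Step 1 makes on the oversized write.exe. The 64 MB size threshold and the write.exe sample line are assumptions; the other sample lines are copied from the log above.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# One OTL "Files Created"/"Files Modified" line looks like:
# [2010/02/10 14:18:06 | 000,022,146 | ---- | C] () -- C:\Windows\System32\llbeh3.dll
# The parenthesised field is the company name from the file's version
# resource; an empty "()" means the file carries none.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

class OtlEntry(NamedTuple):
    ts: datetime
    size: int
    attrs: str
    kind: str      # 'C' = created, 'M' = modified
    company: str   # '' when the file has no company name
    path: str

def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one file-list line; None for section headers, blanks and other text."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                    int(m["size"].replace(",", "")), m["attrs"], m["kind"],
                    m["company"].strip(), m["path"].strip())

WINDOWS_TREE = "c:\\windows\\"
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".ax", ".drv"}

def _ext(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""

def triage(lines: List[str], report_date: datetime, window_days: int = 30,
           max_system_bytes: int = 64 * 1024 * 1024) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries under C:\\Windows worth a closer look.

    Hints, not verdicts: (1) executable or extension-less file with no company
    name inside the report window (OTL's "File Age" setting); (2) size above
    max_system_bytes, an assumed threshold no Windows binary in this log is
    near; (3) no file extension at all.
    """
    cutoff = report_date - timedelta(days=window_days)
    findings: Dict[str, List[str]] = {}
    for line in lines:
        e = parse_otl_line(line)
        if e is None or not e.path.lower().startswith(WINDOWS_TREE):
            continue
        ext = _ext(e.path)
        reasons = []
        if not e.company and e.ts >= cutoff and (ext in EXEC_EXTS or ext == ""):
            reasons.append("no company name")
        if e.size > max_system_bytes:
            reasons.append(f"implausible size {e.size:,} bytes")
        if ext == "":
            reasons.append("no file extension")
        if reasons:  # a file listed under both Created and Modified is merged
            known = findings.setdefault(e.path, [])
            known.extend(r for r in reasons if r not in known)
    return findings

# Lines copied from the OTL log posted above, plus one CONSTRUCTED line for
# write.exe built from the 9.55 GB size reported in the thread (the log
# itself does not list write.exe).
SAMPLE_LOG = r"""
========== Files Created - No Company Name ==========
[2010/02/26 00:53:15 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/02/25 20:58:36 | 146,159,467 | ---- | C] () -- C:\Windows\System32\FZEMGACTWU
[2010/02/11 23:08:43 | 000,000,076 | ---- | C] () -- C:\Windows\System32\mspstpl.vxd
[2010/02/10 14:18:06 | 000,022,146 | ---- | C] () -- C:\Windows\System32\llbeh3.dll
[2009/10/27 18:30:58 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2010/02/24 15:28:31 | 000,000,981 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/10 14:18:05 | 003,899,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/03/02 12:00:00 | 10254,000,000 | ---- | M] (Microsoft Corporation) -- C:\Windows\write.exe
< End of report >
""".strip().splitlines()

REPORT_DATE = datetime(2010, 3, 2, 21, 58)  # time stamp of the OTL run above

def sample_findings() -> Dict[str, List[str]]:
    return triage(SAMPLE_LOG, REPORT_DATE)

if __name__ == "__main__":
    for path, reasons in sample_findings().items():
        print(f"{path}: {'; '.join(reasons)}")
```

The hits are a list to ask about, not a removal list: the MBR.exe hit, for instance, is one of the fix's own files according to the reply above.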
 




