Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trying to Remove Numerous Trojans


  • This topic is locked This topic is locked
13 replies to this topic

#1 LindaG-Van

LindaG-Van

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:53 PM

Posted 07 March 2010 - 06:06 PM

Hello,
I am a reasonable literate computer user who stupidly tried to grab a free program and wound up with a trojan instead. The trojan hijacked my browser, redirecting it on every access attempt to numerous sites, mainly security software and porn.

I used Microsoft Security Essentials as well as AdAware to scan and remove as much as possible. MS Essentials can't remove Trojan:JS/Dursg.B it has Quarantined the files. I have attached trojans_list.PNG file showing the screen capture of MS Essentials history log.

I don't have any symptoms other than when I start my browser, it always shows a "Connection Reset" error message with one button to click, "Try Again". I suspect this is the trojan trying to trick me into reloading more junk. If I go to the URL and press Enter, whatever site I want connects and displays correctly. I haven't "noticed" any other symptoms but my computer seems to be working hard when I'm not doing any thing - very suspicious to me. Plus, I am paranoid that now I have a backdoor open, or that some monitoring software is actively on.

I have followed your instructions and created the DDS log and am also attaching the Attach.log as well as the GMER.log files.

Can you please tell me (1) if I am still infected, (2) how to remove the infection, (3) if there is any way that I can repay your group for your tremendous help and support? I am SO appreciative of your time and efforts.

Linda Gross in Vancouver, Canada


DDS (Ver_09-12-01.01) - NTFSx86
Run by LindaG at 14:10:12.94 on 07/03/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3071.1554 [GMT -8:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conime.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\shaw\bin\shawsupport.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\microsoft shared\Virtualization Handler\CVH.EXE
C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Shaw Secure\Common\FSLAUNCH.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\LindaG\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://en.ca.acer.yahoo.com
mDefault_Page_URL = hxxp://en.ca.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\snagit 8\SnagItBHO.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: CDelHotkeys Object: {78875f5c-a685-4405-8dc5-d48dc65452b0} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Browsing Protection Class: {c6867eb7-8350-4856-877f-93cf8ae3dc9c} - c:\program files\shaw secure\nrs\iescript\baselitmus.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Delicious Toolbar: {61d1c847-df80-423a-8c6d-dc03b97e6ebe} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
TB: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File
TB: Kiwee Toolbar: {1c99b848-84cb-4ce4-8cd8-ed5719484d9f} - mscoree.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\progra~1\snagit~1\SNAGIT~4.DLL
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Browsing Protection Toolbar: {265eee8e-3228-44d3-aea5-f7fdf5860049} - c:\program files\shaw secure\nrs\iescript\baselitmus.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Delicious Sidebar: {9d19c405-ba93-461b-871f-97992cc45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [Skytel] Skytel.exe
mRun: [eRecoveryService]
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [Linksys Wireless Manager] "c:\program files\linksys\linksys wireless manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
mRun: [shawnotify] c:\progra~1\shaw\update\siuloader.exe /notify
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [F-Secure Manager] "c:\program files\shaw secure\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\shaw secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\shawsu~1.lnk - c:\program files\shaw\bin\shawsupport.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZSYYYYYYYYCA
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2C887991-08F0-11DC-A9B2-0012F0B227DD} - {B8D8B1D0-83AF-451B-8CD9-8F1BF4ED8FEA} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {2C887992-08F0-11DC-A9B2-0012F0B227DD} - {9D19C405-BA93-461b-871F-97992CC45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {2C887993-08F0-11DC-A9B2-0012F0B227DD} - {4D3D441F-9543-4941-B664-2EDCF9FC1B56} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
LSP: c:\program files\shaw secure\fsps\program\FSLSP.DLL
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
AppInit_DLLs: c:\windows\system32\FMAPO32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\lindag\appdata\roaming\mozilla\firefox\profiles\iyg1da3r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\shaw secure\nrs\litmus-ff@f-secure.com\components\litmus-ff.dll
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Firefox security: No Registry Reference - c:\program files\mozilla firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2010-2-28 33920]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-9 64288]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\shaw secure\hips\drivers\fshs.sys [2010-2-28 68064]
R1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2010-2-28 35680]
R1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2010-2-28 71040]
R1 fsvista;F-Secure Vista Support Driver;c:\program files\shaw secure\anti-virus\minifilter\fsvista.sys [2010-2-28 12384]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-16 214664]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2009-9-26 819600]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\shaw secure\anti-virus\fsgk32st.exe [2010-2-28 215648]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2009-9-23 447832]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\shaw secure\anti-virus\minifilter\fsgk.sys [2010-2-28 107104]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
R3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2009-12-17 724992]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4639136]
R3 sftfs;sftfs;c:\program files\microsoft application virtualization client\drivers\SftFSlh.sys [2009-9-23 543064]
R3 sftplay;sftplay;c:\program files\microsoft application virtualization client\drivers\sftplaylh.sys [2009-9-23 190312]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2009-9-23 21848]
R3 sftvol;sftvol;c:\program files\microsoft application virtualization client\drivers\SftVollh.sys [2009-9-23 14680]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2009-9-23 203608]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\mcafee\siteadvisor\mcsacore.exe" --> c:\program files\mcafee\siteadvisor\McSACore.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\shaw secure\orsp client\fsorsp.exe [2010-2-28 55992]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-16 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-16 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-16 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-16 40552]
S3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-3-16 30752]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\shaw secure\anti-virus\win2k\fsfilter.sys [2010-2-28 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\shaw secure\anti-virus\win2k\fsrec.sys [2010-2-28 25184]

=============== Created Last 30 ================

2010-03-07 22:05:39 0 ----a-w- c:\users\lindag\defogger_reenable
2010-03-07 20:11:56 0 d-----w- c:\windows\pss
2010-03-07 07:41:32 0 d-----w- c:\program files\CCleaner
2010-03-04 22:13:41 0 d-----w- c:\programdata\WindowsSearch
2010-03-03 17:53:31 0 d-----w- c:\program files\Microsoft Security Essentials
2010-02-28 19:26:24 0 d-----w- c:\users\lindag\appdata\roaming\F-Secure
2010-02-28 09:49:23 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-28 08:43:38 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-02-28 08:43:04 35680 ----a-w- c:\windows\system32\drivers\fses.sys
2010-02-28 08:43:02 71040 ----a-w- c:\windows\system32\drivers\fsdfw.sys
2010-02-28 08:43:01 572512 ----a-w- c:\windows\system32\msvcp50.dll
2010-02-28 08:42:18 0 d-----w- c:\program files\Shaw Secure
2010-02-28 08:40:41 0 d-----w- c:\programdata\fssg
2010-02-28 08:40:04 0 d-----w- c:\programdata\f-secure
2010-02-27 16:15:55 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-27 16:14:07 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-27 16:14:07 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-27 16:14:06 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-27 16:14:06 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-27 16:14:06 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-27 16:14:05 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-27 16:14:05 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-27 16:14:05 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-27 16:14:05 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-27 16:13:56 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-27 16:13:55 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-27 16:13:55 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-18 19:28:19 0 d-----w- c:\programdata\WinZip
2010-02-10 03:00:52 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-10 02:08:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-10 02:06:34 0 dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-10 02:06:27 0 d-----w- c:\programdata\Lavasoft
2010-02-10 02:06:27 0 d-----w- c:\program files\Lavasoft
2010-02-10 01:39:50 0 d---a-w- c:\programdata\TEMP
2010-02-09 00:54:49 0 d-sh--w- c:\users\lindag\appdata\roaming\SystemProc
2010-02-08 06:56:25 0 d-----w- c:\users\lindag\appdata\roaming\BitTorrent
2010-02-08 06:56:22 0 d-----w- c:\program files\Ask.com
2010-02-08 06:56:16 0 d-----w- c:\program files\BitTorrent
2010-02-08 06:49:07 0 d-----w- c:\users\lindag\appdata\roaming\Participatory Culture Foundation

==================== Find3M ====================

2010-01-18 18:23:33 86016 ----a-w- c:\windows\inf\infstor.dat
2010-01-18 18:23:33 51200 ----a-w- c:\windows\inf\infpub.dat
2010-01-18 18:23:33 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-12 23:42:37 72080 ----a-w- c:\users\lindag\g2mdlhlpx.exe
2010-01-02 12:45:37 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-01-02 01:48:51 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-01 20:37:37 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-12-29 21:12:09 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-28 07:14:08 672 ----a-w- c:\program files\RejoinCommandLine.txt
2009-12-23 00:08:03 28672 ----a-w- c:\windows\system32\f3PSSavr.scr
2009-12-18 08:09:55 34990 ----a-w- c:\programdata\nvModes.dat
2009-12-18 06:20:53 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-12-18 01:46:53 1908 ----a-w- c:\windows\CLEANUP.CMD
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2007-04-25 08:49:51 328 ------w- c:\program files\GuideMenuSetup.iss
2007-04-06 03:28:08 1237 ------w- c:\program files\WinDVDSetup.iss
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 14:10:49.87 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:53 AM

Posted 09 March 2010 - 11:26 AM

Hello LindaG-Van my name is Sempai and welcome to Bleeping Computer.
*We apologize for the delay. Forum have been busy.

* Please stay with me until I declare that your computer is clean as most users don't reply anymore once they found out that their computer is running smoothly, but absence of symptoms does not mean that a computer is free from infection.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



+++++++++++++++++++++++++


1. Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Please download Malwarebytes' Anti-Malware from here:
MalwareBytes' AntiMalware download link

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.




3. We need to create a New FULL OTL Report
  1. Please download OTL from here if you have not done so already:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Change the "Extra Registry" option to "SafeList"
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 LindaG-Van

LindaG-Van
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:53 PM

Posted 09 March 2010 - 03:52 PM

Hello Sempai,

Thank you so much for your generous help and also for the extremely clear instructions you have provided. I hope that I've followed them correctly, here are the results:

1. Log from SecurityCheck.exe, checkup.txt

Results of screen317's Security Check version 0.99.1
Windows Vista Service Pack 2 (UAC is enabled)
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
CCleaner
Java™ 6 Update 17
Adobe Flash Player 10
Adobe Reader 8.1.4
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


2. Log from Anti-Malware, mbam-log
Malwarebytes' Anti-Malware 1.44
Database version: 3842
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

09/03/2010 11:26:13 AM
mbam-log-2010-03-09 (11-26-05).txt

Scan type: Quick Scan
Objects scanned: 107763
Time elapsed: 4 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\LindaG\AppData\Roaming\SystemProc (Trojan.Agent) -> No action taken.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D} (Worm.Prolaco.M) -> No action taken.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome (Worm.Prolaco.M) -> No action taken.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content (Worm.Prolaco.M) -> No action taken.

Files Infected:
C:\Users\LindaG\AppData\Roaming\3B86.tmp (Trojan.Tracur) -> No action taken.
C:\Windows\System32\f3PSSavr.scr (Adware.MyWebSearch) -> No action taken.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest (Worm.Prolaco.M) -> No action taken.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf (Worm.Prolaco.M) -> No action taken.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul (Worm.Prolaco.M) -> No action taken.


Note to Sempai - after creating the log, the program prompted me to restart my computer. I got a Runtime error msg at that point saying that the program was requested to terminate in "an unusual way" and that I should contact support staff. I restarted my computer manually and received a notification about "Blocked Startup Programs". I took a screen shot of that message and will attach it to this reply. My computer "appears" to be working normally at this point.

3. OTL Reports:
OTL.txt
OTL logfile created on: 09/03/2010 11:38:18 AM - Run 1
OTL by OldTimer - Version 3.1.35.0 Folder = C:\Users\LindaG\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 52.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 216.09 Gb Total Space | 158.39 Gb Free Space | 73.30% Space Free | Partition Type: NTFS
Drive D: | 69.50 Gb Total Space | 69.06 Gb Free Space | 99.38% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LINDAG-PC
Current User Name: LindaG
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/09 11:05:37 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Users\LindaG\Downloads\OTL.exe
PRC - [2010/03/01 06:36:16 | 000,055,992 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe
PRC - [2010/02/28 00:54:36 | 000,522,848 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\FWES\program\fsdfwd.exe
PRC - [2010/02/28 00:47:32 | 000,356,960 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
PRC - [2010/02/28 00:46:43 | 000,619,616 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
PRC - [2010/02/28 00:46:43 | 000,480,352 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Anti-Virus\fsgk32.exe
PRC - [2010/02/21 05:03:12 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010/02/09 18:07:16 | 000,788,880 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/02/09 18:07:15 | 001,181,328 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/01/06 11:17:00 | 001,275,240 | ---- | M] (Shaw Communications) -- C:\Program Files\shaw\bin\shawsupport.exe
PRC - [2009/12/28 14:18:20 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/11/18 14:00:00 | 000,495,432 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2009/09/26 07:35:12 | 003,195,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Virtualization Handler\CVH.EXE
PRC - [2009/09/26 07:35:02 | 000,819,600 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
PRC - [2009/09/26 07:35:02 | 000,045,392 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\Virtualization Handler\OFFICEVIRT.EXE
PRC - [2009/09/23 15:04:56 | 000,203,608 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2009/09/23 15:04:52 | 000,447,832 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
PRC - [2009/08/05 07:58:52 | 000,186,976 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Common\FSMA32.EXE
PRC - [2009/08/05 07:58:50 | 000,199,264 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Common\FSM32.EXE
PRC - [2009/08/05 07:58:50 | 000,088,672 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Common\FSHDLL32.EXE
PRC - [2009/08/05 07:56:10 | 000,215,648 | ---- | M] (F-Secure Corporation) -- C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
PRC - [2009/05/11 15:46:04 | 001,348,144 | R--- | M] (Linksys, LLC) -- C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
PRC - [2009/04/10 22:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/04/10 22:27:28 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe
PRC - [2008/12/12 18:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
PRC - [2008/12/12 18:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
PRC - [2008/03/26 05:21:30 | 005,369,856 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/09/11 15:19:46 | 000,187,936 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvraidservice.exe
PRC - [2007/09/10 15:28:18 | 000,057,344 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
PRC - [2007/01/04 19:48:52 | 000,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2006/11/02 05:40:12 | 000,174,656 | R--- | M] () -- C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
PRC - [2006/06/14 11:58:00 | 000,061,440 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


========== Modules (SafeList) ==========

MOD - [2010/03/09 11:05:37 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Users\LindaG\Downloads\OTL.exe
MOD - [2009/08/05 07:58:30 | 000,330,336 | ---- | M] () -- \\?\c:\program files\shaw secure\hips\fshook32.dll
MOD - [2009/04/10 22:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (McAfee SiteAdvisor Service)
SRV - [2010/03/01 06:36:16 | 000,055,992 | ---- | M] (F-Secure Corporation) [On_Demand | Running] -- C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe -- (FSORSPClient)
SRV - [2010/02/28 00:54:36 | 000,522,848 | ---- | M] (F-Secure Corporation) [On_Demand | Running] -- C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe -- (FSDFWD)
SRV - [2010/02/09 18:07:15 | 001,181,328 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/09/26 07:35:02 | 000,819,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE -- (cvhsvc)
SRV - [2009/09/26 04:28:22 | 004,639,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE -- (osppsvc)
SRV - [2009/09/24 17:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/09/23 15:04:56 | 000,203,608 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2009/09/23 15:04:52 | 000,447,832 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2009/08/05 07:58:52 | 000,186,976 | ---- | M] (F-Secure Corporation) [Auto | Running] -- C:\Program Files\Shaw Secure\Common\FSMA32.EXE -- (FSMA)
SRV - [2009/08/05 07:56:10 | 000,215,648 | ---- | M] (F-Secure Corporation) [Auto | Running] -- C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe -- (F-Secure Gatekeeper Handler Starter)
SRV - [2008/12/12 18:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2008/01/20 18:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/21 07:51:26 | 000,086,016 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Windows\System32\nvsvc.dll -- (nvsvc)
SRV - [2007/09/10 15:28:18 | 000,057,344 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe -- (eRecoveryService)
SRV - [2007/01/04 19:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/11/02 05:40:12 | 000,174,656 | R--- | M] () [Auto | Running] -- C:\Program Files\Common Files\Protexis\License Service\PSIService.exe -- (ProtexisLicensing)
SRV - [2006/06/14 11:58:00 | 000,061,440 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


========== Driver Services (SafeList) ==========

DRV - [2010/02/28 00:47:53 | 000,033,920 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\system32\Drivers\fsbts.sys -- (fsbts)
DRV - [2010/02/28 00:47:26 | 000,107,104 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys -- (F-Secure Gatekeeper)
DRV - [2010/01/07 16:07:14 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/01/01 15:39:44 | 000,010,368 | ---- | M] (InterVideo, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\iviaspi.sys -- (Iviaspi)
DRV - [2009/12/02 15:23:40 | 000,149,040 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2009/12/02 15:23:40 | 000,042,368 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2009/12/02 05:19:06 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/11/04 16:54:12 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/11/04 16:54:12 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/11/04 16:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 16:54:12 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/04 16:53:40 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/09/27 23:12:22 | 009,509,832 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/09/23 15:04:56 | 000,021,848 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\Sftredirlh.sys -- (Sftredir)
DRV - [2009/09/23 15:04:56 | 000,014,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\drivers\SftVollh.sys -- (sftvol)
DRV - [2009/09/23 15:04:54 | 000,190,312 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\drivers\sftplaylh.sys -- (sftplay)
DRV - [2009/09/23 15:04:50 | 000,543,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\drivers\SftFSlh.sys -- (sftfs)
DRV - [2009/08/05 07:58:30 | 000,068,064 | ---- | M] (F-Secure Corporation) [Kernel | System | Running] -- C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys -- (F-Secure HIPS)
DRV - [2009/08/05 07:57:20 | 000,071,040 | ---- | M] (F-Secure Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\fsdfw.sys -- (FSFW)
DRV - [2009/08/05 07:57:12 | 000,035,680 | ---- | M] (F-Secure Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\fses.sys -- (FSES)
DRV - [2009/08/05 07:56:14 | 000,039,776 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\Program Files\Shaw Secure\Anti-Virus\win2k\fsfilter.sys -- (F-Secure Filter)
DRV - [2009/08/05 07:56:14 | 000,025,184 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\Program Files\Shaw Secure\Anti-Virus\win2k\fsrec.sys -- (F-Secure Recognizer)
DRV - [2009/08/05 07:56:12 | 000,012,384 | ---- | M] () [Kernel | System | Running] -- C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsvista.sys -- (fsvista)
DRV - [2009/05/11 05:52:18 | 000,724,992 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr28u.sys -- (netr28u)
DRV - [2009/04/10 20:42:54 | 000,073,216 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/12/12 18:05:18 | 000,026,416 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\purendis.sys -- (purendis)
DRV - [2008/12/12 18:05:18 | 000,024,880 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\pnarp.sys -- (pnarp)
DRV - [2008/03/26 10:35:54 | 002,103,512 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/03/16 11:34:15 | 000,006,144 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV - [2008/01/20 18:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 18:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 18:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 18:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 18:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 18:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 18:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 18:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 18:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 18:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/20 18:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 18:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 18:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 18:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 18:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 18:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 18:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 18:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 18:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 18:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 18:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 18:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 18:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 18:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 18:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/09/10 23:19:20 | 000,123,424 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvrd32.sys -- (nvrd32)
DRV - [2007/09/10 23:19:18 | 000,114,208 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/09/10 10:17:40 | 001,035,168 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2007/07/16 01:38:06 | 000,030,752 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
DRV - [2007/07/07 05:13:10 | 000,012,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2007/07/02 18:05:20 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15)
DRV - [2006/11/02 01:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 01:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 01:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 01:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 01:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 01:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 01:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 01:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 01:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 01:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 01:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 00:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 00:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 00:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 00:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 00:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 00:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/01 23:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/06/13 12:56:40 | 000,247,808 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastor.sys -- (iaStor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.ca.acer.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2615852987-2430271942-2810356380-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com [binary data]
IE - HKU\S-1-5-21-2615852987-2430271942-2810356380-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKU\S-1-5-21-2615852987-2430271942-2810356380-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2615852987-2430271942-2810356380-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2615852987-2430271942-2810356380-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.ca/"
FF - prefs.js..extensions.enabledItems: {9CE11043-9A15-4207-A565-0C94C42D590D}:2.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: litmus-ff@f-secure.com:1.10
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\firefox\
FF - HKLM\software\mozilla\Firefox\Extensions\\litmus-ff@f-secure.com: C:\Program Files\Shaw Secure\NRS\litmus-ff@f-secure.com [2010/02/28 00:47:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/09 16:42:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/28 01:37:46 | 000,000,000 | ---D | M]

[2010/02/09 16:42:17 | 000,000,000 | ---D | M] -- C:\Users\LindaG\AppData\Roaming\Mozilla\Extensions
[2010/01/16 21:17:30 | 000,000,000 | ---D | M] -- C:\Users\LindaG\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2010/03/08 21:55:08 | 000,000,000 | ---D | M] -- C:\Users\LindaG\AppData\Roaming\Mozilla\Firefox\Profiles\iyg1da3r.default\extensions
[2010/02/09 16:47:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\LindaG\AppData\Roaming\Mozilla\Firefox\Profiles\iyg1da3r.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/09 11:26:17 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2006/09/18 13:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 8\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (CDelHotkeys Object) - {78875F5C-A685-4405-8DC5-D48DC65452B0} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll (Yahoo!)
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No CLSID value found.
O2 - BHO: (Browsing Protection Class) - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\Shaw Secure\NRS\iescript\baselitmus.dll (F-Secure Corporation)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Browsing Protection Toolbar) - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\Shaw Secure\NRS\iescript\baselitmus.dll (F-Secure Corporation)
O3 - HKLM\..\Toolbar: (Delicious Toolbar) - {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll (Yahoo!)
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 8\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-2615852987-2430271942-2810356380-1000\..\Toolbar\ShellBrowser: (no name) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No CLSID value found.
O3 - HKU\S-1-5-21-2615852987-2430271942-2810356380-1000\..\Toolbar\WebBrowser: (Delicious Toolbar) - {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll (Yahoo!)
O3 - HKU\S-1-5-21-2615852987-2430271942-2810356380-1000\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [eRecoveryService] File not found
O4 - HKLM..\Run: [F-Secure Manager] C:\Program Files\Shaw Secure\Common\FSM32.EXE (F-Secure Corporation)
O4 - HKLM..\Run: [F-Secure TNB] C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe (F-Secure Corporation)
O4 - HKLM..\Run: [Linksys Wireless Manager] C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe (Linksys, LLC)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [NVRaidService] C:\Windows\System32\nvraidservice.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [shawnotify] c:\Program Files\shaw\Update\siuloader.exe (Shaw Cablesystems)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Delicious - {2C887991-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll (Yahoo!)
O9 - Extra Button: Bookmarks - {2C887992-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll (Yahoo!)
O9 - Extra Button: Tag - {2C887993-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll (Yahoo!)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: CabBuilder http://kiw.imgag.com/imgag/kiw/toolbar/dow...llerControl.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O20 - AppInit_DLLs: (C:\Windows\System32\FMAPO32.dll) - C:\Windows\System32\FMAPO32.dll File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\Acer02.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\Acer02.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 13:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{00d98849-ec23-11de-9377-00242104c1b9}\Shell\AutoRun\command - "" = J:\setup.exe -- File not found
O33 - MountPoints2\J\Shell\AutoRun\command - "" = J:\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/09 11:11:36 | 000,000,000 | ---D | C] -- C:\Users\LindaG\AppData\Roaming\Malwarebytes
[2010/03/09 11:11:30 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/09 11:11:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/03/09 11:11:28 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/09 11:11:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/07 12:11:56 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/03/06 23:41:32 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/03/04 14:13:41 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2010/03/03 09:53:31 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/02/28 11:26:24 | 000,000,000 | ---D | C] -- C:\Users\LindaG\AppData\Roaming\F-Secure
[2010/02/28 01:49:23 | 000,181,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/02/28 00:43:04 | 000,035,680 | ---- | C] (F-Secure Corporation) -- C:\Windows\System32\drivers\fses.sys
[2010/02/28 00:43:02 | 000,071,040 | ---- | C] (F-Secure Corporation) -- C:\Windows\System32\drivers\fsdfw.sys
[2010/02/28 00:43:01 | 000,572,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvcp50.dll
[2010/02/28 00:42:18 | 000,000,000 | ---D | C] -- C:\Program Files\Shaw Secure
[2010/02/28 00:40:41 | 000,000,000 | ---D | C] -- C:\ProgramData\fssg
[2010/02/28 00:40:04 | 000,000,000 | ---D | C] -- C:\ProgramData\f-secure
[2010/02/27 08:16:02 | 000,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2010/02/27 08:15:55 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/02/27 08:14:07 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_isv.dll
[2010/02/27 08:14:07 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc.dll
[2010/02/27 08:14:06 | 000,526,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_isv.exe
[2010/02/27 08:14:06 | 000,347,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp.exe
[2010/02/27 08:14:06 | 000,346,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp_isv.exe
[2010/02/27 08:14:05 | 000,518,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate.exe
[2010/02/27 08:14:05 | 000,332,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdrm.dll
[2010/02/27 08:14:05 | 000,152,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp_isv.dll
[2010/02/27 08:14:05 | 000,152,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp.dll
[2010/02/27 08:13:56 | 001,696,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\gameux.dll
[2010/02/27 08:13:55 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[2010/02/27 08:13:55 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2010/02/18 11:28:19 | 000,000,000 | ---D | C] -- C:\ProgramData\WinZip
[2010/02/18 11:28:16 | 000,000,000 | ---D | C] -- C:\Program Files\WinZip
[2010/02/10 16:21:39 | 001,314,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll
[2010/02/10 16:21:39 | 000,123,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvfw32.dll
[2010/02/10 16:21:39 | 000,091,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\avifil32.dll
[2010/02/10 16:21:39 | 000,082,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mciavi32.dll
[2010/02/09 18:08:15 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\Windows\System32\drivers\Lbd.sys
[2010/02/09 18:06:34 | 000,000,000 | -H-D | C] -- C:\ProgramData\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2010/02/09 18:06:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010/02/09 18:06:27 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/02/09 17:39:50 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/02/09 16:42:05 | 000,000,000 | ---D | C] -- C:\Users\LindaG\AppData\Local\Mozilla
[2010/02/08 16:54:48 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/02/07 22:56:25 | 000,000,000 | ---D | C] -- C:\Users\LindaG\AppData\Roaming\BitTorrent
[2010/02/07 22:56:22 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
[2010/02/07 22:56:16 | 000,000,000 | ---D | C] -- C:\Program Files\BitTorrent
[2010/02/07 22:49:07 | 000,000,000 | ---D | C] -- C:\Users\LindaG\AppData\Roaming\Participatory Culture Foundation

========== Files - Modified Within 30 Days ==========

[2010/03/09 11:37:34 | 004,194,304 | -HS- | M] () -- C:\Users\LindaG\ntuser.dat
[2010/03/09 11:35:20 | 001,471,780 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/03/09 11:35:20 | 000,544,002 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/03/09 11:35:20 | 000,005,692 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/03/09 11:31:48 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010/03/09 11:31:48 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Daily 4).job
[2010/03/09 11:31:48 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Daily 3).job
[2010/03/09 11:31:48 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Daily 2).job
[2010/03/09 11:31:48 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Daily 1).job
[2010/03/09 11:31:25 | 000,128,728 | ---- | M] () -- C:\Users\LindaG\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/03/09 11:30:30 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/09 11:30:30 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/09 11:30:29 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/09 11:30:23 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/09 11:29:26 | 000,524,288 | -HS- | M] () -- C:\Users\LindaG\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/03/09 11:29:26 | 000,065,536 | -HS- | M] () -- C:\Users\LindaG\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/03/09 11:29:18 | 002,616,361 | -H-- | M] () -- C:\Users\LindaG\AppData\Local\IconCache.db
[2010/03/09 11:11:34 | 000,000,822 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/08 13:20:15 | 000,017,908 | ---- | M] () -- C:\Users\LindaG\Documents\Services.docx
[2010/03/08 02:10:49 | 003,006,145 | ---- | M] () -- C:\Users\LindaG\Documents\Polymer clay samples.pptx
[2010/03/07 14:49:06 | 000,032,356 | ---- | M] () -- C:\Users\LindaG\Documents\trojans_list.png
[2010/03/07 14:05:39 | 000,000,000 | ---- | M] () -- C:\Users\LindaG\defogger_reenable
[2010/03/07 14:04:57 | 000,000,080 | ---- | M] () -- C:\Users\LindaG\Desktop\Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help.URL
[2010/03/07 12:25:13 | 000,030,208 | ---- | M] () -- C:\Users\LindaG\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/07 11:27:30 | 000,052,668 | ---- | M] () -- C:\Users\LindaG\Documents\cc_20100307_112711.reg
[2010/03/06 23:41:37 | 000,001,674 | ---- | M] () -- C:\Users\LindaG\Desktop\CCleaner.lnk
[2010/03/06 19:05:00 | 002,321,970 | ---- | M] () -- C:\Users\LindaG\Documents\dl.tif
[2010/03/04 14:49:35 | 000,015,067 | ---- | M] () -- C:\Users\LindaG\Documents\Spanish Lyrics.docx
[2010/03/03 16:52:27 | 000,045,717 | ---- | M] () -- C:\Users\LindaG\Documents\Dec 003-s.jpg
[2010/03/03 09:53:31 | 000,000,946 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk
[2010/03/03 09:30:41 | 000,002,524 | -HS- | M] () -- C:\Users\LindaG\AppData\Roaming\02000000a5b2498b772P.manifest
[2010/03/03 09:30:41 | 000,000,344 | -HS- | M] () -- C:\Users\LindaG\AppData\Roaming\02000000a5b2498b772C.manifest
[2010/03/03 09:30:25 | 000,000,784 | -HS- | M] () -- C:\Users\LindaG\AppData\Roaming\02000000a5b2498b772O.manifest
[2010/03/03 09:30:25 | 000,000,011 | -HS- | M] () -- C:\Users\LindaG\AppData\Roaming\02000000a5b2498b772S.manifest
[2010/02/28 16:00:44 | 000,000,071 | ---- | M] () -- C:\Users\LindaG\AppData\Roaming\876682d
[2010/02/28 05:04:17 | 000,440,592 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/02/28 00:47:53 | 000,033,920 | ---- | M] () -- C:\Windows\System32\drivers\fsbts.sys
[2010/02/28 00:45:27 | 000,002,021 | ---- | M] () -- C:\Users\Public\Desktop\Shaw Secure.lnk
[2010/02/28 00:38:26 | 000,000,680 | ---- | M] () -- C:\Users\LindaG\AppData\Local\d3d9caps.dat
[2010/02/24 09:16:06 | 000,181,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/02/18 11:28:36 | 000,001,858 | ---- | M] () -- C:\Users\Public\Desktop\WinZip.lnk
[2010/02/18 11:28:36 | 000,001,792 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2010/02/17 09:57:07 | 000,422,283 | ---- | M] () -- C:\Users\LindaG\Documents\Proposal for Best Buy Canada.docx
[2010/02/14 12:27:41 | 000,001,170 | ---- | M] () -- C:\Users\LindaG\Desktop\GoToMeeting.lnk
[2010/02/10 19:58:27 | 000,015,613 | ---- | M] () -- C:\Users\LindaG\Documents\TLG Creations - Labels.docx
[2010/02/09 18:08:10 | 000,015,880 | ---- | M] () -- C:\Windows\System32\lsdelete.exe
[2010/02/09 18:06:33 | 000,001,011 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/02/09 16:42:00 | 000,001,728 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/02/09 13:42:05 | 000,000,180 | ---- | M] () -- C:\Users\LindaG\Desktop\Vancouver Sun.url
[2010/02/09 13:33:28 | 000,000,162 | ---- | M] () -- C:\Users\LindaG\Desktop\CNN.com.url
[2010/02/07 22:56:27 | 000,000,854 | ---- | M] () -- C:\Users\Public\Desktop\BitTorrent.lnk

========== Files Created - No Company Name ==========

[2010/03/09 11:31:48 | 000,000,370 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010/03/09 11:31:48 | 000,000,370 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Daily 4).job
[2010/03/09 11:31:48 | 000,000,370 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Daily 3).job
[2010/03/09 11:31:48 | 000,000,370 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Daily 2).job
[2010/03/09 11:31:44 | 000,000,370 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Daily 1).job
[2010/03/09 11:11:34 | 000,000,822 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/08 13:12:40 | 000,017,908 | ---- | C] () -- C:\Users\LindaG\Documents\Services.docx
[2010/03/08 00:49:26 | 003,006,145 | ---- | C] () -- C:\Users\LindaG\Documents\Polymer clay samples.pptx
[2010/03/07 14:49:05 | 000,032,356 | ---- | C] () -- C:\Users\LindaG\Documents\trojans_list.png
[2010/03/07 14:05:39 | 000,000,000 | ---- | C] () -- C:\Users\LindaG\defogger_reenable
[2010/03/07 14:04:57 | 000,000,080 | ---- | C] () -- C:\Users\LindaG\Desktop\Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help.URL
[2010/03/07 11:30:17 | 000,113,384 | ---- | C] () -- C:\Users\LindaG\AppData\Local\edsinstaller.txt-20100307.log
[2010/03/07 11:27:22 | 000,052,668 | ---- | C] () -- C:\Users\LindaG\Documents\cc_20100307_112711.reg
[2010/03/06 23:41:37 | 000,001,674 | ---- | C] () -- C:\Users\LindaG\Desktop\CCleaner.lnk
[2010/03/06 19:05:00 | 002,321,970 | ---- | C] () -- C:\Users\LindaG\Documents\dl.tif
[2010/03/04 14:49:34 | 000,015,067 | ---- | C] () -- C:\Users\LindaG\Documents\Spanish Lyrics.docx
[2010/03/03 16:52:27 | 000,045,717 | ---- | C] () -- C:\Users\LindaG\Documents\Dec 003-s.jpg
[2010/03/03 09:53:31 | 000,000,946 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk
[2010/02/28 00:45:27 | 000,002,021 | ---- | C] () -- C:\Users\Public\Desktop\Shaw Secure.lnk
[2010/02/28 00:43:38 | 000,033,920 | ---- | C] () -- C:\Windows\System32\drivers\fsbts.sys
[2010/02/18 11:28:36 | 000,001,858 | ---- | C] () -- C:\Users\Public\Desktop\WinZip.lnk
[2010/02/18 11:28:36 | 000,001,792 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2010/02/17 09:57:06 | 000,422,283 | ---- | C] () -- C:\Users\LindaG\Documents\Proposal for Best Buy Canada.docx
[2010/02/10 19:58:26 | 000,015,613 | ---- | C] () -- C:\Users\LindaG\Documents\TLG Creations - Labels.docx
[2010/02/09 19:00:52 | 000,015,880 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2010/02/09 18:06:33 | 000,001,011 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/02/09 16:42:00 | 000,001,728 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/02/08 18:51:36 | 000,000,071 | ---- | C] () -- C:\Users\LindaG\AppData\Roaming\876682d
[2010/02/08 16:54:41 | 000,002,524 | -HS- | C] () -- C:\Users\LindaG\AppData\Roaming\02000000a5b2498b772P.manifest
[2010/02/08 16:54:41 | 000,000,784 | -HS- | C] () -- C:\Users\LindaG\AppData\Roaming\02000000a5b2498b772O.manifest
[2010/02/08 16:54:41 | 000,000,344 | -HS- | C] () -- C:\Users\LindaG\AppData\Roaming\02000000a5b2498b772C.manifest
[2010/02/08 16:54:41 | 000,000,011 | -HS- | C] () -- C:\Users\LindaG\AppData\Roaming\02000000a5b2498b772S.manifest
[2010/02/07 22:56:27 | 000,000,854 | ---- | C] () -- C:\Users\Public\Desktop\BitTorrent.lnk
[2010/01/01 17:30:38 | 000,002,828 | -HS- | C] () -- C:\Windows\System32\KGyGaAvL.sys
[2010/01/01 17:30:38 | 000,000,008 | RHS- | C] () -- C:\Windows\System32\036A521117.sys
[2010/01/01 15:44:10 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2010/01/01 15:44:10 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2010/01/01 15:44:10 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2010/01/01 15:44:10 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2010/01/01 15:44:10 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2010/01/01 15:44:10 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2010/01/01 15:42:04 | 000,001,237 | ---- | C] () -- C:\Program Files\WinDVDSetup.iss
[2010/01/01 15:39:28 | 000,000,328 | ---- | C] () -- C:\Program Files\GuideMenuSetup.iss
[2009/12/27 23:14:08 | 000,000,672 | ---- | C] () -- C:\Program Files\RejoinCommandLine.txt
[2009/12/27 13:54:26 | 000,025,819 | ---- | C] () -- C:\Windows\maxlink.ini
[2009/12/22 02:52:35 | 000,819,200 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/12/22 02:52:35 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/12/22 02:17:59 | 000,030,208 | ---- | C] () -- C:\Users\LindaG\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/19 12:52:30 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/12/18 02:03:01 | 000,072,192 | ---- | C] () -- C:\Windows\System32\zlib.dll
[2009/12/18 00:09:22 | 000,034,990 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/12/18 00:09:22 | 000,000,008 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/12/17 22:26:04 | 000,000,044 | ---- | C] () -- C:\Windows\Acer(Normal).ini
[2009/12/17 22:26:04 | 000,000,042 | ---- | C] () -- C:\Windows\Acer(Wide).ini
[2009/12/17 22:18:54 | 000,000,680 | ---- | C] () -- C:\Users\LindaG\AppData\Local\d3d9caps.dat
[2008/03/16 12:42:41 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN4.dll
[2008/03/16 12:10:10 | 000,015,656 | ---- | C] () -- C:\Windows\System32\drivers\int15_64.sys
[2008/03/16 11:03:42 | 000,001,108 | ---- | C] () -- C:\Windows\generic.ini
[2008/03/16 11:03:42 | 000,000,134 | ---- | C] () -- C:\Windows\Alaunch.ini
[2006/11/02 04:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/01 23:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2002/08/12 09:19:42 | 000,101,376 | ---- | C] () -- C:\Windows\System32\Welsof32.dll
[2002/01/08 16:57:34 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Jpeg32.dll
[2001/12/26 14:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001/09/03 21:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001/07/30 14:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001/07/23 20:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:DFC5A2B2
< End of report >

Extra.txt
OTL Extras logfile created on: 09/03/2010 11:38:19 AM - Run 1
OTL by OldTimer - Version 3.1.35.0 Folder = C:\Users\LindaG\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 52.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 216.09 Gb Total Space | 158.39 Gb Free Space | 73.30% Space Free | Partition Type: NTFS
Drive D: | 69.50 Gb Total Space | 69.06 Gb Free Space | 99.38% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LINDAG-PC
Current User Name: LindaG
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2615852987-2430271942-2810356380-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{849E4BA9-5902-49B8-AC9F-002DC0CE1840}" = lport=2869 | protocol=6 | dir=in | app=system |
"{B9E62CDA-C518-44A0-8951-C5B58BDDEA8B}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{23989A92-EE88-458C-BD91-13353ECC5221}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{35E30491-59B2-42B8-A466-209521D08FE2}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{559BE541-34E1-4BD0-91C8-BE9555D45A9E}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{9E8D7EDE-2C96-4FC6-B006-BD87BAF2A090}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{A0160B7C-FD2F-4A7A-9C7A-8EC8475B34A2}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{B03EFF91-2428-4D04-8109-72E39DD3B0D5}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{BB7ABF8A-9F17-48AC-B01F-FAD3C2DEFE45}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{E1A9EC43-49F7-4BF8-BAC4-1DE2292B26DE}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{F2486135-95C5-4520-9C16-2ED48A37FA00}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01358C56-44F4-B8B3-8757-06F2A864A863}" = ATI Catalyst Install Manager
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{1598034D-7147-432C-8CA8-888E0632D124}" = NTI Backup NOW! 4.7
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{20140000-006D-0409-0000-0000000FF1CE}" = Microsoft Office Click-to-Run 2010 (Beta)
"{20140062-0062-0409-0000-0000000FF1CE}" = Microsoft Office Home and Business 2010 (Beta) - English
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{54F6C98F-94A0-421C-B90E-0B6A2A96A9CF}" = Pure Networks Platform
"{5A447CFB-B64E-4D3C-9744-2EA44EFB8F97}" = BlackBerry Device Software Updater
"{5C47C8B6-77FF-4FC7-A388-66FCF9CFC24C}" = Snagit 9.1.3
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D299DC3-31E2-45C6-8E36-263A2AB1CE8C}" = InterVideo WinDVD SE
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72E3FF67-450F-4ADD-99A7-4147780F6C7B}_is1" = Shaw Support 3.1.30
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110113233}" = Bookworm Deluxe
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110322783}" = Big Kahuna Reef
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110411970}" = Chuzzle
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111118433}" = Mystery Case Files - Huntsville
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111199750}" = Cake Mania
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111252743}" = Mahjong Escape Ancient China
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111543617}" = Backspin Billiards
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111692950}" = Mahjongg Artifacts
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111872660}" = Diner Dash Flo on the Go
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112920767}" = Alice Greenfingers
"{83104339-BF03-4ECA-910F-7B5344717EB5}" = GuideMenu
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1C4EE2B-DF14-4488-BC8A-F9336D588E97}" = SnagIt 8
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{AEF2D1F3-0696-11D5-8E6A-00C04F7FA234}" = PaperPort 8.0 SE
"{B28759B8-5FC6-4F56-9C6C-6EDAD36455A9}" = Roxio Media Manager
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240BB}" = WinZip 14.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1
"{CE5E3F15-320A-4865-97D3-F07227C5BB2F}" = BlackBerry Desktop Software 4.5
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{DFF56DFF-F703-467C-AF1D-B8FAA99C7416}" = Ulead DVD MovieFactory SE
"{E2E7A0E8-77C4-495F-8FA3-63DAEDAA2DB3}" = F-Secure PSC Prerequisites
"{E590FD1C-E8C6-4D2E-8CA9-77B403F7EE01}" = Microsoft Antimalware
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}" = iTunes
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Acer Assist" = Acer Assist
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"BitTorrent" = BitTorrent
"BlackBerry_{CE5E3F15-320A-4865-97D3-F07227C5BB2F}" = BlackBerry Desktop Software 4.5
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CCleaner" = CCleaner
"Delicious Add-on for Internet Explorer" = Delicious Add-on for Internet Explorer
"FileZilla Client" = FileZilla Client 3.3.1
"F-Secure Product 444" = Shaw Secure
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"InstallShield_{1598034D-7147-432C-8CA8-888E0632D124}" = NTI Backup NOW! 4.7
"InstallShield_{6D299DC3-31E2-45C6-8E36-263A2AB1CE8C}" = InterVideo WinDVD SE
"InstallShield_{83104339-BF03-4ECA-910F-7B5344717EB5}" = Corel GuideMenu
"LimeWire" = LimeWire 5.4.6
"Linksys Wireless Manager" = Linksys Wireless Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"NVIDIA Drivers" = NVIDIA Drivers
"Office14.Click2Run" = Microsoft Office Click-to-Run 2010 (Beta)
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RealPlayer 12.0" = RealPlayer
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"Shaw Internet Update_is1" = Shaw Internet Update 3.3.1
"WinLiveSuite_Wave3" = Windows Live Essentials
"Xvid_is1" = Xvid 1.2.2 final uninstall
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2615852987-2430271942-2810356380-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.5.0.452

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 07/03/2010 9:43:01 PM | Computer Name = LindaG-PC | Source = Application Error | ID = 1000
Description = Faulting application DllHost.exe, version 6.0.6000.16386, time stamp
0x4549b14e, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x7ffa0000, process id 0x1764, application start time
0x01cabe60b0469f2a.

Error - 07/03/2010 9:43:03 PM | Computer Name = LindaG-PC | Source = Application Error | ID = 1000
Description = Faulting application POWERPNT.EXE, version 0.0.0.0, time stamp 0x4ae9d40b,
faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code
0xc0000005, fault offset 0x7ffa0000, process id 0x132c, application start time 0x01cabe60b17c11ea.

Error - 07/03/2010 9:43:06 PM | Computer Name = LindaG-PC | Source = Application Error | ID = 1000
Description = Faulting application DllHost.exe, version 6.0.6000.16386, time stamp
0x4549b14e, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x7ffa0000, process id 0x5dc, application start time
0x01cabe60b2e3818a.

Error - 07/03/2010 9:43:16 PM | Computer Name = LindaG-PC | Source = Application Error | ID = 1000
Description = Faulting application POWERPNT.EXE, version 0.0.0.0, time stamp 0x4ae9d40b,
faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code
0xc0000005, fault offset 0x7ffa0000, process id 0x1200, application start time 0x01cabe60b8ba610a.

Error - 07/03/2010 9:44:33 PM | Computer Name = LindaG-PC | Source = Application Error | ID = 1000
Description = Faulting application DllHost.exe, version 6.0.6000.16386, time stamp
0x4549b14e, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x7ffa0000, process id 0x910, application start time
0x01cabe60e736962a.

Error - 07/03/2010 9:44:46 PM | Computer Name = LindaG-PC | Source = Application Error | ID = 1000
Description = Faulting application DllHost.exe, version 6.0.6000.16386, time stamp
0x4549b14e, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x7ffa0000, process id 0x131c, application start time
0x01cabe60eede74ba.

Error - 07/03/2010 9:44:49 PM | Computer Name = LindaG-PC | Source = Application Error | ID = 1000
Description = Faulting application DllHost.exe, version 6.0.6000.16386, time stamp
0x4549b14e, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x7ffa0000, process id 0x16f8, application start time
0x01cabe60f07f055a.

Error - 07/03/2010 9:44:52 PM | Computer Name = LindaG-PC | Source = Application Error | ID = 1000
Description = Faulting application Defogger.exe, version 0.0.0.0, time stamp 0x4b83f390,
faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code
0xc0000005, fault offset 0x7ffa0000, process id 0x1054, application start time 0x01cabe60f21d349a.

Error - 07/03/2010 9:45:09 PM | Computer Name = LindaG-PC | Source = Application Error | ID = 1000
Description = Faulting application DllHost.exe, version 6.0.6000.16386, time stamp
0x4549b14e, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x7ffa0000, process id 0xa7c, application start time
0x01cabe60fc5f55aa.

Error - 07/03/2010 9:45:12 PM | Computer Name = LindaG-PC | Source = Application Error | ID = 1000
Description = Faulting application DllHost.exe, version 6.0.6000.16386, time stamp
0x4549b14e, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x7ffa0000, process id 0xa90, application start time
0x01cabe60fdfd84ea.

[ System Events ]
Error - 18/02/2010 2:00:27 PM | Computer Name = LindaG-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 18/02/2010 2:00:55 PM | Computer Name = LindaG-PC | Source = DCOM | ID = 10005
Description =

Error - 18/02/2010 2:01:03 PM | Computer Name = LindaG-PC | Source = DCOM | ID = 10005
Description =

Error - 18/02/2010 2:01:04 PM | Computer Name = LindaG-PC | Source = DCOM | ID = 10005
Description =

Error - 18/02/2010 2:01:04 PM | Computer Name = LindaG-PC | Source = DCOM | ID = 10005
Description =

Error - 18/02/2010 2:01:04 PM | Computer Name = LindaG-PC | Source = DCOM | ID = 10005
Description =

Error - 18/02/2010 2:01:04 PM | Computer Name = LindaG-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 18/02/2010 2:01:04 PM | Computer Name = LindaG-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 18/02/2010 2:01:38 PM | Computer Name = LindaG-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 18/02/2010 2:03:16 PM | Computer Name = LindaG-PC | Source = Service Control Manager | ID = 7009
Description =


< End of report >


I am fine to wait patiently for whenever you have time to help. Again, many thanks for your generous help.
Linda in Vancouver, Canada

Attached Files



#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:53 AM

Posted 10 March 2010 - 09:31 AM

Hi Linda,

before we continue, please read some of the issues I found on your logs.

First:
Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case BitTorrent and LimeWire).
These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."




Second:
I strongly suggest that you uninstall Ask Toolbar. Some of the bad practices of this toolbar are:
  1. Promoting its toolbars on sites targeted to kids. Details.
  2. Promoting its toolbars through ads that appear to be part of other companies' sites. Details.
  3. Promoting its toolbars through other companies' spyware. Details.
  4. Installing without any disclosure whatsoever and without any consent whatsoever. Details.
  5. Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link. Details.
  6. Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit. Details.
Please read the full details HERE.



Third:
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
*Registry tools can cause irreparable damage to your Operating System
*Registry tools can, as a result of the above, render your pc to be inoperable.

This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.

Cleaning the registry won't really improve system performance, even though there a lot of orphaned keys.
IMHO, if registry cleaning was required, then Microsoft would have added this option. So you use registry at you own risk. After all, a corrupted registry is a corrupted Windows.

Registry Cleaners and System Tweaking Tools



+++++++++++++++++++++++


Now, let's continue.....




1. Please run your Malwarebytes Anti-Malware. Go to update tab and download all updates and then perform a full scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



2. Download Combofix (by Subs) from any of the links below, and save it to your desktop.
Link 1
Link 2
  • Temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    • It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note**
*If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
**Please note**
*Leave your computer alone while ComboFix is running.
*ComboFix will restart your computer if malware is found; allow it to do so.
*Please Do NOT mouseclick combofix's window while its running because it may call it to stall.


Warning!
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper, *** If your are not the topic starter DO NOT run this tool as it could cause irreversible damage to your computer.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



~Semp





~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 LindaG-Van

LindaG-Van
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:53 PM

Posted 10 March 2010 - 04:30 PM

Hello Sempai,

Thank you for your considered thoughts and suggestions regarding software that you see on my system. I understand your position on the use of BitTorrents and Limewire, however I use these predominantly to download TV programs and series that I have missed. In 5 years of doing so, I have never had a problem. I know exactly how I got infected with the Trojan and it had to do with me crossing my ethical boundary and downloading a free version of a utility that is normally charged for. I sure won't make that mistake again!
I uninstalled the AskToolbar, (after running ComboFix, I forgot to do so prior). It was only a minor annoyance for me however combined with your suggestions, not worth keeping. The Registry Cleaner . . . . again, I understand your position. However, I have very little faith in Microsoft and do not agree that they would incorporate such a tool if it were necessary. Given the size of the organization, the constant updates and the basic design of their software engine (built on top of a DOS operating system) I do not believe they are committed to keeping their Registry clean and compact. IMHO their primary objective is Sales, not clean and well functioning software. I appreciate your suggestions however will continue to use my registry programs and have done so for several years with very satisfactory results.

I have performed the steps you suggested, (1) update and run a full Malware scan and then (2) disable all protection and monitoring and run ComboFix. I am copying the contents of both logs to here.

Malwarebytes' Anti-Malware 1.44
Database version: 3849
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

10/03/2010 12:42:16 PM
mbam-log-2010-03-10 (12-42-16).txt

Scan type: Full Scan (C:\|D:\|Q:\|)
Objects scanned: 188379
Time elapsed: 37 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



ComboFix 10-03-10.02 - LindaG 10/03/2010 12:46:52.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3071.1268 [GMT -8:00]
Running from: c:\users\LindaG\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\LindaG\AppData\Roaming\.#
c:\users\LindaG\AppData\Roaming\02000000a5b2498b772C.manifest
c:\users\LindaG\AppData\Roaming\02000000a5b2498b772O.manifest
c:\users\LindaG\AppData\Roaming\02000000a5b2498b772P.manifest
c:\users\LindaG\AppData\Roaming\02000000a5b2498b772S.manifest

.
((((((((((((((((((((((((( Files Created from 2010-02-10 to 2010-03-10 )))))))))))))))))))))))))))))))
.

2010-03-10 20:51 . 2010-03-10 20:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-10 20:45 . 2010-03-10 20:45 -------- d-----w- C:\32788R22FWJFW
2010-03-10 18:47 . 2010-03-10 18:47 439816 ----a-w- c:\users\LindaG\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-03-09 22:11 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-03-09 22:11 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-03-09 19:11 . 2010-03-09 19:11 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-09 19:11 . 2010-03-09 19:11 -------- d-----w- c:\users\LindaG\AppData\Roaming\Malwarebytes
2010-03-09 19:11 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-09 19:11 . 2010-03-09 19:11 -------- d-----w- c:\programdata\Malwarebytes
2010-03-09 19:11 . 2010-03-09 19:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-09 19:11 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-07 07:41 . 2010-03-07 07:41 -------- d-----w- c:\program files\CCleaner
2010-03-04 22:13 . 2010-03-04 22:13 -------- d-----w- c:\programdata\WindowsSearch
2010-03-03 17:53 . 2010-03-03 17:53 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-02-28 19:26 . 2010-02-28 19:26 -------- d-----w- c:\users\LindaG\AppData\Roaming\F-Secure
2010-02-28 09:49 . 2010-02-24 17:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-28 08:43 . 2010-02-28 08:47 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-02-28 08:43 . 2009-08-05 15:57 35680 ----a-w- c:\windows\system32\drivers\fses.sys
2010-02-28 08:43 . 2009-08-05 15:57 71040 ----a-w- c:\windows\system32\drivers\fsdfw.sys
2010-02-28 08:43 . 2009-08-05 15:59 572512 ----a-w- c:\windows\system32\msvcp50.dll
2010-02-28 08:42 . 2010-02-28 08:55 -------- d-----w- c:\program files\Shaw Secure
2010-02-28 08:40 . 2010-02-28 08:41 -------- d-----w- c:\programdata\fssg
2010-02-28 08:40 . 2010-02-28 08:42 -------- d-----w- c:\programdata\f-secure
2010-02-27 16:15 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-27 16:14 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-27 16:14 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-27 16:14 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-27 16:14 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-27 16:14 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-27 16:14 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-27 16:14 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-27 16:14 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-27 16:14 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-27 16:13 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-27 16:13 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-27 16:13 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-18 19:28 . 2010-02-18 19:28 -------- d-----w- c:\programdata\WinZip
2010-02-10 03:00 . 2010-02-10 02:08 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-10 02:08 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-10 02:08 . 2010-02-10 02:08 862040 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-02-10 02:08 . 2010-02-10 02:08 15880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-02-10 02:08 . 2010-02-10 02:08 206944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-02-10 02:08 . 2010-02-10 02:08 390288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-02-10 02:08 . 2010-02-10 02:08 537576 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-02-10 02:08 . 2010-02-10 02:08 389784 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-02-10 02:08 . 2010-02-10 02:08 163728 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-02-10 02:07 . 2010-02-10 02:07 6296864 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2010-02-10 02:07 . 2010-02-10 02:07 327000 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-02-10 02:07 . 2010-02-10 02:07 87496 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-02-10 02:07 . 2010-02-10 02:07 933120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-02-10 02:07 . 2010-03-01 08:08 3803208 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-10 02:07 . 2010-02-10 02:07 816784 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-02-10 02:07 . 2010-02-10 02:07 823928 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-10 02:07 . 2010-02-10 02:07 1643272 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-02-10 02:07 . 2010-02-10 02:07 788880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-02-10 02:07 . 2010-02-10 02:07 1181328 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-02-10 02:06 . 2010-02-10 02:06 -------- dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-10 02:06 . 2009-12-07 14:10 2953352 -c--a-w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-02-10 02:06 . 2010-02-10 02:08 -------- d-----w- c:\programdata\Lavasoft
2010-02-10 02:06 . 2010-02-10 02:06 -------- d-----w- c:\program files\Lavasoft
2010-02-10 00:42 . 2010-02-10 00:42 -------- d-----w- c:\users\LindaG\AppData\Local\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-10 18:48 . 2009-12-18 06:19 128728 ----a-w- c:\users\LindaG\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-10 11:16 . 2010-01-16 03:47 -------- d-----w- c:\users\LindaG\AppData\Roaming\SoftGrid Client
2010-03-07 19:37 . 2009-12-18 08:28 -------- d-----w- c:\users\LindaG\AppData\Roaming\Delicious IE Extension
2010-03-07 19:31 . 2008-03-16 19:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-07 19:31 . 2008-03-16 19:45 -------- d-----w- c:\program files\Acer Arcade Live
2010-03-07 19:31 . 2008-03-16 19:47 -------- d-----w- c:\programdata\CyberLink
2010-03-03 07:35 . 2010-01-17 05:17 -------- d-----w- c:\users\LindaG\AppData\Roaming\LimeWire
2010-02-28 08:45 . 2008-03-16 20:04 -------- d-----w- c:\programdata\McAfee
2010-02-28 08:45 . 2008-03-16 20:04 -------- d-----w- c:\program files\McAfee
2010-02-28 08:38 . 2009-12-18 06:18 680 ----a-w- c:\users\LindaG\AppData\Local\d3d9caps.dat
2010-02-28 00:00 . 2010-01-18 18:22 -------- d-----w- c:\programdata\Apple
2010-02-27 16:15 . 2010-01-16 05:58 -------- d-----w- c:\programdata\VirtualizedApplications
2010-02-11 12:06 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-08 16:03 . 2010-02-08 06:56 -------- d-----w- c:\users\LindaG\AppData\Roaming\BitTorrent
2010-02-08 06:56 . 2010-02-08 06:56 -------- d-----w- c:\program files\Ask.com
2010-02-08 06:56 . 2010-02-08 06:56 -------- d-----w- c:\program files\BitTorrent
2010-02-08 06:49 . 2010-02-08 06:49 -------- d-----w- c:\users\LindaG\AppData\Roaming\Participatory Culture Foundation
2010-02-02 16:21 . 2010-02-02 16:20 -------- d-----w- c:\program files\iTunes
2010-02-02 16:20 . 2010-02-02 16:20 -------- d-----w- c:\program files\iPod
2010-02-02 16:20 . 2010-01-18 18:22 -------- d-----w- c:\program files\Common Files\Apple
2010-02-02 16:17 . 2010-02-02 16:17 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-28 21:01 . 2010-01-27 21:45 -------- d-----w- c:\program files\SnagIt 8
2010-01-27 21:45 . 2010-01-27 21:45 -------- d-----w- c:\programdata\TechSmith
2010-01-18 18:40 . 2010-01-18 18:25 -------- d-----w- c:\users\LindaG\AppData\Roaming\Apple Computer
2010-01-18 18:25 . 2010-01-18 18:25 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-18 18:25 . 2010-01-18 18:23 -------- d-----w- c:\programdata\Apple Computer
2010-01-18 18:24 . 2010-01-18 18:24 -------- d-----w- c:\program files\Bonjour
2010-01-18 18:24 . 2010-01-18 18:23 -------- d-----w- c:\program files\QuickTime
2010-01-18 18:23 . 2010-01-18 18:23 -------- d-----w- c:\program files\Apple Software Update
2010-01-17 12:03 . 2010-01-17 05:16 -------- d-----w- c:\program files\LimeWire
2010-01-16 23:19 . 2010-01-16 23:19 -------- d-----w- c:\programdata\shaw
2010-01-16 23:19 . 2009-12-18 10:03 -------- d-----w- c:\program files\shaw
2010-01-16 03:47 . 2010-01-16 03:47 -------- d-----w- c:\users\LindaG\AppData\Roaming\NVD
2010-01-16 03:47 . 2010-01-16 03:45 -------- d-----w- c:\users\LindaG\AppData\Roaming\TP
2010-01-16 03:46 . 2010-01-16 03:46 -------- d-----w- c:\program files\Microsoft Application Virtualization Client
2010-01-16 02:51 . 2008-03-16 19:28 -------- d-----w- c:\programdata\Microsoft Help
2010-01-16 00:41 . 2010-01-16 00:41 -------- d-----w- c:\users\LindaG\AppData\Roaming\Blackberry Desktop
2010-01-15 19:11 . 2010-01-15 18:54 -------- d-----w- c:\users\LindaG\AppData\Roaming\FileZilla
2010-01-15 18:54 . 2010-01-15 18:54 -------- d-----w- c:\program files\FileZilla FTP Client
2010-01-12 23:42 . 2010-01-12 23:42 -------- d-----w- c:\program files\Citrix
2010-01-12 23:42 . 2010-01-12 23:42 72080 ----a-w- c:\users\LindaG\g2mdlhlpx.exe
2010-01-06 15:38 . 2010-02-27 16:13 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-27 16:13 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 15:38 . 2010-02-27 16:13 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-27 16:13 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-04 23:28 . 2010-01-04 23:28 53248 ----a-r- c:\users\LindaG\AppData\Roaming\Microsoft\Installer\{5A447CFB-B64E-4D3C-9744-2EA44EFB8F97}\ARPPRODUCTICON.exe
2010-01-02 12:45 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-02 06:38 . 2010-01-21 19:44 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 19:44 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-21 19:44 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-21 19:44 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-01-02 01:48 . 2010-01-02 01:30 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-02 01:30 . 2010-01-02 01:30 8 --sha-r- c:\windows\system32\036A521117.sys
2010-01-01 23:39 . 2010-01-01 23:41 10368 ----a-w- c:\windows\system32\drivers\iviaspi.sys
2009-12-29 21:12 . 2009-12-29 21:12 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-28 07:14 . 2009-12-28 07:14 672 ----a-w- c:\program files\RejoinCommandLine.txt
2009-12-28 07:09 . 2009-12-28 07:08 70920 ----a-w- c:\programdata\CA-SupportBridge\Customer_rc.dll
2009-12-28 07:08 . 2009-12-28 07:08 626440 ----a-w- c:\programdata\CA-SupportBridge\Customer.exe
2009-12-28 07:08 . 2009-12-28 07:08 599304 ----a-w- c:\programdata\CA-SupportBridge\Controller.exe
2009-12-28 07:08 . 2009-12-28 07:08 353544 ----a-w- c:\programdata\CA-SupportBridge\SoftwareUpdater.exe
2009-12-28 07:08 . 2009-12-28 07:08 632072 ----a-w- c:\programdata\CA-SupportBridge\msvcr80.dll
2009-12-18 08:09 . 2009-12-18 08:09 34990 ----a-w- c:\programdata\nvModes.dat
2009-12-18 06:20 . 2008-03-16 19:25 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-12-18 01:46 . 2008-03-16 19:03 1908 ----a-w- c:\windows\CLEANUP.CMD
2009-12-11 11:43 . 2010-02-11 00:21 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 11:43 . 2010-02-11 00:21 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2007-04-25 08:49 . 2010-01-01 23:39 328 ------w- c:\program files\GuideMenuSetup.iss
2007-04-06 03:28 . 2010-01-01 23:42 1237 ------w- c:\program files\WinDVDSetup.iss
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-01-20 18:34 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1c99b848-84cb-4ce4-8cd8-ed5719484d9f}"= "mscoree.dll" [2009-03-30 278848]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-01-20 1197448]

[HKEY_CLASSES_ROOT\clsid\{1c99b848-84cb-4ce4-8cd8-ed5719484d9f}]
[HKEY_CLASSES_ROOT\UnifiedToolbar.UnifiedToolbar]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-01-20 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-26 5369856]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2007-09-11 187936]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-05-11 1348144]
"shawnotify"="c:\progra~1\shaw\update\siuloader.exe" [2009-08-26 378152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-28 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-29 149280]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-07 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2009-08-05 199264]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2009-08-05 2349664]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-08 1394000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Shaw Support.lnk - c:\program files\shaw\bin\shawsupport.exe [2010-1-16 1275240]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ASETRES.EXE]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ASETRES.EXE
backup=c:\windows\pss\ASETRES.EXE.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:2e,00,bf,9e,23,8b,ca,01

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-02-10 1181328]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [x]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [2010-03-01 55992]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2007-07-16 30752]
R4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2009-08-05 39776]
R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2009-08-05 25184]
S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2010-02-28 33920]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-02 64288]
S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [2009-08-05 68064]
S1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2009-08-05 35680]
S1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-08-05 71040]
S1 fsvista;F-Secure Vista Support Driver;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsvista.sys [2009-08-05 12384]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2009-09-26 819600]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2009-09-23 447832]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2010-02-28 107104]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
S3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2009-05-11 724992]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2009-09-26 4639136]
S3 sftfs;sftfs;c:\program files\Microsoft Application Virtualization Client\drivers\sftfslh.sys [2009-09-23 543064]
S3 sftplay;sftplay;c:\program files\Microsoft Application Virtualization Client\drivers\sftplaylh.sys [2009-09-23 190312]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2009-09-23 21848]
S3 sftvol;sftvol;c:\program files\Microsoft Application Virtualization Client\drivers\sftvollh.sys [2009-09-23 14680]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2009-09-23 203608]


--- Other Services/Drivers In Memory ---

*Deregistered* - MBAMSwissArmy

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://en.ca.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
FF - ProfilePath - c:\users\LindaG\AppData\Roaming\Mozilla\Firefox\Profiles\iyg1da3r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\Shaw Secure\NRS\litmus-ff@f-secure.com\components\litmus-ff.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-eRecoveryService - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110113233} - c:\program files\Acer GameZone\Bookworm Deluxe\Uninstall.exe
AddRemove-{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110322783} - c:\program files\Acer GameZone\Big Kahuna Reef\Uninstall.exe
AddRemove-{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110411970} - c:\program files\Acer GameZone\Chuzzle\Uninstall.exe
AddRemove-{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111118433} - c:\program files\Acer GameZone\Mystery Case Files - Huntsville\Uninstall.exe
AddRemove-{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111199750} - c:\program files\Acer GameZone\Cake Mania\Uninstall.exe
AddRemove-{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111252743} - c:\program files\Acer GameZone\Mahjong Escape Ancient China\Uninstall.exe
AddRemove-{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111543617} - c:\program files\Acer GameZone\Backspin Billiards\Uninstall.exe
AddRemove-{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111692950} - c:\program files\Acer GameZone\Mahjongg Artifacts\Uninstall.exe
AddRemove-{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111872660} - c:\program files\Acer GameZone\Diner Dash Flo on the Go\Uninstall.exe
AddRemove-{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112920767} - c:\program files\Acer GameZone\Alice Greenfingers\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-10 12:51
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\program files\shaw secure\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(724)
c:\program files\shaw secure\hips\fshook32.dll
.
Completion time: 2010-03-10 12:53:31
ComboFix-quarantined-files.txt 2010-03-10 20:53

Pre-Run: 173,215,817,728 bytes free
Post-Run: 173,210,411,008 bytes free

- - End Of File - - 28E9AC8A198017AD659B5C2B1915B0C0


I hope that by the limited understanding of what I can see with these logs, that I am actually clear of infections. Is that possible? Looking forward to your reply.

Best regards,
Linda

#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:53 AM

Posted 11 March 2010 - 08:52 AM

Hi Linda,

Your log looks good... thumbup2.gif How's your computer running now?

Do you recognize this folder? -> C:\32788R22FWJFW


++++++++++++++++++++++++


1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of  Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 18 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.



2. Download the latest version of Adobe Reader. --> HERE
  • Unchecked Free McAfee® Security Scan Plus.
  • Click download and install it by following the prompts.



3. Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply .



4. Open OTL again then click the Quick Scan button. Post the log it produces in your next reply.


~Semp


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 LindaG-Van

LindaG-Van
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:53 PM

Posted 11 March 2010 - 02:41 PM

Hi Sempai,

How wonderful - I am cautiously excited. <grin> My computer seems to be running just fine now. I switched my browser back to IE and I don't get the "connection reset" message anymore, must be something with my browser/modem settings. No biggie, I prefer to use IE (same as my clients).

No, I don't recognize the folder you indicated below. If you think I should delete it, let me know.

I will perform the instructions you've mentioned - just can't do it til tomorrow. I'm out for the rest of today and classes tonight.

Will do tomorrow and post results back to you. Thank you SO MUCH!!!

Linda

#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:53 AM

Posted 11 March 2010 - 05:23 PM

Hi, please include this instructions so we can take a look on that folder.


Please copy the contents of the code box below, open notepad and paste it there.
  • On the top toolbar in notepad select file, then save as. In the box that opens type in look.bat for the file name.
  • Right below that click the down arrow in the line for "save as" and select all files.
  • Save this to your desktop and close notepad.
  • Locate the look.bat icon on your desktop and double click it.
  • A notepad will pop up. Copy the contents of the notepad and post it on your next reply.

CODE
@echo off
dir /x "C:\32788R22FWJFW" >> "%userprofile%\desktop\look.txt"
dir /x "C:\32788R22FWJFW" >> "%userprofile%\desktop\look.txt"
notepad "%userprofile%\desktop\look.txt"
del "%userprofile%\desktop\look.txt"
del %0


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:53 AM

Posted 16 March 2010 - 07:28 AM

Hi, are you still with us?

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#10 LindaG-Van

LindaG-Van
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:53 PM

Posted 17 March 2010 - 01:53 AM

Hi Sempai,

I sure am still here - I'm sorry for not getting back to you sooner. I was in a 3 day conference (Fri, Sat and Sun) and since then catching up on all the backlog of work with a ton of new stuff.

Sorry - I will try your suggestions from Thursday and post the results - thank you for touching base.

Linda (who is a bit swamped in Vancouver) :-)

#11 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:53 AM

Posted 17 March 2010 - 04:15 AM

No problem.... take your time. thumbup2.gif

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#12 LindaG-Van

LindaG-Van
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:53 PM

Posted 19 March 2010 - 05:18 AM

Hi Sempai,

Thank you so much for checking back. I'm sorry but I will be much longer in replying to you - my younger brother has had a massive heart attack and we are all flying to be by his side in ICU. I might be a week or longer before I can get back to you with my logs. Thank you for checking back and I will post when I return. Thank you, L

#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:53 AM

Posted 19 March 2010 - 05:45 AM

Hi Linda,

Sorry about your brothers heart attack, hope he will get better soon.

Take all the time you need, we can continue working on your logs when everything is OK. Take care.


~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:53 AM

Posted 04 May 2010 - 08:41 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users