Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser/computer hijack? Banners and crashes.


  • This topic is locked This topic is locked
16 replies to this topic

#1 EuanR

EuanR

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 19 March 2010 - 05:49 PM

Thank you in advance for any help with this problem... I'm running Vista Home premium SP2.
In Firefox, something is inserting banner ads at the top of all web pages - most I'm certain shouldn't have them. The banner ads seem to load or refresh at ~30 second intervals, sometimes after the web page has been open for some time. I have performed full scans with Ad-Aware, Spybot S&D, Malwarebytes' and Symantec Antivirus, all up-to-date as of last night. Symantec found "Bloodhound.PDF!gen" and that's it; supposedly it "cleaned" it. The problem persists, and Firefox has become quite unstable, crashing about once every 20 mins of use.

Unfortunately, I am not able to generate the Ark.txt file from GMER. About 10 seconds after I initiate the GMER scan my computer goes to blue screen and restarts. I have tried four times, and I have no idea if this is related to the infection. Let me know if you have thoughts about an alternate way to run GMER.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 17:12:13.95 on Fri 03/19/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.1328 [GMT -5:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\taskeng.exe
C:\Users\Owner\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: ToolbarURLSearchHook Class: {ca3eb689-8f09-4026-aa10-b9534c691ce0} - c:\program files\search toolbar\tbhelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: TBSB05974 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\search toolbar\tbcore3.dll
TB: Search Toolbar: {0c8413c1-fad1-446c-8584-be50576f863e} - c:\program files\search toolbar\tbcore3.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [googletalk] c:\users\owner\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Google Update] "c:\users\owner\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\9zn3j6y5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://home.comcast.net/~reavie/
FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=
FF - component: c:\program files\mozilla firefox\extensions\{107c7634-6fd7-fb68-a42d-b2c66499dc2d}\components\BK_gdejX-_.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\owner\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\owner\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\owner\program files\dna\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: LoudMo Contextual Ad Assistant: No Registry Reference - c:\program files\mozilla firefox\extensions\{107c7634-6fd7-fb68-a42d-b2c66499dc2d}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-14 64288]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-11-28 1962136]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-1 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-13 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-3-18 1153368]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-26 21504]
S3 lwldr1a7;Lumenera USB Loader Driver (lwldr1a7.sys);c:\windows\system32\drivers\lwldr1a7.sys [2008-5-22 26752]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-11-28 122008]
S3 USBLucam1a7;Lumenera Scientific Camera (1a7);c:\windows\system32\drivers\lwcam1a7.sys [2008-5-22 464896]

=============== Created Last 30 ================

2010-03-19 03:19:52 0 d-----w- c:\program files\common files\DivX Shared
2010-03-19 03:15:22 0 d-----w- c:\programdata\DivX
2010-03-19 00:46:34 0 d-----w- c:\programdata\NOS
2010-03-18 23:07:12 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-18 23:07:12 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-18 03:46:07 0 d-----w- c:\program files\Trend Micro
2010-03-18 00:12:19 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-03-14 18:02:07 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-14 17:16:47 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-14 17:16:44 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-14 17:14:46 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-14 17:14:14 0 d-----w- c:\program files\Lavasoft
2010-03-14 04:00:14 0 d-----w- c:\program files\Search Toolbar
2010-03-13 06:28:54 0 d-----w- c:\windows\pss
2010-03-12 21:56:27 0 d-----w- c:\windows\system32\no-NO
2010-03-12 21:56:24 6656 ----a-w- c:\windows\system32\bcmwlrc.dll
2010-03-12 21:50:50 0 d-----w- c:\windows\Downloaded Installations
2010-03-12 02:25:45 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-12 02:25:44 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-12 02:25:43 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-03-06 04:23:54 0 d-----w- c:\programdata\Ableton
2010-03-06 04:23:52 0 d-----w- c:\users\owner\appdata\roaming\Ableton
2010-03-06 04:20:56 368640 ----a-w- c:\windows\system32\ReWire.dll
2010-03-06 04:20:56 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2010-03-06 04:17:25 0 d-----w- c:\program files\Ableton
2010-03-02 18:16:04 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2010-02-19 19:27:36 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27:16 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27:16 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27:16 839680 ----a-w- c:\windows\system32\divx_xx11.dll

==================== Find3M ====================

2010-03-18 03:04:51 2140 ----a-w- c:\windows\bthservsdp.dat
2010-03-18 03:04:06 88947 ----a-w- c:\programdata\nvModes.dat
2010-03-12 21:57:29 51200 ----a-w- c:\windows\inf\infpub.dat
2010-03-12 21:57:29 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-12 21:57:22 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-24 15:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-18 23:21:01 87608 ----a-w- c:\users\owner\appdata\roaming\inst.exe
2010-02-18 23:21:01 47360 ----a-w- c:\users\owner\appdata\roaming\pcouffin.sys
2010-02-17 04:08:32 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-06 15:39:38 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38:47 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 13:30:41 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 04:55:53 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-05-26 18:50:03 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-15 19:37:59 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-11-28 00:36:27 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 17:13:49.39 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:59 PM

Posted 21 March 2010 - 09:27 PM

Hello, EuanR.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for smile.gif
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 EuanR

EuanR
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 22 March 2010 - 09:09 AM

Hello aommaster. Thank you for your help! I have attached the three requested files. As suggested I had to run gmer with "devices" unchecked. Otherwise it would cause my computer to crash (blue screen and automatic restart).

Best - Euan.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2010-03-22 08:18:55
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 90 GB (38%) free of 238 GB
Total RAM: 3070 MB (27% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:03 AM, on 3/22/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Owner\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ToolbarURLSearchHook Class - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\Program Files\Search Toolbar\tbhelper.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: TBSB05974 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Search Toolbar\tbcore3.dll (file missing)
O3 - Toolbar: Search Toolbar - {0C8413C1-FAD1-446C-8584-BE50576F863E} - C:\Program Files\Search Toolbar\tbcore3.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [googletalk] C:\Users\Owner\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10798 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3986340745-2730311142-871471110-1000Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3986340745-2730311142-871471110-1000UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-12-21 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2009-12-21 349640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-25 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-11 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077}]
SmartSelect Class - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2009-12-21 349640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}]
TBSB05974 Class - C:\Program Files\Search Toolbar\tbcore3.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0C8413C1-FAD1-446C-8584-BE50576F863E} - Search Toolbar - C:\Program Files\Search Toolbar\tbcore3.dll []
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2009-12-21 349640]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-03-28 1045800]
"QlbCtrl"=C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [2007-12-06 202032]
"OnScreenDisplay"=C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe [2007-09-04 554320]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-11-22 107112]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2006-11-28 134808]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-09-08 305440]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2008-12-04 13556256]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2008-12-04 92704]
"Carbonite Backup"=C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe [2009-09-18 670864]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-11 149280]
"Adobe Acrobat Speed Launcher"=C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [2009-12-22 38840]
""= []
"Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [2009-12-21 640440]
"DivXUpdate"=C:\Program Files\DivX\DivX Update\DivXUpdate.exe [2010-03-05 1135912]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-12-11 948672]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"googletalk"=C:\Users\Owner\AppData\Roaming\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]
"Google Update"=C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-09-13 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [2009-12-21 640440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [2009-12-22 38840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-09-13 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-09-05 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe [2009-04-10 37888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^hpzrcv01.LNK]
C:\Program Files\HP\Temp\{B94428F6-E93C-4d1d-8580-46D70FA07A9D}\setup\hpzstub.exe -run C:\Program Files\HP\Temp\{B94428F6-E93C-4d1d-8580-46D70FA07A9D}\setup\hpzrcv01.exe -f ..\autorun.inf -recover MSIOnly -logs []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bc88282-6436-11de-920c-001e379d2d7e}]
shell\AutoRun\command - H:\LaunchU3.exe -a


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - "C:\Program Files\Macromedia\Dreamweaver 4\Dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2010-03-22 08:18:55 ----D---- C:\rsit
2010-03-20 18:18:36 ----RA---- C:\Windows\system32\AdobePDFUI.dll
2010-03-20 18:18:36 ----RA---- C:\Windows\system32\AdobePDF.dll
2010-03-19 18:25:53 ----D---- C:\Program Files\Mozilla Firefox
2010-03-18 22:19:52 ----D---- C:\Program Files\Common Files\DivX Shared
2010-03-18 22:15:22 ----D---- C:\ProgramData\DivX
2010-03-18 18:07:12 ----D---- C:\ProgramData\Spybot - Search & Destroy
2010-03-18 18:07:12 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-03-17 22:46:07 ----D---- C:\Program Files\Trend Micro
2010-03-14 13:02:07 ----A---- C:\Windows\system32\lsdelete.exe
2010-03-14 12:14:46 ----HDC---- C:\ProgramData\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-14 12:14:14 ----D---- C:\Program Files\Lavasoft
2010-03-13 01:28:54 ----D---- C:\Windows\pss
2010-03-12 16:56:27 ----D---- C:\Windows\system32\no-NO
2010-03-12 16:56:24 ----A---- C:\Windows\system32\bcmwlrc.dll
2010-03-12 16:50:50 ----D---- C:\Windows\Downloaded Installations
2010-03-11 21:25:45 ----A---- C:\Windows\system32\nshhttp.dll
2010-03-11 21:25:43 ----A---- C:\Windows\system32\httpapi.dll
2010-03-08 12:59:18 ----A---- C:\Windows\system32\dpl100.dll
2010-03-05 23:23:54 ----D---- C:\ProgramData\Ableton
2010-03-05 23:23:52 ----D---- C:\Users\Owner\AppData\Roaming\Ableton
2010-03-05 23:20:56 ----A---- C:\Windows\system32\REX Shared Library.dll
2010-03-05 23:20:56 ----A---- C:\Windows\system32\ReWire.dll
2010-03-05 23:17:25 ----D---- C:\Program Files\Ableton
2010-02-23 15:28:24 ----A---- C:\Windows\system32\jscript.dll
2010-02-23 15:27:43 ----A---- C:\Windows\system32\tzres.dll
2010-02-23 15:27:26 ----A---- C:\Windows\system32\secproc_isv.dll
2010-02-23 15:27:25 ----A---- C:\Windows\system32\secproc.dll
2010-02-23 15:27:25 ----A---- C:\Windows\system32\RMActivate_ssp_isv.exe
2010-02-23 15:27:25 ----A---- C:\Windows\system32\RMActivate_ssp.exe
2010-02-23 15:27:25 ----A---- C:\Windows\system32\RMActivate_isv.exe
2010-02-23 15:27:24 ----A---- C:\Windows\system32\secproc_ssp_isv.dll
2010-02-23 15:27:24 ----A---- C:\Windows\system32\secproc_ssp.dll
2010-02-23 15:27:24 ----A---- C:\Windows\system32\RMActivate.exe
2010-02-23 15:27:24 ----A---- C:\Windows\system32\msdrm.dll
2010-02-23 15:27:19 ----A---- C:\Windows\system32\gameux.dll
2010-02-23 15:27:18 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2010-02-23 15:27:18 ----A---- C:\Windows\system32\Apphlpdm.dll

======List of files/folders modified in the last 1 months======

2010-03-22 08:19:03 ----D---- C:\Windows\Prefetch
2010-03-22 08:18:57 ----D---- C:\Windows\Temp
2010-03-22 00:00:55 ----SHD---- C:\System Volume Information
2010-03-21 21:22:51 ----D---- C:\Users\Owner\AppData\Roaming\BitTorrent
2010-03-21 20:44:20 ----D---- C:\Windows\Tasks
2010-03-21 20:44:12 ----D---- C:\ProgramData\Google Updater
2010-03-21 15:45:18 ----D---- C:\Windows\System32
2010-03-21 15:45:18 ----D---- C:\Windows\inf
2010-03-21 15:45:18 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-03-21 12:20:22 ----D---- C:\Windows\system32\Tasks
2010-03-20 20:53:08 ----RD---- C:\Users
2010-03-20 20:52:37 ----HD---- C:\ProgramData
2010-03-20 18:19:57 ----SHD---- C:\Windows\Installer
2010-03-20 18:11:01 ----D---- C:\Program Files\Common Files\Adobe
2010-03-20 10:24:09 ----RD---- C:\Program Files
2010-03-19 19:12:32 ----D---- C:\Windows\system32\catroot2
2010-03-19 18:26:13 ----D---- C:\Users\Owner\AppData\Roaming\Mozilla
2010-03-19 17:27:19 ----D---- C:\Windows\Minidump
2010-03-19 17:27:15 ----D---- C:\Windows
2010-03-18 22:20:45 ----D---- C:\Program Files\DivX
2010-03-18 22:20:20 ----D---- C:\Windows\winsxs
2010-03-18 22:19:52 ----D---- C:\Program Files\Common Files
2010-03-18 19:01:09 ----SD---- C:\ProgramData\Microsoft
2010-03-17 21:54:42 ----D---- C:\Windows\system32\drivers
2010-03-17 21:54:42 ----D---- C:\Windows\Microsoft.NET
2010-03-17 19:04:21 ----RSD---- C:\Windows\Fonts
2010-03-17 19:01:37 ----D---- C:\Program Files\Adobe
2010-03-14 12:16:47 ----DC---- C:\Windows\system32\DRVSTORE
2010-03-14 12:16:47 ----D---- C:\Windows\system32\catroot
2010-03-14 12:14:14 ----D---- C:\ProgramData\Lavasoft
2010-03-14 10:36:49 ----D---- C:\Windows\PLA
2010-03-13 23:11:13 ----D---- C:\Windows\Web
2010-03-13 01:27:27 ----D---- C:\Program Files\Google
2010-03-12 17:00:27 ----D---- C:\swsetup_delete
2010-03-12 16:56:27 ----D---- C:\Windows\system32\tr-TR
2010-03-12 16:56:27 ----D---- C:\Windows\system32\th-TH
2010-03-12 16:56:27 ----D---- C:\Windows\system32\sv-SE
2010-03-12 16:56:27 ----D---- C:\Windows\system32\sl-SI
2010-03-12 16:56:27 ----D---- C:\Windows\system32\sk-SK
2010-03-12 16:56:27 ----D---- C:\Windows\system32\ru-RU
2010-03-12 16:56:27 ----D---- C:\Windows\system32\ro-RO
2010-03-12 16:56:27 ----D---- C:\Windows\system32\pl-PL
2010-03-12 16:56:27 ----D---- C:\Windows\system32\nl-NL
2010-03-12 16:56:27 ----D---- C:\Windows\system32\lv-LV
2010-03-12 16:56:26 ----D---- C:\Windows\system32\lt-LT
2010-03-12 16:56:26 ----D---- C:\Windows\system32\ko-KR
2010-03-12 16:56:26 ----D---- C:\Windows\system32\ja-JP
2010-03-12 16:56:26 ----D---- C:\Windows\system32\it-IT
2010-03-12 16:56:26 ----D---- C:\Windows\system32\hu-HU
2010-03-12 16:56:26 ----D---- C:\Windows\system32\hr-HR
2010-03-12 16:56:26 ----D---- C:\Windows\system32\fr-FR
2010-03-12 16:56:26 ----D---- C:\Windows\system32\fi-FI
2010-03-12 16:56:26 ----D---- C:\Windows\system32\et-EE
2010-03-12 16:56:26 ----D---- C:\Windows\system32\en-US
2010-03-12 16:56:26 ----D---- C:\Windows\system32\el-GR
2010-03-12 16:56:25 ----D---- C:\Windows\system32\de-DE
2010-03-12 16:56:25 ----D---- C:\Windows\system32\da-DK
2010-03-12 16:56:25 ----D---- C:\Windows\system32\cs-CZ
2010-03-12 16:56:25 ----D---- C:\Windows\system32\bg-BG
2010-03-12 16:51:00 ----SD---- C:\Windows\Downloaded Program Files
2010-03-12 16:50:57 ----SD---- C:\Users\Owner\AppData\Roaming\Microsoft
2010-03-12 16:50:56 ----D---- C:\Program Files\HP
2010-03-11 21:31:46 ----D---- C:\Program Files\Windows Mail
2010-03-11 21:31:46 ----D---- C:\Program Files\Movie Maker
2010-03-11 21:30:04 ----D---- C:\ProgramData\Microsoft Help
2010-03-08 23:26:34 ----D---- C:\Euan
2010-03-02 00:30:12 ----A---- C:\Windows\system32\mrt.exe
2010-02-24 10:16:06 ----N---- C:\Windows\system32\MpSigStub.exe
2010-02-23 16:20:38 ----D---- C:\Windows\rescache
2010-02-23 16:00:55 ----D---- C:\Windows\AppPatch

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [2009-08-27 371248]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [2006-10-06 406672]
R1 SRTSPX;SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [2006-11-22 25448]
R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver; \??\C:\Windows\system32\Drivers\CVPNDRVA.sys [2008-06-19 306299]
R2 ElbyCDIO;ElbyCDIO Driver; C:\Windows\System32\Drivers\ElbyCDIO.sys [2005-01-01 9728]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2006-11-14 37376]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-10-18 8704]
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2007-05-30 735232]
R3 ATSWPDRV;AuthenTec TruePrint USB Driver (SwipeSensor); C:\Windows\system32\DRIVERS\ATSwpDrv.sys [2007-08-28 146560]
R3 BthEnum;Bluetooth Enumerator Service; C:\Windows\system32\DRIVERS\BthEnum.sys [2009-04-10 22528]
R3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-19 92160]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2009-04-10 29696]
R3 btwaudio;Bluetooth Audio Device Service; C:\Windows\system32\drivers\btwaudio.sys [2007-12-12 80424]
R3 btwavdt;Bluetooth AVDT; C:\Windows\system32\drivers\btwavdt.sys [2007-12-12 80936]
R3 btwrchid;btwrchid; C:\Windows\system32\DRIVERS\btwrchid.sys [2007-12-12 16168]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\CHDRT32.sys [2008-03-04 188416]
R3 DNE;Deterministic Network Enhancer Miniport; C:\Windows\system32\DRIVERS\dne2000.sys [2008-03-29 125328]
R3 ElbyDelay;ElbyDelay; C:\Windows\System32\Drivers\ElbyDelay.sys [2005-01-01 3968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-27 102448]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2009-05-18 26600]
R3 HpqKbFiltr;HpqKbFilter Driver; C:\Windows\system32\DRIVERS\HpqKbFiltr.sys [2007-06-18 16768]
R3 HpqRemHid;HP Remote Control HID Device; C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-11 7168]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2007-11-01 985600]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2007-11-01 208896]
R3 NAVENG;NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20100321.004\NAVENG.SYS [2010-02-04 84912]
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20100321.004\NAVEX15.SYS [2010-02-04 1324720]
R3 NVENETFD;NVIDIA nForce 10/100/1000 Mbps Ethernet ; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2008-08-01 1052704]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-12-04 7606688]
R3 nvsmu;nvsmu; C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-16 12032]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2009-04-10 148992]
R3 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2005-11-16 28928]
R3 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2005-12-22 51840]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2009-04-10 89088]
R3 SRTSP;SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [2006-11-22 247144]
R3 SymEvent;SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [2008-09-30 109744]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2008-03-28 199472]
R3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-19 134016]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2007-11-01 661504]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-19 11264]
S3 AR5211;Atheros Wireless Network Adapter Service; C:\Windows\system32\DRIVERS\ar5211.sys [2006-01-13 470048]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2009-04-10 507904]
S3 CVirtA;Cisco Systems VPN Adapter; C:\Windows\system32\DRIVERS\CVirtA.sys [2007-01-18 5275]
S3 Dot4;MS IEEE-1284.4 Driver; C:\Windows\system32\DRIVERS\Dot4.sys [2008-01-19 131584]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys [2008-01-19 16384]
S3 Dot4Scan;Scan Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Scan.sys [2008-01-19 10752]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys [2008-01-19 36864]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HPFXBULK;HPFXBULK; C:\Windows\system32\drivers\hpfxbulk.sys [2006-04-04 9344]
S3 lwldr1a7;Lumenera USB Loader Driver (lwldr1a7.sys); C:\Windows\System32\Drivers\lwldr1a7.sys [2008-04-10 26752]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2010-02-16 47360]
S3 SRTSPL;SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [2006-11-22 274328]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 USBLucam1a7;Lumenera Scientific Camera (1a7); C:\Windows\System32\Drivers\lwcam1a7.sys [2008-04-10 464896]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-09-30 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 CarboniteService;CarboniteService; C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe [2009-09-18 1980560]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2006-11-22 107624]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2006-11-22 107624]
R2 CVPND;Cisco Systems, Inc. VPN Service; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [2008-06-19 1528608]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-11-28 30872]
R2 IntuitUpdateService;Intuit Update Service; C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-09-29 13088]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-21 1263728]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-12-04 203296]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-11-28 1962136]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-10-18 386560]
R3 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2007-12-05 144688]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-09-08 545568]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-03-13 135664]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 183280]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
S3 Com4Qlb;Com4Qlb; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe [2007-03-05 110592]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2010-01-17 651720]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 hpqcxs08;hpqcxs08; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-10-31 2541248]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-11-28 122008]
S4 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-10-18 79136]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.06 2010-03-22 08:19:11

======Uninstall list======

-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
-->C:\ProgramData\DivX\DivX7\DivX Converter\DivXConverterUninstall.exe /CONVERTER
Ad-Aware Email Scanner for Outlook-->MsiExec.exe /I{338F08AB-C262-42C7-B000-34DE1A475273}
Ad-Aware-->"C:\ProgramData\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\ProgramData\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
Adobe Acrobat 9 Pro - English, Français, Deutsch-->msiexec /I {AC76BA86-1033-F400-7760-000000000004}
Adobe Acrobat 9 Pro - English, Français, Deutsch-->msiexec /I {AC76BA86-1033-F400-7760-000000000004}
Adobe Acrobat 9.3.1 - CPSID_50570-->msiexec /I {AC76BA86-1033-F400-7760-000000000004}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Setup-->MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Shockwave Player 11-->C:\Windows\system32\adobe\SHOCKW~1\UNWISE.EXE C:\Windows\system32\Adobe\SHOCKW~1\Install.log
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Akram Audio Converter 2.5-->"C:\Program Files\Akram Audio Converter\uninstall.exe"
Apple Application Support-->MsiExec.exe /I{0C34B801-6AEC-4667-B053-03A67E2D0415}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Atheros Driver Installation Program-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\setup.exe" -l0x9 -removeonly
AuthenTec Fingerprint Sensor Minimum Install-->MsiExec.exe /X{7F362F06-A9A3-440F-8B19-6A01A72723C4}
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Broadcom 802.11 Wireless LAN Adapter-->"C:\Program Files\Broadcom\Broadcom 802.11\Driver\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Broadcom\Broadcom 802.11\Driver"
C2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{20C07D8C-B482-420C-BC1E-2493678C7E14}\Setup.exe" -l0x9 -L0x9
Canoco for Windows 4.5-->C:\PROGRA~1\CANOCO\UNWISE.EXE C:\PROGRA~1\CANOCO\INSTALL.LOG
Carbonite-->C:\Program Files\Carbonite\Carbonite Backup\CarboniteSetup.exe /remove
Cisco Systems VPN Client 5.0.03.0560-->MsiExec.exe /X{A7091E1D-36A4-47F1-A739-173CC341414F}
CloneDVD2-->"C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD2"
Conexant HD Audio-->C:\Program Files\CONEXANT\CNXT_AUDIO_HDA\UIU32a.exe -U -IQh30CFza.INF
CorelDRAW Graphics Suite X4 - Capture-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF012}
CorelDRAW Graphics Suite X4 - Content-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF016}
CorelDRAW Graphics Suite X4 - Draw-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF013}
CorelDRAW Graphics Suite X4 - Filters-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF017}
CorelDRAW Graphics Suite X4 - FontNav-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF019}
CorelDRAW Graphics SUite X4 - ICA-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF010}
CorelDRAW Graphics Suite X4 - IPM-->MsiExec.exe /I{9D0798D0-AF6C-4E62-94B1-AEBF1A43E00A}
CorelDRAW Graphics Suite X4 - Lang BR-->MsiExec.exe /I{1A9DAB4D-46CD-4CBF-A9FC-28D8AA8D2FCF}
CorelDRAW Graphics Suite X4 - Lang EN-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF100}
CorelDRAW Graphics Suite X4 - Lang ES-->MsiExec.exe /I{D2827848-7D2A-4547-9AD1-C965FB3E6344}
CorelDRAW Graphics Suite X4 - Lang FR-->MsiExec.exe /I{9D306690-3173-42CD-94C6-9EF9318AF24B}
CorelDRAW Graphics Suite X4 - PP-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF014}
CorelDRAW Graphics Suite X4 - VBA-->MsiExec.exe /I{BF439B41-0252-48DE-8B8B-0430CB26A181}
CorelDRAW Graphics Suite X4-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF000}
CorelDRAW® Graphics Suite X4 - Windows Shell Extension-->c:\Program Files\Common Files\Corel\Shared\Shell Extension\Uninst.exe
CorelDRAW® Graphics Suite X4 - Windows Shell Extension-->MsiExec.exe /X{CE2DA11A-917F-4CF5-AB55-755EC115DD10}
CorelDRAW® Graphics Suite X4-->C:\Program Files\Corel\CorelDRAW Graphics Suite X4\Setup\SetupARP.exe /arp
Debugging Tools for Windows (x86)-->MsiExec.exe /I{1CD0C3C5-809D-4CFC-904A-1B67C6243637}
DirPrint 4.0-->rundll32.exe advpack.dll,LaunchINFSection C:\Windows\INF\dirprt40.inf,DefaultUninstall
DivX Converter-->C:\ProgramData\DivX\DivX7\DivX Converter\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\ProgramData\DivX\DivX7\DivX Player\DivXPlayerUninstall.exe /PLAYER
DivX Setup-->C:\ProgramData\DivX\Setup\DivXSetup.exe /uninstall /bundleGroupId divx.com
DivX Web Player-->C:\ProgramData\DivX\DivX7\DivX Web Player\DivXWebPlayerUninstall.exe /PLUGIN
DVD Ripper Platinum 4-->C:\Program Files\Xilisoft\DVD Ripper Platinum 4\Uninstall.exe
EndItAll 2.0-->"C:\Program Files\EndItAll\unins000.exe"
GGobi Interactive Graphics Platform-->"C:\Program Files\ggobi\uninstall.exe"
Google Earth-->MsiExec.exe /X{2EAF7E61-068E-11DF-953C-005056806466}
Google Photos Screensaver-->MsiExec.exe /X{481E9852-DA0C-403B-ADA4-05D86C8BF9A9}
Google Talk Plugin-->MsiExec.exe /I{BBF6D0CD-A081-369F-B0B8-F168594CBB6B}
Google Toolbar for Firefox-->C:\ProgramData\Google\Toolbar for Firefox\Firefox_Toolbar_Uninstaller.exe
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Gtk+ Runtime Environment 2.12.9-2-->C:\GTK\uninst.exe
HDAUDIO Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_HERMOSA_HSF\UIU32m.exe -U -IHPQHERzm.inf
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
HP Integrated Module with Bluetooth wireless technology 6.0.1.6000-->MsiExec.exe /X{03D1988F-469F-4843-8E6E-E5FE9D17889D}
HP Product Detection-->MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
HP Quick Launch Buttons 6.40 B2-->C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\Setup.exe -runfromtemp -l0x0009 -removeonly uninst
HP QuickTouch 1.00 C4-->MsiExec.exe /I{7DC4A410-9986-4329-9E5D-687B2C42CA39}
INFINITY Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{483AD544-F7DC-11D7-8B5E-00104BCAE605}\setup.exe" -l0x9 -removeonly
iTunes-->MsiExec.exe /I{EC2A8F27-4FBF-4E41-B27B-FE822511B761}
Java™ 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF}
Last.fm 1.5.4.24567-->"C:\Program Files\Last.fm\unins000.exe"
LightScribe System Software 1.10.19.1-->MsiExec.exe /X{59046D29-2E6B-4224-BF0D-64F3E7A93F7B}
Live 8.0.4-->C:\PROGRA~1\Ableton\LIVE80~1.4\Install\UNWISE.EXE C:\PROGRA~1\Ableton\LIVE80~1.4\Install\INSTALL.LOG
LiveUpdate 3.2 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Macromedia Dreamweaver 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ABDA9912-5D00-11D4-BAE7-9367CA097955}\Setup.exe" mmUninstall
Macromedia Extension Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" mmUninstall
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Live Add-in 1.3-->MsiExec.exe /I{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook Connector-->MsiExec.exe /I{95120000-0122-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Mozilla Firefox (3.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MP3 Splitter & Joiner-->"C:\Program Files\MP3 Splitter & Joiner\unins000.exe"
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
NCSS 2000-->C:\PROGRA~1\NCSS97\UNWISE.EXE C:\PROGRA~1\NCSS97\INSTALL.LOG
NVIDIA Drivers-->C:\Windows\system32\nvuninst.exe UninstallGUI
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
QuickTime-->MsiExec.exe /I{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}
R for Windows 2.10.0-->"C:\Program Files\R\R-2.10.0\unins000.exe"
Real Alternative 1.7.5-->"C:\Program Files\Real Alternative\unins000.exe"
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB978380)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {667A88D1-0369-4070-A62A-70672D68A9BF}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Office Excel 2007 (KB978382)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6DE3DABF-0203-426B-B330-7287D1003E86}
Security Update for Microsoft Office Outlook 2007 (KB972363)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {120BE9A0-9B09-4855-9E0C-7DEE45CB03C0}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office Publisher 2007 (KB969693)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7BE67088-1EB3-4569-8E75-DDAFBF61BC4E}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Seraline Screensaver v5-->"C:\Program Files\Seraline\Seraline Screensaver v5\unins000.exe"
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
Sony Noise Reduction Plug-In 2.0h-->MsiExec.exe /X{06A1BE8A-4CA4-4A39-B9E4-E815AA8FE05C}
Sony Sound Forge 9.0-->MsiExec.exe /X{4AEA9A23-D627-4699-8A0F-FC474308C2E6}
SpeedFan (remove only)-->"C:\Program Files\SpeedFan\uninstall.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.2-->"C:\Program Files\SpywareBlaster\unins000.exe"
Streamripper (Remove only)-->C:\Program Files\Streamripper\Uninstall.exe
Symantec AntiVirus-->MsiExec.exe /I{7C9E6E52-EB11-44DB-A761-82D5D873A8D9}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Tag&Rename 3.4-->"C:\Program Files\TagRename\unins000.exe"
TBS WMP Plug-in-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{13515135-48BB-4184-8C1F-2FAE0138E200}
TextPad 5-->MsiExec.exe /X{B6EC7388-E277-4A5B-8C8F-71067A41BA64}
TurboTax 2008-->C:\Program Files\TurboTax\Premier 2008\Installer\TurboTax 2008 Installer.exe /u /t /a
TurboTax 2009 WinPerFedFormset-->MsiExec.exe /I{3881DB80-EAA2-012B-ADAE-000000000000}
TurboTax 2009 WinPerReleaseEngine-->MsiExec.exe /I{38975F50-EAA2-012B-ADB4-000000000000}
TurboTax 2009 WinPerTaxSupport-->MsiExec.exe /I{38A34630-EAA2-012B-ADB6-000000000000}
TurboTax 2009 wmniper-->MsiExec.exe /I{39E2A400-EAA2-012B-AE04-000000000000}
TurboTax 2009 wrapper-->MsiExec.exe /I{3C5A81D0-EAA2-012B-AE9F-000000000000}
TurboTax 2009-->C:\Program Files\TurboTax\Premier 2009\Installer\TurboTax 2009 Installer.exe /u /t /a
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}
Update for Microsoft Office Access 2007 Help (KB963663)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {6B76A18A-AA1E-42AB-A7AD-6C84BBB43987}
Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}
Update for Microsoft Office InfoPath 2007 (KB976416)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {432C5EE4-8096-4FF1-95E1-65219365DFF7}
Update for Microsoft Office Infopath 2007 Help (KB963662)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {716B81B8-B13C-41DF-8EAC-7A2F656CAB63}
Update for Microsoft Office OneNote 2007 Help (KB963670)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2744EF05-38E1-4D5D-B333-E021EDAEA245}
Update for Microsoft Office Outlook 2007 Help (KB963677)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {0451F231-E3E3-4943-AB9F-58EB96171784}
Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}
Update for Microsoft Office Publisher 2007 Help (KB963667)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2E40DE55-B289-4C8B-8901-5D369B16814F}
Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}
Update for Microsoft Office Word 2007 (KB974561)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0CDDBAA2-2111-4A0E-A1B0-76C40C635331}
Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}
Update for Outlook 2007 Junk Email Filter (kb979895)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {D45674C6-9127-4C84-8826-93FBC552DF53}
VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421}
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\Windows\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
VLC media player 0.9.9-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinSCP 4.1.6-->"C:\Program Files\WinSCP\unins000.exe"
Yawcam BETA (2007-06-11)-->"C:\Program Files\Yawcam\unins000.exe"

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: Symantec AntiVirus
AS: Spybot - Search and Destroy (disabled)
AS: Symantec AntiVirus
AS: Windows Defender

======System event log======

Computer Name: HPLAPTOP
Event Code: 6008
Message: The previous system shutdown at 8:35:13 AM on 6/17/2009 was unexpected.
Record Number: 58913
Source Name: EventLog
Time Written: 20090617133715.000000-000
Event Type: Error
User:

Computer Name: HPLAPTOP
Event Code: 3
Message: A command sent to the adapter has timed out. The adapter did not respond.
Record Number: 58864
Source Name: BTHUSB
Time Written: 20090616133806.080000-000
Event Type: Warning
User:

Computer Name: HPLAPTOP
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Record Number: 58851
Source Name: Tcpip
Time Written: 20090616022023.025000-000
Event Type: Warning
User:

Computer Name: HPLAPTOP
Event Code: 8032
Message: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{ABB596FC-0A53-49F4-BDB6-EE338B33BA72}. The backup browser is stopping.
Record Number: 58808
Source Name: BROWSER
Time Written: 20090614225524.000000-000
Event Type: Error
User:

Computer Name: HPLAPTOP
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Record Number: 58799
Source Name: Tcpip
Time Written: 20090614185114.786292-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: Owner-PC
Event Code: 6005
Message: The winlogon notification subscriber <TrustedInstaller> is taking long time to handle the notification event (CreateSession).
Record Number: 140
Source Name: Microsoft-Windows-Winlogon
Time Written: 20080522081002.000000-000
Event Type: Warning
User:

Computer Name: Owner-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3986340745-2730311142-871471110-1000_Classes:
Process 864 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3986340745-2730311142-871471110-1000_CLASSES

Record Number: 119
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20080522080513.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Owner-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3986340745-2730311142-871471110-1000:
Process 864 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3986340745-2730311142-871471110-1000

Record Number: 118
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20080522080512.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Owner-PC
Event Code: 1008
Message: The Windows Search Service is attempting to remove the old catalog.

Record Number: 22
Source Name: Microsoft-Windows-Search
Time Written: 20080521232728.000000-000
Event Type: Warning
User:

Computer Name: 26L2233B2-11
Event Code: 1036
Message: InitializePrintProvider failed for provider inetpp.dll. This can occur because of system instability or a lack of system resources.
Record Number: 13
Source Name: Microsoft-Windows-SpoolerSpoolss
Time Written: 20080521232127.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Security event log=====

Computer Name: HPLAPTOP
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 5635
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20080601022616.073344-000
Event Type: Audit Success
User:

Computer Name: HPLAPTOP
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: HPLAPTOP$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x29c
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 5634
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20080601022616.073344-000
Event Type: Audit Success
User:

Computer Name: HPLAPTOP
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: HPLAPTOP$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x29c
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 5633
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20080601022616.073344-000
Event Type: Audit Success
User:

Computer Name: HPLAPTOP
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5

Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege
Record Number: 5632
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20080601022615.745742-000
Event Type: Audit Success
User:

Computer Name: HPLAPTOP
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: HPLAPTOP$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x29c
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 5631
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20080601022615.745742-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%GTK_BASEPATH%\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\ggobi
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 104 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=6802
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"GTK_BASEPATH"=C:\GTK

-----------------EOF-----------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-22 09:04:40
Windows 6.0.6002 Service Pack 2
Running: ljx4vm0p.exe; Driver: C:\Users\Owner\AppData\Local\Temp\uglyipow.sys


---- System - GMER 1.0.15 ----

SSDT 87A15FD0 ZwAlertResumeThread
SSDT 87A187A0 ZwAlertThread
SSDT 87A01600 ZwAllocateVirtualMemory
SSDT 87A19DF0 ZwCreateMutant
SSDT 87A114B8 ZwCreateThread
SSDT 87A06D70 ZwFreeVirtualMemory
SSDT 87A15E50 ZwImpersonateAnonymousToken
SSDT 87A15F10 ZwImpersonateThread
SSDT 8797A4F0 ZwMapViewOfSection
SSDT 87A19D30 ZwOpenEvent
SSDT 87A020A8 ZwOpenProcessToken
SSDT 8797A2F8 ZwOpenThreadToken
SSDT 87A06C20 ZwResumeThread
SSDT 8798D488 ZwSetContextThread
SSDT 8797A3B8 ZwSetInformationProcess
SSDT 8798D3C8 ZwSetInformationThread
SSDT 87A19C70 ZwSuspendProcess
SSDT 87A188A8 ZwSuspendThread
SSDT 87A02348 ZwTerminateProcess
SSDT 8798D308 ZwTerminateThread
SSDT 8797A478 ZwUnmapViewOfSection
SSDT 87A01530 ZwWriteVirtualMemory

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e379d2d7e
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e379d2d7e@000db53720f6 0x8F 0xF1 0x0A 0xC0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e379d2d7e (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e379d2d7e@000db53720f6 0x8F 0xF1 0x0A 0xC0 ...

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File  gmer.log   3.38KB   7 downloads
  • Attached File  log.txt   33.91KB   7 downloads
  • Attached File  info.txt   33.97KB   7 downloads

Edited by aommaster, 22 March 2010 - 12:45 PM.


#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:59 PM

Posted 22 March 2010 - 12:49 PM

Hello, EuanR.
We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 EuanR

EuanR
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 23 March 2010 - 09:10 PM

Hi aommaster. Please see attached logs.

-Euan

ComboFix 10-03-23.03 - Owner 03/23/2010 19:44:59.2.2 - x86
Microsoft® Windows Vistaâ„¢ Home Premium 6.0.6002.2.1252.1.1033.18.3070.1461 [GMT -5:00]
Running from: c:\users\Owner\Desktop\fixes\ComboFix.exe
AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))
.

2010-03-24 00:50 . 2010-03-24 00:50 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2010-03-24 00:50 . 2010-03-24 00:50 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-24 00:50 . 2010-03-24 00:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-23 22:26 . 2010-02-04 09:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100323.002\NAVENG.SYS
2010-03-23 22:26 . 2010-02-04 09:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100323.002\NAVEX15.SYS
2010-03-23 22:26 . 2009-12-14 09:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100323.002\NAVENG32.DLL
2010-03-23 22:26 . 2009-12-14 09:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100323.002\NAVEX32A.DLL
2010-03-23 22:26 . 2009-12-14 09:00 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100323.002\ERASER.SYS
2010-03-23 22:26 . 2009-12-14 09:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100323.002\EECTRL.SYS
2010-03-23 22:26 . 2009-12-14 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100323.002\CCERASER.DLL
2010-03-23 22:26 . 2009-12-14 09:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100323.002\ECMSVR32.DLL
2010-03-22 13:18 . 2010-03-22 13:19 -------- d-----w- C:\rsit
2010-03-22 01:58 . 2010-03-22 01:58 -------- d-----w- c:\users\Owner\DoctorWeb
2010-03-21 18:47 . 2010-02-04 09:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100321.004\NAVENG.SYS
2010-03-21 18:47 . 2010-02-04 09:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100321.004\NAVEX15.SYS
2010-03-21 18:47 . 2009-12-14 09:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100321.004\EECTRL.SYS
2010-03-21 18:47 . 2009-12-14 09:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100321.004\ECMSVR32.DLL
2010-03-21 18:47 . 2009-12-14 09:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100321.004\NAVENG32.DLL
2010-03-21 18:47 . 2009-12-14 09:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100321.004\NAVEX32A.DLL
2010-03-21 18:47 . 2009-12-14 09:00 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100321.004\ERASER.SYS
2010-03-21 18:47 . 2009-12-14 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100321.004\CCERASER.DLL
2010-03-20 23:18 . 2009-08-20 04:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-03-20 23:18 . 2009-08-20 04:50 46928 ----a-r- c:\windows\system32\AdobePDF.dll
2010-03-20 15:21 . 2010-03-20 15:21 -------- d-----w- c:\users\Owner\AppData\Local\Apple
2010-03-20 15:17 . 2010-03-20 15:22 -------- d-----w- c:\users\Owner\AppData\Local\Apple Computer
2010-03-19 23:33 . 2009-12-16 19:42 872960 ----a-w- c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\yj65l5xm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-19 23:33 . 2009-12-16 19:42 43008 ----a-w- c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\yj65l5xm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-19 23:33 . 2009-12-16 19:42 340480 ----a-w- c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\yj65l5xm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-19 23:33 . 2009-12-16 19:41 346624 ----a-w- c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\yj65l5xm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-19 22:22 . 2010-03-20 04:16 -------- d-----w- c:\users\Owner\AppData\Local\Adobe
2010-03-19 03:19 . 2010-03-19 03:19 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-03-19 03:19 . 2010-03-19 03:19 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-19 03:19 . 2010-03-19 03:19 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-03-19 03:15 . 2010-03-19 03:15 62776 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-03-19 03:15 . 2010-03-19 03:20 -------- d-----w- c:\programdata\DivX
2010-03-18 23:07 . 2010-03-19 00:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-18 23:07 . 2010-03-18 23:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-18 03:46 . 2010-03-18 03:46 -------- d-----w- c:\program files\Trend Micro
2010-03-18 02:55 . 2010-03-24 00:26 -------- d-----w- c:\users\TEMP
2010-03-14 18:02 . 2010-03-14 17:16 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-14 17:14 . 2010-03-14 17:14 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-14 17:14 . 2010-02-04 15:53 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-03-14 17:14 . 2010-03-14 17:14 -------- d-----w- c:\program files\Lavasoft
2010-03-12 21:56 . 2010-03-12 21:56 -------- d-----w- c:\windows\system32\no-NO
2010-03-12 21:56 . 2010-03-12 21:56 6656 ----a-w- c:\windows\system32\bcmwlrc.dll
2010-03-12 21:50 . 2010-03-12 21:50 10134 ----a-r- c:\users\Owner\AppData\Roaming\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2010-03-12 21:50 . 2010-03-19 23:21 -------- d-----w- c:\windows\Downloaded Installations
2010-03-12 02:25 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-12 02:25 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-12 02:25 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-03-06 04:23 . 2010-03-06 04:23 -------- d-----w- c:\programdata\Ableton
2010-03-06 04:23 . 2010-03-06 04:23 -------- d-----w- c:\users\Owner\AppData\Roaming\Ableton
2010-03-06 04:20 . 2009-06-13 01:53 368640 ----a-w- c:\windows\system32\ReWire.dll
2010-03-06 04:20 . 2009-06-13 01:53 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2010-03-06 04:17 . 2010-03-06 04:17 -------- d-----w- c:\program files\Ableton

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-23 02:45 . 2009-01-15 23:42 -------- d-----w- c:\programdata\Google Updater
2010-03-22 23:45 . 2008-05-21 23:22 2140 ----a-w- c:\windows\bthservsdp.dat
2010-03-22 22:20 . 2009-03-03 23:37 88947 ----a-w- c:\programdata\nvModes.dat
2010-03-22 02:22 . 2008-11-24 00:26 -------- d-----w- c:\users\Owner\AppData\Roaming\BitTorrent
2010-03-21 17:19 . 2010-03-14 17:16 885736 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-03-20 23:11 . 2008-05-26 19:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-18 03:08 . 2008-05-21 21:29 105776 ----a-w- c:\users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-18 02:40 . 2008-05-21 21:29 680 ----a-w- c:\users\Owner\AppData\Local\d3d9caps.dat
2010-03-14 17:16 . 2010-03-14 17:16 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-14 17:16 . 2010-03-14 17:16 95024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-03-14 17:16 . 2010-03-14 17:16 598368 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-03-14 17:16 . 2010-03-14 17:16 566608 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\sbap.dll
2010-03-14 17:16 . 2010-03-14 17:16 15880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-03-14 17:16 . 2010-03-14 17:16 1230160 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-03-14 17:16 . 2010-03-14 17:16 247120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-03-14 17:16 . 2010-03-14 17:16 6330848 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2010-03-14 17:16 . 2010-03-14 17:16 17480 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-03-14 17:14 . 2008-12-08 00:50 -------- d-----w- c:\programdata\Lavasoft
2010-03-13 06:27 . 2009-01-15 23:42 -------- d-----w- c:\program files\Google
2010-03-12 21:50 . 2009-08-03 20:30 -------- d-----w- c:\program files\HP
2010-03-12 02:31 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-12 02:30 . 2008-05-26 16:41 -------- d-----w- c:\programdata\Microsoft Help
2010-02-24 15:16 . 2009-10-03 15:05 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-18 23:22 . 2009-12-08 18:25 -------- d-----r- c:\program files\Skype
2010-02-18 23:21 . 2009-12-24 21:13 -------- d-----w- c:\users\Owner\AppData\Roaming\Vso
2010-02-18 23:21 . 2009-12-24 21:13 47360 ----a-w- c:\users\Owner\AppData\Roaming\pcouffin.sys
2010-02-18 23:21 . 2009-12-24 21:13 47360 ----a-w- c:\users\Owner\AppData\Roaming\pcouffin.sys
2010-02-17 04:08 . 2009-12-24 21:13 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-02-10 01:15 . 2009-01-19 22:44 -------- d-----w- c:\program files\TurboTax
2010-02-07 19:47 . 2010-01-30 19:27 -------- d-----w- c:\users\Owner\AppData\Roaming\gtk-2.0
2010-02-06 23:51 . 2010-02-06 23:51 -------- d-----w- c:\users\Owner\AppData\Roaming\Helios
2010-02-06 23:50 . 2010-02-06 23:50 -------- d-----w- c:\program files\TextPad 5
2010-02-06 21:38 . 2009-06-30 15:42 -------- d-----w- c:\program files\C2
2010-02-05 16:39 . 2010-02-05 16:39 251376 ----a-w- c:\users\Owner\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-02-04 15:53 . 2010-03-14 17:16 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-25 12:00 . 2010-02-23 20:27 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-23 20:27 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-23 20:27 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-23 20:27 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-23 20:27 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-23 20:27 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-23 20:27 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-23 20:27 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-25 08:21 . 2010-02-23 20:27 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-23 23:02 . 2009-09-06 21:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-23 22:58 . 2009-10-26 23:40 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-23 16:06 . 2009-02-26 23:19 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-23 09:26 . 2010-02-23 20:27 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-07 22:07 . 2009-09-06 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-09-06 21:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 18:11 . 2010-01-07 18:12 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-07 18:11 . 2010-01-07 18:10 38784 ----a-w- c:\users\Owner\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-06 15:39 . 2010-02-23 20:27 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-23 20:27 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 15:38 . 2010-02-23 20:27 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-23 20:27 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-23 20:27 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-23 20:27 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 13:30 . 2010-02-23 20:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-02 06:38 . 2010-01-21 23:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 23:18 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-21 23:18 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-21 23:18 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-31 20:09 . 2009-12-31 20:09 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-09-19 02:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-09-19 02:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-09-19 02:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\users\Owner\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Google Update"="c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-09-13 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-09-19 670864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^hpzrcv01.LNK]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\hpzrcv01.LNK
backup=c:\windows\pss\hpzrcv01.LNK.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-12-21 23:35 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-12-22 06:26 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-09-13 14:49 133104 ----atw- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-04-10 17:29 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(cool.gif:a0,f0,d6,9f,65,3a,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 135664]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-21 1263728]
R3 lwldr1a7;Lumenera USB Loader Driver (lwldr1a7.sys);c:\windows\system32\Drivers\lwldr1a7.sys [2008-04-10 26752]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-11-28 122008]
R3 USBLucam1a7;Lumenera Scientific Camera (1a7);c:\windows\system32\Drivers\lwcam1a7.sys [2008-04-10 464896]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-27 102448]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-10-18 20:25 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-03-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-15 07:47]

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 06:26]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 06:26]

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3986340745-2730311142-871471110-1000Core.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-09-13 14:49]

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3986340745-2730311142-871471110-1000UA.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-09-13 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\yj65l5xm.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.comcast.net/~reavie/
FF - component: c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\yj65l5xm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\users\Owner\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\Owner\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\Owner\Program Files\DNA\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-23 19:50
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4988)
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
Completion time: 2010-03-23 19:52:55
ComboFix-quarantined-files.txt 2010-03-24 00:52
ComboFix2.txt 2010-03-24 00:38

Pre-Run: 102,087,680,000 bytes free
Post-Run: 102,050,197,504 bytes free

- - End Of File - - 6C40D3BDEF55B9F6038A301A1E734BFF


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:59 PM, on 3/23/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Users\Owner\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\Explorer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: TBSB05974 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Search Toolbar\tbcore3.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [googletalk] C:\Users\Owner\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9769 bytes

Attached Files


Edited by aommaster, 23 March 2010 - 11:04 PM.


#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:59 PM

Posted 23 March 2010 - 11:15 PM

Hello, EuanR.
Please copy and paste logs into your replies, as they make it easier for me to read smile.gif

We need to run GooredFix
  1. Please download Gooredfix from one of the following mirrors:
    Download Mirror #1
    Download Mirror #2
  2. Ensure all Firefox windows are closed.
  3. Double-click Gooredfix.exe to run it.
  4. When prompted to run the scan, click Yes.
  5. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).


In your next reply, please include the following:
  • Goored.txt

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 EuanR

EuanR
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 25 March 2010 - 07:22 PM

See GooredFix log below. Many thanks.

-EuanR

GooredFix by jpshortstuff (08.01.10.1)
Log created at 19:19 on 25/03/2010 (Owner)
Firefox version 3.6.2 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:25 19/03/2010]

C:\Users\Owner\Application Data\Mozilla\Firefox\Profiles\yj65l5xm.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [23:33 19/03/2010]
{3112ca9c-de6d-4884-a869-9855de68056c} [23:33 19/03/2010]
{3d7eb24f-2740-49df-8937-200b1cc08f8a} [23:33 19/03/2010]
{DDC359D1-844A-42a7-9AA1-88A850A938A8} [23:33 19/03/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [19:47 14/02/2009]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\ProgramData\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}" [00:12 25/11/2009]

-=E.O.F=-


#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:59 PM

Posted 25 March 2010 - 08:48 PM

Hi!

I'm assuming you still have the ads popping up?

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#9 EuanR

EuanR
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 26 March 2010 - 10:04 AM

Hi there. Yes, there are still banner ads showing up. If I clear the Firefox cache it seems to stop the ads for that session, but they soon start up again the next time I open Firefox.

#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:59 PM

Posted 26 March 2010 - 10:35 AM

Hello, EuanR.
Let's use a more in-depth scanner...

We need to run OTL
  1. Please download OTL
  2. Save it to your desktop.
  3. Double click on the OTL icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Change the "Extra Registry" option to "SafeList"
  6. Push the Run Scan button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In your next reply, please include the following:
  • OTL Log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#11 EuanR

EuanR
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 27 March 2010 - 01:40 PM

Hi again. See OTL log below. Still getting banners being inserted and the occasional blue-screen crash. I have no idea if the two problems are linked. All the best - EuanR.


OTL logfile created on: 3/27/2010 1:22:11 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Owner\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 36.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 85.38 Gb Free Space | 36.66% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 148.79 Gb Total Space | 5.37 Gb Free Space | 3.61% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HPLAPTOP
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/26 14:41:40 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
PRC - [2010/03/23 21:49:49 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/21 12:18:24 | 000,818,256 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/03/21 12:18:22 | 001,263,728 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/03/05 10:32:28 | 001,135,912 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2009/12/21 18:35:18 | 000,640,440 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2009/09/18 21:09:14 | 001,980,560 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) -- C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
PRC - [2009/09/18 21:09:14 | 000,670,864 | R--- | M] (Carbonite, Inc.) -- C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
PRC - [2009/09/08 21:09:38 | 010,309,408 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe
PRC - [2009/08/17 22:54:54 | 012,957,536 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/19 17:11:24 | 001,138,688 | ---- | M] (Last.fm) -- C:\Program Files\Last.fm\LastFM.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/06/19 19:08:44 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2008/01/19 02:38:38 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2007/01/01 16:22:02 | 003,739,648 | ---- | M] (Google) -- C:\Users\Owner\AppData\Roaming\Google\Google Talk\googletalk.exe
PRC - [2006/11/28 06:34:38 | 000,134,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/11/28 06:34:18 | 001,962,136 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/11/28 06:34:00 | 000,030,872 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/11/22 17:12:36 | 000,107,112 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/11/22 17:12:16 | 000,107,624 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe


========== Modules (SafeList) ==========

MOD - [2010/03/26 14:41:40 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
MOD - [2009/04/11 01:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/21 12:18:22 | 001,263,728 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/01/17 11:46:59 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2009/09/24 20:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/09/18 21:09:14 | 001,980,560 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) [Auto | Running] -- C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe -- (CarboniteService)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/06/19 19:08:44 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2008/01/19 02:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/03/05 09:30:06 | 000,110,592 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe -- (Com4Qlb)
SRV - [2006/11/28 06:34:26 | 000,122,008 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/11/28 06:34:18 | 001,962,136 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/11/28 06:34:00 | 000,030,872 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/11/22 17:12:16 | 000,107,624 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2006/11/22 17:12:16 | 000,107,624 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2006/10/31 10:32:09 | 002,541,248 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)


========== Driver Services (SafeList) ==========

DRV - [2010/02/04 10:53:02 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/02/04 04:00:00 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20100325.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/02/04 04:00:00 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20100325.002\NAVENG.SYS -- (NAVENG)
DRV - [2009/08/27 03:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/08/27 03:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2008/12/04 03:42:00 | 007,606,688 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/09/30 23:16:44 | 000,109,744 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2008/08/01 19:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/06/19 19:07:50 | 000,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2008/04/10 12:16:06 | 000,464,896 | ---- | M] (Lumenera Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lwcam1a7.sys -- (USBLucam1a7) Lumenera Scientific Camera (1a7)
DRV - [2008/04/10 12:15:48 | 000,026,752 | ---- | M] (Lumenera Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lwldr1a7.sys -- (lwldr1a7) Lumenera USB Loader Driver (lwldr1a7.sys)
DRV - [2008/03/29 18:36:28 | 000,125,328 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE)
DRV - [2008/03/28 03:06:00 | 000,199,472 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/03/04 02:32:00 | 000,188,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2007/12/12 13:12:38 | 000,080,936 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\btwavdt.sys -- (btwavdt)
DRV - [2007/12/12 13:12:38 | 000,080,424 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\btwaudio.sys -- (btwaudio)
DRV - [2007/12/12 13:12:38 | 000,016,168 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\btwrchid.sys -- (btwrchid)
DRV - [2007/11/01 08:51:26 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2007/11/01 08:47:54 | 000,208,896 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2007/11/01 08:47:08 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2007/10/18 06:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/08/28 15:47:36 | 000,146,560 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atswpdrv.sys -- (ATSWPDRV) AuthenTec TruePrint USB Driver (SwipeSensor)
DRV - [2007/07/11 02:30:22 | 000,007,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqRemHid.sys -- (HpqRemHid)
DRV - [2007/06/18 16:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/05/30 15:40:42 | 000,735,232 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2007/02/16 13:50:32 | 000,012,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2007/01/18 18:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/11/22 16:17:06 | 000,274,328 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2006/11/22 16:17:06 | 000,247,144 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP)
DRV - [2006/11/22 16:17:06 | 000,025,448 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2006/11/14 17:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/11/02 04:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 04:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 04:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 04:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 04:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 04:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 04:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 04:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 04:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 04:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 04:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 04:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 04:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 04:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 04:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 04:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 04:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 04:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 04:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 04:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 04:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 04:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 04:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 04:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 04:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 04:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 04:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 04:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 04:49:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/02 04:49:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/02 04:49:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 03:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 03:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 03:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 03:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 03:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 03:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 02:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 02:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/10/06 14:26:16 | 000,406,672 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2006/09/24 08:28:46 | 000,005,248 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Boot | Running] -- C:\Windows\system32\speedfan.sys -- (speedfan)
DRV - [2006/04/04 16:20:37 | 000,009,344 | ---- | M] (Hewlett Packard) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hpfxbulk.sys -- (HPFXBULK)
DRV - [2006/01/13 15:35:34 | 000,470,048 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ar5211.sys -- (AR5211)
DRV - [2005/12/22 17:02:22 | 000,051,840 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2005/11/16 20:28:32 | 000,028,928 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2005/01/01 20:11:43 | 000,003,968 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ElbyDelay.sys -- (ElbyDelay)
DRV - [2005/01/01 20:07:05 | 000,009,728 | ---- | M] (Elaborate Bytes AG) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [1996/04/03 14:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3986340745-2730311142-871471110-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-3986340745-2730311142-871471110-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = https://hermod.nrri.umn.edu/exchweb/bin/aut...e/&reason=0
IE - HKU\S-1-5-21-3986340745-2730311142-871471110-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3986340745-2730311142-871471110-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3986340745-2730311142-871471110-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.startup.homepage: "http://home.comcast.net/~reavie/"
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.13
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.8

FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\ProgramData\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2009/11/24 19:12:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/23 21:49:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/23 21:49:50 | 000,000,000 | ---D | M]

[2010/03/19 18:26:13 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\mozilla\Extensions
[2010/03/27 12:38:19 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\mozilla\Firefox\Profiles\yj65l5xm.default\extensions
[2010/03/19 18:33:24 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Owner\AppData\Roaming\mozilla\Firefox\Profiles\yj65l5xm.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/19 18:33:25 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\Owner\AppData\Roaming\mozilla\Firefox\Profiles\yj65l5xm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/03/19 18:33:26 | 000,000,000 | ---D | M] (Flashblock) -- C:\Users\Owner\AppData\Roaming\mozilla\Firefox\Profiles\yj65l5xm.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2010/03/19 18:33:25 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\Owner\AppData\Roaming\mozilla\Firefox\Profiles\yj65l5xm.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/03/19 18:25:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2009/11/07 11:48:17 | 000,000,019 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (TBSB05974 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Search Toolbar\tbcore3.dll File not found
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-3986340745-2730311142-871471110-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3986340745-2730311142-871471110-1000..\Run: [googletalk] C:\Users\Owner\AppData\Roaming\Google\Google Talk\googletalk.exe (Google)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3986340745-2730311142-871471110-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3986340745-2730311142-871471110-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-3986340745-2730311142-871471110-1000\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab (GMNRev Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.254.254 192.168.254.254
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Owner\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Owner\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/26 14:41:32 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
[2010/03/23 19:52:57 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/03/23 19:52:24 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/03/23 19:43:57 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/03/23 19:25:46 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/03/23 19:25:46 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/03/23 19:25:46 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/03/23 19:25:31 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/03/23 19:25:04 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/22 08:18:55 | 000,000,000 | ---D | C] -- C:\rsit
[2010/03/21 20:58:32 | 000,000,000 | ---D | C] -- C:\Users\Owner\DoctorWeb
[2010/03/20 18:18:36 | 000,046,928 | R--- | C] (Adobe Systems Inc) -- C:\Windows\System32\AdobePDF.dll
[2010/03/20 18:18:36 | 000,022,872 | R--- | C] (Adobe Systems Inc.) -- C:\Windows\System32\AdobePDFUI.dll
[2010/03/20 10:21:19 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\Apple
[2010/03/20 10:17:09 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\Apple Computer
[2010/03/19 18:36:09 | 000,000,000 | ---D | C] -- C:\Users\Owner\Desktop\fixes
[2010/03/19 18:25:53 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/03/19 17:22:32 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\Adobe
[2010/03/18 22:19:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared
[2010/03/18 22:15:22 | 000,000,000 | ---D | C] -- C:\ProgramData\DivX
[2010/03/18 18:07:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/03/18 18:07:12 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/03/17 22:46:07 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/03/14 12:16:47 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\Windows\System32\drivers\Lbd.sys
[2010/03/14 12:16:44 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2010/03/14 12:14:46 | 000,000,000 | -H-D | C] -- C:\ProgramData\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/03/14 12:14:14 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/03/13 01:28:54 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/03/12 16:56:27 | 000,000,000 | ---D | C] -- C:\Windows\System32\no-NO
[2010/03/12 16:50:50 | 000,000,000 | ---D | C] -- C:\Windows\Downloaded Installations
[2010/03/11 21:25:45 | 000,024,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\nshhttp.dll
[2010/03/11 21:25:43 | 000,030,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\httpapi.dll
[2010/03/08 12:59:18 | 000,094,208 | ---- | C] (DivX, Inc.) -- C:\Windows\System32\dpl100.dll
[2010/03/05 23:23:54 | 000,000,000 | ---D | C] -- C:\Users\Owner\Documents\Ableton
[2010/03/05 23:23:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Ableton
[2010/03/05 23:23:52 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Ableton
[2010/03/05 23:20:56 | 000,368,640 | ---- | C] (Propellerhead Software AB) -- C:\Windows\System32\ReWire.dll
[2010/03/05 23:20:56 | 000,233,472 | ---- | C] (Propellerhead Software AB) -- C:\Windows\System32\REX Shared Library.dll
[2010/03/05 23:17:25 | 000,000,000 | ---D | C] -- C:\Program Files\Ableton
[2010/03/02 13:16:04 | 000,353,592 | ---- | C] (DivX, Inc.) -- C:\Windows\System32\DivXControlPanelApplet.cpl
[2009/12/24 16:13:36 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\Owner\AppData\Roaming\pcouffin.sys

========== Files - Modified Within 30 Days ==========

[2010/03/27 13:22:11 | 007,602,176 | -HS- | M] () -- C:\Users\Owner\ntuser.dat
[2010/03/27 12:53:00 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3986340745-2730311142-871471110-1000UA.job
[2010/03/27 12:50:27 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3986340745-2730311142-871471110-1000Core.job
[2010/03/27 12:48:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/27 12:43:34 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/27 12:38:52 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010/03/27 12:38:27 | 000,088,947 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/03/27 12:38:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/26 14:46:15 | 000,004,176 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/26 14:46:15 | 000,004,176 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/26 14:41:40 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
[2010/03/26 09:48:11 | 000,014,079 | ---- | M] () -- C:\Users\Owner\Desktop\ER2 1kireta_abstract.docx
[2010/03/25 22:15:00 | 000,073,216 | ---- | M] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/25 18:16:16 | 000,694,964 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/03/25 18:16:16 | 000,598,588 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/03/25 18:16:16 | 000,102,194 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/03/24 20:10:40 | 000,524,288 | -HS- | M] () -- C:\Users\Owner\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/03/24 20:10:40 | 000,065,536 | -HS- | M] () -- C:\Users\Owner\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/03/24 20:10:31 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/24 20:09:57 | 338,295,276 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/03/23 19:50:32 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/03/22 18:45:18 | 000,002,140 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010/03/22 18:44:18 | 003,174,076 | -H-- | M] () -- C:\Users\Owner\AppData\Local\IconCache.db
[2010/03/22 17:20:13 | 000,088,947 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/03/18 17:48:51 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2010/03/17 22:08:00 | 000,105,776 | ---- | M] () -- C:\Users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/03/17 21:56:09 | 001,727,984 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/03/17 21:40:28 | 000,000,680 | ---- | M] () -- C:\Users\Owner\AppData\Local\d3d9caps.dat
[2010/03/14 12:16:43 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2010/03/14 12:16:40 | 000,015,880 | ---- | M] () -- C:\Windows\System32\lsdelete.exe
[2010/03/12 18:02:38 | 000,261,632 | ---- | M] () -- C:\Windows\PEV.exe
[2010/03/12 16:56:13 | 000,006,656 | ---- | M] () -- C:\Windows\System32\bcmwlrc.dll
[2010/03/08 12:59:18 | 000,094,208 | ---- | M] (DivX, Inc.) -- C:\Windows\System32\dpl100.dll
[2010/03/02 13:16:04 | 000,353,592 | ---- | M] (DivX, Inc.) -- C:\Windows\System32\DivXControlPanelApplet.cpl

========== Files Created - No Company Name ==========

[2010/03/26 09:48:10 | 000,014,079 | ---- | C] () -- C:\Users\Owner\Desktop\ER2 1kireta_abstract.docx
[2010/03/23 19:25:46 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/03/23 19:25:46 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/03/23 19:25:46 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/03/23 19:25:46 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/03/23 19:25:46 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/03/19 17:19:18 | 338,295,276 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/03/14 13:02:07 | 000,015,880 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2010/03/13 01:26:14 | 000,000,884 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/13 01:26:13 | 000,000,880 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/12 16:56:24 | 000,006,656 | ---- | C] () -- C:\Windows\System32\bcmwlrc.dll
[2009/12/24 16:13:57 | 000,000,033 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\pcouffin.log
[2009/12/24 16:13:36 | 000,007,887 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\pcouffin.cat
[2009/12/24 16:13:36 | 000,001,144 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\pcouffin.inf
[2009/12/08 13:28:25 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/11/13 17:25:15 | 000,000,000 | ---- | C] () -- C:\Users\Owner\AppData\Local\FnF4.txt
[2009/09/18 08:35:53 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 15:30:14 | 000,000,363 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 12:37:14 | 000,229,376 | ---- | C] () -- C:\Windows\System32\HPPCPR01.DLL
[2009/05/08 17:37:56 | 000,000,600 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\winscp.rnd
[2009/03/04 00:46:26 | 000,088,947 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/03/03 18:37:10 | 000,088,947 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/01/20 17:28:06 | 000,038,428 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\Comma Separated Values (DOS).ADR
[2008/11/01 16:51:22 | 000,003,262 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\c97a0e88d610e7d
[2008/11/01 16:51:12 | 000,000,128 | -H-- | C] () -- C:\Users\Owner\AppData\Local\Thumbs.db
[2008/09/19 16:57:34 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/09/19 16:55:10 | 000,000,416 | ---- | C] () -- C:\Windows\System32\dtu100.dll.manifest
[2008/06/19 19:08:52 | 000,197,408 | ---- | C] () -- C:\Windows\System32\vpnapi.dll
[2008/06/12 18:50:18 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2008/06/04 18:45:49 | 000,001,389 | ---- | C] () -- C:\Windows\Ncss97.ini
[2008/05/31 21:18:50 | 000,000,040 | ---- | C] () -- C:\Windows\System32\kakle.dll
[2008/05/22 18:43:04 | 000,073,216 | ---- | C] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/05/22 12:41:03 | 000,000,000 | ---- | C] () -- C:\Users\Owner\AppData\Local\QSwitch.txt
[2008/05/22 12:41:03 | 000,000,000 | ---- | C] () -- C:\Users\Owner\AppData\Local\DSwitch.txt
[2008/05/22 12:41:03 | 000,000,000 | ---- | C] () -- C:\Users\Owner\AppData\Local\AtStart.txt
[2008/05/21 16:29:22 | 000,000,680 | ---- | C] () -- C:\Users\Owner\AppData\Local\d3d9caps.dat
[2007/12/04 13:55:36 | 000,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/03/09 17:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/05/06 19:06:00 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2004/10/18 16:25:42 | 000,000,005 | ---- | C] () -- C:\Windows\tpdindfefsnersss.dll
[2004/10/18 16:25:34 | 000,000,003 | ---- | C] () -- C:\Windows\tpdindfefsnerssss.dll
[2003/08/07 15:01:50 | 000,237,568 | ---- | C] () -- C:\Windows\System32\lame_enc.dll
[2001/11/14 12:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\Windows\System32\giveio.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 7470 bytes -> C:\Users\Owner\Documents\~C:UsersOwnerDesktopRfilesoutput.csv
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:5C321E34
< End of report >


#12 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:59 PM

Posted 27 March 2010 - 09:30 PM

Hello, EuanR.
We need to run a custom OTL fix
  1. Please run OTL on your desktop.
  2. Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not copy the word "code".
    CODE
    :Files
    C:\Windows\System32\kakle.dll
    C:\Windows\tpdindfefsnerssss.dll
    C:\Windows\tpdindfefsnersss.dll

    :Commands
    [EmptyTemp]
  3. Click the Run Fix button
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK
  6. A report will open. Copy and Paste that report in your next reply.

NEXT:

We need to run an MBAM Scan
  1. Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2
  2. Make sure you are connected to the Internet.
  3. Double-click on Download_mbam-setup.exe to install the application.
  4. When the installation begins, follow the prompts and do not make any changes to default settings.
  5. When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  6. Then click Finish.
  7. Run MBAM and you will be asked to update the program before performing a scan.
    If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If you encounter any problems while downloading the updates, manually download them from here
    and just double-click on mbam-rules.exe to install.
  8. On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  9. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  10. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  11. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  12. Click OK to close the message box and continue with the removal process.
  13. Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  14. Make sure that everything is checked, and click Remove Selected.
  15. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  16. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  17. Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



In your next reply, please include the following:
  • OTL Log
  • MBAM Log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#13 EuanR

EuanR
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 28 March 2010 - 02:42 PM

Hi aommaster. I should mention - just before running the OTL fix Symantec Antivirus popped up to tell me that it detected a risk:

RISK-Bloodhound.PDF!gen,
ACTION-Left alone,
FILE-DWHDEDA.tmp,
RISK TYPE-Heuristics,
ORIG LOCATION-C:\Users\Owner\AppData\Local\Temp\,
ACTION-Left alone,
CURRENT LOCATION-C:\Users\Owner\AppData\Local\Temp\,
ACTION-The file was left unchanged,
DATE-3/28/2010 13:55

I didn't do anything else with Symantec. Then I ran OTL and MBAM as you recommended; logs below.
Since restarting for OTL I don't seem to be getting banners, but Firefox has only been open ~10 mins since running MBAM.

Best - EuanR

OTL LOG:
All processes killed
========== FILES ==========
C:\Windows\System32\kakle.dll moved successfully.
C:\Windows\tpdindfefsnerssss.dll moved successfully.
C:\Windows\tpdindfefsnersss.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Owner
->Temp folder emptied: 45559520 bytes
->Temporary Internet Files folder emptied: 659606414 bytes
->Java cache emptied: 59091486 bytes
->FireFox cache emptied: 53805092 bytes
->Flash cache emptied: 2073120 bytes

User: Public
->Temp folder emptied: 0 bytes

User: TEMP
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 329347 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 14079 bytes

Total Files Cleaned = 783.00 mb


OTL by OldTimer - Version 3.1.37.3 log created on 03282010_135958

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



Malwarebytes' Anti-Malware 1.44
Database version: 3923
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

3/28/2010 2:30:01 PM
mbam-log-2010-03-28 (14-30-01).txt

Scan type: Quick Scan
Objects scanned: 115940
Time elapsed: 7 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:59 PM

Posted 28 March 2010 - 02:53 PM

Hello, EuanR.
QUOTE
...just before running the OTL fix Symantec Antivirus popped up to tell me that it detected a risk

Looks like an infection in the temporary directly. Not to worry though, since I had OTL clear your temp files. Whatever was found is now gone.

QUOTE
Since restarting for OTL I don't seem to be getting banners, but Firefox has only been open ~10 mins since running MBAM.

Good to hear. I think we may have nailed it smile.gif

Let's just make sure nothing else is hiding.
We need to run a Panda Active Scan
  1. Please go here to run Panda's ActiveScan
  2. Once you are on the Panda site click the Scan your PC button
  3. Click the big Scan Now button
  4. If it wants to install an ActiveX component allow it
  5. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  6. When download is complete, click on My Computer to start the scan
  7. When the scan completes, if anything malicious is detected, click the Export to button, Post the contents of the ActiveScan report

In your next reply, please include the following:
  • ActiveScan Report

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#15 EuanR

EuanR
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 28 March 2010 - 06:01 PM

Hi again.

Panda Active Scan didn't find anything, so there is no report. I'm hoping this cleared up the problem, although I'm surprised the infection showed up in the Temp directory, as I have been clearing those regularly (using ATF-Cleaner) since these problems started. Something must have been putting the "Bloodhound.PDF!gen" back periodically, or maybe ATF-Cleaner was not able to truly delete the files. I don't think there is any website that I visit that could be malicious and repeatedly infecting my computer.

Many thanks for all of your help - I'll pop back in the next couple of days if the problem comes back.

Cheers - EuanR.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users