
Possible backdoor trojan/Trojan Startpage 1505?


  • This topic is locked
30 replies to this topic

#1 Mc Barnes

  • Members
  • 19 posts
  • Gender:Female
  • Location:Colorado
  • Local time:06:44 AM

Posted 20 March 2010 - 04:57 PM

Hi

My problem started over a week ago when I was browsing online and noticed the McAfee security center had stopped working. I was unable to restart it (MISP shell has stopped working). I clicked on Windows Update and would get a quick flash or the browser would open to the site and then just hang. Then I noticed add/remove programs wasn't working (I downloaded a program Your Uninstaller! to uninstall McAfee thinking that might be the problem but uninstalling did not make a difference). I (stupidly?) tried system restore but it didn't help. Since I've been trying to troubleshoot this, many more strange things have happened (not being able to run certain programs -- Quickbooks for one -- and some scanning and security software I've tried to download doesn't work). I downloaded and updated Malwarebytes, ran it and came up clean. I did the same with Super AntiSpyware, running it in safe mode and found nothing. Also ran ESET scan. Tried to download Dr. Web CureIt but it wouldn't download so I downloaded a free 30-day trial of Dr. Web AntiVirus and ran a (16 hour!) scan in safe mode. I saved an Excel file from the scan window because sometimes I can't save logs!

Data1.cab/_1_ccp_o1.exe\data001;C:\Program Files\Intuit\QuickBooks 2006\Components\PConfig\Data1.cab/_1_ccp_o1.exe;Probably BACKDOOR.Trojan;;
_1_ccp_o1.exe;C:\Program Files\Intuit\QuickBooks 2006\Components\PConfig;Container contains infected objects;;
Data1.cab/_1_ipp_o1.exe\data001;C:\Program Files\Intuit\QuickBooks 2006\Components\PConfig\Data1.cab/_1_ipp_o1.exe;Probably BACKDOOR.Trojan;;
_1_ipp_o1.exe;C:\Program Files\Intuit\QuickBooks 2006\Components\PConfig;Container contains infected objects;;
Data1.cab;C:\Program Files\Intuit\QuickBooks 2006\Components\PConfig;Archive contains infected objects;Moved.;
A0032036.reg;C:\System Volume Information\_restore{24059F95-B864-40A8-B6F2-597109CD52D9}\RP341;Trojan.StartPage.1505;Moved.;

I had the choice to delete or move the infected files and I chose move. I found the files in the Dr. Web Infected!!! folder as expected but when I right-clicked on the Trojan.StartPage.1505 file to read the properties, the file disappeared from the folder (never to be seen again).

In any case, quarantining these files has not helped -- I'm wondering if they really are the problem.

My DDS logs are included here; however, I cannot send a GMER log. I ran GMER (twice! very long scan) and the scan completed but when I went to save the log as soon as I tried to type in the file name my entire desktop disappears. The second time I actually took a photo of the completed scan first (I can upload a jpg if you like) but here's the scoop... all the files that showed up at the end of the scan were related to dwprot.sys {Dr. Web Protection for Windows/Doctor Web. Ltd} except for this one:

Name: File System\Fastfat\Fat
Value: fltmgr.sys {microsoft Filesystem Filter Manger/Microsoft Corporation}

I'm hoping someone can help me because I'm worried if I can't find the virus all my backup files (on external drives) will be compromised and I won't know what tool to use to scan them.

Thank you so much in advance!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Sharon at 20:13:04.64 on Fri 03/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\sharon\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WatchingService] "c:\program files\d-link\d-link d-viewcam\bin\wdsvc.exe" sys_auto_run c:\program files\d-link\d-link d-viewcam\Bin
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SpIDerAgent] "c:\program files\drweb\SpIDerAgent.exe"
mRun: [SpIDerMail] "c:\program files\drweb\spiderml.exe" -autorun
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\drweb\drwebsp.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1243652136053
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.222/xplugLiteDL.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sharon\applic~1\mozilla\firefox\profiles\6uiafs9p.default\
FF - plugin: c:\documents and settings\sharon\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\sharon\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-03-19 22:41:03 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-18 23:41:42 115960 ----a-w- c:\windows\system32\drivers\dwprot.sys
2010-03-18 23:41:37 68088 ----a-w- c:\windows\system32\drivers\spiderg3.sys
2010-03-18 23:41:29 0 d-----w- c:\program files\DrWeb
2010-03-18 23:41:29 0 d-----w- c:\program files\common files\Doctor Web
2010-03-18 23:41:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Doctor Web
2010-03-18 23:20:31 0 d-----w- c:\program files\Your Uninstaller 2010
2010-03-18 22:44:21 0 d-----w- c:\documents and settings\sharon\DoctorWeb
2010-03-17 20:42:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 20:42:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 18:04:56 0 d-----w- c:\docume~1\sharon\applic~1\SUPERAntiSpyware.com
2010-03-17 18:04:56 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-17 18:04:18 0 d-----w- C:\Troubleshooting
2010-03-15 02:51:04 0 d-----w- c:\windows\system32\NtmsData
2010-03-10 16:32:04 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-10 16:30:08 0 d--h--w- c:\windows\ie8
2010-03-10 15:07:00 0 d-----w- c:\windows\system32\CatRoot2
2010-03-10 03:36:17 0 d-----w- c:\docume~1\sharon\applic~1\URSoft
2010-03-10 03:36:13 0 d-----w- c:\program files\Your Uninstaller
2010-03-09 04:18:05 0 d-----w- c:\docume~1\sharon\applic~1\Malwarebytes
2010-03-09 04:17:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-09 04:17:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-09 03:50:16 0 d-----w- C:\Temporary
2010-03-09 01:55:13 0 d-----w- c:\windows\pss
2010-03-08 23:30:05 0 d-----w- c:\program files\ESET
2010-03-04 19:22:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-25 00:52:57 7481 ----a-w- c:\windows\system32\novap5.ctm

==================== Find3M ====================

2009-12-30 18:50:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 18:17:57 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 20:13:47.68 ===============

Attached Files
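The "Created Last 30" and "Find3M" sections of the DDS log above are what a helper reads first: each line is a timestamp, a size in bytes, an attribute field and a path. As an added example (not part of this thread, and not code from DDS or BleepingComputer), the Python below parses lines in that shape and flags the entries a reviewer would look at first: hidden or system attributes, new files under system32\drivers, and files written directly into the system32 root. The sample input is constructed from the shape of the log above, and the reading of the 's'/'h'/'d' attribute letters is an assumption based on the lines shown.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample: a handful of lines in the shape of the DDS "Created Last 30"
# and "Find3M" sections quoted in the thread (test input only).
SAMPLE_DDS_LINES = r"""
=============== Created Last 30 ================

2010-03-18 23:41:42 115960 ----a-w- c:\windows\system32\drivers\dwprot.sys
2010-03-20 13:49:26 0 d-sh--w- C:\DrWeb Quarantine
2010-03-17 20:42:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 16:30:08 0 d--h--w- c:\windows\ie8
2010-03-09 04:17:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-25 00:52:57 7481 ----a-w- c:\windows\system32\novap5.ctm

==================== Find3M ====================

2009-10-21 18:17:57 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
"""

# One DDS file-listing line: date, time, size in bytes, 8-char attribute field, path.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
# Section banners such as "=============== Created Last 30 ================".
SECTION_RE = re.compile(r"^=+ (.+?) =+$")


@dataclass
class DdsEntry:
    section: str
    when: datetime
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        # Assumption: a leading 'd' marks a directory (as in the "d-----w-" lines).
        return self.attrs.startswith("d")

    @property
    def is_hidden_or_system(self) -> bool:
        # Assumption: 's' and 'h' in the attribute field are the system and hidden
        # attributes (as in "d-sh--w-" and "--sha-w-" in the log).
        return "s" in self.attrs or "h" in self.attrs


def parse_dds(text: str) -> List[DdsEntry]:
    """Parse the file-listing sections of a DDS log into structured entries."""
    entries: List[DdsEntry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # not a file-listing line (e.g. the Pseudo HJT or process area)
        date, time_, size, attrs, path = m.groups()
        when = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
        entries.append(DdsEntry(section, when, int(size), attrs, path))
    return entries


def triage(entries: List[DdsEntry]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for the entries a reviewer should look at first."""
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        low = e.path.lower()
        if e.is_hidden_or_system:
            reasons.append("hidden/system attribute set")
        if not e.is_dir and "\\system32\\drivers\\" in low:
            reasons.append("new kernel driver")
        parent, _, _name = low.rpartition("\\")
        if not e.is_dir and parent == "c:\\windows\\system32":
            reasons.append("file written directly into system32")
        if reasons:
            flagged[e.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, why in triage(parse_dds(SAMPLE_DDS_LINES)).items():
        print(f"{path}: {', '.join(why)}")
```

A flag is a prompt to check the file's publisher and purpose, not a verdict: in the log above the two flagged drivers belong to Dr.Web and Malwarebytes, which the poster installed herself.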




#2 Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:03:44 PM

Posted 22 March 2010 - 03:20 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log






#3 Mc Barnes

  • Topic Starter
  • Members
  • 19 posts
  • Gender:Female
  • Location:Colorado
  • Local time:06:44 AM

Posted 22 March 2010 - 04:41 PM

Thanks for your reply! I will work on getting you the new logs. I was able to produce a GMER log in safe mode... I don't think I am running emulation software but I will try that fix anyway to see if it makes a difference and I will try a new log in regular mode.

I also noticed that my dds log does not include anything under the section services running... I'm not sure why but I will re-run that log again as well. I did disable security software but maybe I'll try uninstalling it.

In the meantime, my difficulties continue so I am very grateful for any help.

McBarnes

#4 Mc Barnes

  • Topic Starter
  • Members
  • 19 posts
  • Gender:Female
  • Location:Colorado
  • Local time:06:44 AM

Posted 22 March 2010 - 09:21 PM

Here are my new logs. This time I was able to get the GMER report to run in normal as opposed to safe mode. My DDS log still does not show anything under "Running Processes." I've downloaded the DDS link 4 times and run it and it's always the same -- is there perhaps a setting on my computer that I need to change so that these processes show up?


Thanks for any help you can give me!



DDS (Ver_10-03-17.01) - NTFSx86
Run by Sharon at 16:42:38.60 on Mon 03/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\sharon\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1243652136053
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.222/xplugLiteDL.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sharon\applic~1\mozilla\firefox\profiles\6uiafs9p.default\
FF - plugin: c:\documents and settings\sharon\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\sharon\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-03-22 22:07:01 0 ----a-w- c:\documents and settings\sharon\defogger_reenable
2010-03-22 21:15:25 0 d-----w- c:\docume~1\sharon\applic~1\TeamViewer
2010-03-22 21:01:33 0 d-----w- c:\program files\Microsoft Easy Assist
2010-03-22 21:01:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Applications
2010-03-22 18:53:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-20 13:49:26 0 d-sh--w- C:\DrWeb Quarantine
2010-03-19 22:41:03 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-18 23:41:29 0 d-----w- c:\program files\DrWeb
2010-03-18 23:20:31 0 d-----w- c:\program files\Your Uninstaller 2010
2010-03-18 22:44:21 0 d-----w- c:\documents and settings\sharon\DoctorWeb
2010-03-17 20:42:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 20:42:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 18:04:56 0 d-----w- c:\docume~1\sharon\applic~1\SUPERAntiSpyware.com
2010-03-17 18:04:56 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-17 18:04:18 0 d-----w- C:\Troubleshooting
2010-03-15 02:51:04 0 d-----w- c:\windows\system32\NtmsData
2010-03-10 16:32:04 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-10 16:30:08 0 d--h--w- c:\windows\ie8
2010-03-10 15:07:00 0 d-----w- c:\windows\system32\CatRoot2
2010-03-10 03:36:17 0 d-----w- c:\docume~1\sharon\applic~1\URSoft
2010-03-10 03:36:13 0 d-----w- c:\program files\Your Uninstaller
2010-03-09 04:18:05 0 d-----w- c:\docume~1\sharon\applic~1\Malwarebytes
2010-03-09 04:17:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-09 04:17:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-09 03:50:16 0 d-----w- C:\Temporary
2010-03-09 01:55:13 0 d-----w- c:\windows\pss
2010-03-08 23:30:05 0 d-----w- c:\program files\ESET
2010-03-04 19:22:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-25 00:52:57 7481 ----a-w- c:\windows\system32\novap5.ctm

==================== Find3M ====================

2009-12-30 18:50:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-21 18:17:57 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 16:42:45.50 ===============

Attached Files



#5 Mc Barnes

  • Topic Starter
  • Members
  • 19 posts
  • Gender:Female
  • Location:Colorado
  • Local time:06:44 AM

Posted 24 March 2010 - 05:52 PM

Hi Blind Faith!

Things have gone from bad to worse here.... I know you're very busy and I'm trying to hang on here but I'm down to my fingernails!

I'm trying to stay off the internet on the corrupted machine because I cannot run any firewall or security software that I've tried. (I get constant "error" messages in the event viewer when I try... i.e. "The description for Event ID (5300) in Source (Dr. Web Engine) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer, etc.)

Also, I cannot access "internet options" in my control panel. I wanted to check if I was obtaining an IP address automatically but I cannot check that. Instead of an icon with the words "internet options" next to it, I have the icon only. It is at the top of the list in control panel with no words next to it and I cannot open it. When I doubleclick on it nothing happens. When I right-click and select "open" same thing -- nothing.

I cannot turn on the Windows firewall (I get this message: "Windows cannot start the Windows\Firewall\Internet Connection Sharing (ICS) service.").

My browser window for IE looks odd (no "file" "edit" "view" "favorites" "tools" "help" etc.) Just the top blue bar and the internet tab.

In my start-up menu, I cannot disable Remote Access Connection Manager. (Error 1053. The service did not respond to the start or control request in a timely fashion.)

This is my main work computer (I work independently) and I'm really in need of help here.

Thanks so much

Mc Barnes

#6 schrauber

  • Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:44 PM

Posted 26 March 2010 - 12:07 PM

Hello, Mc Barnes
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.





Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


#7 Mc Barnes

  • Topic Starter
  • Members
  • 19 posts
  • Gender:Female
  • Location:Colorado
  • Local time:06:44 AM

Posted 26 March 2010 - 01:52 PM

Hello Tom!

Thank you so much for helping me with my problem. I'm sending tons of great karma your way for your generosity and time!

Here is my ComboFix log (the only thing I did prior to downloading/renaming and running ComboFix was to install the browser Opera because I could not figure out how on Firefox to bypass the auto download so that I could rename the file first. Thus you might see 3 attempts at downloading ComboFix... but the 3rd download using Opera was done correctly and renamed prior to saving to my desktop.)

ComboFix 10-03-26.01 - Sharon 03/26/2010 12:34:07.1.1 - x86
Running from: c:\documents and settings\Sharon\Desktop\schrauber.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\SET11.tmp
c:\program files\Internet Explorer\SET12.tmp
c:\program files\Internet Explorer\SET41.tmp
c:\program files\Internet Explorer\SET42.tmp
c:\program files\Internet Explorer\SET71.tmp
c:\program files\Internet Explorer\SET72.tmp
c:\windows\system32\bszip.dll
c:\windows\system32\Cache
c:\windows\system32\gotomon.log

.
((((((((((((((((((((((((( Files Created from 2010-02-26 to 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-26 18:26 . 2010-03-26 18:26 -------- d-----w- c:\documents and settings\Sharon\Local Settings\Application Data\Opera
2010-03-26 18:25 . 2010-03-26 18:25 -------- d-----w- c:\program files\Opera
2010-03-22 21:15 . 2010-03-22 21:15 -------- d-----w- c:\documents and settings\Sharon\Application Data\TeamViewer
2010-03-22 21:01 . 2010-03-22 21:01 -------- d-----w- c:\program files\Microsoft Easy Assist
2010-03-22 21:01 . 2010-03-22 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2010-03-22 18:53 . 2010-03-22 18:53 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-20 13:49 . 2010-03-22 20:00 -------- d-sh--w- C:\DrWeb Quarantine
2010-03-19 22:41 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-18 23:41 . 2010-03-22 22:34 -------- d-----w- c:\program files\DrWeb
2010-03-18 23:20 . 2010-03-26 16:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-18 23:20 . 2010-03-18 23:20 -------- d-----w- c:\program files\Your Uninstaller 2010
2010-03-18 22:44 . 2010-03-18 23:46 -------- d-----w- c:\documents and settings\Sharon\DoctorWeb
2010-03-17 20:42 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 20:42 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 18:04 . 2010-03-17 18:04 -------- d-----w- c:\documents and settings\Sharon\Application Data\SUPERAntiSpyware.com
2010-03-17 18:04 . 2010-03-17 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-17 18:04 . 2010-03-24 14:48 -------- d-----w- C:\Troubleshooting
2010-03-15 02:51 . 2010-03-15 02:51 -------- d-----w- c:\windows\system32\NtmsData
2010-03-10 16:32 . 2010-03-10 16:32 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-10 16:30 . 2010-03-18 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-10 16:30 . 2010-03-10 16:30 -------- d--h--w- c:\windows\ie8
2010-03-10 15:07 . 2010-03-26 18:34 -------- d-----w- c:\windows\system32\CatRoot2
2010-03-10 03:36 . 2010-03-10 03:36 -------- d-----w- c:\documents and settings\Sharon\Application Data\URSoft
2010-03-10 03:36 . 2010-03-10 16:26 -------- d-----w- c:\program files\Your Uninstaller
2010-03-09 23:16 . 2010-03-10 16:26 -------- d-----w- c:\documents and settings\Test\UserData
2010-03-09 21:33 . 2010-03-09 21:33 69048 ----a-w- c:\documents and settings\Test\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-09 21:33 . 2010-03-09 21:33 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Apple Computer
2010-03-09 21:33 . 2010-03-09 21:33 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\ATI
2010-03-09 21:33 . 2010-03-09 21:33 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Adobe
2010-03-09 21:31 . 2010-03-10 16:30 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Microsoft
2010-03-09 21:31 . 2010-03-10 16:30 -------- d-s---w- c:\documents and settings\Test
2010-03-09 04:18 . 2010-03-09 04:18 -------- d-----w- c:\documents and settings\Sharon\Application Data\Malwarebytes
2010-03-09 04:17 . 2010-03-09 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-09 04:17 . 2010-03-10 16:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-09 03:50 . 2010-03-09 03:51 -------- d-----w- C:\Temporary
2010-03-08 23:30 . 2010-03-08 23:30 -------- d-----w- c:\program files\ESET
2010-03-08 23:05 . 2010-03-10 16:30 -------- d-----w- c:\program files\Windows Live Safety Center
2010-03-04 19:22 . 2010-03-10 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 18:37 . 2009-05-30 06:49 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-03-26 18:37 . 2009-05-30 06:49 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-03-19 00:53 . 2009-05-30 03:16 67128 ----a-w- c:\documents and settings\Sharon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-19 00:19 . 2009-05-30 05:47 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-09 21:53 . 2009-05-30 01:55 87263 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-03-09 08:30 . 2009-06-10 23:03 -------- d-----w- c:\program files\Softland
2010-02-26 18:01 . 2009-05-30 19:46 -------- d-----w- c:\documents and settings\Sharon\Application Data\Apple Computer
2010-02-26 18:00 . 2009-06-01 05:16 -------- d-----w- c:\program files\iTunes
2010-02-05 17:39 . 2010-02-05 17:39 251376 ----a-w- c:\documents and settings\Sharon\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-12-31 16:50 . 2009-05-30 03:31 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 18:50 . 2009-12-30 18:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-30 18:49 . 2009-12-30 18:49 152576 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-30 18:49 . 2009-12-30 18:49 79488 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-10 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"CTHelper"="CTHELPER.EXE" [2003-02-20 28672]
"AsioReg"="CTASIO.DLL" [2003-02-20 110592]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-09-30 258856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2008-09-30 22:04 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Sharon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Sharon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:TCP"= 8000:TCP:UniArgus Port1
"8001:TCP"= 8001:TCP:UniArgus Port2

R1 SASDIFSV;SASDIFSV;c:\docume~1\Sharon\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\docume~1\Sharon\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [x]
R3 SASENUM;SASENUM;c:\docume~1\Sharon\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [x]

.
Contents of the 'Scheduled Tasks' folder

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-839522115-1003Core1cac6f3d5458a9c.job
- c:\documents and settings\Sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-10 20:27]

2010-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-839522115-1003UA.job
- c:\documents and settings\Sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-10 20:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.222/xplugLiteDL.cab
FF - ProfilePath - c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\6uiafs9p.default\
FF - plugin: c:\documents and settings\Sharon\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Sharon\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-26 12:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(2152)
c:\windows\system32\WININET.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\windows\system32\msiexec.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\BCMSMMSG.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\CTHELPER.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-26 12:43:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-26 18:43

Pre-Run: 665,406,078,976 bytes free
Post-Run: 665,449,123,840 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 89E866AB9F3FAA4BC658AAF37D16C1AD
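The ComboFix log above ends with the "Reg Loading Points" section that a responder reads first. As an added example (not part of this thread, and not ComboFix's own code), the Python below parses that REGEDIT4-style block and flags the three settings worth a closer look in the log posted here: Security Center monitoring switched off for the McAfee products, `EnableFirewall`= 0 on the standard firewall profile, and the two globally open TCP ports. `SAMPLE_LOG` is a constructed excerpt copied from the log above; the rule names and helper functions are my own.

```python
"""Triage of the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of this thread and not ComboFix's own code.  It parses
the REGEDIT4-style block ComboFix prints and flags settings a responder
checks first: Security Center monitoring switched off, the Windows Firewall
disabled on the standard profile, and ports opened for every application.
SAMPLE_LOG is a constructed excerpt copied from the log posted above.
"""
import re

SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:TCP"= 8000:TCP:UniArgus Port1
"8001:TCP"= 8001:TCP:UniArgus Port2
"""

VALUE_RE = re.compile(r'"([^"]+)"\s*=\s*(.*)')


def parse_reg_section(text):
    """Return {key_path: {value_name: raw_value}} for a REGEDIT4-style block."""
    keys, current = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2).strip()
    return keys


def as_int(raw):
    """Decode 'dword:00000001' or the '0 (0x0)' form ComboFix prints; None if neither."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"\d+", raw)
    return int(m.group()) if m else None


def triage(keys):
    """Return (rule, detail) pairs for the settings worth a closer look."""
    findings = []
    for path, values in keys.items():
        p = path.lower()
        if "security center\\monitoring\\" in p and as_int(values.get("DisableMonitoring", "")) == 1:
            # Security Center no longer reports on this product.  Expected after an
            # uninstall, but also a setting malware turns on, so it is always listed.
            findings.append(("security-center-monitoring-disabled", path.rsplit("\\", 1)[-1]))
        elif p.endswith("firewallpolicy\\standardprofile") and as_int(values.get("EnableFirewall", "")) == 0:
            findings.append(("windows-firewall-disabled", "EnableFirewall=0"))
        elif p.endswith("globallyopenports\\list"):
            # Ports opened for every application rather than tied to one program.
            findings.extend(("globally-open-port", raw) for raw in values.values())
    return findings


def triage_log(text):
    """Parse a ComboFix registry section and return its findings."""
    return triage(parse_reg_section(text))


if __name__ == "__main__":
    for rule, detail in triage_log(SAMPLE_LOG):
        print(f"{rule:40} {detail}")
```

The output is a worklist, not a verdict: in this thread the two McAfee monitoring entries are explained by the poster having uninstalled McAfee, and the UniArgus ports are tied to a named product, so each finding still needs to be matched against what the owner knows is installed before anything is changed.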




#8 Mc Barnes
Topic Starter, Members

Posted 27 March 2010 - 01:11 AM

Hi Thomas,

I had an additional thought regarding the Combofix log I've posted.... a couple days ago, I went into my control panel settings for Services (Local) and changed several settings that were set to "automatic" or "manual" to disabled. I'm wondering if this might prevent combofix from finding something significant... i.e. a start-up service that would have been running on my system at the time my problem started.

I could go back and change the settings back to how they were before (I found the Default Settings for windows xp, which I'm sure is what I was using as I never had cause to tweak these settings before).

Anyway, I promise not to change anything until I hear from you!

Thank you so much,

Mc Barnes

P.S. I'm also wondering about server-related messages that I've found in my event logs as I am not running a server, or participating in any kind of file sharing service:

"Virtual Server 1:C\Inetpub\mailroot\Drop will be used for the drop directory."
"A fatal error occurred while creating an SSL server credential."
"TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attemps."

Any insight you might have into these error messages would be appreciated. Thanks again!

#9 schrauber
Mr.Mechanic, Malware Response Team

Posted 27 March 2010 - 09:33 AM

Hi

QUOTE
prior to downloading/renaming and running Combo Fix was to install the browser Opera because I could not figure out how on Fire Fox to bypass the auto download so that I could rename the file first.


Rightclick the download link and choose "Save as"


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    safebootminimal
    safebootnetwork
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
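The OTL custom scan above brackets a list of system DLLs and storage drivers between /md5start and /md5stop so their MD5 hashes end up in the report, where a helper compares them with known-good copies. As an added example (not OTL, ComboFix or anything from this thread), the Python below does that comparison side: it hashes the listed files, checks them against a baseline, and classifies each as unchanged, modified, missing or lacking a reference hash. The file names are a subset of schrauber's list; the files, their contents and the baseline hashes are constructed in a temporary directory and are not real Windows file hashes.

```python
"""Baseline MD5 check modelled on an OTL /md5start ... /md5stop list.

Added example; it is not OTL, ComboFix or anything posted in this thread.
The names come from the /md5start block above; everything hashed here is a
throw-away file created in a temp directory, so no real Windows hashes appear.
"""
import hashlib
import os
import tempfile

# Subset of the file names in the /md5start block above (constructed demo set).
OTL_MD5_LIST = ["eventlog.dll", "scecli.dll", "netlogon.dll", "atapi.sys", "iaStor.sys"]


def md5_of_file(path, chunk=1 << 16):
    """Stream a file through MD5 so large drivers do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_files(directory, names):
    """Map each name to its MD5, or None when the file is absent."""
    result = {}
    for name in names:
        path = os.path.join(directory, name)
        result[name] = md5_of_file(path) if os.path.isfile(path) else None
    return result


def compare_to_baseline(observed, baseline):
    """Classify each observed file as 'ok', 'modified', 'missing' or 'no-baseline'."""
    verdicts = {}
    for name, digest in observed.items():
        if digest is None:
            verdicts[name] = "missing"
        elif name not in baseline:
            verdicts[name] = "no-baseline"   # nothing to compare against; needs a vendor copy
        elif digest == baseline[name]:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "modified"      # hash differs from the known-good snapshot
    return verdicts


def demo():
    """Build a constructed system directory, snapshot it, then alter one file."""
    with tempfile.TemporaryDirectory() as d:
        present = OTL_MD5_LIST[:-1]                     # iaStor.sys deliberately absent
        for name in present:
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"constructed contents of " + name.encode())
        baseline = hash_files(d, present)               # the known-good snapshot
        del baseline["netlogon.dll"]                    # no reference hash for this one
        with open(os.path.join(d, "atapi.sys"), "ab") as f:
            f.write(b"\x90" * 16)                       # simulate a changed driver file
        return compare_to_baseline(hash_files(d, OTL_MD5_LIST), baseline)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

A "modified" verdict on its own only says the file differs from the snapshot; a legitimate update changes the hash too, so the next step is to compare against a copy from the vendor or from the Windows file cache before treating it as tampered.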

#10 Mc Barnes
Topic Starter, Members

Posted 27 March 2010 - 01:13 PM

Hi Thomas,

Thanks again for working with me!

Here are the reports you requested. A couple of notes:

I dragged the notepad with the code you supplied me into the "ComboFix.exe" icon as the picture showed, instead of the renamed "Shrauber.exe" version of ComboFix. I got a message asking me if I wanted to update ComboFix, but I declined. Maybe I should have updated?

After I ran ComboFix and my computer rebooted and produced the Combofix log, I was able to turn on the windows firewall (which I have not been able to do previously). It was not on when Combofix ran but I did turn it on while I was running the Malwarebytes and OTL reports, which maybe I shouldn't have done. Let me know if this is a problem and I will re-run them. I did not have any other virus programs running at any time during these reports as I've actually uninstalled all anti-virus programs (or tried to anyway!).

Thank you Thomas.

Mc Barnes

ComboFix 10-03-26.01 - Sharon 03/27/2010 10:50:40.2.1 - x86
Running from: c:\documents and settings\Sharon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sharon\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gotomon.log

.
((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
.

2010-03-26 18:26 . 2010-03-26 18:26 -------- d-----w- c:\documents and settings\Sharon\Local Settings\Application Data\Opera
2010-03-26 18:25 . 2010-03-26 18:25 -------- d-----w- c:\program files\Opera
2010-03-22 21:15 . 2010-03-22 21:15 -------- d-----w- c:\documents and settings\Sharon\Application Data\TeamViewer
2010-03-22 21:01 . 2010-03-22 21:01 -------- d-----w- c:\program files\Microsoft Easy Assist
2010-03-22 21:01 . 2010-03-22 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2010-03-22 18:53 . 2010-03-22 18:53 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-20 13:49 . 2010-03-22 20:00 -------- d-sh--w- C:\DrWeb Quarantine
2010-03-19 22:41 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-18 23:41 . 2010-03-22 22:34 -------- d-----w- c:\program files\DrWeb
2010-03-18 23:20 . 2010-03-26 16:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-18 23:20 . 2010-03-18 23:20 -------- d-----w- c:\program files\Your Uninstaller 2010
2010-03-18 22:44 . 2010-03-18 23:46 -------- d-----w- c:\documents and settings\Sharon\DoctorWeb
2010-03-17 20:42 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 20:42 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 18:04 . 2010-03-17 18:04 -------- d-----w- c:\documents and settings\Sharon\Application Data\SUPERAntiSpyware.com
2010-03-17 18:04 . 2010-03-17 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-17 18:04 . 2010-03-27 16:44 -------- d-----w- C:\Troubleshooting
2010-03-15 02:51 . 2010-03-15 02:51 -------- d-----w- c:\windows\system32\NtmsData
2010-03-10 16:32 . 2010-03-10 16:32 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-10 16:30 . 2010-03-18 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-10 16:30 . 2010-03-10 16:30 -------- d--h--w- c:\windows\ie8
2010-03-10 15:07 . 2010-03-27 16:50 -------- d-----w- c:\windows\system32\CatRoot2
2010-03-10 03:36 . 2010-03-10 03:36 -------- d-----w- c:\documents and settings\Sharon\Application Data\URSoft
2010-03-10 03:36 . 2010-03-10 16:26 -------- d-----w- c:\program files\Your Uninstaller
2010-03-09 23:16 . 2010-03-10 16:26 -------- d-----w- c:\documents and settings\Test\UserData
2010-03-09 21:33 . 2010-03-09 21:33 69048 ----a-w- c:\documents and settings\Test\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-09 21:33 . 2010-03-09 21:33 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Apple Computer
2010-03-09 21:33 . 2010-03-09 21:33 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\ATI
2010-03-09 21:33 . 2010-03-09 21:33 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Adobe
2010-03-09 21:31 . 2010-03-10 16:30 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Microsoft
2010-03-09 21:31 . 2010-03-10 16:30 -------- d-s---w- c:\documents and settings\Test
2010-03-09 04:18 . 2010-03-09 04:18 -------- d-----w- c:\documents and settings\Sharon\Application Data\Malwarebytes
2010-03-09 04:17 . 2010-03-09 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-09 04:17 . 2010-03-27 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-09 03:50 . 2010-03-09 03:51 -------- d-----w- C:\Temporary
2010-03-08 23:30 . 2010-03-08 23:30 -------- d-----w- c:\program files\ESET
2010-03-08 23:05 . 2010-03-10 16:30 -------- d-----w- c:\program files\Windows Live Safety Center
2010-03-04 19:22 . 2010-03-10 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 16:56 . 2009-05-30 06:49 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-03-27 16:56 . 2009-05-30 06:49 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-03-19 00:53 . 2009-05-30 03:16 67128 ----a-w- c:\documents and settings\Sharon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-19 00:19 . 2009-05-30 05:47 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-09 21:53 . 2009-05-30 01:55 87263 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-03-09 08:30 . 2009-06-10 23:03 -------- d-----w- c:\program files\Softland
2010-02-26 18:01 . 2009-05-30 19:46 -------- d-----w- c:\documents and settings\Sharon\Application Data\Apple Computer
2010-02-26 18:00 . 2009-06-01 05:16 -------- d-----w- c:\program files\iTunes
2010-02-05 17:39 . 2010-02-05 17:39 251376 ----a-w- c:\documents and settings\Sharon\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-12-31 16:50 . 2009-05-30 03:31 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 18:50 . 2009-12-30 18:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-30 18:49 . 2009-12-30 18:49 152576 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-30 18:49 . 2009-12-30 18:49 79488 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-03-26_18.38.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-27 16:57 . 2010-03-27 16:57 16384 c:\windows\temp\Perflib_Perfdata_7c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-10 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"CTHelper"="CTHELPER.EXE" [2003-02-20 28672]
"AsioReg"="CTASIO.DLL" [2003-02-20 110592]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-09-30 258856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2008-09-30 22:04 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Sharon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Sharon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:TCP"= 8000:TCP:UniArgus Port1
"8001:TCP"= 8001:TCP:UniArgus Port2

R1 SASDIFSV;SASDIFSV;c:\docume~1\Sharon\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\docume~1\Sharon\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [x]
R3 SASENUM;SASENUM;c:\docume~1\Sharon\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [x]

.
Contents of the 'Scheduled Tasks' folder

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-839522115-1003Core1cac6f3d5458a9c.job
- c:\documents and settings\Sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-10 20:27]

2010-03-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-839522115-1003UA.job
- c:\documents and settings\Sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-10 20:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.222/xplugLiteDL.cab
FF - ProfilePath - c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\6uiafs9p.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 10:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(1688)
c:\windows\system32\WININET.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\windows\system32\msiexec.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\BCMSMMSG.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\CTHELPER.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-27 11:01:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-27 17:01
ComboFix2.txt 2010-03-26 18:43

Pre-Run: 667,274,473,472 bytes free
Post-Run: 667,235,307,520 bytes free

- - End Of File - - 2E7132EB6778D38116F90E5A125C0E3B



Malwarebytes' Anti-Malware 1.44
Database version: 3921
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/27/2010 11:21:14 AM
mbam-log-2010-03-27 (11-21-14).txt

Scan type: Quick Scan
Objects scanned: 127312
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




OTL logfile created on: 3/27/2010 11:25:42 AM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Sharon\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 83.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.63 Gb Total Space | 621.41 Gb Free Space | 88.95% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BIGBLUE
Current User Name: Sharon
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/27 11:23:30 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sharon\Desktop\OTL.exe
PRC - [2010/03/18 01:43:38 | 000,835,952 | ---- | M] (Opera Software) -- C:\Program Files\Opera\opera.exe
PRC - [2009/05/05 11:19:14 | 000,451,904 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2008/09/30 16:04:26 | 000,905,512 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2tray.exe
PRC - [2008/09/30 16:04:26 | 000,258,856 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe
PRC - [2008/09/30 16:04:22 | 000,251,176 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2pre.exe
PRC - [2008/09/30 16:04:12 | 000,592,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2comm.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/03 18:28:08 | 001,392,640 | R--- | M] (PalmSource, Inc) -- C:\Program Files\Palm\Hotsync.exe
PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2003/02/20 16:45:40 | 000,028,672 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTHELPER.EXE
PRC - [2002/10/29 09:18:24 | 000,049,152 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
PRC - [2002/09/30 01:00:00 | 000,045,056 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe


========== Modules (SafeList) ==========

MOD - [2010/03/27 11:23:30 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sharon\Desktop\OTL.exe
MOD - [2003/02/20 16:45:52 | 000,061,440 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTAGENT.DLL


========== Win32 Services (SafeList) ==========

SRV - [2009/10/30 13:38:19 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/05/05 11:19:14 | 000,451,904 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2008/09/30 16:04:26 | 000,258,856 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [Auto | Running] -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe -- (GoToMyPC)
SRV - [2008/04/13 18:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/13 18:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2008/04/13 18:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.6.5
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/10 10:31:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/18 18:09:39 | 000,000,000 | ---D | M]

[2009/05/29 23:31:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\Mozilla\Extensions
[2010/03/23 08:09:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\Mozilla\Firefox\Profiles\6uiafs9p.default\extensions
[2009/07/02 11:14:04 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Sharon\Application Data\Mozilla\Firefox\Profiles\6uiafs9p.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/03 13:17:45 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Sharon\Application Data\Mozilla\Firefox\Profiles\6uiafs9p.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/03/19 16:42:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/03/27 10:57:25 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [AsioReg] C:\WINDOWS\System32\CTASIO.DLL (Creative Technology Ltd)
O4 - HKLM..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe (Citrix Online, a division of Citrix Systems, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe (PalmSource, Inc)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab (DLM Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1243652136053 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} http://www.ritzpix.com/net/Uploader/LPUploader57.cab (Image Uploader Control)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} http://192.168.1.222/xplugLiteDL.cab (Gif89 Lite Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.85.102 68.87.69.150
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\GoToMyPC: DllName - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Sharon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Sharon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/31 12:00:26 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/05/29 19:56:06 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: MpfService - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010/03/27 11:23:30 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sharon\Desktop\OTL.exe
[2010/03/27 11:08:10 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sharon\Desktop\mbam-setup.exe
[2010/03/26 12:37:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/03/26 12:33:22 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/03/26 12:30:45 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/26 12:30:45 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/26 12:30:45 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/26 12:30:45 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/26 12:30:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/26 12:28:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/26 12:26:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sharon\Local Settings\Application Data\Opera
[2010/03/26 12:26:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sharon\Application Data\Opera
[2010/03/26 12:25:55 | 000,000,000 | ---D | C] -- C:\Program Files\Opera
[2010/03/26 12:24:45 | 009,849,864 | ---- | C] (Opera Software ASA ) -- C:\Documents and Settings\Sharon\Desktop\Opera_1051_en_Setup.exe
[2010/03/22 15:15:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sharon\Application Data\TeamViewer
[2010/03/22 15:01:33 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Easy Assist
[2010/03/22 15:01:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Applications
[2010/03/20 07:49:26 | 000,000,000 | -HSD | C] -- C:\DrWeb Quarantine
[2010/03/19 20:39:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sharon\Desktop\4th transfer
[2010/03/19 19:11:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/03/18 17:41:29 | 000,000,000 | ---D | C] -- C:\Program Files\DrWeb
[2010/03/18 17:20:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/03/18 17:20:31 | 000,000,000 | ---D | C] -- C:\Program Files\Your Uninstaller 2010
[2010/03/18 17:13:59 | 046,055,472 | ---- | C] (Doctor Web, Ltd. ) -- C:\Documents and Settings\Sharon\Desktop\drweb-600-win-x86.exe
[2010/03/18 16:44:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sharon\DoctorWeb
[2010/03/18 16:25:33 | 014,827,320 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\Sharon\Desktop\6m3ze36z.exe
[2010/03/17 14:42:10 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/17 14:42:08 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/17 12:04:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sharon\Application Data\SUPERAntiSpyware.com
[2010/03/17 12:04:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/03/17 12:04:18 | 000,000,000 | ---D | C] -- C:\Troubleshooting
[2010/03/14 20:51:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2009/06/10 17:06:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Softland
[2009/05/30 00:39:58 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2009/05/29 21:16:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/05/29 20:01:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/05/29 19:56:08 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/05/29 19:56:08 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[21 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[110 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/03/27 11:23:30 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sharon\Desktop\OTL.exe
[2010/03/27 11:10:39 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sharon\Desktop\mbam-setup.exe
[2010/03/27 11:01:41 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/27 10:57:29 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/27 10:57:25 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/03/27 10:57:18 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/27 10:56:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/27 10:56:14 | 000,030,036 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2010/03/27 10:56:14 | 000,030,036 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2010/03/27 10:56:14 | 000,029,760 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2010/03/27 10:56:14 | 000,029,760 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2010/03/27 10:56:14 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/03/27 10:56:14 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/03/27 10:56:14 | 000,000,288 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
[2010/03/27 10:56:14 | 000,000,288 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
[2010/03/27 10:55:53 | 005,767,168 | -H-- | M] () -- C:\Documents and Settings\Sharon\NTUSER.DAT
[2010/03/27 10:55:53 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Sharon\ntuser.ini
[2010/03/27 10:49:02 | 004,481,358 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-00000002-00001102-00000004-10031102}.CDF
[2010/03/27 10:44:02 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\Word 2003.lnk
[2010/03/27 02:37:05 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-839522115-1003UA.job
[2010/03/26 17:41:00 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-839522115-1003Core1cac6f3d5458a9c.job
[2010/03/26 15:00:22 | 000,000,426 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2010/03/26 12:33:25 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/03/26 12:27:51 | 003,903,349 | R--- | M] () -- C:\Documents and Settings\Sharon\Desktop\schrauber.exe
[2010/03/26 12:25:56 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2010/03/26 12:25:05 | 009,849,864 | ---- | M] (Opera Software ASA ) -- C:\Documents and Settings\Sharon\Desktop\Opera_1051_en_Setup.exe
[2010/03/26 12:20:10 | 003,903,349 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\ComboFix(2).exe
[2010/03/26 12:10:39 | 003,903,349 | R--- | M] () -- C:\Documents and Settings\Sharon\Desktop\ComboFix.exe
[2010/03/22 20:22:34 | 004,323,662 | -H-- | M] () -- C:\Documents and Settings\Sharon\Local Settings\Application Data\IconCache.db
[2010/03/22 16:21:15 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\dds(4).scr
[2010/03/22 16:07:01 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Sharon\defogger_reenable
[2010/03/22 16:06:14 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\Defogger.exe
[2010/03/22 15:33:36 | 000,001,337 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/22 15:15:07 | 002,234,136 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\TeamViewerQS.exe
[2010/03/22 12:53:14 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/19 20:26:41 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\gmer.zip
[2010/03/19 20:10:39 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\dds(3).scr
[2010/03/19 20:07:40 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\dds(2).scr
[2010/03/19 20:06:18 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\dds.scr
[2010/03/19 17:08:23 | 000,000,440 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/03/18 19:47:24 | 001,526,560 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/18 18:53:48 | 000,067,128 | ---- | M] () -- C:\Documents and Settings\Sharon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/18 17:20:33 | 000,000,761 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\Your Uninstaller!.lnk
[2010/03/18 17:16:21 | 046,055,472 | ---- | M] (Doctor Web, Ltd. ) -- C:\Documents and Settings\Sharon\Desktop\drweb-600-win-x86.exe
[2010/03/18 16:25:36 | 014,827,320 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\Sharon\Desktop\6m3ze36z.exe
[2010/03/17 14:42:12 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[21 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[110 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/26 12:33:25 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/03/26 12:33:22 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/03/26 12:30:45 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/26 12:30:45 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/26 12:30:45 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/26 12:30:45 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/26 12:30:45 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/26 12:27:51 | 003,903,349 | R--- | C] () -- C:\Documents and Settings\Sharon\Desktop\schrauber.exe
[2010/03/26 12:25:56 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2010/03/26 12:20:10 | 003,903,349 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\ComboFix(2).exe
[2010/03/26 12:10:39 | 003,903,349 | R--- | C] () -- C:\Documents and Settings\Sharon\Desktop\ComboFix.exe
[2010/03/22 16:21:15 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\dds(4).scr
[2010/03/22 16:07:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Sharon\defogger_reenable
[2010/03/22 16:06:14 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\Defogger.exe
[2010/03/22 15:15:06 | 002,234,136 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\TeamViewerQS.exe
[2010/03/22 12:53:14 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/19 20:27:07 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\gmer.zip
[2010/03/19 20:10:39 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\dds(3).scr
[2010/03/19 20:07:39 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\dds(2).scr
[2010/03/19 20:06:18 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\dds.scr
[2010/03/19 17:08:23 | 000,000,440 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/03/18 17:36:29 | 000,000,930 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-839522115-1003Core1cac6f3d5458a9c.job
[2010/03/18 17:20:33 | 000,000,761 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\Your Uninstaller!.lnk
[2010/03/17 14:42:12 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/03 12:06:20 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2010/01/03 12:06:19 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2010/01/03 12:06:04 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2010/01/03 12:06:02 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2010/01/03 12:06:00 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2009/06/25 19:53:46 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/05/30 20:18:57 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Sharon\Local Settings\Application Data\fusioncache.dat
[2009/05/30 13:17:18 | 000,078,336 | ---- | C] () -- C:\Documents and Settings\Sharon\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/30 11:47:30 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/05/30 00:41:26 | 000,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2009/05/30 00:40:24 | 000,066,807 | ---- | C] () -- C:\WINDOWS\System32\Aud2_Del.ini
[2009/05/30 00:40:24 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2009/05/30 00:40:08 | 000,005,515 | ---- | C] () -- C:\WINDOWS\System32\ENSDEF.INI
[2009/05/30 00:40:08 | 000,000,180 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2009/05/30 00:37:42 | 000,000,136 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2009/05/30 00:03:49 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2009/05/29 22:33:00 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/05/29 20:53:21 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2008/02/19 00:33:34 | 000,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/03/22 15:01:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2009/05/30 11:52:18 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/05/31 12:09:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flip Video
[2009/05/30 11:57:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HotSync
[2010/03/26 10:28:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/01/18 11:47:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/05/31 23:16:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/06/07 13:56:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\.purple
[2009/05/30 13:54:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/06/07 10:07:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\gtk-2.0
[2009/05/30 11:57:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\HotSync
[2010/03/26 12:26:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\Opera
[2010/03/22 15:15:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\TeamViewer
[2010/03/09 21:36:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\URSoft

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/05/29 21:09:35 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/05/29 21:09:35 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2003/07/16 10:40:05 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2009/05/29 21:09:35 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/05/29 21:09:35 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2003/07/16 10:18:31 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2003/07/02 19:00:00 | 000,274,816 | ---- | M] (Intel Corporation) MD5=50B56E7DE809BE4B8F4D24B3F0381520 -- C:\WINDOWS\OemDir\iaStor.sys
[2003/07/02 19:00:00 | 000,274,816 | ---- | M] (Intel Corporation) MD5=50B56E7DE809BE4B8F4D24B3F0381520 -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 286 bytes -> C:\Documents and Settings\Sharon\Desktop\Office.Space.1999.1080p.Bluray.DTS.x264.mkv:AFP_RESOURCE
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CE11B51
< End of report >



OTL Extras logfile created on: 3/27/2010 11:25:42 AM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Sharon\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 83.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.63 Gb Total Space | 621.41 Gb Free Space | 88.95% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BIGBLUE
Current User Name: Sharon
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- C:\Program Files\Opera\opera.exe (Opera Software)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"8000:TCP" = 8000:TCP:*:Enabled:UniArgus Port1
"8001:TCP" = 8001:TCP:*:Enabled:UniArgus Port2

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager -- (Intuit, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Documents and Settings\Sharon\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll" = C:\Documents and Settings\Sharon\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin -- (Google)
"C:\Documents and Settings\Sharon\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Sharon\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3
"{02EBDBB9-4600-41D3-B566-40CB861511D2}" = World of Warcraft FREE Trial
"{0327FA9D-975C-448C-A086-577D57BB25B8}" = Adobe Soundbooth CS3 Codecs
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP100_series" = Canon iP100 series
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}" = Adobe After Effects CS3 Presets
"{243DA072-8E39-424A-86A3-F63152021383}" = Adobe Glyphlet Creation Tool CS3
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.2
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{2F1D77A3-1D68-4E71-AD37-8E372AC0F455}" = ZipMail for Gmail
"{326957C7-83FD-4550-A59A-849B7B4297DE}" = Microsoft Easy Assist v2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{405D8563-BDD7-487C-9498-942518B366BE}" = Setup Wizard SE
"{40F2BCF4-4EED-4AD4-BFB6-A58946C561A1}" = Adobe Creative Suite 3 Production Premium
"{4324BC93-C82F-ED16-BA86-5E34B9E05303}" = ccc-core-static
"{485ACF57-F364-440A-8496-E1E81C8FA1AA}" = Adobe Premiere Pro CS3 Third Party Content
"{4ED118EE-785C-CC18-5D2E-D5CA4BAA03F0}" = Catalyst Control Center Graphics Full New
"{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}" = Adobe Premiere Pro CS3 Functional Content
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{539475B7-44B7-8B0A-134C-F01B9C8B7569}" = ccc-core-preinstall
"{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}" = Adobe Audition 3.0
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}" = Adobe Encore CS3
"{56F3E1FF-54FE-4384-A153-6CCABA097814}" = Creative MediaSource
"{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}" = Adobe Premiere Pro CS3
"{58F4D4FD-1814-4068-B316-C28FC776C6DD}" = GoToMyPC
"{5AC7AE54-55DF-1126-076C-623F008D40B6}" = Catalyst Control Center Graphics Full Existing
"{6351D217-3EE3-1967-29BE-6A77635FE485}" = Skins
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69B02159-7622-4DBB-B9EE-F933039830AD}" = QuickBooks Pro 2006
"{6AB9CD3A-F91F-233B-923B-6C59BA63524D}" = Catalyst Control Center HydraVision Full
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{73E81E9B-7319-43AD-B7CC-1C61405E5089}" = Adobe After Effects CS3 Template Projects & Footage
"{7ACFB90E-8FD0-4397-AD3A-5195412623A3}" = Adobe Help Viewer CS3
"{7ECEF10B-F1C2-4FD5-861F-A3FCB4653304}" = Adobe After Effects CS3 Third Party Content
"{82CA0A0C-A3EC-4167-B694-909205B2EDEC}" = muvee Plugin 1.0
"{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}" = Adobe Video Profiles
"{85A91C22-C369-FCFB-5F1F-D59EB21AD0E1}" = CCC Help English
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8D49D55D-9837-4E0E-AE3B-05C7BEC5CD1F}" = Opera 10.51
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{92A300C0-E97B-48CC-9702-AB1AAED167E1}" = Adobe Soundbooth CS3 Scores
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{998AD896-5B25-466D-8D56-CC0CC9228A68}" = Adobe Audition 2.0 Loopology Content
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}" = Adobe Soundbooth CS3
"{A6D0140F-E62F-9D1E-2408-9CFF91FF6FC8}" = ccc-utility
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}" = Adobe Encore CS3 Codecs
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BA67E3E1-25EE-4481-857D-D3CA99DA71C8}" = Adobe Setup
"{BBF6D0CD-A081-369F-B0B8-F168594CBB6B}" = Google Talk Plugin
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C44A7422-E380-44BE-79FE-1C032D8A03A7}" = Catalyst Control Center Core Implementation
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{D5A31AB1-345D-47C7-A87B-036A669F6DF1}" = Adobe XMP Panels CS3
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DC017035-1939-425F-8F86-63B462C76C6A}" = PDF Settings
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E5D24929-91A4-B0A1-DE00-AFC453921EF7}" = Catalyst Control Center Graphics Light
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E6C09BFB-BA75-15C7-5B18-A2CE31C4F42B}" = Catalyst Control Center Graphics Previews Common
"{E82BF103-904F-49C0-B77F-6EC110B71E87}" = Sound Blaster Audigy 2
"{EB0202F7-016A-410C-ADE4-40F848CCC661}" = Adobe After Effects CS3
"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3
"{F1223D5A-C34D-46DB-8E3A-4E051A0EC824}" = FlipShare
"{F1D93F5B-881F-49E3-BA56-B4B8FA991059}" = Adobe Encore CS3 Library
"{FD6034A3-655C-49F0-B496-D4CBFD74D7A7}" = Palm Desktop by ACCESS
"3ivx MPEG-4 5.0.3" = 3ivx MPEG-4 5.0.3 (remove only)
"Adobe AIR" = Adobe AIR
"Adobe Audition 3.0" = Adobe Audition 3.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"Adobe_aefc483f26b23ab60cc5653016d5017" = Add or Remove Adobe Creative Suite 3 Production Premium
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Canon MOV Decoder" = Canon MOV Decoder
"Canon MOV Encoder" = Canon MOV Encoder
"CSCLIB" = Canon Camera Support Core Library
"EOS Utility" = Canon Utilities EOS Utility
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MemoriesOnTV3_is1" = MemoriesOnTV 3.1.8
"MemoriesOnTV4_is1" = MemoriesOnTV 4.1.1
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.0.11)" = Mozilla Firefox (3.0.11)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"PhotoStitch" = Canon Utilities PhotoStitch
"Picasa 3" = Picasa 3
"Pidgin" = Pidgin
"PROSet" = Intel® PRO Network Adapters and Drivers
"RemoteCaptureDC" = Canon Utilities RemoteCapture DC
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"VLC media player" = VLC media player 1.0.3
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"YU2010_is1" = Your Uninstaller! 2010
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/27/2010 2:37:05 AM | Computer Name = BIGBLUE | Source = Google Update | ID = 20
Description =

Error - 3/27/2010 3:37:05 AM | Computer Name = BIGBLUE | Source = Google Update | ID = 20
Description =

Error - 3/27/2010 4:08:43 AM | Computer Name = BIGBLUE | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

Error - 3/27/2010 4:37:05 AM | Computer Name = BIGBLUE | Source = Google Update | ID = 20
Description =

Error - 3/27/2010 12:24:28 PM | Computer Name = BIGBLUE | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 3/27/2010 12:26:20 PM | Computer Name = BIGBLUE | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

Error - 3/27/2010 12:38:37 PM | Computer Name = BIGBLUE | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 3/27/2010 12:40:03 PM | Computer Name = BIGBLUE | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

Error - 3/27/2010 12:57:17 PM | Computer Name = BIGBLUE | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 3/27/2010 12:59:16 PM | Computer Name = BIGBLUE | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

[ System Events ]
Error - 3/26/2010 2:40:43 PM | Computer Name = BIGBLUE | Source = DCOM | ID = 10005
Description = DCOM got error "%1068" attempting to start the service IISADMIN with
arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}

Error - 3/26/2010 11:56:19 PM | Computer Name = BIGBLUE | Source = DCOM | ID = 10005
Description = DCOM got error "%1068" attempting to start the service IISADMIN with
arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}

Error - 3/27/2010 4:10:31 AM | Computer Name = BIGBLUE | Source = DCOM | ID = 10005
Description = DCOM got error "%1068" attempting to start the service IISADMIN with
arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}

Error - 3/27/2010 4:49:02 AM | Computer Name = BIGBLUE | Source = DCOM | ID = 10005
Description = DCOM got error "%1068" attempting to start the service IISADMIN with
arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}

Error - 3/27/2010 4:49:45 AM | Computer Name = BIGBLUE | Source = DCOM | ID = 10005
Description = DCOM got error "%1068" attempting to start the service IISADMIN with
arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}

Error - 3/27/2010 5:25:06 AM | Computer Name = BIGBLUE | Source = DCOM | ID = 10005
Description = DCOM got error "%1068" attempting to start the service IISADMIN with
arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}

Error - 3/27/2010 12:26:20 PM | Computer Name = BIGBLUE | Source = DCOM | ID = 10005
Description = DCOM got error "%1068" attempting to start the service IISADMIN with
arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}

Error - 3/27/2010 12:40:03 PM | Computer Name = BIGBLUE | Source = DCOM | ID = 10005
Description = DCOM got error "%1068" attempting to start the service IISADMIN with
arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}

Error - 3/27/2010 12:59:16 PM | Computer Name = BIGBLUE | Source = DCOM | ID = 10005
Description = DCOM got error "%1068" attempting to start the service IISADMIN with
arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}

Error - 3/27/2010 1:25:54 PM | Computer Name = BIGBLUE | Source = DCOM | ID = 10005
Description = DCOM got error "%1068" attempting to start the service IISADMIN with
arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}


< End of report >


#11 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:44 PM

Posted 27 March 2010 - 04:26 PM

Good :)


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt



Please post back with a fresh OTL logfile and tell me how your system is running.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#12 Mc Barnes

Mc Barnes
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Gender:Female
  • Location:Colorado
  • Local time:06:44 AM

Posted 28 March 2010 - 04:21 PM

Hi Thomas,

Happy Sunday to you!

I ran the ESET scan (see below) and it found nothing; however, my problems continue. Here are my main problems:

- cannot open add/remove programs (get quick "flash" but nothing happens)
- cannot update Windows (get quick "flash" but nothing happens)
- Internet explorer does not open
- cannot start the Windows firewall. I get a pop-up window that says "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?" When I click "yes" it tries to start the service, then shows the message "Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service."
- cannot open QuickBooks

Prior to running ComboFix etc., my mouse was constantly flashing an hourglass and behaving a bit erratically; now it is not flashing and it is behaving more normally.
Also, both times I ran ComboFix, immediately after ComboFix rebooted the computer I was able to turn on the Windows firewall. However, after I reboot the computer again normally, I lose that function and am not able to turn on the firewall.

Thanks so much for your help!

Here is my ESET log (ESET did not give me an opportunity to save a file to the desktop after it finished the scan... perhaps because it didn't find anything?)

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1de5962593fb664fac86956e00aa6e98
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-09 01:21:34
# local_time=2010-03-08 06:21:34 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=crash
# scanned=153692
# found=0
# cleaned=0
# scan_time=6559
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=de6d46a80d595a45ab81591f97563279
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-03-28 07:34:00
# local_time=2010-03-28 01:34:00 (-0700, Mountain Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=crash
# scanned=157312
# found=0
# cleaned=0
# scan_time=8979



Here is my OTL log. I did not paste the items into the custom scan box as you had me do last time. If I was supposed to paste them in again, please let me know and I'll re-run. Also, I just got one report this time.

OTL logfile created on: 3/28/2010 2:57:02 PM - Run 2
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Sharon\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 83.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.63 Gb Total Space | 621.37 Gb Free Space | 88.94% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BIGBLUE
Current User Name: Sharon
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/27 11:23:30 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sharon\Desktop\OTL.exe
PRC - [2010/03/18 01:43:38 | 000,835,952 | ---- | M] (Opera Software) -- C:\Program Files\Opera\opera.exe
PRC - [2009/05/05 11:19:14 | 000,451,904 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2008/09/30 16:04:26 | 000,905,512 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2tray.exe
PRC - [2008/09/30 16:04:26 | 000,258,856 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe
PRC - [2008/09/30 16:04:22 | 000,251,176 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2pre.exe
PRC - [2008/09/30 16:04:12 | 000,592,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2comm.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/03 18:28:08 | 001,392,640 | R--- | M] (PalmSource, Inc) -- C:\Program Files\Palm\Hotsync.exe
PRC - [2003/02/20 16:45:40 | 000,028,672 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTHELPER.EXE
PRC - [2002/10/29 09:18:24 | 000,049,152 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
PRC - [2002/09/30 01:00:00 | 000,045,056 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe


========== Modules (SafeList) ==========

MOD - [2010/03/27 11:23:30 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sharon\Desktop\OTL.exe
MOD - [2003/02/20 16:45:52 | 000,061,440 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTAGENT.DLL


========== Win32 Services (SafeList) ==========

SRV - [2009/10/30 13:38:19 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/05/05 11:19:14 | 000,451,904 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2008/09/30 16:04:26 | 000,258,856 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [Auto | Running] -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe -- (GoToMyPC)
SRV - [2008/04/13 18:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/13 18:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2008/04/13 18:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2025429265-1343024091-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2025429265-1343024091-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2025429265-1343024091-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.6.5
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/10 10:31:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/18 18:09:39 | 000,000,000 | ---D | M]

[2009/05/29 23:31:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\Mozilla\Extensions
[2010/03/27 12:52:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\Mozilla\Firefox\Profiles\6uiafs9p.default\extensions
[2009/07/02 11:14:04 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Sharon\Application Data\Mozilla\Firefox\Profiles\6uiafs9p.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/03 13:17:45 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Sharon\Application Data\Mozilla\Firefox\Profiles\6uiafs9p.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/03/27 12:52:03 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/03/27 10:57:25 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKU\S-1-5-21-2025429265-1343024091-839522115-1003\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [AsioReg] C:\WINDOWS\System32\CTASIO.DLL (Creative Technology Ltd)
O4 - HKLM..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe (Citrix Online, a division of Citrix Systems, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe (PalmSource, Inc)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2025429265-1343024091-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2025429265-1343024091-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2025429265-1343024091-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2025429265-1343024091-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab (DLM Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1243652136053 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} http://www.ritzpix.com/net/Uploader/LPUploader57.cab (Image Uploader Control)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} http://192.168.1.222/xplugLiteDL.cab (Gif89 Lite Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.85.102 68.87.69.150
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\GoToMyPC: DllName - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Sharon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Sharon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/31 12:00:26 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/03/27 13:33:41 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/03/27 11:23:30 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sharon\Desktop\OTL.exe
[2010/03/27 11:08:10 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sharon\Desktop\mbam-setup.exe
[2010/03/26 12:37:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/03/26 12:33:22 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/03/26 12:30:45 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/26 12:30:45 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/26 12:30:45 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/26 12:30:45 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/26 12:30:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/26 12:28:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/26 12:26:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sharon\Local Settings\Application Data\Opera
[2010/03/26 12:26:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sharon\Application Data\Opera
[2010/03/26 12:25:55 | 000,000,000 | ---D | C] -- C:\Program Files\Opera
[2010/03/26 12:24:45 | 009,849,864 | ---- | C] (Opera Software ASA ) -- C:\Documents and Settings\Sharon\Desktop\Opera_1051_en_Setup.exe
[2010/03/22 15:15:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sharon\Application Data\TeamViewer
[2010/03/22 15:01:33 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Easy Assist
[2010/03/22 15:01:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Applications
[2010/03/20 07:49:26 | 000,000,000 | -HSD | C] -- C:\DrWeb Quarantine
[2010/03/19 20:39:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sharon\Desktop\4th transfer
[2010/03/19 19:11:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/03/18 17:41:29 | 000,000,000 | ---D | C] -- C:\Program Files\DrWeb
[2010/03/18 17:20:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/03/18 17:20:31 | 000,000,000 | ---D | C] -- C:\Program Files\Your Uninstaller 2010
[2010/03/18 17:13:59 | 046,055,472 | ---- | C] (Doctor Web, Ltd. ) -- C:\Documents and Settings\Sharon\Desktop\drweb-600-win-x86.exe
[2010/03/18 16:44:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sharon\DoctorWeb
[2010/03/18 16:25:33 | 014,827,320 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\Sharon\Desktop\6m3ze36z.exe
[2010/03/17 14:42:10 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/17 14:42:08 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/17 12:04:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sharon\Application Data\SUPERAntiSpyware.com
[2010/03/17 12:04:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/03/17 12:04:18 | 000,000,000 | ---D | C] -- C:\Troubleshooting
[2010/03/14 20:51:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2009/06/10 17:06:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Softland
[2009/05/30 00:39:58 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2009/05/29 21:16:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/05/29 20:01:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/05/29 19:56:08 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/05/29 19:56:08 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[21 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[110 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/03/28 13:39:49 | 005,767,168 | -H-- | M] () -- C:\Documents and Settings\Sharon\NTUSER.DAT
[2010/03/28 11:00:51 | 002,672,312 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\esetsmartinstaller_enu.exe
[2010/03/28 10:59:30 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\Word 2003.lnk
[2010/03/28 10:57:10 | 000,001,475 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\Windows Explorer.lnk
[2010/03/28 10:56:51 | 000,001,147 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\esetSmartInstall.png
[2010/03/28 10:45:12 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/28 10:43:31 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/28 10:43:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/28 02:27:44 | 000,030,036 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2010/03/28 02:27:44 | 000,030,036 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2010/03/28 02:27:44 | 000,029,760 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2010/03/28 02:27:44 | 000,029,760 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2010/03/28 02:27:44 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/03/28 02:27:44 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/03/28 02:27:44 | 000,000,288 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
[2010/03/28 02:27:44 | 000,000,288 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
[2010/03/28 02:27:23 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Sharon\ntuser.ini
[2010/03/28 02:27:19 | 004,481,358 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-00000002-00001102-00000004-10031102}.CDF
[2010/03/27 13:37:00 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-839522115-1003UA.job
[2010/03/27 13:15:08 | 000,000,426 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2010/03/27 11:23:30 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sharon\Desktop\OTL.exe
[2010/03/27 11:10:39 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sharon\Desktop\mbam-setup.exe
[2010/03/27 10:57:29 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/27 10:57:25 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/03/26 17:41:00 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-839522115-1003Core1cac6f3d5458a9c.job
[2010/03/26 12:33:25 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/03/26 12:27:51 | 003,903,349 | R--- | M] () -- C:\Documents and Settings\Sharon\Desktop\schrauber.exe
[2010/03/26 12:25:56 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2010/03/26 12:25:05 | 009,849,864 | ---- | M] (Opera Software ASA ) -- C:\Documents and Settings\Sharon\Desktop\Opera_1051_en_Setup.exe
[2010/03/26 12:20:10 | 003,903,349 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\ComboFix(2).exe
[2010/03/26 12:10:39 | 003,903,349 | R--- | M] () -- C:\Documents and Settings\Sharon\Desktop\ComboFix.exe
[2010/03/22 20:22:34 | 004,323,662 | -H-- | M] () -- C:\Documents and Settings\Sharon\Local Settings\Application Data\IconCache.db
[2010/03/22 16:21:15 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\dds(4).scr
[2010/03/22 16:07:01 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Sharon\defogger_reenable
[2010/03/22 16:06:14 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\Defogger.exe
[2010/03/22 15:33:36 | 000,001,337 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/22 15:15:07 | 002,234,136 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\TeamViewerQS.exe
[2010/03/22 12:53:14 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/19 20:26:41 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\gmer.zip
[2010/03/19 20:10:39 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\dds(3).scr
[2010/03/19 20:07:40 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\dds(2).scr
[2010/03/19 20:06:18 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\dds.scr
[2010/03/19 17:08:23 | 000,000,440 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/03/18 19:47:24 | 001,526,560 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/18 18:53:48 | 000,067,128 | ---- | M] () -- C:\Documents and Settings\Sharon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/18 17:20:33 | 000,000,761 | ---- | M] () -- C:\Documents and Settings\Sharon\Desktop\Your Uninstaller!.lnk
[2010/03/18 17:16:21 | 046,055,472 | ---- | M] (Doctor Web, Ltd. ) -- C:\Documents and Settings\Sharon\Desktop\drweb-600-win-x86.exe
[2010/03/18 16:25:36 | 014,827,320 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\Sharon\Desktop\6m3ze36z.exe
[2010/03/17 14:42:12 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[21 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[110 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/28 11:00:51 | 002,672,312 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\esetsmartinstaller_enu.exe
[2010/03/28 10:56:51 | 000,001,147 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\esetSmartInstall.png
[2010/03/26 12:33:25 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/03/26 12:33:22 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/03/26 12:30:45 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/26 12:30:45 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/26 12:30:45 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/26 12:30:45 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/26 12:30:45 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/26 12:27:51 | 003,903,349 | R--- | C] () -- C:\Documents and Settings\Sharon\Desktop\schrauber.exe
[2010/03/26 12:25:56 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2010/03/26 12:20:10 | 003,903,349 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\ComboFix(2).exe
[2010/03/26 12:10:39 | 003,903,349 | R--- | C] () -- C:\Documents and Settings\Sharon\Desktop\ComboFix.exe
[2010/03/22 16:21:15 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\dds(4).scr
[2010/03/22 16:07:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Sharon\defogger_reenable
[2010/03/22 16:06:14 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\Defogger.exe
[2010/03/22 15:15:06 | 002,234,136 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\TeamViewerQS.exe
[2010/03/22 12:53:14 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/19 20:27:07 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\gmer.zip
[2010/03/19 20:10:39 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\dds(3).scr
[2010/03/19 20:07:39 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\dds(2).scr
[2010/03/19 20:06:18 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\dds.scr
[2010/03/19 17:08:23 | 000,000,440 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/03/18 17:36:29 | 000,000,930 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-839522115-1003Core1cac6f3d5458a9c.job
[2010/03/18 17:20:33 | 000,000,761 | ---- | C] () -- C:\Documents and Settings\Sharon\Desktop\Your Uninstaller!.lnk
[2010/03/17 14:42:12 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/03 12:06:20 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2010/01/03 12:06:19 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2010/01/03 12:06:04 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2010/01/03 12:06:02 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2010/01/03 12:06:00 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2009/06/25 19:53:46 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/05/30 20:18:57 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Sharon\Local Settings\Application Data\fusioncache.dat
[2009/05/30 13:17:18 | 000,078,336 | ---- | C] () -- C:\Documents and Settings\Sharon\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/30 11:47:30 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/05/30 00:41:26 | 000,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2009/05/30 00:40:24 | 000,066,807 | ---- | C] () -- C:\WINDOWS\System32\Aud2_Del.ini
[2009/05/30 00:40:24 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2009/05/30 00:40:08 | 000,005,515 | ---- | C] () -- C:\WINDOWS\System32\ENSDEF.INI
[2009/05/30 00:40:08 | 000,000,180 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2009/05/30 00:37:42 | 000,000,136 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2009/05/30 00:03:49 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2009/05/29 22:33:00 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/05/29 20:53:21 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2008/02/19 00:33:34 | 000,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/03/22 15:01:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2009/05/30 11:52:18 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/05/31 12:09:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flip Video
[2009/05/30 11:57:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HotSync
[2010/03/26 10:28:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/01/18 11:47:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/05/31 23:16:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/06/10 17:06:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Softland
[2009/06/07 13:56:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\.purple
[2009/05/30 13:54:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/06/07 10:07:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\gtk-2.0
[2009/05/30 11:57:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\HotSync
[2010/03/26 12:26:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\Opera
[2010/03/22 15:15:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\TeamViewer
[2010/03/09 21:36:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sharon\Application Data\URSoft

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 286 bytes -> C:\Documents and Settings\Sharon\Desktop\Office.Space.1999.1080p.Bluray.DTS.x264.mkv:AFP_RESOURCE
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CE11B51
< End of report >





#13 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:44 PM

Posted 29 March 2010 - 12:16 PM

Hi,

Please post back with a fresh Gmer logfile.


We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.

regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#14 Mc Barnes

Mc Barnes
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:06:44 AM

Posted 29 March 2010 - 05:11 PM

Hi Thomas,

Thanks for sticking with me! It does seem like my problem is a toughie and I really appreciate your work on it.

I ran the (3.5 hr!) GMER scan again and this time I got this message at the end... "GMER hasn't found any system modification." I saved the log but there wasn't anything in the window at all.

The Junction file produced the log below (I didn't know whether to "clean up" the log by removing all the lines of periods in between the entries. I decided not to and pasted exactly as the log produced... so sorry for the scrolling!)

I noted that one of the entries produced said "the process cannot access the file because it is being used by another process". Just to clarify: I was not using any other programs at the time ... no other windows were open and I was not connected to the cable modem.


Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\DrWeb Quarantine: Access is denied.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


........................................
Failed to open \\?\c:\\Documents and Settings\Sharon\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db: Access is denied.



Failed to open \\?\c:\\Documents and Settings\Sharon\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow: Access is denied.


..................................................................................................................................................................................................

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\CCC\2.0.0.0__90ba9c70f846762e: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_CCC_90ba9c70f846762e_2.0.0.0_x-ww_c7ed2bb0
Substitute Name: C:\WINDOWS\WinSxS\MSIL_CCC_90ba9c70f846762e_2.0.0.0_x-ww_c7ed2bb0

\\?\c:\\WINDOWS\assembly\GAC_MSIL\CLI\2.0.0.0__90ba9c70f846762e: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_CLI_90ba9c70f846762e_2.0.0.0_x-ww_42656733
Substitute Name: C:\WINDOWS\WinSxS\MSIL_CLI_90ba9c70f846762e_2.0.0.0_x-ww_42656733



\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

\\?\c:\\WINDOWS\assembly\GAC_MSIL\LOG\2.0.3343.28329__90ba9c70f846762e: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_LOG_90ba9c70f846762e_2.0.3343.28329_x-ww_2d908276
Substitute Name: C:\WINDOWS\WinSxS\MSIL_LOG_90ba9c70f846762e_2.0.3343.28329_x-ww_2d908276

\\?\c:\\WINDOWS\assembly\GAC_MSIL\MOM\2.0.0.0__90ba9c70f846762e: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_MOM_90ba9c70f846762e_2.0.0.0_x-ww_a60193a8
Substitute Name: C:\WINDOWS\WinSxS\MSIL_MOM_90ba9c70f846762e_2.0.0.0_x-ww_a60193a8

.........................
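Schrauber's Junction step above and the log Mc Barnes posted in reply amount to a reparse-point sweep: `junction -s c:\` walks the drive and prints every junction with its Print Name and Substitute Name, writing "Failed to open" for paths it cannot read and a progress dot per directory. The parser below is an added example, not part of the thread and not Sysinternals code. It reads that report format, skips the progress dots (including dots glued to the front of an entry line, as happened in the posted log) and the "Failed to open" lines, and flags a junction when its Substitute Name (the target the kernel actually follows) lies outside an expected root or differs from the Print Name shown in listings. The sample log is constructed: its two GAC entries mirror the posted log, the last two entries are invented to exercise the rules, and the `EXPECTED_TARGET_ROOTS` allow-list is an assumption for this system.

```python
"""Parse the report of Sysinternals `junction -s <drive>` and flag reparse
points whose real target lies outside the roots that normally hold junctions."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the Junction v1.05 output in the thread: the
# two GAC entries mirror the posted log; the last two are invented (not from the page).
SAMPLE_LOG = r"""Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

Failed to open \\?\c:\\DrWeb Quarantine: Access is denied.
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

...

...\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\CLI\2.0.0.0__90ba9c70f846762e: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_CLI_90ba9c70f846762e_2.0.0.0_x-ww_42656733
Substitute Name: C:\WINDOWS\WinSxS\MSIL_CLI_90ba9c70f846762e_2.0.0.0_x-ww_42656733

\\?\c:\\WINDOWS\system32\drivers\etc: JUNCTION
Print Name : C:\Documents and Settings\user\Local Settings\Temp\etc
Substitute Name: C:\Documents and Settings\user\Local Settings\Temp\etc

\\?\c:\\Program Files\Common Files\Example: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_example_0000
Substitute Name: C:\WINDOWS\WinSxS\x86_example_0001
.
"""

@dataclass
class Junction:
    path: str                  # where the reparse point lives
    kind: str                  # "JUNCTION" in the v1.05 report
    print_name: str = ""       # display name shown in listings
    substitute_name: str = ""  # target the kernel actually follows

@dataclass
class Report:
    entries: list = field(default_factory=list)
    errors: list = field(default_factory=list)  # (path, reason) pairs

# Entry lines are "<\\?\ path>: KIND"; progress dots may be glued to the front
# of one (it happened in the posted log), so leading dots are tolerated.
_ENTRY = re.compile(r"^\.*(\\\\\?\\.+?): ([A-Z][A-Z ]*)$")
_PRINT = re.compile(r"^Print Name\s*:\s*(.*)$")
_SUBST = re.compile(r"^Substitute Name\s*:\s*(.*)$")
_FAIL = re.compile(r"^Failed to open (\\\\\?\\.+?): (.*)$")

def _normalize(p: str) -> str:
    """Drop the \\?\ prefix and collapse the doubled backslash that
    `-s c:\` leaves after the drive letter."""
    if p.startswith("\\\\?\\"):
        p = p[4:]
    return re.sub(r"\\{2,}", lambda _: "\\", p)

def parse_junction_log(text: str) -> Report:
    report, current = Report(), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or set(line) == {"."}:
            continue  # blank line or a row of progress dots
        if m := _FAIL.match(line):
            report.errors.append((_normalize(m.group(1)), m.group(2)))
            current = None
        elif m := _ENTRY.match(line):
            current = Junction(path=_normalize(m.group(1)), kind=m.group(2))
            report.entries.append(current)
        elif current and (m := _PRINT.match(line)):
            current.print_name = m.group(1)
        elif current and (m := _SUBST.match(line)):
            current.substitute_name = m.group(1)
    return report

# Assumed allow-list for this example; build it from a known-clean baseline.
EXPECTED_TARGET_ROOTS = (r"c:\windows\winsxs",)

def flag_suspicious(entries, roots=EXPECTED_TARGET_ROOTS):
    """Flag a junction when its Substitute Name is outside the expected roots
    or disagrees with its Print Name (a listing would then misstate the target)."""
    flagged = []
    for e in entries:
        target = e.substitute_name.lower()
        off_baseline = not any(target.startswith(r) for r in roots)
        mismatch = e.print_name.lower() != target
        if off_baseline or mismatch:
            flagged.append(e)
    return flagged

if __name__ == "__main__":
    rep = parse_junction_log(SAMPLE_LOG)
    for e in flag_suspicious(rep.entries):
        print(f"REVIEW {e.kind} {e.path} -> {e.substitute_name}")
```

Against a real sweep, redirect the tool's output to a file (`junction -s c:\ > log.txt`) and pass the file's contents to `parse_junction_log`; the unreadable paths in `errors` deserve a look too, since a reparse point the scan could not open is one the scan could not vouch for.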



#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:44 PM

Posted 31 March 2010 - 12:18 PM

Hm, let's try this one:


RootRepeal - Rootkit Detector


Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

regards,
schrauber
