Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HELP Computer jumps to 100% processing


  • This topic is locked This topic is locked
21 replies to this topic

#1 EbonyStealth

EbonyStealth

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:16 PM

Posted 27 March 2010 - 05:30 PM

Hello,

After starting my computer jumps immediately to 100% usage and therefore immediately becomes usėless. Here is all the information that may be of use for the diagnosis:

When i start I get a pop up that says that "your computer my be at risk..You have turned off F-Secure 9.0"'...I open my fescure and it says that I am fully protected so i don't know if the pop up is a fake.

I scanned for spyware using Malware bytes and it came back with two threats found. Both with Trojan Vundo H. The program says that it cannot delete these threats but will do so upon startup.. When I scan again the threats show up again. I scanned with Fsecure and it says that no threats are found.

Even non internet programs are taking forever to open

Here is the DSS log that it says to post in the board instructions:


DDS (Ver_10-03-17.01) - NTFSx86
Run by John S at 21:54:27.48 on Fri 03/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.536 [GMT -4:00]

AV: F-Secure PSB Workstation Security 9.00 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure PSB Workstation Security 9.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\1169769463\ee\AOLSoftware.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\F-Secure\Common\FSHDLL32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\John S\Desktop\dds.scr
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
mURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - c:\program files\aol toolbar\aoltb.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {13605f74-2e92-4c8b-be17-1a0901bedfa6} -
BHO: AOL Toolbar Loader: {3ef64538-8b54-4573-b48f-4d34b0238ab2} - c:\program files\aol toolbar\aoltb.dll
BHO: Browsing Protection Class: {c6867eb7-8350-4856-877f-93cf8ae3dc9c} - c:\program files\f-secure\nrs\iescript\baselitmus.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - c:\program files\aol toolbar\aoltb.dll
TB: Browsing Protection Toolbar: {265eee8e-3228-44d3-aea5-f7fdf5860049} - c:\program files\f-secure\nrs\iescript\baselitmus.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\john S\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [HostManager] c:\program files\common files\aol\1169769463\ee\AOLSoftware.exe
mRun: [F-Secure TNB] "c:\program files\f-secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Xqivebegukopos] rundll32.exe "c:\windows\erotozun.dll",Startup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [F-Secure Manager] "c:\program files\f-secure\common\FSM32.EXE" /splash
StartupFolder: c:\documents and settings\john S\start menu\programs\startup\syspck32.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\f-secure\fsps\program\FSLSP.DLL
Trusted Zone: turbotax.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
LSA: Notification Packages = scecli fuwageza.dll

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-12-5 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-12-5 80016]
R0 nrhjmumv;nrhjmumv;c:\windows\system32\drivers\nrhjmumv.sys [2005-8-16 23424]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\f-secure\hips\drivers\fshs.sys [2009-12-5 68080]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\f-secure\anti-virus\fsgk32st.exe [2009-12-5 219760]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure\anti-virus\minifilter\fsgk.sys [2009-12-5 107104]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\f-secure\orsp client\fsorsp.exe [2009-12-5 55992]
S2 FSORSPClientSpooler;F-Secure ORSP Client FSORSPClientSpooler; [x]
S2 gvkvfy;gvkvfy;c:\windows\system32\drivers\crqff.sys --> c:\windows\system32\drivers\crqff.sys [?]
S2 hdgc;hdgc;c:\windows\system32\drivers\lmbsuy.sys --> c:\windows\system32\drivers\lmbsuy.sys [?]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\f-secure\anti-virus\win2k\fsfilter.sys [2009-12-5 39792]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\f-secure\anti-virus\win2k\fsrec.sys [2009-12-5 25200]

=============== Created Last 30 ================

2010-03-25 20:48:47 120 ----a-w- c:\windows\Qhewinewun.dat
2010-03-25 20:48:47 0 ----a-w- c:\windows\Mhexis.bin
2010-03-25 01:21:05 804864 ----a-w- c:\windows\system32\drivers\mhqspsj.sys
2010-03-25 01:20:58 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-03-25 01:20:58 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-03-19 19:29:36 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-03-19 19:28:08 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-02-28 01:42:53 230808 ----a-r- c:\windows\cpnprt2.cid
2010-02-28 01:42:47 230808 ------w- c:\windows\system32\cpnprt2.cid
2010-02-28 01:42:42 0 d-----w- c:\windows\Cache
2010-02-28 01:42:30 0 d-----w- c:\program files\Coupons

==================== Find3M ====================

2010-03-06 01:30:35 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-09-08 00:24:40 17277 ----a-w- c:\program files\common files\udari.db
2009-09-08 00:24:40 11102 ----a-w- c:\program files\common files\uzemahadol.lib
2009-09-03 21:45:26 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-11-30 23:00:23 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-09-03 21:45:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009090320090904\index.dat
2009-11-30 23:00:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009113020091201\index.dat
2009-11-30 22:35:13 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-11-30 22:35:13 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-11-30 22:35:13 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 21:55:58.71 ===============


I have also attached the DSS file that the intsructions say to attach

**Update*..I'm trying to run GMER but after ahile I get the blue screen

Attached Files


Edited by EbonyStealth, 28 March 2010 - 08:11 AM.


BC AdBot (Login to Remove)

 


#2 EbonyStealth

EbonyStealth
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:16 PM

Posted 29 March 2010 - 07:27 PM

attached is the gmer log...I wouldn't let me edit my post to add it

Attached Files

  • Attached File  ark.txt   11.44KB   8 downloads


#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:16 PM

Posted 31 March 2010 - 02:50 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#4 EbonyStealth

EbonyStealth
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:16 PM

Posted 31 March 2010 - 06:08 PM

Description of the issue remains the same as above. There was a message o the GMER log that said root kit activity...Thank you for your help..



DDS (Ver_10-03-17.01) - NTFSx86
Run by John s at 17:40:56.31 on Wed 03/31/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.600 [GMT -4:00]

AV: F-Secure PSB Workstation Security 9.00 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure PSB Workstation Security 9.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\1169769463\ee\AOLSoftware.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\F-Secure\Common\FSHDLL32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Documents and Settings\John s\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
mURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - c:\program files\aol toolbar\aoltb.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {13605f74-2e92-4c8b-be17-1a0901bedfa6} -
BHO: AOL Toolbar Loader: {3ef64538-8b54-4573-b48f-4d34b0238ab2} - c:\program files\aol toolbar\aoltb.dll
BHO: Browsing Protection Class: {c6867eb7-8350-4856-877f-93cf8ae3dc9c} - c:\program files\f-secure\nrs\iescript\baselitmus.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - c:\program files\aol toolbar\aoltb.dll
TB: Browsing Protection Toolbar: {265eee8e-3228-44d3-aea5-f7fdf5860049} - c:\program files\f-secure\nrs\iescript\baselitmus.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\john s\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [HostManager] c:\program files\common files\aol\1169769463\ee\AOLSoftware.exe
mRun: [F-Secure TNB] "c:\program files\f-secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Xqivebegukopos] rundll32.exe "c:\windows\erotozun.dll",Startup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [F-Secure Manager] "c:\program files\f-secure\common\FSM32.EXE" /splash
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: turbotax.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
LSA: Notification Packages = scecli fuwageza.dll

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-12-5 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-12-5 80016]
R0 nrhjmumv;nrhjmumv;c:\windows\system32\drivers\nrhjmumv.sys [2005-8-16 23424]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\f-secure\hips\drivers\fshs.sys [2009-12-5 68080]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\f-secure\anti-virus\fsgk32st.exe [2009-12-5 219760]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure\anti-virus\minifilter\fsgk.sys [2009-12-5 111296]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\f-secure\orsp client\fsorsp.exe [2009-12-5 55992]
S2 FSORSPClientSpooler;F-Secure ORSP Client FSORSPClientSpooler; [x]
S2 gvkvfy;gvkvfy;c:\windows\system32\drivers\crqff.sys --> c:\windows\system32\drivers\crqff.sys [?]
S2 hdgc;hdgc;c:\windows\system32\drivers\lmbsuy.sys --> c:\windows\system32\drivers\lmbsuy.sys [?]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\f-secure\anti-virus\win2k\fsfilter.sys [2009-12-5 39792]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\f-secure\anti-virus\win2k\fsrec.sys [2009-12-5 25200]

=============== Created Last 30 ================

2010-03-25 20:48:47 120 ----a-w- c:\windows\Qhewinewun.dat
2010-03-25 20:48:47 0 ----a-w- c:\windows\Mhexis.bin
2010-03-25 01:21:05 804864 ----a-w- c:\windows\system32\drivers\mhqspsj.sys
2010-03-25 01:20:58 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-03-25 01:20:58 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-03-19 19:29:36 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-03-19 19:28:08 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-03-06 01:30:35 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-09-08 00:24:40 17277 ----a-w- c:\program files\common files\udari.db
2009-09-08 00:24:40 11102 ----a-w- c:\program files\common files\uzemahadol.lib
2009-09-03 21:45:26 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-11-30 23:00:23 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-09-03 21:45:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009090320090904\index.dat
2009-11-30 23:00:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009113020091201\index.dat
2009-11-30 22:35:13 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-11-30 22:35:13 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-11-30 22:35:13 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 17:42:00.73 ===============

Attached Files



#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:16 PM

Posted 02 April 2010 - 12:06 PM

Hello, EbonyStealth
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.





One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.






Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#6 EbonyStealth

EbonyStealth
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:16 PM

Posted 02 April 2010 - 07:52 PM

Attached is the ComboFix log as requested. Just do you know it did not ask me for a recovery console. Also, my computer name is my name so Ļ did a fid and replace on it. The directory has been changed to "John S" from my full name let me know if this is not okay. Thank you very much for all of your help.




ComboFix 10-04-01.02 - John S 04/02/2010 20:20:51.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.573 [GMT -4:00]
Running from: c:\documents and settings\John S\Desktop\schrauber.exe
AV: F-Secure PSB Workstation Security 9.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure PSB Workstation Security 9.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\afycohi.inf
c:\documents and settings\All Users\Documents\ynag.reg
c:\documents and settings\John S\Local Settings\Application Data\{E9BEE37F-2919-4762-8E5C-3CBA0A23A92D}
c:\documents and settings\John S\Local Settings\Application Data\{E9BEE37F-2919-4762-8E5C-3CBA0A23A92D}\chrome.manifest
c:\documents and settings\John S\Local Settings\Application Data\{E9BEE37F-2919-4762-8E5C-3CBA0A23A92D}\chrome\content\_cfg.js
c:\documents and settings\John S\Local Settings\Application Data\{E9BEE37F-2919-4762-8E5C-3CBA0A23A92D}\chrome\content\overlay.xul
c:\documents and settings\John S\Local Settings\Application Data\{E9BEE37F-2919-4762-8E5C-3CBA0A23A92D}\install.rdf
c:\windows\AppPatch\AcAdProc.dll
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\erotozun.dll
c:\windows\run.log
c:\windows\system32\drivers\fklpvmia.sys
c:\windows\system32\drivers\mhqspsj.sys
c:\windows\system32\drivers\nrhjmumv.sys
c:\windows\system32\gncxjww.dll
c:\windows\system32\zeojibo.dll
c:\windows\Tasks\At2.job
c:\windows\Tasks\bdbucffd.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_NRHJMUMV
-------\Legacy_ovfsthlirprqhbaijeyfvitswaktxmyxyxjxbo
-------\Service_6to4
-------\Service_nrhjmumv
-------\Service_ovfsthlirprqhbaijeyfvitswaktxmyxyxjxbo
-------\Legacy_mhqspsj
-------\Service_mhqspsj


((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))
.

2010-03-25 20:48 . 2010-04-03 00:07 120 ----a-w- c:\windows\Qhewinewun.dat
2010-03-25 20:48 . 2010-04-02 18:43 0 ----a-w- c:\windows\Mhexis.bin
2010-03-25 01:20 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-03-25 01:20 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-03-22 21:54 . 2010-04-01 19:59 -------- d-----w- c:\documents and settings\John S\Local Settings\Application Data\Temp
2010-03-22 21:53 . 2010-03-22 21:54 -------- d-----w- c:\documents and settings\John S\Local Settings\Application Data\Deployment
2010-03-19 19:29 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-03-19 19:28 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 01:30 . 2006-08-20 11:53 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-28 22:33 . 2010-02-15 15:33 -------- d-----w- c:\documents and settings\John S\Application Data\uTorrent
2010-02-28 01:42 . 2010-02-28 01:42 -------- d-----w- c:\program files\Coupons
2010-02-25 06:24 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-15 16:00 . 2005-12-29 08:15 -------- d-----w- c:\program files\Google
2010-01-27 01:24 . 2010-01-27 01:24 3584 ----a-r- c:\documents and settings\John S\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-01-21 01:12 . 2009-12-05 23:09 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-01-14 01:59 . 2009-12-02 17:40 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 21:07 . 2009-12-02 17:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-12-02 17:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 16:41 . 2010-01-06 16:41 42144 ----a-w- c:\documents and settings\John S\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-08 00:24 . 2009-09-08 00:24 17277 ----a-w- c:\program files\Common Files\udari.db
2009-09-08 00:24 . 2009-09-08 00:24 11102 ----a-w- c:\program files\Common Files\uzemahadol.lib
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\John S\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-22 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1169769463\ee\AOLSoftware.exe" [2009-07-20 41264]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2009-12-11 1653360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2009-12-11 301680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169769463\\ee\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\F-Secure\\Anti-Virus\\fsav32.exe"=
"c:\\Program Files\\F-Secure\\Common\\FSMA32.EXE"=
"c:\\Program Files\\F-Secure\\Anti-Virus\\fsgk32st.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [12/5/2009 7:09 PM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [12/5/2009 6:43 PM 80016]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [12/5/2009 6:42 PM 68080]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [12/5/2009 6:42 PM 111296]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [12/5/2009 6:42 PM 55992]
S2 FSORSPClientSpooler;F-Secure ORSP Client FSORSPClientSpooler; [x]
S2 gvkvfy;gvkvfy;c:\windows\system32\drivers\crqff.sys --> c:\windows\system32\drivers\crqff.sys [?]
S2 hdgc;hdgc;c:\windows\system32\drivers\lmbsuy.sys --> c:\windows\system32\drivers\lmbsuy.sys [?]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [12/5/2009 6:42 PM 39792]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [12/5/2009 6:42 PM 25200]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NRHJMUMV
*Deregistered* - nrhjmumv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
kxkidfob
.
Contents of the 'Scheduled Tasks' folder

2010-01-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2426779416-4112530064-173872271-1005Core.job
- c:\documents and settings\John S\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 21:54]

2010-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2426779416-4112530064-173872271-1005UA.job
- c:\documents and settings\John S\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 21:54]

2010-04-02 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\F-Secure\ANTI-V~1\fsav.exe [2009-12-05 16:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
Trusted Zone: turbotax.com
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-Xqivebegukopos - c:\windows\erotozun.dll
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-02 20:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(488)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(4004)
c:\windows\system32\WININET.dll
c:\program files\F-Secure\Spam Control\fsscoepl.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\F-Secure\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure\Common\FSMA32.EXE
c:\program files\F-Secure\Anti-Virus\FSGK32.EXE
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\F-Secure\Common\FSHDLL32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\wanmpsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\program files\F-Secure\FWES\Program\fsdfwd.exe
c:\windows\system32\wscntfy.exe
c:\program files\F-Secure\Anti-Virus\fssm32.exe
c:\program files\F-Secure\Anti-Virus\fsav32.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-04-02 20:37:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-03 00:37
ComboFix2.txt 2009-05-03 00:10

Pre-Run: 93,104,398,336 bytes free
Post-Run: 93,145,194,496 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 235828656931C79575DD6CB5395F291F


#7 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:16 PM

Posted 03 April 2010 - 12:16 PM

Hi,


Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
http://www.bleepingcomputer.com/forums/t/305318/help-computer-jumps-to-100-processing/

Collect::
c:\windows\Qhewinewun.dat
c:\windows\Mhexis.bin
c:\program files\Common Files\udari.db
c:\program files\Common Files\uzemahadol.lib
c:\windows\system32\drivers\crqff.sys
c:\windows\system32\drivers\lmbsuy.sys

Driver::
gvkvfy
hdgc
nrhjmumv
kxkidfob

NetSvc::
kxkidfob


Save this as CFScript.txt





Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#8 EbonyStealth

EbonyStealth
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:16 PM

Posted 03 April 2010 - 05:05 PM

ComboFix 10-04-03.01 - John S 04/03/2010 18:15:23.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.575 [GMT -4:00]
Running from: c:\documents and settings\John S\Desktop\schrauber.exe
Command switches used :: c:\documents and settings\John S\Desktop\CFScript.txt
AV: F-Secure PSB Workstation Security 9.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure PSB Workstation Security 9.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}

file zipped: c:\program files\Common Files\udari.db
file zipped: c:\program files\Common Files\uzemahadol.lib
file zipped: c:\windows\Mhexis.bin
file zipped: c:\windows\Qhewinewun.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\udari.db
c:\program files\Common Files\uzemahadol.lib
c:\windows\Mhexis.bin
c:\windows\Qhewinewun.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KXKIDFOB
-------\Legacy_NRHJMUMV
-------\Service_gvkvfy
-------\Service_hdgc


((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))
.

2010-03-25 01:20 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-03-25 01:20 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-03-22 21:54 . 2010-04-01 19:59 -------- d-----w- c:\documents and settings\John S\Local Settings\Application Data\Temp
2010-03-22 21:53 . 2010-03-22 21:54 -------- d-----w- c:\documents and settings\John S\Local Settings\Application Data\Deployment
2010-03-19 19:29 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-03-19 19:28 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 01:30 . 2006-08-20 11:53 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-28 22:33 . 2010-02-15 15:33 -------- d-----w- c:\documents and settings\John S\Application Data\uTorrent
2010-02-28 01:42 . 2010-02-28 01:42 -------- d-----w- c:\program files\Coupons
2010-02-25 06:24 . 2005-08-16 10:18 916480 ------w- c:\windows\system32\wininet.dll
2010-02-15 16:00 . 2005-12-29 08:15 -------- d-----w- c:\program files\Google
2010-01-27 01:24 . 2010-01-27 01:24 3584 ----a-r- c:\documents and settings\John S\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-01-21 01:12 . 2009-12-05 23:09 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-01-14 01:59 . 2009-12-02 17:40 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 21:07 . 2009-12-02 17:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-12-02 17:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 16:41 . 2010-01-06 16:41 42144 ----a-w- c:\documents and settings\John S\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\John S\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-22 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1169769463\ee\AOLSoftware.exe" [2009-07-20 41264]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2009-12-11 1653360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2009-12-11 301680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\1169769463\\ee\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\F-Secure\\Anti-Virus\\fsav32.exe"=
"c:\\Program Files\\F-Secure\\Common\\FSMA32.EXE"=
"c:\\Program Files\\F-Secure\\Anti-Virus\\fsgk32st.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [12/5/2009 7:09 PM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [12/5/2009 6:43 PM 80016]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [12/5/2009 6:42 PM 68080]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [12/5/2009 6:42 PM 111296]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [12/5/2009 6:42 PM 55992]
S2 FSORSPClientSpooler;F-Secure ORSP Client FSORSPClientSpooler; [x]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [12/5/2009 6:42 PM 39792]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [12/5/2009 6:42 PM 25200]
.
Contents of the 'Scheduled Tasks' folder

2010-01-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2426779416-4112530064-173872271-1005Core.job
- c:\documents and settings\John S\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 21:54]

2010-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2426779416-4112530064-173872271-1005UA.job
- c:\documents and settings\John S\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 21:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-03 18:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(492)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(1796)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\F-Secure\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure\Common\FSMA32.EXE
c:\program files\F-Secure\Anti-Virus\FSGK32.EXE
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\F-Secure\Common\FSHDLL32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\wanmpsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\F-Secure\FWES\Program\fsdfwd.exe
c:\program files\F-Secure\Anti-Virus\fssm32.exe
c:\program files\F-Secure\Anti-Virus\fsav32.exe
.
**************************************************************************
.
Completion time: 2010-04-03 18:29:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-03 22:29
ComboFix2.txt 2010-04-03 00:37
ComboFix3.txt 2009-05-03 00:10

Pre-Run: 93,104,160,768 bytes free
Post-Run: 93,106,917,376 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 7368BFED690E4F9626C18AF89BF83BF2

Edited by EbonyStealth, 03 April 2010 - 05:38 PM.


#9 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:16 PM

Posted 04 April 2010 - 12:39 PM

Hi,

Please update your version of Malwarebytes and run a quick scan, post back with the content of the logfile.


  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#10 EbonyStealth

EbonyStealth
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:16 PM

Posted 04 April 2010 - 03:23 PM

I did not take any action on Malware Bytes..


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/4/2010 4:04:14 PM
mbam-log-2010-04-04 (16-04-14).txt

Scan type: Quick scan
Objects scanned: 110994
Time elapsed: 15 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Desktop\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> No action taken.
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> No action taken.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> No action taken.




\OTL logfile created on: 4/4/2010 4:08:06 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\John s\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 560.00 Mb Available Physical Memory | 55.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 106.74 Gb Total Space | 86.97 Gb Free Space | 81.48% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D7QK8391
Current User Name: John s
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/04 16:05:16 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\John s\Desktop\OTL.exe
PRC - [2010/03/01 17:34:38 | 000,055,992 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
PRC - [2010/01/20 21:12:28 | 000,619,616 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
PRC - [2010/01/20 21:12:28 | 000,480,352 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
PRC - [2009/12/11 12:37:36 | 000,301,680 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\Common\FSM32.EXE
PRC - [2009/12/11 12:37:36 | 000,186,992 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\Common\FSMA32.EXE
PRC - [2009/12/11 12:37:34 | 000,088,688 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\Common\FSHDLL32.EXE
PRC - [2009/12/11 12:36:20 | 000,522,864 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\FWES\program\fsdfwd.exe
PRC - [2009/12/11 12:35:18 | 000,219,760 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
PRC - [2009/12/11 12:35:12 | 000,358,512 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
PRC - [2009/10/11 05:17:45 | 000,386,872 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe
PRC - [2009/07/20 15:52:23 | 000,041,264 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\1169769463\ee\aolsoftware.exe
PRC - [2008/10/10 06:45:26 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PRC - [2004/09/07 18:08:02 | 000,389,120 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2003/08/27 12:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe


========== Modules (SafeList) ==========

MOD - [2010/04/04 16:05:16 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\John s\Desktop\OTL.exe
MOD - [2009/12/11 12:37:16 | 000,330,352 | ---- | M] (F-Secure Corporation) -- c:\Program Files\F-Secure\HIPS\fshook32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (FSORSPClientSpooler)
SRV - [2010/03/01 17:34:38 | 000,055,992 | ---- | M] (F-Secure Corporation) [On_Demand | Running] -- C:\Program Files\F-Secure\ORSP Client\fsorsp.exe -- (FSORSPClient)
SRV - [2009/12/11 12:37:36 | 000,186,992 | ---- | M] (F-Secure Corporation) [Auto | Running] -- C:\Program Files\F-Secure\Common\FSMA32.EXE -- (FSMA)
SRV - [2009/12/11 12:36:20 | 000,522,864 | ---- | M] (F-Secure Corporation) [On_Demand | Running] -- C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe -- (FSDFWD)
SRV - [2009/12/11 12:35:18 | 000,219,760 | ---- | M] (F-Secure Corporation) [Auto | Running] -- C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe -- (F-Secure Gatekeeper Handler Starter)
SRV - [2008/10/10 06:45:26 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)
SRV - [2004/09/07 18:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) [Disabled | Stopped] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER)
SRV - [2004/09/07 18:05:10 | 000,360,521 | ---- | M] (Intel Corporation ) [Auto | Stopped] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2004/09/07 18:02:40 | 000,086,016 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng)
SRV - [2004/09/07 18:02:04 | 000,139,264 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc)
SRV - [2003/08/27 12:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://www.google.com/ig/dell?hl=en
IE - HKLM\..\URLSearchHook: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL L.L.C.)
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.aol.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: litmus-ff@f-secure.com:1.10
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 5555
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"

FF - HKLM\software\mozilla\Firefox\extensions\\litmus-ff@f-secure.com: C:\Program Files\F-Secure\NRS\litmus-ff@f-secure.com [2010/01/20 21:12:58 | 000,000,000 | ---D | M]

[2009/11/28 21:24:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John s\Application Data\Mozilla\Extensions
[2010/02/15 12:02:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John s\Application Data\Mozilla\Firefox\Profiles\q27m5eqq.default\extensions
[2009/11/28 21:29:36 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\John s\Application Data\Mozilla\Firefox\Profiles\q27m5eqq.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/09/02 15:52:02 | 000,002,257 | ---- | M] () -- C:\Documents and Settings\John s\Application Data\Mozilla\Firefox\Profiles\q27m5eqq.default\searchplugins\askcom.xml
[2010/01/26 21:28:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/19 18:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/11/19 18:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

O1 HOSTS File: ([2010/04/03 18:24:26 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AOL Toolbar Loader) - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL L.L.C.)
O2 - BHO: (Browsing Protection Class) - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure\NRS\iescript\baselitmus.dll (F-Secure Corporation)
O3 - HKLM\..\Toolbar: (Browsing Protection Toolbar) - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure\NRS\iescript\baselitmus.dll (F-Secure Corporation)
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL L.L.C.)
O3 - HKCU\..\Toolbar\WebBrowser: (AOL Toolbar) - {BA00B7B1-0351-477A-B948-23E3EE5A73D4} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL L.L.C.)
O4 - HKLM..\Run: [F-Secure Manager] C:\Program Files\F-Secure\Common\FSM32.EXE (F-Secure Corporation)
O4 - HKLM..\Run: [F-Secure TNB] C:\Program Files\F-Secure\FSGUI\TNBUtil.exe (F-Secure Corporation)
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1169769463\ee\aolsoftware.exe (AOL LLC)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\IntelWireless: DllName - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Dell.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Dell.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 06:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/08/16 06:22:48 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17746534284132352)

========== Files/Folders - Created Within 14 Days ==========

[2010/04/04 16:05:12 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\John s\Desktop\OTL.exe
[2010/04/02 20:13:36 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/22 17:54:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John s\Local Settings\Application Data\Temp
[2010/03/22 17:53:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John s\Local Settings\Application Data\Deployment
[2009/11/26 12:39:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/10/25 21:36:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\AOL
[2009/09/09 14:13:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\F-Secure
[2009/09/03 17:50:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/08/22 22:00:01 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/22 22:00:01 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/08/22 21:58:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/04/21 16:36:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Mozilla

========== Files - Modified Within 14 Days ==========

[2010/04/04 16:05:16 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\John s\Desktop\OTL.exe
[2010/04/04 15:59:09 | 000,001,014 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2426779416-4112530064-173872271-1005UA.job
[2010/04/04 15:31:11 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/04 15:31:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/04 09:36:26 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\John s\ntuser.ini
[2010/04/04 09:36:24 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\John s\NTUSER.DAT
[2010/04/03 19:30:57 | 000,000,618 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/03 18:24:38 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/03 18:24:26 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/03 18:11:24 | 003,907,113 | R--- | M] () -- C:\Documents and Settings\John s\Desktop\schrauber.exe
[2010/04/03 17:59:01 | 000,000,962 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2426779416-4112530064-173872271-1005Core.job
[2010/04/01 16:00:43 | 000,002,351 | ---- | M] () -- C:\Documents and Settings\John s\Desktop\Google Chrome.lnk
[2010/03/31 16:46:38 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/26 21:38:43 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\John s\Desktop\dds.scr
[2010/03/26 21:20:51 | 000,000,345 | RHS- | M] () -- C:\boot.ini
[2010/03/22 12:06:22 | 000,000,348 | ---- | M] () -- C:\WINDOWS\dellstat.ini

========== Files Created - No Company Name ==========

[2010/04/03 18:11:13 | 003,907,113 | R--- | C] () -- C:\Documents and Settings\John s\Desktop\schrauber.exe
[2010/04/02 20:19:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/02 20:19:27 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/28 07:37:33 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\John s\Desktop\gmer.exe
[2010/03/26 21:38:42 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\John s\Desktop\dds.scr
[2010/03/22 17:57:17 | 000,002,351 | ---- | C] () -- C:\Documents and Settings\John s\Desktop\Google Chrome.lnk
[2010/03/22 17:54:31 | 000,001,014 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2426779416-4112530064-173872271-1005UA.job
[2010/03/22 17:54:30 | 000,000,962 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2426779416-4112530064-173872271-1005Core.job
[2009/12/05 19:09:18 | 000,033,920 | ---- | C] () -- C:\WINDOWS\System32\drivers\fsbts.sys
[2009/04/20 18:23:08 | 000,004,014 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\13605F74-2E92-4C8B-BE17-1A0901BEDFA6.txt
[2007/08/15 19:17:53 | 000,001,346 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/02/24 18:26:30 | 000,000,348 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2006/08/20 07:53:19 | 000,004,704 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/03/24 10:12:32 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\John s\Application Data\PFP120JPR.{PB
[2006/03/24 10:12:32 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\John s\Application Data\PFP120JCM.{PB
[2006/01/11 19:21:09 | 000,000,187 | ---- | C] () -- C:\Documents and Settings\John s\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
[2006/01/09 19:46:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QFN.ini
[2006/01/09 19:46:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QDQICK.ini
[2006/01/05 20:00:02 | 000,000,064 | ---- | C] () -- C:\WINDOWS\QBWCD.INI
[2006/01/04 18:16:24 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\John s\Local Settings\Application Data\fusioncache.dat
[2006/01/04 18:16:22 | 003,670,016 | -H-- | C] () -- C:\Documents and Settings\John s\NTUSER.DAT
[2006/01/04 18:16:22 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\John s\ntuser.dat.LOG
[2006/01/04 18:16:22 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\John s\ntuser.ini
[2006/01/04 18:16:02 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2006/01/04 18:16:02 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2005/12/29 04:30:56 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/12/29 04:20:17 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/12/29 04:13:02 | 000,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2005/12/29 03:47:12 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
[2005/12/29 03:47:12 | 000,000,200 | ---- | C] () -- C:\WINDOWS\System32\dlbcplc.ini
[2005/12/29 03:47:10 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbcvs.dll
[2005/12/29 03:47:10 | 000,000,373 | ---- | C] () -- C:\WINDOWS\System32\dlbccoin.ini
[2005/12/29 03:46:26 | 000,000,391 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/08/16 06:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 06:18:40 | 000,006,672 | ---- | C] () -- C:\WINDOWS\System32\advpack.dllk.dat
[2005/08/05 16:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/04/09 19:04:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/12 10:44:10 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\iwca.dll

========== LOP Check ==========

[2005/08/16 22:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DIGStream
[2009/12/05 18:42:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\f-secure
[2009/12/05 18:41:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\fssg
[2009/05/02 06:04:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/11/15 10:06:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/11/26 20:34:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John s\Application Data\F-Secure
[2007/01/03 07:47:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John s\Application Data\Juniper Networks
[2006/01/11 18:35:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John s\Application Data\Leadertech
[2010/02/28 18:33:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John s\Application Data\uTorrent
[2007/01/22 19:10:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John s\Application Data\Viewpoint

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2006/08/10 17:39:51 | 000,010,920 | ---- | M] () -- C:\aolconnfix.exe


< MD5 for: AGP440.SYS >
[2004/08/10 07:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2004/08/10 07:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/09/03 17:26:18 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/09/03 17:26:18 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 01:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[2004/08/04 01:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/10 07:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/10 07:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/09/03 17:26:18 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/09/03 17:26:18 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/10 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/10 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2004/08/10 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[2004/08/10 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389_0$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/10 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2004/08/10 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/13 20:11:51 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2005/08/16 06:27:08 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2005/08/16 06:27:08 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/08/16 06:27:08 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >




OTL Extras logfile created on: 4/4/2010 4:08:06 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\John S\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 560.00 Mb Available Physical Memory | 55.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 106.74 Gb Total Space | 86.97 Gb Free Space | 81.48% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D7QK8391
Current User Name: John S
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\1169769463\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1169769463\ee\aolsoftware.exe:*:Enabled:AOL Shared Components -- (AOL LLC)
"C:\Program Files\TurboTax\Premier 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Premier 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Premier 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Premier 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Home & Business 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Home & Business 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Home & Business 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Home & Business 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\AOL 9.5\waol.exe" = C:\Program Files\AOL 9.5\waol.exe:*:Enabled:AOL -- (AOL, LLC.)
"C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe" = C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed -- (AOL LLC)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL System Information -- (AOL LLC)
"C:\Program Files\F-Secure\Anti-Virus\fsav32.exe" = C:\Program Files\F-Secure\Anti-Virus\fsav32.exe:*:Enabled:fsav32 -- (F-Secure Corporation)
"C:\Program Files\F-Secure\Common\FSMA32.EXE" = C:\Program Files\F-Secure\Common\FSMA32.EXE:*:Enabled:FSMA32 -- (F-Secure Corporation)
"C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe" = C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe:*:Enabled:fsgk32st -- (F-Secure Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{14374619-0900-4056-BA06-C87C900AF9E6}" = QuickBooks Simple Start Special Edition
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{1F528948-0E80-4C96-B455-DE4167CB1DF7}" = Internal Network Card Power Management
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 17
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{4E868D3D-6EEB-4273-926C-2287236B5B79}" = Virtools 3D Life Player 4.1
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{64A77F14-0E08-4A97-A859-E93CFF428756}" = Broadcom Management Programs 2
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}" = mIWCA
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{797EE0CA-8165-405C-B5CE-F11EC20F1BB0}" = Microsoft VC9 runtime libraries
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{8A9B8148-DDD7-448F-BD6C-358386D32354}" = Corel Photo Album 6
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B3F1E526-180B-4480-9FEC-3E2DCB8EA9CE}" = F-Secure PSC Prerequisites
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3DE07CB-036F-45BC-85BD-D6FFC5D33603}" = TurboTax 2008 wnyiper
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}" = mToolkit
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AOL Toolbar" = AOL Toolbar
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"ATI Display Driver" = ATI Display Driver
"CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D110 MDC V.9x Modem
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Dell Game Console" = Dell Game Console
"Dell Photo Printer 720" = Dell Photo Printer 720
"Dell Photo Printer 720 Logger" = Dell Photo Printer 720 Logger
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"ESPNMotion" = ESPNMotion
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"F-Secure Product 440" = F-Secure PSB Workstation Security
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"InstallShield_{64A77F14-0E08-4A97-A859-E93CFF428756}" = Broadcom Management Programs 2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"ProInst" = Intel® PROSet/Wireless Software
"QuickBooks 2000" = QuickBooks 2000
"RealPlayer 6.0" = RealPlayer Basic
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"StreetPlugin" = Learn2 Player (Uninstall Only)
"TurboTax 2008" = TurboTax 2008
"TurboTax Business 2006" = TurboTax Business 2006
"TurboTax Business 2007" = TurboTax Business 2007
"TurboTax Home & Business 2006" = TurboTax Home & Business 2006
"TurboTax Premier 2007" = TurboTax Premier 2007
"ViewpointMediaPlayer" = Viewpoint Media Player
"WIC" = Windows Imaging Component
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Neoteris_Cache_Cleaner 5.2.0" = Juniper Networks Cache Cleaner 5.2.0
"UnityWebPlayer" = Unity Web Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/4/2010 6:32:30 AM | Computer Name = D7QK8391 | Source = F-Secure Anti-Virus | ID = 103
Description = 8 2010-03-05 21:07:31-04:00 d7qk8391 D7QK8391\John S
F-Secure Anti-Virus Scanning of com/sun/xml/internal/ws/server/EndpointFactory.class
was aborted due to exceeded scanning time limit. The file may be in use or reading
it was too slow (e.g. network connection was under stress).

Error - 4/4/2010 6:32:30 AM | Computer Name = D7QK8391 | Source = F-Secure Anti-Virus | ID = 103
Description = 9 2010-03-05 21:08:39-04:00 d7qk8391 D7QK8391\John S
F-Secure Anti-Virus Scanning of java/util/logging/LogManager$5.class was aborted
due to exceeded scanning time limit. The file may be in use or reading it was too
slow (e.g. network connection was under stress).

Error - 4/4/2010 6:32:30 AM | Computer Name = D7QK8391 | Source = F-Secure Anti-Virus | ID = 103
Description = 10 2010-03-05 21:09:52-04:00 d7qk8391 D7QK8391\John S
F-Secure Anti-Virus Scanning of javax/management/relation/RoleNotFoundException.class
was aborted due to exceeded scanning time limit. The file may be in use or reading
it was too slow (e.g. network connection was under stress).

Error - 4/4/2010 6:32:30 AM | Computer Name = D7QK8391 | Source = F-Secure Anti-Virus | ID = 103
Description = 11 2010-03-05 21:10:56-04:00 d7qk8391 D7QK8391\John S
F-Secure Anti-Virus Scanning of javax/print/attribute/standard/PrinterInfo.class
was aborted due to exceeded scanning time limit. The file may be in use or reading
it was too slow (e.g. network connection was under stress).

Error - 4/4/2010 6:32:30 AM | Computer Name = D7QK8391 | Source = F-Secure Anti-Virus | ID = 103
Description = 12 2010-03-05 21:11:54-04:00 d7qk8391 D7QK8391\John S
F-Secure Anti-Virus Scanning of javax/naming/directory/BasicAttributes$AttrEnumImpl.class
was aborted due to exceeded scanning time limit. The file may be in use or reading
it was too slow (e.g. network connection was under stress).

Error - 4/4/2010 6:42:30 AM | Computer Name = D7QK8391 | Source = F-Secure Anti-Virus | ID = 103
Description = 13 2010-03-05 21:13:36-04:00 d7qk8391 D7QK8391\John S
F-Secure Anti-Virus Scanning of javax/management/remote/rmi/RMIConnector$RMIClientCommunicatorAdmin.class
was aborted due to exceeded scanning time limit. The file may be in use or reading
it was too slow (e.g. network connection was under stress).

Error - 4/4/2010 7:22:35 AM | Computer Name = D7QK8391 | Source = F-Secure Anti-Virus | ID = 103
Description = 14 2010-03-05 21:15:26-04:00 d7qk8391 D7QK8391\John S
F-Secure Anti-Virus Scanning of javax/security/auth/Subject$ClassSet$1.class was
aborted due to exceeded scanning time limit. The file may be in use or reading
it was too slow (e.g. network connection was under stress).

Error - 4/4/2010 7:22:35 AM | Computer Name = D7QK8391 | Source = F-Secure Anti-Virus | ID = 103
Description = 15 2010-03-05 21:16:24-04:00 d7qk8391 D7QK8391\John S
F-Secure Anti-Virus Scanning of javax/management/loading/MLetContent.class was
aborted due to exceeded scanning time limit. The file may be in use or reading it
was too slow (e.g. network connection was under stress).

Error - 4/4/2010 9:08:18 AM | Computer Name = D7QK8391 | Source = F-Secure Anti-Virus | ID = 103
Description = 1 2010-03-05 21:17:28-04:00 d7qk8391 D7QK8391\John S
F-Secure Anti-Virus Scanning of javax/sql/CommonDataSource.class was aborted due
to exceeded scanning time limit. The file may be in use or reading it was too slow
(e.g. network connection was under stress).

Error - 4/4/2010 9:08:28 AM | Computer Name = D7QK8391 | Source = F-Secure Anti-Virus | ID = 103
Description = 2 2010-03-05 21:18:26-04:00 d7qk8391 D7QK8391\John S
F-Secure Anti-Virus Scanning of javax/sql/RowSetEvent.class was aborted due to exceeded
scanning time limit. The file may be in use or reading it was too slow (e.g. network
connection was under stress).

[ System Events ]
Error - 4/3/2010 6:34:59 PM | Computer Name = D7QK8391 | Source = F-Secure Gatekeeper | ID = 327681
Description =

Error - 4/3/2010 6:35:05 PM | Computer Name = D7QK8391 | Source = F-Secure Gatekeeper | ID = 327681
Description =

Error - 4/3/2010 6:35:16 PM | Computer Name = D7QK8391 | Source = F-Secure Gatekeeper | ID = 327681
Description =

Error - 4/4/2010 5:42:05 AM | Computer Name = D7QK8391 | Source = Service Control Manager | ID = 7001
Description = The Spectrum24 Event Monitor service depends on the EvtEng service
which failed to start because of the following error: %%1058

Error - 4/4/2010 8:12:43 AM | Computer Name = D7QK8391 | Source = Service Control Manager | ID = 7001
Description = The Spectrum24 Event Monitor service depends on the EvtEng service
which failed to start because of the following error: %%1058

Error - 4/4/2010 8:24:17 AM | Computer Name = D7QK8391 | Source = Service Control Manager | ID = 7001
Description = The Spectrum24 Event Monitor service depends on the EvtEng service
which failed to start because of the following error: %%1058

Error - 4/4/2010 8:28:12 AM | Computer Name = D7QK8391 | Source = Service Control Manager | ID = 7001
Description = The Spectrum24 Event Monitor service depends on the EvtEng service
which failed to start because of the following error: %%1058

Error - 4/4/2010 3:31:49 PM | Computer Name = D7QK8391 | Source = Service Control Manager | ID = 7001
Description = The Spectrum24 Event Monitor service depends on the EvtEng service
which failed to start because of the following error: %%1058

Error - 4/4/2010 3:34:58 PM | Computer Name = D7QK8391 | Source = F-Secure Gatekeeper | ID = 327681
Description =

Error - 4/4/2010 3:35:08 PM | Computer Name = D7QK8391 | Source = F-Secure Gatekeeper | ID = 327681
Description =


< End of report >


#11 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:16 PM

Posted 05 April 2010 - 11:10 AM

Hi,


Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.



Please re-run Malwarebytes and delete the threats found by the tool.



Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    CODE
    :OTL
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 5555
    FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"
    :Commands
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open one notepad window. OTL.Txt a This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.





I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt




How is your system running? Do you have your windows CD handy?
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#12 EbonyStealth

EbonyStealth
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:16 PM

Posted 06 April 2010 - 05:14 PM

Hello,

I ran the OTL fix. The results are below. Same with the online scan...I let it run for about 5 hours before it stopped it...It was only on 51%. I just wanted to make sure that it was susposed to take that long before I reran the scan. I have the windows cd that you asked about. The computer appears to run better.

OTL FIX
++++++++++

All processes killed
Error: Unable to interpret <OTL> in the current context!
Error: Unable to interpret <IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>> in the current context!
Error: Unable to interpret <IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171> in the current context!
Error: Unable to interpret <FF - prefs.js..network.proxy.http: "127.0.0.1"> in the current context!
Error: Unable to interpret <FF - prefs.js..network.proxy.http_port: 5555> in the current context!
Error: Unable to interpret <FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"> in the current context!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users
->Flash cache emptied: 35 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: John S
->Temp folder emptied: 602376 bytes
->Temporary Internet Files folder emptied: 8231765 bytes
->Java cache emptied: 55446410 bytes
->FireFox cache emptied: 64102289 bytes
->Google Chrome cache emptied: 159686411 bytes
->Flash cache emptied: 1518685 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 32768 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 100706 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 276.00 mb


OTL by OldTimer - Version 3.2.1.0 log created on 04052010_182619

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\John S\Local Settings\Temp\~DF2562.tmp not found!
File\Folder C:\Documents and Settings\John S\Local Settings\Temp\~DF2588.tmp not found!
File\Folder C:\Documents and Settings\John S\Local Settings\Temp\~DF26C1.tmp not found!
File\Folder C:\Documents and Settings\John S\Local Settings\Temp\~DF26D9.tmp not found!
File\Folder C:\Documents and Settings\John S\Local Settings\Temp\~DF27EC.tmp not found!
File\Folder C:\Documents and Settings\John S\Local Settings\Temp\~DF2804.tmp not found!
C:\Documents and Settings\John S\Local Settings\Temporary Internet Files\Content.IE5\O33VJN57\iframe[1].htm moved successfully.
C:\Documents and Settings\John S\Local Settings\Temporary Internet Files\Content.IE5\GGNRHFXO\topic305318[1].htm moved successfully.

Registry entries deleted on Reboot...




OTL RERUN


+++++++++++


OTL logfile created on: 4/6/2010 6:59:47 PM - Run 2
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\John s\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 551.00 Mb Available Physical Memory | 54.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 106.74 Gb Total Space | 86.93 Gb Free Space | 81.44% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D7QK8391
Current User Name: John s
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\John s\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\F-Secure\ORSP Client\fsorsp.exe (F-Secure Corporation)
PRC - C:\Program Files\F-Secure\Anti-Virus\fssm32.exe (F-Secure Corporation)
PRC - C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe (F-Secure Corporation)
PRC - C:\Program Files\F-Secure\Common\FSM32.EXE (F-Secure Corporation)
PRC - C:\Program Files\F-Secure\Common\FSMA32.EXE (F-Secure Corporation)
PRC - C:\Program Files\F-Secure\Common\FSHDLL32.EXE (F-Secure Corporation)
PRC - C:\Program Files\F-Secure\FWES\program\fsdfwd.exe (F-Secure Corporation)
PRC - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe (F-Secure Corporation)
PRC - C:\Program Files\F-Secure\Anti-Virus\fsav32.exe (F-Secure Corporation)
PRC - C:\Program Files\Common Files\AOL\1169769463\ee\aolsoftware.exe (AOL LLC)
PRC - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (AOL LLC)
PRC - C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation)
PRC - C:\WINDOWS\wanmpsvc.exe (America Online, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\John s\Desktop\OTL.exe (OldTimer Tools)
MOD - c:\Program Files\F-Secure\HIPS\fshook32.dll (F-Secure Corporation)


========== Win32 Services (SafeList) ==========

SRV - (FSORSPClientSpooler) -- File not found
SRV - (FSORSPClient) -- C:\Program Files\F-Secure\ORSP Client\fsorsp.exe (F-Secure Corporation)
SRV - (FSMA) -- C:\Program Files\F-Secure\Common\FSMA32.EXE (F-Secure Corporation)
SRV - (FSDFWD) -- C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe (F-Secure Corporation)
SRV - (F-Secure Gatekeeper Handler Starter) -- C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe (F-Secure Corporation)
SRV - (IntuitUpdateService) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (AOL ACS) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (AOL LLC)
SRV - (WLANKEEPER) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel® Corporation)
SRV - (S24EventMonitor) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
SRV - (EvtEng) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
SRV - (RegSrvc) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
SRV - (WANMiniportService) WAN Miniport (ATW) -- C:\WINDOWS\wanmpsvc.exe (America Online, Inc.)


========== Driver Services (SafeList) ==========

DRV - (F-Secure Gatekeeper) -- C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys ()
DRV - (fsbts) -- C:\WINDOWS\system32\Drivers\fsbts.sys ()
DRV - (F-Secure HIPS) -- C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (F-Secure Corporation)
DRV - (FSFW) -- C:\WINDOWS\System32\drivers\fsdfw.sys (F-Secure Corporation)
DRV - (F-Secure Filter) -- C:\Program Files\F-Secure\Anti-Virus\win2k\fsfilter.sys ()
DRV - (F-Secure Recognizer) -- C:\Program Files\F-Secure\Anti-Virus\win2k\fsrec.sys ()
DRV - (Changer) -- C:\WINDOWS\system32\drivers\changer.sys (Microsoft Corporation)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (dsunidrv) -- C:\WINDOWS\system32\drivers\dsunidrv.sys (Gteko Ltd.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\dsproct.sys (Gteko Ltd.)
DRV - (ASCTRM) -- C:\WINDOWS\system32\drivers\asctrm.sys (Windows ® 2000 DDK provider)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (APPDRV) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
DRV - (STAC97) -- C:\WINDOWS\system32\drivers\STAC97.sys (SigmaTel, Inc.)
DRV - (tfsnudfa) -- C:\WINDOWS\system32\dla\tfsnudfa.sys (Sonic Solutions)
DRV - (tfsnudf) -- C:\WINDOWS\system32\dla\tfsnudf.sys (Sonic Solutions)
DRV - (tfsnifs) -- C:\WINDOWS\system32\dla\tfsnifs.sys (Sonic Solutions)
DRV - (tfsncofs) -- C:\WINDOWS\system32\dla\tfsncofs.sys (Sonic Solutions)
DRV - (tfsnboio) -- C:\WINDOWS\system32\dla\tfsnboio.sys (Sonic Solutions)
DRV - (tfsnopio) -- C:\WINDOWS\system32\dla\tfsnopio.sys (Sonic Solutions)
DRV - (tfsnpool) -- C:\WINDOWS\system32\dla\tfsnpool.sys (Sonic Solutions)
DRV - (tfsndrct) -- C:\WINDOWS\system32\dla\tfsndrct.sys (Sonic Solutions)
DRV - (tfsndres) -- C:\WINDOWS\system32\dla\tfsndres.sys (Sonic Solutions)
DRV - (drvmcdb) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)
DRV - (drvnddm) -- C:\WINDOWS\system32\drivers\drvnddm.sys (Sonic Solutions)
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (w29n51) Intel® -- C:\WINDOWS\system32\drivers\w29n51.sys (Intel® Corporation)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (IWCA) -- C:\WINDOWS\system32\drivers\iwca.sys (Intel Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (sscdbhk5) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys (Sonic Solutions)
DRV - (ssrtln) -- C:\WINDOWS\system32\drivers\ssrtln.sys (Sonic Solutions)
DRV - (HSFHWICH) -- C:\WINDOWS\system32\drivers\HSFHWICH.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (omci) -- C:\WINDOWS\system32\drivers\omci.sys (Dell Inc)
DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://www.google.com/ig/dell?hl=en
IE - HKLM\..\URLSearchHook: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL L.L.C.)
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.aol.com"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: litmus-ff@f-secure.com:1.10
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 5555
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/03 03:00:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/02/17 19:06:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\litmus-ff@f-secure.com: C:\Program Files\F-Secure\NRS\litmus-ff@f-secure.com [2010/01/20 21:12:58 | 000,000,000 | ---D | M]

[2009/11/28 21:24:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John s\Application Data\Mozilla\Extensions
[2009/11/28 21:24:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\John s\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010/02/15 12:02:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John s\Application Data\Mozilla\Firefox\Profiles\q27m5eqq.default\extensions
[2009/11/28 21:29:36 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\John s\Application Data\Mozilla\Firefox\Profiles\q27m5eqq.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/09/02 15:52:02 | 000,002,257 | ---- | M] () -- C:\Documents and Settings\John s\Application Data\Mozilla\Firefox\Profiles\q27m5eqq.default\searchplugins\askcom.xml
[2010/01/26 21:28:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/26 21:25:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/12/24 18:42:25 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
[2009/11/19 18:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/10/11 05:17:27 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2009/11/19 18:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
[2010/01/27 20:46:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2010/01/27 20:46:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2010/01/27 20:46:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2010/01/27 20:46:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2010/01/27 20:46:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2010/01/27 20:46:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2010/01/27 20:46:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll

O1 HOSTS File: ([2010/04/03 18:24:26 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AOL Toolbar Loader) - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL L.L.C.)
O2 - BHO: (Browsing Protection Class) - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure\NRS\iescript\baselitmus.dll (F-Secure Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Browsing Protection Toolbar) - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure\NRS\iescript\baselitmus.dll (F-Secure Corporation)
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL L.L.C.)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (AOL Toolbar) - {BA00B7B1-0351-477A-B948-23E3EE5A73D4} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL L.L.C.)
O4 - HKLM..\Run: [F-Secure Manager] C:\Program Files\F-Secure\Common\FSM32.EXE (F-Secure Corporation)
O4 - HKLM..\Run: [F-Secure TNB] C:\Program Files\F-Secure\FSGUI\TNBUtil.exe (F-Secure Corporation)
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1169769463\ee\aolsoftware.exe (AOL LLC)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\John s\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Dell.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Dell.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 06:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/05 20:02:27 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/04/05 18:28:18 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/05 18:26:19 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/04/04 16:05:12 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\John s\Desktop\OTL.exe
[2010/04/02 20:13:36 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/24 21:20:58 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys
[2010/03/24 21:20:58 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys
[2010/03/22 17:54:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John s\Local Settings\Application Data\Temp
[2010/03/22 17:53:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John s\Local Settings\Application Data\Deployment
[2010/03/19 15:29:36 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2010/03/19 15:28:08 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2009/11/26 12:39:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/10/25 21:36:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\AOL
[2009/09/09 14:13:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\F-Secure
[2009/09/03 17:50:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/08/22 22:00:01 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/22 22:00:01 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/08/22 21:58:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/04/21 16:36:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Mozilla

========== Files - Modified Within 30 Days ==========

[2010/04/06 18:59:00 | 000,001,014 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2426779416-4112530064-173872271-1005UA.job
[2010/04/06 18:56:32 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/06 18:56:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/06 18:55:02 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\John s\ntuser.ini
[2010/04/06 18:55:00 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\John s\NTUSER.DAT
[2010/04/06 17:59:07 | 000,000,962 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2426779416-4112530064-173872271-1005Core.job
[2010/04/06 16:35:49 | 000,000,618 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/06 16:34:51 | 000,000,508 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled scanning task.job
[2010/04/04 16:05:16 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\John s\Desktop\OTL.exe
[2010/04/03 18:24:38 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/03 18:24:26 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/03 18:11:24 | 003,907,113 | R--- | M] () -- C:\Documents and Settings\John s\Desktop\schrauber.exe
[2010/04/01 16:00:43 | 000,002,351 | ---- | M] () -- C:\Documents and Settings\John s\Desktop\Google Chrome.lnk
[2010/03/31 16:46:38 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/26 21:38:43 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\John s\Desktop\dds.scr
[2010/03/26 21:20:51 | 000,000,345 | RHS- | M] () -- C:\boot.ini
[2010/03/22 12:06:22 | 000,000,348 | ---- | M] () -- C:\WINDOWS\dellstat.ini
[2010/03/19 20:41:51 | 000,543,004 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/19 20:41:51 | 000,455,394 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/19 20:41:51 | 000,077,806 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/19 17:26:22 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/19 17:07:38 | 002,005,320 | ---- | M] () -- C:\WINDOWS\iis6.BAK
[2010/03/12 21:26:18 | 000,084,494 | ---- | M] () -- C:\Documents and Settings\John s\Desktop\poprt.rpt.pdf
[2010/03/12 21:25:30 | 000,084,494 | ---- | M] () -- C:\Documents and Settings\John s\My Documents\poprt.rpt.pdf
[2010/03/12 18:02:38 | 000,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe

========== Files Created - No Company Name ==========

[2010/04/04 16:28:28 | 000,000,508 | ---- | C] () -- C:\WINDOWS\tasks\Scheduled scanning task.job
[2010/04/03 18:11:13 | 003,907,113 | R--- | C] () -- C:\Documents and Settings\John s\Desktop\schrauber.exe
[2010/04/02 20:19:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/02 20:19:27 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/28 07:37:33 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\John s\Desktop\gmer.exe
[2010/03/26 21:38:42 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\John s\Desktop\dds.scr
[2010/03/22 17:57:17 | 000,002,351 | ---- | C] () -- C:\Documents and Settings\John s\Desktop\Google Chrome.lnk
[2010/03/22 17:54:31 | 000,001,014 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2426779416-4112530064-173872271-1005UA.job
[2010/03/22 17:54:30 | 000,000,962 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2426779416-4112530064-173872271-1005Core.job
[2010/03/12 21:26:18 | 000,084,494 | ---- | C] () -- C:\Documents and Settings\John s\Desktop\poprt.rpt.pdf
[2010/03/12 21:25:34 | 000,084,494 | ---- | C] () -- C:\Documents and Settings\John s\My Documents\poprt.rpt.pdf
[2009/12/05 19:09:18 | 000,033,920 | ---- | C] () -- C:\WINDOWS\System32\drivers\fsbts.sys
[2009/04/20 18:23:08 | 000,004,014 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\13605F74-2E92-4C8B-BE17-1A0901BEDFA6.txt
[2007/08/15 19:17:53 | 000,001,346 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/02/24 18:26:30 | 000,000,348 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2006/08/20 07:53:19 | 000,004,704 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/03/24 10:12:32 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\John s\Application Data\PFP120JPR.{PB
[2006/03/24 10:12:32 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\John s\Application Data\PFP120JCM.{PB
[2006/01/11 19:21:09 | 000,000,187 | ---- | C] () -- C:\Documents and Settings\John s\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
[2006/01/09 19:46:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QFN.ini
[2006/01/09 19:46:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QDQICK.ini
[2006/01/05 20:00:02 | 000,000,064 | ---- | C] () -- C:\WINDOWS\QBWCD.INI
[2006/01/04 18:16:24 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\John s\Local Settings\Application Data\fusioncache.dat
[2006/01/04 18:16:22 | 003,670,016 | -H-- | C] () -- C:\Documents and Settings\John s\NTUSER.DAT
[2006/01/04 18:16:22 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\John s\ntuser.dat.LOG
[2006/01/04 18:16:22 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\John s\ntuser.ini
[2006/01/04 18:16:02 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2006/01/04 18:16:02 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2005/12/29 04:30:56 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/12/29 04:20:17 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/12/29 04:13:02 | 000,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2005/12/29 03:47:12 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
[2005/12/29 03:47:12 | 000,000,200 | ---- | C] () -- C:\WINDOWS\System32\dlbcplc.ini
[2005/12/29 03:47:10 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbcvs.dll
[2005/12/29 03:47:10 | 000,000,373 | ---- | C] () -- C:\WINDOWS\System32\dlbccoin.ini
[2005/12/29 03:46:26 | 000,000,391 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/08/16 06:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 06:18:40 | 000,006,672 | ---- | C] () -- C:\WINDOWS\System32\advpack.dllk.dat
[2005/08/05 16:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/04/09 19:04:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/12 10:44:10 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\iwca.dll
< End of report >




ESET Scan
+++++++++
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=f78a94c0bf729042bdb312bd3a714c41
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-06 02:51:46
# local_time=2010-04-05 10:51:46 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 35604396 35604396 0 0
# compatibility_mode=2304 16777175 100 0 0 0 0 0
# compatibility_mode=4864 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=57356
# found=0
# cleaned=0
# scan_time=8396
esets_scanner_update returned -1 esets_gle=0
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=f78a94c0bf729042bdb312bd3a714c41
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-07 01:08:06
# local_time=2010-04-06 09:08:06 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 35689204 35689204 0 0
# compatibility_mode=2304 16777191 100 0 0 0 0 0
# compatibility_mode=4864 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=88432
# found=0
# cleaned=0
# scan_time=7252

Edited by EbonyStealth, 06 April 2010 - 08:11 PM.


#13 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:16 PM

Posted 08 April 2010 - 12:08 PM

Hi,

Let's run the Windows System File Checker utility

You will need your XP CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the XP CD when asked.


Let me know what happens, and how your computer behaves after running the utility.



Please post back with a fresh OTL logfile and tell me how the system is running smile.gif
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#14 EbonyStealth

EbonyStealth
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:16 PM

Posted 10 April 2010 - 07:03 AM

Sorry..I though I had the disk. I usually keep such things but i cannot seem to find it...

#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:16 PM

Posted 11 April 2010 - 08:58 AM

Please repeat the OTL fix-step. You copied OTL instead of :OTL into the custom scan box.

Can you borrow a cd?
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users