

rootkit infection...


  • This topic is locked
26 replies to this topic

#1 lukewoolfson
  • Members
  • 16 posts

Posted 28 March 2010 - 12:28 PM

Hi, I recently had a BSOD error 0x0000007E which was caused by a corrupted Iastor.sys file (see my prior post). After copying a clean version of iastor.sys I got my computer booting again into safe mode... it's not that stable in normal mode or safe mode with networking support. After running mbr.exe it appears I still have some form of rootkit that mbr can't remove. I get the following when I run mbr -f:

C:\>mbr -t
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01C9FBE85
malicious code @ sector 0x01C9FBE88 !
PE file found in sector at 0x01C9FBE9E !

C:\>

See the DDS log below and the attached files, as requested. Any help is much welcomed.


DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
Run by Luke at 17:35:35.37 on 28/03/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1023.707 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Luke\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = 169.254.111.116:1001
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: {0246A1A7-820A-469A-85A7-7B7F01EB808C} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Iomega Automatic Backup Pro] "c:\program files\iomega\automatic backup pro\LiveSystem.exe" -s
uRun: [Google Media Scanner] "c:\program files\google\google media server\GoogleMediaScanner.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [Zone Labs Client] c:\program files\zonealarm\zlclient.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RFX_auto_upgrade]
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [Omnipage] c:\program files\scansoft\omnipagese\opware32.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
dRunOnce: [3DxAssociateFileExts] c:\program files\3dconnexion\3dconnexion 3dxsoftware\3dxviewer\register.exe "FileExts"
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: + &Mass Downloader: download this file - c:\docume~1\luke\desktop\file\keepfi~1\Add_Url.htm
IE: + Mass Downloader: download &All files - c:\docume~1\luke\desktop\file\keepfi~1\Add_All.htm
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download with Go!Zilla - file://c:\program files\go!zillanew\download-with-gozilla.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Open Client to Monitor &1 - c:\windows\web\AOpenClient.htm
IE: Open Client to Monitor &2 - c:\windows\web\AOpenClient.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: totalvid.com
Trusted Zone: totalvid.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxp://components.metastream.com/MTSInstallers/MetaStream3.cab
DPF: {10B80396-96A7-11D3-B7A6-00A0C94C6AE0} - hxxp://www.parallelgraphics.com/bin/cortvrml10.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} - file://c:\ptc\proewildfire 2.0\i486_nt\obj\pvx_install.exe
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - hxxp://www.cult3d.com/download/cult.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} - hxxp://www.parallelgraphics.com/bin/cortvrml.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38056.0318287037
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - hxxp://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\luke\applic~1\mozilla\firefox\profiles\oifwjpah.default user2\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\documents and settings\luke\application data\mozilla\firefox\profiles\oifwjpah.default user2\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\protomold\protoview\npProtoView.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\drivers\IABFilt.sys [2006-6-22 25344]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2003-10-11 85265]
S0 kluxis;kluxis;c:\windows\system32\drivers\jnxmslgj.sys --> c:\windows\system32\drivers\jnxmslgj.sys [?]
S0 oomy;oomy;c:\windows\system32\drivers\wkgvqhk.sys --> c:\windows\system32\drivers\wkgvqhk.sys [?]
S1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2010-3-28 3968]
S1 LWMouCon;LWMouCon; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
S2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-8-11 30208]
S3 atifglrx;atifglrx;c:\windows\system32\drivers\fglrxm.sys [2002-11-11 417029]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-7-12 12672]
S3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-8-11 224768]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100114.008\NAVENG.sys [2010-1-15 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100114.008\NAVEX15.sys [2010-1-15 1323568]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\npf.sys [?]
S3 PfsTape;1Vision Tape Drive;c:\windows\system32\drivers\pfstape.sys --> c:\windows\system32\drivers\PfsTape.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 sc2k;sc2k;c:\windows\system32\drivers\sc2k.sys [2003-10-14 21536]
S4 FGLRXUtil;FGLRXUTIL;c:\windows\system32\frxhser.exe [2002-11-11 53248]
S4 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-12-17 651264]
S4 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-2-3 4408616]
S4 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-2-3 112936]

=============== Created Last 30 ================

2010-03-28 16:35:10 792064 ----a-w- c:\windows\system32\COMRES.DLL
2010-03-28 16:24:49 0 ----a-w- c:\documents and settings\luke\defogger_reenable
2010-03-28 15:46:24 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-03-28 15:28:22 2 --shatr- c:\windows\winstart.bat
2010-03-28 15:27:40 0 d-----w- c:\program files\UnHackMe
2010-03-07 00:17:45 0 d-----w- c:\program files\trend micro
2010-03-06 22:56:20 77312 ----a-w- C:\mbr.exe
2010-03-06 14:01:07 764868 -c----w- c:\windows\system32\dllcache\apph_sp.sdb
2010-03-06 14:01:06 1197294 -c--a-w- c:\windows\system32\dllcache\sysmain.sdb
2010-02-28 14:58:20 823 ----a-w- C:\txtsetup.oem
2010-02-28 14:05:07 0 d-----w- c:\program files\MSXML 6.0
2010-02-28 14:02:52 8192 -c--a-w- c:\windows\system32\dllcache\tsbyuv.dll
2010-02-28 14:02:52 8192 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-28 14:02:52 47616 -c--a-w- c:\windows\system32\dllcache\iyuv_32.dll
2010-02-28 14:02:52 25600 -c--a-w- c:\windows\system32\dllcache\msvidc32.dll
2010-02-28 14:02:52 25600 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-28 13:47:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo
2010-02-28 13:47:33 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-02-28 13:47:33 171552 ----a-w- c:\windows\system32\guard32.dll
2010-02-28 13:47:33 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-02-28 13:47:32 0 d-----w- c:\program files\COMODO
2010-02-28 13:39:46 399360 ------w- c:\windows\system32\SET2E4.tmp
2010-02-28 13:39:45 473088 ----a-w- c:\windows\system32\wbem\SET2E8.tmp
2010-02-28 13:39:45 453120 ----a-w- c:\windows\system32\wbem\SET2E7.tmp
2010-02-28 13:39:45 227840 ----a-w- c:\windows\system32\wbem\SET2E6.tmp
2010-02-28 13:37:38 1172480 ------w- c:\windows\system32\SET26A.tmp
2010-02-28 13:35:36 332800 ----a-w- c:\windows\system32\SET176.tmp
2010-02-28 11:42:20 0 d-----w- c:\program files\MSConfig CleanUp
2010-02-28 11:36:57 262144 ----a-w- c:\windows\system32\default_user_class.dat
2010-02-28 11:35:04 0 d-----w- c:\program files\UPHClean
2010-02-28 11:08:49 0 d-----w- c:\program files\Microsoft Bootvis
2010-02-28 10:35:10 0 d-----w- C:\MGtools
2010-02-27 17:57:01 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-27 17:56:56 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-27 17:56:56 0 d-----w- c:\docume~1\luke\applic~1\SUPERAntiSpyware.com
2010-02-27 17:55:25 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-27 14:34:39 0 d-----w- c:\program files\CCleaner

==================== Find3M ====================

2010-02-03 20:30:47 28873 ----a-w- c:\windows\system32\tablet.dat
2010-01-16 14:02:00 249856 ------w- c:\windows\Setup1.exe
2010-01-16 14:01:58 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-01-16 12:59:48 640512 ----a-w- c:\windows\system32\gfbaksm.dll
2010-01-16 12:59:48 640512 ----a-w- c:\windows\system32\gfbaksm.dat
2010-01-16 12:54:04 39424 ----a-w- c:\windows\zipinst.exe
2010-01-16 12:28:39 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-01-16 12:28:39 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2010-01-10 15:05:59 104421 ----a-w- c:\windows\fonts\AdobeFnt.lst
2006-03-12 19:22:01 153681 ----a-w- c:\program files\SolidWorksswxJRNL.BAK

============= FINISH: 17:35:52.65 ===============
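Added example, not part of the thread and not code from the GMER or DDS tools: a Python triage script that reads the mbr.exe report and the DDS proxy and service lines quoted above and applies the reasoning the helpers use later in the thread (the "user & kernel MBR OK" verdict outranks the sector hits; a link-local proxy and boot-start drivers with no readable file need attention). The Finding class, triage_mbr and triage_dds are names chosen here, the sample input is copied from the post, and the meaning given to DDS's "[?]" marker is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    source: str    # "mbr" or "dds"
    detail: str


# Constructed sample input: the mbr.exe report and a few DDS lines copied from
# the first post of this thread, embedded so the triage runs offline.
MBR_OUTPUT = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01C9FBE85
malicious code @ sector 0x01C9FBE88 !
PE file found in sector at 0x01C9FBE9E !
"""
DDS_LINES = r"""
uInternet Settings,ProxyServer = 169.254.111.116:1001
R0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\drivers\IABFilt.sys [2006-6-22 25344]
S0 kluxis;kluxis;c:\windows\system32\drivers\jnxmslgj.sys --> c:\windows\system32\drivers\jnxmslgj.sys [?]
S0 oomy;oomy;c:\windows\system32\drivers\wkgvqhk.sys --> c:\windows\system32\drivers\wkgvqhk.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\npf.sys [?]
"""
# The three kinds of sector hit mbr.exe prints after its verdict line.
SECTOR_KINDS = {"copy of MBR has been found in sector": "mbr_backup",
                "malicious code @ sector": "malicious_code",
                "PE file found in sector at": "pe_file"}
SECTOR_RE = re.compile(
    r"^(" + "|".join(map(re.escape, SECTOR_KINDS)) + r") (0x[0-9A-Fa-f]+)", re.M)
# DDS service line: "<R|S><start> name;display;image [--> resolved] [info]".
DRIVER_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<image>.*?)(?: --> (?P<resolved>.*?))? \[(?P<info>[^\]]*)\]$")
PROXY_RE = re.compile(r"ProxyServer = (?P<proxy>\S+)")


def triage_mbr(text):
    """'user & kernel MBR OK' means the MBR read through the normal disk stack
    matches the one read at kernel level, so nothing is hooking the stack to
    hide a modified sector 0. Sector hits after that verdict are stale copies:
    still on disk, but nothing in the boot path jumps to them."""
    mbr_ok = re.search(r"^user & kernel MBR OK$", text, re.M) is not None
    sectors = {SECTOR_KINDS[m.group(1)]: int(m.group(2), 16)
               for m in SECTOR_RE.finditer(text)}
    findings = []
    if not mbr_ok:
        findings.append(Finding("high", "mbr",
                                "user-mode and kernel-mode MBR reads differ: active MBR hijack"))
    for kind, sector in sectors.items():
        findings.append(Finding("high" if not mbr_ok else "medium", "mbr",
                                f"{kind} at sector {sector:#x} (LBA {sector})"))
    return {"mbr_ok": mbr_ok, "sectors": sectors, "findings": findings}


def triage_dds(text):
    """Flag the two DDS observations the helper acts on in this thread: a proxy
    nobody configured, and drivers whose file DDS could not read ('[?]' instead
    of a date and size; assumed here to mean the file is missing or hidden)."""
    findings = []
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            proxy = m.group("proxy")
            try:
                addr = ipaddress.ip_address(proxy.rsplit(":", 1)[0])
            except ValueError:
                addr = None  # a hostname rather than a literal address
            if addr is not None and (addr.is_link_local or addr.is_loopback):
                findings.append(Finding("high", "dds", f"IE proxy {proxy} is "
                                "link-local/loopback: traffic is relayed through something on or beside this host"))
            else:
                findings.append(Finding("info", "dds", f"IE proxy configured: {proxy}"))
            continue
        m = DRIVER_RE.match(line)
        if not m or m.group("info") != "?":
            continue  # not a service line, or DDS saw the file (date and size)
        boot_start = m.group("start") == "0"
        file_stem = m.group("image").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        detail = f"{m.group('state')}{m.group('start')} {m.group('name')}: file {m.group('image')} unreadable"
        if boot_start:
            detail += "; boot-start driver, loads with the kernel before most security products"
        if file_stem.lower() != m.group("name").lower():
            detail += f"; service name differs from file name '{file_stem}'"
        findings.append(Finding("high" if boot_start else "medium", "dds", detail))
    return findings


if __name__ == "__main__":
    for f in triage_mbr(MBR_OUTPUT)["findings"] + triage_dds(DDS_LINES):
        print(f"[{f.severity:6}] {f.source}: {f.detail}")
```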




#2 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 01 April 2010 - 05:46 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 lukewoolfson
  • Topic Starter
  • Members
  • 16 posts

Posted 02 April 2010 - 03:15 AM

Hi, thanks for helping me out. I haven't touched my PC since posting, so no need to post new logs.

#4 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 04 April 2010 - 06:41 AM

Hello, lukewoolfson.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

I also see that you have a registry cleaner installed (in your case CCleaner). Here at BC, we do not recommend using registry cleaners.

See here for more information:
http://www.bleepingcomputer.com/forums/ind...p;#entry1326578



Step 1

A proxy server is set up on this machine. Did you set up a proxy server?

You do appear to have some remnants on your machine; it appears to be Vundo. The iaStor.sys error you had was likely a backdoor rootkit, so I will give you this warning below. Also, the MBR log is clean at this point. The malicious code can't be removed, but it's not active since "User & Kernel MBR OK".

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.



Step 2

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as lukewoolfsonCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on lukewoolfsonCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#5 lukewoolfson
  • Topic Starter
  • Members
  • 16 posts

Posted 06 April 2010 - 06:05 AM

Thanks for helping me out. I'll give ComboFix a try when I have some free time over the next few days.

#6 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 06 April 2010 - 05:24 PM

OK, please post your logs when you have a chance to run it.




#7 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 10 April 2010 - 08:04 AM

Did you have a chance to run Combofix yet?




#8 lukewoolfson
  • Topic Starter
  • Members
  • 16 posts

Posted 12 April 2010 - 04:36 AM

Not yet; it will probably be tomorrow. Is it OK to run in safe mode, or should I try and boot into normal mode?

#9 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 12 April 2010 - 07:16 AM

Preference is normal mode, but it can be run in safe mode if you can't get into normal mode.




#10 lukewoolfson
  • Topic Starter
  • Members
  • 16 posts

Posted 14 April 2010 - 11:46 AM

Hi, OK, I couldn't boot into normal mode as I get the following BSOD after I log in:

*** STOP: 0x000000008E

*** SASKUTIL.SYS

Before logging in, 'Windows is starting up...' seems to take a while too.

In safe mode I get the following error just after the 'ComboFix is preparing to run' dialog:

NirCmd.exe - Entry point not found
the procedure entry point SetFileSecurityI could not be loaded in the dynamic link library MSDARK.DLL

I then get a pop-up saying to download the Microsoft Recovery Console... but I don't have an internet connection in safe mode, so I hit No.

I then get "'mbr.cfexe' has encountered a problem and needs to close".

ComboFix then ran through all the stages, deleted some files in the 'WinPcap' folder and then rebooted. See attached log (sorry, I had to zip it up as it is 667 KB, which is too big to be attached).


#11 lukewoolfson
  • Topic Starter
  • Members
  • 16 posts

Posted 14 April 2010 - 04:16 PM

I also did a Norton AntiVirus scan; it came up with Boot.Mebroot on my MBR (I guess this is the rootkit?) and Backdoor.Tidserv!inf in an old copy of iaStor.sys.

#12 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 14 April 2010 - 05:56 PM

Hello, lukewoolfson.

OK, let's take a step back. I need to run an OTL report. Your MBR appears ok, so that may be a false positive, but I'll look for Mebroot remnants.

Do you have Norton installed on your system? I do not see it running in your logs. Having an A/V updated and running is needed; otherwise we'll be constantly getting reinfected.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.


Registry Cleaner Warning


I also see that you have a registry cleaner installed (in your case CCleaner). Here at BC, we do not recommend using registry cleaners.

See here for more information:
http://www.bleepingcomputer.com/forums/ind...p;#entry1326578




Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the internet are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even give them access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT


  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply. If they are too big to paste in one reply, please split them into separate posts.



Step 2

Download and run HAMeb_check.exe
Post the contents of the resulting log.

etavares




#13 lukewoolfson
  • Topic Starter
  • Members
  • 16 posts

Posted 15 April 2010 - 04:19 AM

I do have Norton installed, but it doesn't seem to be running in safe mode. I will do the scans later today when I get back from work. Cheers for the help.

#14 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 17 April 2010 - 06:06 AM

Hi, have you had a chance to continue with the instructions?




#15 lukewoolfson
  • Topic Starter
  • Members
  • 16 posts

Posted 18 April 2010 - 03:58 AM

OTL log:

OTL logfile created on: 18/04/2010 09:37:42 - Run 1
OTL by OldTimer - Version 3.2.1.2 Folder = C:\Documents and Settings\Luke\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 84.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39.55 Gb Total Space | 11.50 Gb Free Space | 29.07% Space Free | Partition Type: NTFS
Drive D: | 32.37 Gb Total Space | 1.45 Gb Free Space | 4.47% Space Free | Partition Type: NTFS
Drive E: | 58.53 Gb Total Space | 0.99 Gb Free Space | 1.69% Space Free | Partition Type: NTFS
Drive F: | 39.06 Gb Total Space | 0.35 Gb Free Space | 0.90% Space Free | Partition Type: NTFS
Drive G: | 39.96 Gb Total Space | 0.20 Gb Free Space | 0.51% Space Free | Partition Type: NTFS
Drive H: | 19.53 Gb Total Space | 0.25 Gb Free Space | 1.29% Space Free | Partition Type: NTFS
Drive I: | 93.15 Gb Total Space | 71.57 Gb Free Space | 76.83% Space Free | Partition Type: NTFS
Drive K: | 73.24 Gb Total Space | 0.70 Gb Free Space | 0.95% Space Free | Partition Type: NTFS
Drive L: | 73.24 Gb Total Space | 24.22 Gb Free Space | 33.07% Space Free | Partition Type: NTFS
Drive M: | 86.40 Gb Total Space | 15.61 Gb Free Space | 18.06% Space Free | Partition Type: NTFS
Drive O: | 1.91 Gb Total Space | 0.01 Gb Free Space | 0.74% Space Free | Partition Type: FAT

Computer Name: BART
Current User Name: Luke
Logged in as Administrator.

Current Boot Mode: SafeMode
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/18 09:35:17 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/04/18 09:22:42 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Luke\Desktop\OTL.exe
PRC - [2003/05/11 22:12:10 | 000,996,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/04/18 09:22:42 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Luke\Desktop\OTL.exe
MOD - [2006/08/25 16:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2002/08/29 13:00:00 | 000,143,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msimtf.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009/07/16 10:30:15 | 000,072,704 | ---- | M] (SolidWorks) [Disabled | Stopped] -- C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe -- (SolidWorks Licensing Service)
SRV - [2009/07/15 17:13:04 | 000,112,936 | ---- | M] (Wacom Technology, Corp.) [Disabled | Stopped] -- C:\Program Files\WTouch\WTouchService.exe -- (WTouchService)
SRV - [2009/07/15 17:13:02 | 004,408,616 | ---- | M] (Wacom Technology, Corp.) [Disabled | Stopped] -- C:\WINDOWS\system32\Pen_Tablet.exe -- (TabletServicePen)
SRV - [2008/06/28 01:34:46 | 000,084,440 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Hotspot Shield\bin\openvpnas.exe -- (HotspotShieldService)
SRV - [2007/03/26 14:06:24 | 000,292,864 | ---- | M] (Nokia.) [Disabled | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2005/09/30 19:22:50 | 000,096,341 | ---- | M] (Canon Inc.) [Disabled | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2004/07/14 05:16:06 | 000,139,264 | ---- | M] (OTi) [Disabled | Stopped] -- C:\WINDOWS\System32\UStorSrv.exe -- (UStorage Server Service)
SRV - [2003/12/17 21:56:20 | 000,651,264 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe -- (Norton AntiVirus Server)
SRV - [2003/12/17 21:35:58 | 000,032,768 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2003/09/15 01:00:00 | 000,073,838 | ---- | M] (Intel) [Disabled | Stopped] -- C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe -- (IAANTMon)
SRV - [2003/07/18 09:50:46 | 000,135,170 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\DCPFLICS\DCPFLICS.exe -- (DCPFLICS)
SRV - [2003/03/03 13:33:40 | 000,143,360 | ---- | M] (Intel® Corporation) [Disabled | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)
SRV - [2002/12/12 13:03:36 | 000,046,080 | ---- | M] (C-Dilla Ltd) [Disabled | Stopped] -- C:\WINDOWS\system32\drivers\CDANTSRV.EXE -- (C-DillaSrv)
SRV - [2002/11/11 15:54:10 | 000,053,248 | ---- | M] (ATI Technologies, Inc.) [Disabled | Stopped] -- C:\WINDOWS\system32\frxhser.exe -- (FGLRXUtil)
SRV - [2002/07/19 18:17:18 | 000,029,184 | ---- | M] (Dantz Development Corporation) [Disabled | Stopped] -- C:\Program Files\Dantz\Retrospect\retrorun.exe -- (RetroLauncher)
SRV - [2001/08/09 03:01:00 | 000,090,112 | ---- | M] (SEIKO EPSON CORPORATION) [Disabled | Stopped] -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe -- (EPSONStatusAgent2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1004336348-492894223-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1004336348-492894223-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1004336348-492894223-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 169.254.111.116:1001

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {FF2FA6A4-B3B1-11DD-B910-6C9A55D89593}:0.26
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.4.1
FF - prefs.js..extensions.enabledItems: {c50ca3c4-5656-43c2-a061-13e717f73fc8}:2.02
FF - prefs.js..extensions.enabledItems: max@subfighter.com:1.0.2
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.1.9
FF - prefs.js..extensions.enabledItems: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}:6.3.1.1
FF - prefs.js..extensions.enabledItems: LDSI_plashcor@gmail.com:0.6.4
FF - prefs.js..extensions.enabledItems: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}:0.6.11

FF - HKLM\software\mozilla\Flock\Extensions\\Plugins: C:\Program Files\Flock\flock\plugins [2010/03/28 14:07:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Flock\Extensions\\Components: C:\Program Files\Flock\flock\components [2009/01/17 15:03:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/18 09:35:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/18 09:35:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.14\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/02/27 17:33:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.14\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/03/28 14:07:46 | 000,000,000 | ---D | M]

[2008/06/17 23:57:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Mozilla\Extensions
[2009/08/29 21:35:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\9cl4knu9.default\extensions
[2008/09/28 12:10:57 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\9cl4knu9.default\extensions\{049952B3-A745-43bd-8D26-D1349B1ED944}
[2008/09/28 12:10:56 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\9cl4knu9.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2008/09/28 12:10:56 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\9cl4knu9.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2008/09/28 12:10:58 | 000,000,000 | ---D | M] (MetaProducts Integration) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\9cl4knu9.default\extensions\{D249FD00-4DF9-11D9-9FDC-0080481ADA61}
[2008/09/28 12:10:54 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\9cl4knu9.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2007/08/01 00:47:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\9cl4knu9.default\extensions\firefox@facebook.com
[2009/02/27 12:53:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\9cl4knu9.default\extensions\refspoof@mozdev.org
[2009/02/27 12:53:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\9cl4knu9.default\extensions\staged-xpis
[2008/06/24 17:24:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\9cl4knu9.default\extensions\tabsplitter@nathanhelton.helsoft
[2005/12/12 23:08:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\9cl4knu9.default\extensions\temp
[2010/03/06 14:23:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\oifwjpah.Default User2\extensions
[2009/06/11 19:31:05 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\oifwjpah.Default User2\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2010/01/27 18:35:35 | 000,000,000 | ---D | M] (iMacros for Firefox) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\oifwjpah.Default User2\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
[2009/06/11 19:47:42 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\oifwjpah.Default User2\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/06/11 19:56:07 | 000,000,000 | ---D | M] (Fast Video Download) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\oifwjpah.Default User2\extensions\{c50ca3c4-5656-43c2-a061-13e717f73fc8}
[2010/01/15 22:31:04 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\oifwjpah.Default User2\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/06/11 19:45:58 | 000,000,000 | ---D | M] (User Agent Switcher) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\oifwjpah.Default User2\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
[2010/01/27 20:14:05 | 000,000,000 | ---D | M] (Bazzacuda Image Saver Plus) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\oifwjpah.Default User2\extensions\{FF2FA6A4-B3B1-11DD-B910-6C9A55D89593}
[2010/01/27 20:29:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\oifwjpah.Default User2\extensions\LDSI_plashcor@gmail.com
[2009/06/11 19:31:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\oifwjpah.Default User2\extensions\max@subfighter.com
[2010/03/06 14:23:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/12/19 13:57:38 | 000,310,272 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
[2007/03/10 00:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll

O1 HOSTS File: ([2010/04/14 17:14:41 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (no name) - {0246A1A7-820A-469A-85A7-7B7F01EB808C} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKLM\..\Toolbar: (&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx ()
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1004336348-492894223-725345543-1003\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1004336348-492894223-725345543-1003\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1004336348-492894223-725345543-1003\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O3 - HKU\S-1-5-21-1004336348-492894223-725345543-1003\..\Toolbar\WebBrowser: (no name) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - No CLSID value found.
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\IAAnotif.exe (Intel)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe (ScanSoft, Inc)
O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe (Nokia)
O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe (Intel® Corporation)
O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE (FUJI PHOTO FILM CO., LTD.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKU\.DEFAULT..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - HKU\S-1-5-18..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - HKU\S-1-5-21-1004336348-492894223-725345543-1003..\Run: [Iomega Automatic Backup Pro] C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe (Iomega Corporation)
O4 - HKU\S-1-5-21-1004336348-492894223-725345543-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKU\S-1-5-21-1004336348-492894223-725345543-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1004336348-492894223-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1004336348-492894223-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1004336348-492894223-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1004336348-492894223-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Download with Go!Zilla - C:\Program Files\Go!Zillanew\download-with-gozilla.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Open Client to Monitor &1 - C:\WINDOWS\Web\AOpenClient.htm ()
O8 - Extra context menu item: Open Client to Monitor &2 - C:\WINDOWS\Web\AOpenClient.htm ()
O9 - Extra Button: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKU\S-1-5-21-1004336348-492894223-725345543-1003\..Trusted Domains: totalvid.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1004336348-492894223-725345543-1003\..Trusted Domains: totalvid.com ([www] http in Trusted sites)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} http://components.metastream.com/MTSInstal...MetaStream3.cab (Reg Error: Key error.)
O16 - DPF: {10B80396-96A7-11D3-B7A6-00A0C94C6AE0} http://www.parallelgraphics.com/bin/cortvrml10.cab (ParallelGraphics Cortona VRML 1.0 to VRML 2.0 convertor)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...ector/swdir.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} file://C:\ptc\proeWildfire 2.0\i486_nt\obj\pvx_install.exe (ProductView Express)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Reg Error: Key error.)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} http://www.cult3d.com/download/cult.cab (Cult3D ActiveX Player)
O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/i263_32.cab (Reg Error: Key error.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} http://www.parallelgraphics.com/bin/cortvrml.cab (ParallelGraphics Cortona Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...8056.0318287037 (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab (Quantum Streaming IE VersionManager Class)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\system32\msdxm.ocx ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\System32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll ()
O24 - Desktop Components:0 () - http://static.flickr.com/118/314448200_685c1a1eff_d.jpg
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Luke\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Luke\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/02/03 20:44:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/10/05 17:20:10 | 000,017,735 | ---- | M] () - F:\auto-jardim-car-hire-complete.php.htm -- [ NTFS ]
O32 - AutoRun File - [2010/03/29 11:14:11 | 000,000,000 | ---- | M] () - I:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2003/10/11 10:02:09 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: {24D20E73-BE6B-42D7-8014AC99C3A92E90} - File not found
NetSvcs: {C1FC924F-5005-45B2-A261D4B38FD47966} - File not found

MsConfig - Services: "iPodService"
MsConfig - StartUpFolder: C:^Documents and Settings^Luke^Start Menu^Programs^Startup^Xacti Screen Capture 1.1.lnk - C:\Documents and Settings\Luke\Application Data\Microsoft\Installer\{37327654-EBF7-410C-9161-C24D68E02753}\_E47B9B72500055712D025F.exe - ()
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 2
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

ActiveX: {0291E591-EA41-4c82-8106-3DC6CE7F7664} -
ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608555} - Internet Explorer Classes for Java
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2cc9d512-6db6-4f1c-8979-9a41fae88de0} - Q837009
ActiveX: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
ActiveX: {347B0667-C7ED-429B-BDE3-CC8D3BACAA31} -
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015C} - Microsoft DirectX
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {689e5762-8d75-4346-90cf-bc1902c32d63} - KB896688
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {795d0712-722c-43ec-906a-fc5e678eada9} - Q831167
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {abcdf74f-9a64-4e6e-b8eb-6e5a41de6550} -
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {eddbec60-89cb-44ef-8291-0850fd28ff6a} - Q832894
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: {F5776D81-AE53-4935-8E84-B0B283D8BCEF} - Q330994
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Ligos Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\divx.dll (DivXNetworks, Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll (Ligos Corporation)
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll (Ligos Corporation)
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Ligos Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)

CREATERESTOREPOINT
Error starting restore point: The function was called in safe mode.
Restore point Set: OTL Restore Point (16620634377289728)

========== Files/Folders - Created Within 14 Days ==========

[2010/04/18 09:36:31 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Luke\Desktop\OTL.exe
[2010/04/18 09:18:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/04/14 22:45:30 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/14 17:20:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/14 16:51:18 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/14 16:51:18 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/14 16:51:18 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/14 16:51:18 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/15 21:09:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\WTablet
[2010/01/10 15:29:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/01/10 15:24:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/01/26 23:01:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/10/07 15:37:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/05/23 22:16:43 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2003/10/11 10:05:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2003/10/11 10:02:12 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[43 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\Documents and Settings\Luke\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\Luke\Local Settings\Application Data\*.tmp -> ]
[1 C:\Documents and Settings\Luke\Application Data\*.tmp files -> C:\Documents and Settings\Luke\Application Data\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/18 09:22:42 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Luke\Desktop\OTL.exe
[2010/04/18 09:18:07 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/18 09:16:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/14 22:47:40 | 019,922,944 | ---- | M] () -- C:\Documents and Settings\Luke\ntuser.dat
[2010/04/14 22:47:40 | 000,000,280 | -HS- | M] () -- C:\Documents and Settings\Luke\ntuser.ini
[2010/04/14 22:39:20 | 000,241,152 | ---- | M] () -- C:\Documents and Settings\Luke\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/14 17:14:54 | 000,000,329 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/14 17:14:41 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/14 16:50:22 | 003,915,064 | R--- | M] () -- C:\Documents and Settings\Luke\Desktop\lukewoolfsonCF.exe
[2010/04/14 16:40:04 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[43 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\Documents and Settings\Luke\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\Luke\Local Settings\Application Data\*.tmp -> ]
[1 C:\Documents and Settings\Luke\Application Data\*.tmp files -> C:\Documents and Settings\Luke\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/14 16:51:18 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/14 16:51:18 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/14 16:51:18 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/14 16:51:18 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/14 16:50:47 | 003,915,064 | R--- | C] () -- C:\Documents and Settings\Luke\Desktop\lukewoolfsonCF.exe
[2010/03/28 17:24:49 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Luke\defogger_reenable
[2010/01/30 20:22:15 | 000,008,954 | ---- | C] () -- C:\Documents and Settings\Luke\UserCustomPreset_Adobe Premiere Elements 3.0.vpr
[2010/01/27 20:02:57 | 000,000,036 | ---- | C] () -- C:\WINDOWS\ezmacros.INI
[2010/01/16 13:58:51 | 000,275,456 | ---- | C] () -- C:\WINDOWS\System32\gfkernel.dll
[2010/01/16 13:28:39 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2009/08/29 09:46:22 | 000,000,150 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/07/27 15:44:06 | 000,042,496 | ---- | C] () -- C:\WINDOWS\System32\spwini.dll
[2009/04/08 19:16:36 | 000,019,752 | ---- | C] () -- C:\WINDOWS\System32\HPSJ95CI.DLL
[2009/04/08 19:10:56 | 000,306,688 | ---- | C] () -- C:\WINDOWS\System32\Lffpx7.dll
[2009/04/08 19:10:56 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll
[2009/03/29 19:04:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\clikbook.ini
[2009/01/19 23:49:51 | 000,000,133 | ---- | C] () -- C:\WINDOWS\System32\ftdiun2k.ini
[2007/06/03 10:07:48 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2007/06/03 10:07:47 | 000,471,552 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll
[2007/02/26 17:05:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\eDrawingOfficeAutomator.INI
[2006/11/10 00:55:04 | 000,022,079 | ---- | C] () -- C:\Documents and Settings\Luke\Application Data\Comma Separated Values (DOS).ADR
[2006/09/09 10:24:05 | 000,186,902 | ---- | C] () -- C:\Documents and Settings\All Users\NCCD.log
[2006/06/13 16:35:32 | 000,053,760 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2006/05/04 21:58:45 | 000,010,392 | ---- | C] () -- C:\Documents and Settings\Luke\ptc_proe_wf2.dat
[2006/05/02 23:38:24 | 000,000,748 | ---- | C] () -- C:\WINDOWS\SetBrowser.ini
[2006/03/07 13:15:50 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Luke\PUTTY.RND
[2006/03/04 22:30:31 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\OPDSL.DLL
[2006/02/20 20:43:40 | 000,001,544 | ---- | C] () -- C:\WINDOWS\FlipBook.INI
[2006/02/04 00:59:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/01/22 18:16:18 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2005/12/07 13:31:00 | 000,202,752 | R--- | C] () -- C:\WINDOWS\System32\CddbCdda.dll
[2005/11/30 12:52:58 | 003,706,880 | ---- | C] () -- C:\WINDOWS\System32\qt-mt312.dll
[2005/11/30 12:52:20 | 001,392,640 | ---- | C] () -- C:\WINDOWS\System32\IvTune.dll
[2005/11/30 12:51:48 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\IvDLTiff.dll
[2005/11/30 12:51:48 | 000,055,808 | ---- | C] () -- C:\WINDOWS\System32\IvDLZlib.dll
[2005/11/30 12:51:46 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\IvDLPng.dll
[2005/11/30 12:51:44 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IvDLJasper.dll
[2005/11/30 12:51:44 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\IvDLJpeg.dll
[2005/11/30 12:51:42 | 000,294,912 | ---- | C] () -- C:\WINDOWS\System32\IvDLFreetype.dll
[2005/11/30 12:51:40 | 000,319,488 | ---- | C] () -- C:\WINDOWS\System32\IvDLFlt.DLL
[2005/11/30 12:51:38 | 000,413,696 | ---- | C] () -- C:\WINDOWS\System32\IvDLDxf.DLL
[2005/11/30 12:51:38 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\IvDLALut.dll
[2005/10/30 11:47:56 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/10/23 23:27:07 | 000,002,149 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/10/23 23:14:47 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\ntuser.dat
[2005/10/23 23:14:47 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG
[2005/10/15 14:24:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2005/03/29 23:15:33 | 000,003,548 | ---- | C] () -- C:\WINDOWS\System32\drivers\WinFlash.sys
[2005/03/29 23:15:16 | 000,023,612 | ---- | C] () -- C:\WINDOWS\System32\FlashMenu.sys
[2005/03/05 13:09:04 | 000,000,331 | ---- | C] () -- C:\WINDOWS\doom3.ini
[2005/02/18 21:56:46 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys
[2005/02/18 21:56:42 | 000,006,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\ds1410d.sys
[2004/12/27 03:44:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\GRAPHEDT.INI
[2004/12/27 03:21:53 | 000,000,435 | ---- | C] () -- C:\WINDOWS\ECMS.INI
[2004/10/05 23:37:20 | 000,258,048 | ---- | C] () -- C:\WINDOWS\System32\Manipulate.dll
[2004/04/19 08:04:55 | 000,000,341 | ---- | C] () -- C:\WINDOWS\monitor.INI
[2004/03/28 17:03:11 | 019,922,944 | ---- | C] () -- C:\Documents and Settings\Luke\ntuser.dat
[2004/03/20 22:08:19 | 000,007,180 | ---- | C] () -- C:\Documents and Settings\Luke\settingsVE.das
[2004/03/20 22:06:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Luke\DAsystem.log
[2004/03/12 11:41:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\Jones.dll
[2004/03/07 23:37:38 | 000,000,100 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2004/02/04 15:44:06 | 000,000,004 | ---- | C] () -- C:\WINDOWS\info147.sys
[2004/01/31 13:05:21 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2004/01/31 00:59:52 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\gozlib.dll
[2004/01/30 17:46:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mtstack.INI
[2004/01/03 17:24:20 | 000,174,080 | ---- | C] () -- C:\WINDOWS\System32\HOPEold.dll
[2004/01/03 17:24:20 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\Hope.dll
[2003/12/17 21:51:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll
[2003/11/15 10:47:46 | 000,000,186 | ---- | C] () -- C:\WINDOWS\CROCCLIP.INI
[2003/10/23 11:31:57 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll
[2003/10/19 20:02:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\lmtools.INI
[2003/10/15 22:52:31 | 000,000,040 | ---- | C] () -- C:\WINDOWS\nero.INI
[2003/10/15 18:38:37 | 000,025,601 | ---- | C] () -- C:\WINDOWS\CSTBox.INI
[2003/10/15 18:34:02 | 000,000,525 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2003/10/11 15:02:02 | 000,000,192 | ---- | C] () -- C:\WINDOWS\Winamp.ini
[2003/10/11 15:02:00 | 000,000,041 | ---- | C] () -- C:\WINDOWS\winampa.ini
[2003/10/11 12:15:59 | 000,241,152 | ---- | C] () -- C:\Documents and Settings\Luke\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/10/11 12:10:36 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2003/10/11 11:21:40 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/10/11 11:03:33 | 000,153,681 | ---- | C] () -- C:\Program Files\SolidWorksswxJRNL.BAK
[2003/10/11 10:29:53 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\Instdll.dll
[2003/10/11 10:27:30 | 000,126,976 | R--- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2003/10/11 10:06:10 | 001,409,024 | -H-- | C] () -- C:\Documents and Settings\Luke\ntuser.dat.LOG
[2003/10/11 10:06:10 | 000,000,280 | -HS- | C] () -- C:\Documents and Settings\Luke\ntuser.ini
[2003/08/07 20:01:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2002/10/30 13:20:10 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\HydraFra.dll
[2002/10/30 13:20:10 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\HydraNln.dll
[2002/10/30 13:20:10 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\HydraIta.dll
[2002/10/30 13:20:10 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HydraSvs.dll
[2002/10/30 13:20:10 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HydraNon.dll
[2002/10/30 13:20:10 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\HydraJan.dll
[2002/10/30 13:20:10 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\HydraKor.dll
[2002/10/30 13:20:10 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\HydraZht.dll
[2002/10/30 13:20:10 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\HydraZhs.dll
[2002/10/30 13:20:10 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\ViewHook.dll
[2002/10/30 13:20:08 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HydraFif.dll
[2002/10/30 13:20:08 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HydraDad.dll
[2002/04/11 11:47:52 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\msmscoin.dll
[2002/04/01 19:45:50 | 000,047,616 | ---- | C] () -- C:\WINDOWS\System32\ODBCMON.DLL
[2002/03/26 20:18:27 | 000,091,136 | ---- | C] () -- C:\WINDOWS\System32\mp4fil32.dll
[2002/02/04 15:39:52 | 000,088,064 | ---- | C] () -- C:\WINDOWS\System32\Tszd.dll
[2001/11/08 01:27:16 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\glut32.dll
[2001/08/02 10:56:52 | 000,463,904 | ---- | C] () -- C:\WINDOWS\System32\Owl253f.dll
[1995/08/29 03:52:00 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\BIVBX11C.DLL

========== LOP Check ==========

[2003/10/27 12:21:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\1Vision
[2006/01/22 18:14:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alias
[2007/09/11 22:45:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Bluebeam Software
[2008/05/17 22:09:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Channel4
[2003/10/23 00:51:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DassaultSystemes
[2007/12/10 22:26:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
[2010/01/27 19:32:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Free Labs
[2007/12/10 22:25:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2009/11/15 18:50:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Keronsoft
[2010/01/27 19:52:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\KeyText
[2008/07/29 19:45:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kontiki
[2010/02/27 17:35:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OpTaliX
[2009/01/26 22:59:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2004/09/05 14:25:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Retrospect
[2010/02/27 17:32:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\River Past G5
[2003/10/23 11:03:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2003/10/15 18:34:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
[2003/10/15 18:34:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanWizard
[2010/01/27 19:44:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/09/13 15:00:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/11/08 23:54:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2006/09/30 14:51:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{E0FD8DB4-0B1B-427B-B11A-E920A60A344E}
[2005/02/18 21:46:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\3Dconnexion
[2006/01/22 18:13:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Alias
[2009/11/29 17:22:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Amazon
[2009/01/23 21:34:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Arduino
[2005/11/05 23:03:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Azureus
[2009/09/08 20:57:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
[2009/09/28 20:33:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Canon
[2006/02/20 20:28:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\CellSoft
[2003/10/11 12:15:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\CoreCodec
[2003/10/23 00:51:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\DassaultSystemes
[2007/07/05 21:48:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\DataLayer
[2006/03/20 11:34:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\DWGEditor
[2007/02/07 19:20:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Flickr
[2006/11/30 21:09:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Flock
[2004/04/14 17:05:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\FUJIFILM
[2008/06/23 02:17:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\GrabPro
[2010/02/11 22:44:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\GriffinTechnology
[2003/10/11 12:08:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\InterTrust
[2006/10/21 13:28:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Iomega Automatic Backup Pro
[2003/10/29 11:14:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\IrfanView
[2010/01/15 22:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\jah
[2006/06/22 22:52:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Leadertech
[2010/01/27 19:38:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Macro Recorder
[2007/03/21 22:54:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\MetaProducts
[2007/12/10 22:32:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Nokia
[2007/02/25 12:30:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Nokia Multimedia Player
[2009/09/06 16:05:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\OpenOffice.org
[2006/03/11 13:04:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Opera
[2010/01/27 22:09:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Orbit
[2007/12/13 09:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\PC Suite
[2009/01/24 15:26:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Processing
[2005/02/18 23:35:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\PTC
[2006/11/30 23:46:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\River Past G5
[2003/10/15 18:34:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\ScanSoft
[2006/09/30 14:51:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Seven Zip
[2009/10/28 22:14:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\sldIM
[2006/03/07 22:22:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\SSH
[2005/10/10 20:28:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Thunderbird
[2007/02/25 11:34:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\tunebite
[2007/05/22 00:23:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\uTorrent
[2009/09/13 15:00:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\Viewpoint
[2010/02/03 23:34:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Luke\Application Data\WTouch
[2006/11/08 01:13:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\naomi\Application Data\Iomega Automatic Backup Pro
[2009/02/19 23:33:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\naomi\Application Data\Orbit
[2007/03/15 10:55:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\naomi\Application Data\PC Suite
[2007/03/15 17:16:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\naomi\Application Data\Thunderbird
[2008/04/12 19:46:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\tom\Application Data\Nokia
[2008/04/12 19:47:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\tom\Application Data\Nokia Multimedia Player
[2008/04/12 18:59:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\tom\Application Data\PC Suite

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[43 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >
[2010/03/06 23:54:32 | 000,077,312 | ---- | M] () -- C:\mbr.exe


< MD5 for: AGP440.SYS >
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\agp440.sys
[2004/08/04 07:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\agp440.sys
[2001/08/17 13:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2001/08/17 13:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\WINDOWS\system32\dllcache\agp440.sys
[2001/08/17 13:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\WINDOWS\system32\drivers\agp440.sys
[2001/08/17 13:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2002/08/29 13:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2002/08/29 01:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2002/08/29 01:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\dllcache\atapi.sys
[2002/08/29 01:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\drivers\atapi.sys
[2002/08/29 01:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys
[2004/08/04 06:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 01:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll
[2004/08/04 08:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\eventlog.dll
[2002/08/29 13:00:00 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2002/08/29 13:00:00 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2002/08/29 13:00:00 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2003/03/21 01:00:00 | 000,201,088 | ---- | M] (Intel Corporation) MD5=18E3972D9632485D80D609D4674F9D83 -- C:\WINDOWS\OemDir\iaStor.sys
[2003/03/21 00:00:00 | 000,201,088 | ---- | M] (Intel Corporation) MD5=18E3972D9632485D80D609D4674F9D83 -- C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\iaStor.sys
[2003/02/27 01:00:00 | 000,201,216 | ---- | M] (Intel Corporation) MD5=D476E78A20F00A77D1FDE364B39D55CC -- C:\WINDOWS\system32\drivers\iaStor.sys
[2003/09/15 01:00:00 | 000,274,816 | ---- | M] (Intel Corporation) MD5=E6E806A4080E35D37C49D4CCF694EC56 -- C:\Program Files\Intel\Intel Application Accelerator\Driver\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netlogon.dll
[2002/08/29 13:00:00 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2002/08/29 13:00:00 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2002/08/29 13:00:00 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 19:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 19:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 08:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 08:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\scecli.dll
[2002/08/29 13:00:00 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2002/08/29 13:00:00 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2002/08/29 13:00:00 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\WINDOWS\system32\scecli.dll
[2008/04/14 01:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\scecli.dll

< MD5 for: VIAMRAID.SYS >
[2005/04/26 16:22:40 | 000,060,928 | R--- | M] (VIA Technologies inc,.ltd) MD5=0363E216E4EB5052969C96608934DBDE -- C:\WINDOWS\system32\drivers\viamraid.sys

< %systemroot%\*. /mp /s >
< End of report >



HAMeb log:

C:\Documents and Settings\Luke\Desktop\programs\HAMeb_check.exe
18/04/2010 at 9:52:11.48

Account active Yes
Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-1004336348-492894223-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant.BART.003

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.BART
HelpAssistant.BART.000
HelpAssistant.BART.001
HelpAssistant.BART.002
HelpAssistant.BART.003

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3246:TCP"=3246:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Enabled:Services
"8150:TCP"=8150:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"3832:TCP"=3832:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3246:TCP"=3246:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Enabled:Services
"8150:TCP"=8150:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"3832:TCP"=3832:TCP:*:Enabled:Services


~~ EOF ~~
