
very occasional browser hijack: 6topsearches.com


This topic is locked
25 replies to this topic

#1 mattolejack


Posted 13 April 2010 - 10:09 AM

I've run into browser hijacks before, but this is the first time I've had one that appears so rarely: it only seems to hijack my browser once in a while, about once a day.

Very occasionally, when I click on a google search result in my browser, or when I use the search box on the browser, I am redirected to a 6topsearches.com page. If I BACK the browser and reclick on the same result, however, I am not sent back to the 6topsearches.com page. When I search google for 6topsearches.com and HIJACK, I don't find any results though.

EDIT: The redirect is not always to 6topsearches.com; I just got one to bestlookit.biz and there was another one earlier as well.

I am running XP home on a little MSI Wind netbook.
I am running firefox 3.6.3

An AVAST scan doesn't show any results.

Here is my HijackTHIS log:

=========================BEGIN==============================


Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:02:31 AM, on 4/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Le Robert\Le Robert & Collins\rcwinHyper.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\PROGRA~1\IDAILY~1\iDD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.msi.com.tw/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Xnazij] rundll32.exe "C:\WINDOWS\ajizuwoc.dll",Startup
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [rcwinHyper] C:\Program Files\Le Robert\Le Robert & Collins\rcwinHyper.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [iDailyDiary] "C:\PROGRA~1\IDAILY~1\iDD.exe" /LOGMIN
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\jack\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [rasole64] rundll32.exe "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\rasole64\rasole64.dll", DllInit
O4 - HKUS\S-1-5-18\..\Run: [rasole64] rundll32.exe "C:\Documents and Settings\LocalService\Local Settings\Application Data\rasole64\rasole64.dll", DllInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [xmlp2pGame] rundll32.exe "C:\Documents and Settings\LocalService\Local Settings\Application Data\xmlp2pGame\xmlp2pGame.dll", DllInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nvmcperfd8] rundll32.exe "C:\Documents and Settings\LocalService\Local Settings\Application Data\nvmcperfd8\nvmcperfd8.dll", DllInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [rasole64] rundll32.exe "C:\Documents and Settings\LocalService\Local Settings\Application Data\rasole64\rasole64.dll", DllInit (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msi.com.tw
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9886e1b28005a) (gupdate1c9886e1b28005a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Micro Star SCM - Unknown owner - C:\Program Files\System Control Manager\MSIService.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 13003 bytes

===================================END LOG================================

Any thoughts?

EDIT: Moved from Am I Infected to Malware Removal Logs, more appropriate forum ~ Hamluis.

Attached Files

  • DDS.zip (5.32 KB)

Edited by hamluis, 13 April 2010 - 12:25 PM.
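The O4 entries in the log above are where this kind of hijack shows up: several Run keys start rundll32.exe to load a DLL from a per-user Application Data folder, from a service-account profile (LocalService, SYSTEM), or loose in C:\WINDOWS. As an added example, not code from this thread or from HijackThis, here is a small Python triage script that parses O4 lines and flags exactly that loader pattern; the scoring rules are the example's own heuristics and the sample lines are copied from the posted log.

```python
"""Triage HijackThis O4 (autostart) entries for the rundll32 loader pattern
seen in the posted log. Added example for this thread; the scoring rules
below are this example's own heuristics, not HijackThis functionality."""
import re

# Constructed sample: lines copied from the posted log, benign entries included.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Xnazij] rundll32.exe "C:\WINDOWS\ajizuwoc.dll",Startup
O4 - HKCU\..\Run: [rasole64] rundll32.exe "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\rasole64\rasole64.dll", DllInit
O4 - HKUS\S-1-5-18\..\Run: [xmlp2pGame] rundll32.exe "C:\Documents and Settings\LocalService\Local Settings\Application Data\xmlp2pGame\xmlp2pGame.dll", DllInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
"""

# "O4 - <hive>\..\<key>: [<name>] <command> (User '<user>')" -- user part optional
O4_REGISTRY = re.compile(
    r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# "O4 - Startup: <shortcut> = <target>" (Startup-folder items)
O4_FOLDER = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$")
# rundll32.exe "<dll path>", <export>
RUNDLL32 = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S*)', re.I)


def parse_o4(line):
    """Return a dict for one O4 line, or None if the line is not an O4 entry."""
    m = O4_REGISTRY.match(line)
    if m:
        entry = m.groupdict()
        entry["kind"] = "registry"
    else:
        m = O4_FOLDER.match(line)
        if not m:
            return None
        entry = m.groupdict()
        entry.update(kind="folder", key=None, user=None)
    entry["line"] = line
    return entry


def assess(entry):
    """Attach the loaded DLL (if any) and a list of reasons the entry looks odd."""
    reasons = []
    entry["dll"] = entry["export"] = None
    m = RUNDLL32.match(entry["cmd"])
    if m:
        dll = m.group("dll")
        entry["dll"], entry["export"] = dll, m.group("export")
        low = dll.lower()
        if "\\application data\\" in low:
            reasons.append("rundll32 loads a DLL from a per-user Application Data folder")
        if "\\localservice\\" in low or "\\systemprofile\\" in low:
            reasons.append("DLL sits under a service-account profile (LocalService/SYSTEM)")
        if re.fullmatch(r"[a-z]:\\windows\\[^\\]+\.dll", low):
            reasons.append("DLL is loose in the Windows directory rather than system32")
    entry["reasons"] = reasons
    entry["suspicious"] = bool(reasons)
    return entry


def triage(text):
    """Parse and assess every O4 line in a HijackThis log (other lines are skipped)."""
    entries = (parse_o4(line.strip()) for line in text.splitlines())
    return [assess(e) for e in entries if e is not None]


def suspicious_names(text):
    """Names of the O4 entries that match at least one heuristic, in log order."""
    return [e["name"] for e in triage(text) if e["suspicious"]]


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        tag = "SUSPECT" if e["suspicious"] else "ok     "
        print(f"{tag} [{e['name']}] {e['cmd']}")
        for r in e["reasons"]:
            print(f"         - {r}")
```

Anything the script flags still needs a second opinion (file age, publisher, a scan of the DLL itself), which is what the helper's OTL and GMER request in this thread is for.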



#2 mattolejack


Posted 14 April 2010 - 10:20 AM

So I pulled a couple of little things off with the help of Malwarebytes Anti-Malware. Mainly rasole64.dll (visible above in the HJT log). Something called xmlp2pgame.dll as well; it was sitting in the same folder.

Second, following advice elsewhere in this forum, I got rid of all Java components on this machine. Why there were two old versions of Java on here I don't know.

Haven't been able to reproduce the hijack since. Maybe rasole64 was the only issue.

#3 Elise


Posted 18 April 2010 - 05:04 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."



#4 mattolejack


Posted 18 April 2010 - 10:50 AM

Hello Elise,

Thank you for helping me out. I can't believe that a combination of Avast and MBAM and SuperAntiSpyware scans isn't good enough anymore. I sure am glad people like you are out there in the cloud!

So, the browser hijacks are still happening. Today I clicked a google link and was hijacked to a [[ 7search.com ]] site. What is disturbing about these guys is that they only hijack your browser once in a while. Probably so the average user doesn't even know he's been hijacked.

I have now run OTL. Here are the logs:

=================================BEGIN LOGS=============================

OTL logfile created on: 4/18/2010 8:43:23 AM - Run 1
OTL by OldTimer - Version 3.2.1.2 Folder = C:\Documents and Settings\jack\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 328.00 Mb Available Physical Memory | 32.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.62 Gb Total Space | 15.99 Gb Free Space | 22.65% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JACK-MINILAPTOP
Current User Name: jack
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/18 08:34:40 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jack\Desktop\OTL.exe
PRC - [2010/04/01 12:28:36 | 002,010,864 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2010/04/01 10:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/09 03:24:10 | 002,769,336 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/02/26 15:24:50 | 000,097,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
PRC - [2008/08/26 09:59:44 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2008/08/26 09:27:02 | 000,155,648 | ---- | M] () -- C:\Program Files\Le Robert\Le Robert & Collins\rcwinHyper.exe
PRC - [2008/06/10 15:39:52 | 000,782,336 | ---- | M] (Mirco-Star International CO., LTD.) -- C:\Program Files\System Control Manager\MGSysCtrl.exe
PRC - [2008/04/14 05:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/14 05:00:00 | 000,034,304 | R-S- | M] () -- C:\Documents and Settings\jack\Start Menu\Programs\Startup\monxga32.exe
PRC - [2008/02/21 23:45:40 | 000,159,744 | ---- | M] () -- C:\Program Files\System Control Manager\MSIService.exe
PRC - [2008/01/11 10:54:31 | 000,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2007/12/06 13:03:41 | 000,660,768 | ---- | M] (ABBYY (BIT Software)) -- C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
PRC - [2007/09/28 16:05:16 | 000,128,360 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2006/11/13 13:39:52 | 001,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/11/13 13:39:34 | 000,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2002/12/18 11:12:26 | 000,110,592 | ---- | M] (Microsoft Corp.) -- C:\Program Files\WallpaperToy\Wallpapertoy.Exe


========== Modules (SafeList) ==========

MOD - [2010/04/18 08:34:40 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jack\Desktop\OTL.exe
MOD - [2010/04/17 17:14:25 | 000,042,496 | -H-- | M] () -- C:\WINDOWS\system32\fingexec.dll
MOD - [2008/04/14 05:00:00 | 000,178,688 | ---- | M] () -- C:\WINDOWS\iligonam.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2008/08/26 09:59:44 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/02/21 23:45:40 | 000,159,744 | ---- | M] () [Auto | Running] -- C:\Program Files\System Control Manager\MSIService.exe -- (Micro Star SCM)
SRV - [2007/12/06 13:03:41 | 000,660,768 | ---- | M] (ABBYY (BIT Software)) [Auto | Running] -- C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe -- (ABBYY.Licensing.FineReader.Professional.9.0)
SRV - [2007/09/28 16:05:16 | 000,128,360 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/03/20 16:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)
SRV - [2005/11/14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2010/03/09 03:12:54 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/03/09 03:12:33 | 000,162,640 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/03/09 03:09:08 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/03/09 03:08:41 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/03/09 03:08:30 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/03/09 03:08:15 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/17 11:15:58 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2008/08/22 19:25:00 | 000,308,608 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8187Se.sys -- (rtl8187Se)
DRV - [2008/06/11 12:23:07 | 000,106,368 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/06/11 12:23:01 | 000,156,160 | R--- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTS5121.sys -- (RSUSBSTOR)
DRV - [2008/05/07 19:21:40 | 004,739,072 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/14 05:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 00:11:00 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\changer.sys -- (Changer)
DRV - [2008/02/15 15:01:06 | 000,131,712 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbd.sys -- (tosrfbd)
DRV - [2008/01/31 15:55:06 | 000,074,240 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Tosrfhid.sys -- (Tosrfhid)
DRV - [2008/01/22 20:57:48 | 000,054,144 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfSnd.sys -- (TosRfSnd)
DRV - [2008/01/11 11:04:00 | 000,220,128 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/12/19 11:32:12 | 005,854,688 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/11/29 09:45:44 | 000,036,608 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (tosrfbnp)
DRV - [2007/10/18 14:25:00 | 000,041,856 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2007/10/02 11:43:22 | 000,064,128 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2006/10/10 19:33:00 | 000,041,600 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosporte.sys -- (tosporte)
DRV - [2005/01/07 05:42:00 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)
DRV - [2004/12/23 04:47:10 | 000,027,392 | R--- | M] (Ulead Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ULCDRHlp.sys -- (ULCDRHlp)
DRV - [2004/04/30 00:37:02 | 000,160,640 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\a347bus.sys -- (a347bus)
DRV - [2004/04/30 00:33:00 | 000,005,248 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\a347scsi.sys -- (a347scsi)
DRV - [2002/09/16 17:14:32 | 000,004,228 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\PQNTDRV.sys -- (PQNTDrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msi.com.tw
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msi.com.tw
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msi.com.tw

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msi.com.tw

IE - HKU\S-1-5-21-2222491866-3494719633-2910611971-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2222491866-3494719633-2910611971-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2222491866-3494719633-2910611971-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {aff87fa2-a58e-4edd-b852-0a20203c1e17}:0.7
FF - prefs.js..extensions.enabledItems: foxmarks@kei.com:3.5.10
FF - prefs.js..extensions.enabledItems: {A493C116-1DCB-48C4-95FE-6DA719C86767}:1.9.1
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.13
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files\Google\Google Gears\Firefox\ [2010/03/06 11:26:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A493C116-1DCB-48C4-95FE-6DA719C86767}: C:\Documents and Settings\jack\Local Settings\Application Data\{A493C116-1DCB-48C4-95FE-6DA719C86767}\ [2010/04/18 06:35:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/07 18:23:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/18 06:26:37 | 000,000,000 | ---D | M]

[2008/08/15 22:58:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jack\Application Data\Mozilla\Extensions
[2010/04/18 08:26:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jack\Application Data\Mozilla\Firefox\Profiles\spd3y3vw.default\extensions
[2010/03/30 08:02:40 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\jack\Application Data\Mozilla\Firefox\Profiles\spd3y3vw.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2010/02/06 08:13:08 | 000,000,000 | ---D | M] (gTranslate) -- C:\Documents and Settings\jack\Application Data\Mozilla\Firefox\Profiles\spd3y3vw.default\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
[2010/01/27 11:24:09 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\jack\Application Data\Mozilla\Firefox\Profiles\spd3y3vw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/03/30 08:02:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jack\Application Data\Mozilla\Firefox\Profiles\spd3y3vw.default\extensions\foxmarks@kei.com
[2010/04/14 23:11:05 | 000,001,575 | ---- | M] () -- C:\Documents and Settings\jack\Application Data\Mozilla\Firefox\Profiles\spd3y3vw.default\searchplugins\ixquick.xml
[2010/04/18 08:26:43 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/16 20:44:16 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/16 20:43:58 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2009/12/07 23:44:09 | 000,000,763 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.freetetris.org
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKU\S-1-5-21-2222491866-3494719633-2910611971-1005\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION)
O4 - HKLM..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe (Mirco-Star International CO., LTD.)
O4 - HKLM..\Run: [Xnazij] C:\WINDOWS\iligonam.DLL ()
O4 - HKU\.DEFAULT..\Run: [nvmcperfd8] File not found
O4 - HKU\.DEFAULT..\Run: [xmlp2pGame] File not found
O4 - HKU\S-1-5-18..\Run: [nvmcperfd8] File not found
O4 - HKU\S-1-5-18..\Run: [xmlp2pGame] File not found
O4 - HKU\S-1-5-21-2222491866-3494719633-2910611971-1005..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\Wcescomm.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2222491866-3494719633-2910611971-1005..\Run: [iDailyDiary] C:\Program Files\iDailyDiary\iDD.exe ()
O4 - HKU\S-1-5-21-2222491866-3494719633-2910611971-1005..\Run: [Ncosofuqoqiw] C:\WINDOWS\mlermse.DLL (CyberLink Corp.)
O4 - HKU\S-1-5-21-2222491866-3494719633-2910611971-1005..\Run: [rcwinHyper] C:\Program Files\Le Robert\Le Robert & Collins\rcwinHyper.exe ()
O4 - HKU\S-1-5-21-2222491866-3494719633-2910611971-1005..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\jack\Start Menu\Programs\Startup\monxga32.exe ()
O4 - Startup: C:\Documents and Settings\jack\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\jack\Start Menu\Programs\Startup\Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe (Microsoft Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2222491866-3494719633-2910611971-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 181
O7 - HKU\S-1-5-21-2222491866-3494719633-2910611971-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF 03 [binary data]
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 76.14.0.8 76.14.0.9
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\jack\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - Unable to open key or key not present!
O32 - AutoRun File - [2008/06/10 19:07:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{0c5e0b50-f1a2-11dd-b358-001d92c98f28}\Shell\AutoRun\command - "" = isetup.exe
O33 - MountPoints2\{0c5e0b50-f1a2-11dd-b358-001d92c98f28}\Shell\explore\Command - "" = isetup.exe
O33 - MountPoints2\{0c5e0b50-f1a2-11dd-b358-001d92c98f28}\Shell\open\Command - "" = isetup.exe
O33 - MountPoints2\{ffbedfa1-12c5-11de-b379-001d92c98f28}\Shell - "" = AutoRun
O33 - MountPoints2\{ffbedfa1-12c5-11de-b379-001d92c98f28}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ffbedfa1-12c5-11de-b379-001d92c98f28}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: mpnoimon - (C:\WINDOWS\system32\fingexec.dll) - C:\WINDOWS\system32\fingexec.dll ()
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = secfile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-21-2222491866-3494719633-2910611971-1005\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/04/18 08:34:32 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\jack\Desktop\OTL.exe
[2010/04/18 06:35:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jack\Local Settings\Application Data\{A493C116-1DCB-48C4-95FE-6DA719C86767}
[2010/04/18 06:25:25 | 000,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\irenum.sys
[2010/04/18 06:24:47 | 000,008,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\i2omgmt.sys
[2010/04/17 17:15:38 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys
[2010/04/17 17:15:38 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys
[2010/04/16 20:46:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010/04/16 20:44:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/16 20:44:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/16 20:44:14 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/16 20:44:13 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/16 20:44:13 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/16 20:44:13 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/16 20:44:13 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/16 20:43:54 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/04/16 20:41:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jack\Application Data\Sun
[2010/04/13 18:35:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/04/13 09:16:01 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/13 09:15:57 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/13 07:53:31 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/03/30 08:48:02 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/03/27 14:48:40 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/03/27 14:48:39 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/03/27 14:48:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/03/27 08:22:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2010/03/24 08:26:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
[2010/03/23 23:27:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\nvrssystools
[2010/03/23 23:12:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jack\Application Data\Malwarebytes
[2010/03/23 23:12:32 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/23 23:12:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/23 23:02:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\nvmcperfd8
[2009/02/12 21:05:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/02/12 17:55:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/02/06 08:18:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/02/06 08:14:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/01/05 16:58:03 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/01/05 16:58:03 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/09/14 12:02:43 | 000,160,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347bus.sys
[2008/09/14 12:02:43 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347scsi.sys
[2008/09/01 03:46:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2008/08/17 14:53:38 | 001,110,016 | ---- | C] (Gabest) -- C:\Program Files\mplayerc.exe
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/18 08:41:53 | 002,457,654 | -H-- | M] () -- C:\WINDOWS\System32\toyhide.bmp
[2010/04/18 08:37:52 | 006,029,312 | -H-- | M] () -- C:\Documents and Settings\jack\NTUSER.DAT
[2010/04/18 08:35:25 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\jack\Desktop\rvpchp6i.exe
[2010/04/18 08:34:40 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jack\Desktop\OTL.exe
[2010/04/18 08:32:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/18 08:32:01 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/18 08:25:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2222491866-3494719633-2910611971-1005UA.job
[2010/04/18 06:35:38 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Qzirihutafuzac.dat
[2010/04/18 06:35:38 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Xqehupunep.bin
[2010/04/18 06:27:10 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/18 06:26:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/18 06:26:41 | 1062,526,976 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/17 17:14:25 | 000,042,496 | -H-- | M] () -- C:\WINDOWS\System32\fingexec.dll
[2010/04/17 17:13:24 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\jack\Application Data\avdrn.dat
[2010/04/17 09:25:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2222491866-3494719633-2910611971-1005Core.job
[2010/04/16 20:43:58 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/16 20:43:58 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/16 20:43:58 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/16 20:43:58 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/16 20:43:58 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/16 08:53:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/15 09:54:52 | 005,705,703 | ---- | M] () -- C:\Documents and Settings\jack\Desktop\CH1A_L5_P66_LanguageInUse.mp3
[2010/04/15 09:48:53 | 001,075,238 | ---- | M] () -- C:\Documents and Settings\jack\Desktop\CH1A_L5_P65_SentencePatterns.mp3
[2010/04/14 23:28:58 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\jack\ntuser.ini
[2010/04/14 08:15:17 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/14 08:15:04 | 000,000,063 | ---- | M] () -- C:\WINDOWS\vbaddin.ini
[2010/04/13 18:36:01 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/13 11:17:59 | 000,005,443 | ---- | M] () -- C:\Documents and Settings\jack\Desktop\DDS.zip
[2010/04/13 09:16:03 | 000,000,706 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/13 07:53:32 | 000,001,980 | ---- | M] () -- C:\Documents and Settings\jack\Desktop\HiJackThis.lnk
[2010/04/07 18:23:08 | 000,001,612 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/04/07 18:09:09 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/30 08:53:20 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/27 15:19:30 | 003,864,796 | -H-- | M] () -- C:\Documents and Settings\jack\Local Settings\Application Data\IconCache.db
[2010/03/27 14:48:41 | 000,001,710 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/03/27 14:48:38 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/03/23 23:05:59 | 000,015,726 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\Mh3jm32txN
[2010/03/22 07:03:40 | 000,015,478 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\wo588q8Gd1tnB
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/18 08:35:22 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\jack\Desktop\rvpchp6i.exe
[2010/04/17 17:14:25 | 000,042,496 | -H-- | C] () -- C:\WINDOWS\System32\fingexec.dll
[2010/04/17 17:13:24 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\jack\Application Data\avdrn.dat
[2010/04/15 09:54:52 | 005,705,703 | ---- | C] () -- C:\Documents and Settings\jack\Desktop\CH1A_L5_P66_LanguageInUse.mp3
[2010/04/15 09:48:50 | 001,075,238 | ---- | C] () -- C:\Documents and Settings\jack\Desktop\CH1A_L5_P65_SentencePatterns.mp3
[2010/04/13 18:36:01 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/13 18:28:24 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\jack\Desktop\gmer.exe
[2010/04/13 11:55:16 | 000,245,103 | ---- | C] () -- C:\Documents and Settings\jack\Desktop\JavaRa.def
[2010/04/13 11:17:59 | 000,005,443 | ---- | C] () -- C:\Documents and Settings\jack\Desktop\DDS.zip
[2010/04/13 09:16:03 | 000,000,706 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/13 07:53:32 | 000,001,980 | ---- | C] () -- C:\Documents and Settings\jack\Desktop\HiJackThis.lnk
[2010/04/07 18:23:08 | 000,001,612 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/03/27 14:48:41 | 000,001,710 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/03/23 23:02:43 | 000,015,726 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mh3jm32txN
[2010/03/23 23:02:43 | 000,015,726 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\Mh3jm32txN
[2010/03/21 16:39:18 | 000,015,478 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\wo588q8Gd1tnB
[2010/03/21 16:39:18 | 000,015,478 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\wo588q8Gd1tnB
[2010/03/18 22:20:50 | 000,011,448 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3696930130
[2010/03/18 22:20:49 | 000,011,448 | -HS- | C] () -- C:\Documents and Settings\jack\Local Settings\Application Data\hfJ5Mio0m8B0g
[2010/03/18 22:19:04 | 000,011,452 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\hfJ5Mio0m8B0g
[2010/03/18 22:19:04 | 000,011,452 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\hfJ5Mio0m8B0g
[2010/03/17 08:26:52 | 000,014,538 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\6JQ57
[2010/03/17 08:26:52 | 000,014,538 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\6JQ57
[2010/03/17 08:26:49 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\rbuwzv.dat
[2009/08/19 13:45:07 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS75.DLL
[2008/12/17 08:21:48 | 000,000,332 | ---- | C] () -- C:\WINDOWS\System32\CNCMFP23.INI
[2008/11/21 14:47:52 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/21 14:45:16 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/11/21 14:45:16 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/11/21 14:44:16 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/09/24 11:52:27 | 000,000,029 | ---- | C] () -- C:\WINDOWS\System32\GetWord.ini
[2008/09/15 04:13:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\setup32.INI
[2008/09/14 14:56:26 | 000,000,184 | ---- | C] () -- C:\WINDOWS\Readiris.ini
[2008/08/28 23:38:36 | 000,000,422 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/08/28 15:12:10 | 000,000,041 | ---- | C] () -- C:\WINDOWS\loc2.INI
[2008/08/28 15:12:05 | 000,000,041 | ---- | C] () -- C:\WINDOWS\FindServ.INI
[2008/08/28 09:31:05 | 000,001,735 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/08/27 06:08:03 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\jack\Application Data\$_hpcst$.hpc
[2008/08/27 03:43:38 | 000,000,096 | ---- | C] () -- C:\WINDOWS\WirelessFTP.INI
[2008/08/27 02:06:30 | 000,002,364 | ---- | C] () -- C:\WINDOWS\citation.ini
[2008/08/27 02:06:30 | 000,000,422 | ---- | C] () -- C:\WINDOWS\System32\MSST45.DLL
[2008/08/26 13:51:21 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/08/26 09:44:19 | 000,000,115 | ---- | C] () -- C:\WINDOWS\rcwin.ini
[2008/08/22 12:45:00 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2008/08/17 14:52:22 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/08/17 14:52:21 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/08/16 13:06:31 | 006,029,312 | -H-- | C] () -- C:\Documents and Settings\jack\NTUSER.DAT
[2008/08/16 13:06:31 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\jack\ntuser.dat.LOG
[2008/08/16 13:06:31 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\jack\ntuser.ini
[2008/08/16 13:06:10 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2008/08/16 13:06:10 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2008/08/16 08:56:08 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\jack\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/06/11 17:00:48 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/06/11 16:18:21 | 006,184,960 | R--- | C] () -- C:\WINDOWS\System32\RTS5121icon.dll
[2008/06/11 10:49:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2008/06/11 09:54:58 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll
[2008/06/10 18:47:01 | 000,001,188 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/06/10 18:46:53 | 000,178,688 | ---- | C] () -- C:\WINDOWS\iligonam.dll
[2008/01/23 11:25:03 | 000,000,233 | -H-- | C] () -- C:\WINDOWS\gvac.sys
[2007/12/21 16:46:32 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2005/07/22 21:30:18 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll

========== Files - Unicode (All) ==========
[2010/02/27 18:37:03 | 000,026,624 | ---- | M] ()(C:\Documents and Settings\jack\My Documents\?? ????? ???????.doc) -- C:\Documents and Settings\jack\My Documents\في البال أُغنيةٌ.doc
[2010/02/27 18:30:08 | 000,026,624 | ---- | C] ()(C:\Documents and Settings\jack\My Documents\?? ????? ???????.doc) -- C:\Documents and Settings\jack\My Documents\في البال أُغنيةٌ.doc
[2009/07/15 09:17:16 | 000,043,520 | ---- | M] ()(C:\Documents and Settings\jack\My Documents\????? ????? ???? ????????? ?????? ?????? ????????.doc) -- C:\Documents and Settings\jack\My Documents\مصالح الأمن تعزز إجراءاتها لحماية العمال الصينيين.doc
[2009/07/15 09:17:15 | 000,043,520 | ---- | C] ()(C:\Documents and Settings\jack\My Documents\????? ????? ???? ????????? ?????? ?????? ????????.doc) -- C:\Documents and Settings\jack\My Documents\مصالح الأمن تعزز إجراءاتها لحماية العمال الصينيين.doc
< End of report >

=======================================BEGIN LOG 2===========================

OTL Extras logfile created on: 4/18/2010 8:43:23 AM - Run 1
OTL by OldTimer - Version 3.2.1.2 Folder = C:\Documents and Settings\jack\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 328.00 Mb Available Physical Memory | 32.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.62 Gb Total Space | 15.99 Gb Free Space | 22.65% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JACK-MINILAPTOP
Current User Name: jack
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe File not found

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe File not found

[HKEY_USERS\S-1-5-21-2222491866-3494719633-2910611971-1005\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3703:TCP" = 3703:TCP:*:Enabled:Adobe Version Cue CS3 Server
"3704:TCP" = 3704:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50900:TCP" = 50900:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50901:TCP" = 50901:TCP:*:Enabled:Adobe Version Cue CS3 Server
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" = C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server -- (Adobe Systems Incorporated)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)
"C:\Documents and Settings\jack\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll" = C:\Documents and Settings\jack\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin -- (Google)
"C:\Documents and Settings\jack\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\jack\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\mplayerc.exe" = C:\Program Files\mplayerc.exe:*:Enabled:Media Player Classic -- (Gabest)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{0219FD00-7C39-4CDE-BF53-81F49E6ACF54}" = Readiris Pro 11 Mr.Underground Edition
"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{0327FA9D-975C-448C-A086-577D57BB25B8}" = Adobe Soundbooth CS3 Codecs
"{07043840-959A-4B0D-8825-2C533F0DDB19}" = Microsoft Math
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{09041881-2C94-4A67-8E55-8483C019C7D2}" = Microsoft Student with Encarta Premium 2009
"{132CA5D9-C745-4B0B-A3B2-8C7A6EC3EE7E}" = Canon MF Toolbox 4.9.1.1.mf03
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}" = Adobe After Effects CS3 Presets
"{1D58229F-C505-45CA-8223-F35F3A34B963}" = Adobe Version Cue CS3 Server {ko_KR}
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{239A8D60-270B-42e8-82D3-60D70A2942E0}" = Canon MF4100 Series
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{258E7BCB-F415-4517-AB13-0A20DDDECAAB}" = DeLorme Street Atlas USA 2007 Plus
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{2892E1B7-E24D-4CCB-B8A7-B63D4B66F89F}" = BurnRecovery
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2EA2333A-A8B2-449A-93C3-1771F1A3E5B9}" = MainConcept MPEG Pro 3.1
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{2FA41EBB-3F5A-35C3-85D6-51EC72A11FBD}" = Google Gears
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3DE0053C-FD9A-483E-B7C9-B06E4392206E}" = iTunes
"{43645D1A-34C9-459E-9FF3-82181C856137}" = Citation
"{4458C442-7376-4CF9-AF58-E8CEA6722363}" = Adobe Setup
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{485ACF57-F364-440A-8496-E1E81C8FA1AA}" = Adobe Premiere Pro CS3 Third Party Content
"{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}" = Apple Mobile Device Support
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}" = Adobe Premiere Pro CS3 Functional Content
"{50F81341-82CC-458C-A66D-ADC42D25D727}" = Topo USA 5.0
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}" = Adobe Encore CS3
"{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}" = Adobe Premiere Pro CS3
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PartitionMagic
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}" = SSH Secure Shell
"{75F3A4B2-F6E8-434D-A2EF-DBBC016C6CB2}" = Learning Essentials for Microsoft Office
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7ACFB90E-8FD0-4397-AD3A-5195412623A3}" = Adobe Help Viewer CS3
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3
"{7DFC1012-D346-46CE-B03E-FF79125AE029}" = Adobe Fireworks CS3
"{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}" = Adobe Video Profiles
"{8718DC03-D066-4957-94E5-50C3C5042E8E}" = Adobe Creative Suite 3 Master Collection
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90120000-0010-0401-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (Arabic) 12
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0401-0000-0000000FF1CE}" = Microsoft Office Access MUI (Arabic) 2007
"{90120000-0015-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0401-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Arabic) 2007
"{90120000-0016-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0017-0401-0000-0000000FF1CE}" = Microsoft Office SharePoint Designer MUI (Arabic) 2007
"{90120000-0017-0401-0000-0000000FF1CE}_OMUI.ar-sa_{665DB297-FBC5-46C1-AE27-10355A47442E}" = Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
"{90120000-0018-0401-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Arabic) 2007
"{90120000-0018-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0401-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Arabic) 2007
"{90120000-0019-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0401-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Arabic) 2007
"{90120000-001A-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0401-0000-0000000FF1CE}" = Microsoft Office Word MUI (Arabic) 2007
"{90120000-001B-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0401-0000-0000000FF1CE}" = Microsoft Office Proof (Arabic) 2007
"{90120000-001F-0401-0000-0000000FF1CE}_OMUI.ar-sa_{14809F99-C601-4D4A-9391-F1E8FAA964C5}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_OMUI.ar-sa_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_PRJPRO_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_VISPRO_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_WebDesigner_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_OMUI.ar-sa_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_PRJPRO_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_VISPRO_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_WebDesigner_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_PRJPRO_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_VISPRO_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_WebDesigner_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0026-0000-0000-0000000FF1CE}" = Microsoft Expression Web
"{90120000-0026-0000-0000-0000000FF1CE}_WebDesigner_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0026-0000-0000-0000000FF1CE}_WebDesigner_{9037FDA8-8383-4B6F-859D-D49C3C625225}" = Microsoft Expression Web Service Pack 1 (SP1)
"{90120000-0026-0409-0000-0000000FF1CE}" = Microsoft Expression Web MUI (English)
"{90120000-0026-0409-0000-0000000FF1CE}_WebDesigner_{E1044ED2-E4AD-4B39-B500-31109750F6B4}" = Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
"{90120000-002C-0401-0000-0000000FF1CE}" = Microsoft Office Proofing (Arabic) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-003B-0000-0000-0000000FF1CE}" = Microsoft Office Project Professional 2007
"{90120000-003B-0000-0000-0000000FF1CE}_PRJPRO_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-003B-0000-0000-0000000FF1CE}_PRJPRO_{9E73617F-2F38-4864-BD61-BB2DDFE43323}" = Microsoft Office Project 2007 Service Pack 2 (SP2)
"{90120000-0044-0401-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Arabic) 2007
"{90120000-0044-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007
"{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{0FD405D3-CAF8-4CA6-8BFD-911D2F8A6585}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0054-0409-0000-0000000FF1CE}" = Microsoft Office Visio MUI (English) 2007
"{90120000-0054-0409-0000-0000000FF1CE}_VISPRO_{519D9F45-CBF4-4E57-B419-11F196CCA8AE}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-006E-0401-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Arabic) 2007
"{90120000-006E-0401-0000-0000000FF1CE}_OMUI.ar-sa_{C1547C6B-A758-4270-964E-4EE8D323C99D}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_OMUI.ar-sa_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_PRJPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_VISPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_WebDesigner_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0401-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Arabic) 2007
"{90120000-00A1-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00B4-0409-0000-0000000FF1CE}" = Microsoft Office Project MUI (English) 2007
"{90120000-00B4-0409-0000-0000000FF1CE}_PRJPRO_{27A9D316-D332-433B-8EB1-1D93EE49F26D}" = Microsoft Office Project 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}_OMUI.ar-sa_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0100-0401-0000-0000000FF1CE}" = Microsoft Office O MUI (Arabic) 2007
"{90120000-0100-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0101-0401-0000-0000000FF1CE}" = Microsoft Office X MUI (Arabic) 2007
"{90120000-0101-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0401-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (Arabic) 2007
"{90120000-0114-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_PRJPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_VISPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_WebDesigner_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{91249DB1-5E37-355D-94D6-F957031D8955}" = Google Talk Plugin
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3BE3F1E-2472-4211-8735-E8239BE49D9F}" = Ulead Burn.Now 4.5
"{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}" = Adobe Soundbooth CS3
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{ADBC173E-6F6B-4F6E-8FF5-168D92B7A789}" = Turkish Dictionary
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3
"{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}" = Adobe Encore CS3 Codecs
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}" = Adobe Flash Player 9 ActiveX
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB3F8375-B600-4B9F-83C9-238ED1E583FD}" = Adobe InDesign CS3
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D10CB652-9332-4242-B7A9-2D61570144F7}" = USB 2.0 Card Reader
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D4EEC21C-04F0-4CF4-8078-82C11E38EF11}" = REALTEK RTL8187SE Wireless LAN Driver
"{D5A31AB1-345D-47C7-A87B-036A669F6DF1}" = Adobe XMP Panels CS3
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{DD929BD3-5D41-4407-BE04-119B4A631869}" = Canon MF Toolbox 4.9.1.1.mf03
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E9F81423-211E-46B6-9AE0-38568BC5CF6F}" =
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{EB0202F7-016A-410C-ADE4-40F848CCC661}" = Adobe After Effects CS3
"{ED9C5D25-55DF-48D8-9328-2AC0D75DE5D8}" = System Control Manager
"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F9000000-0001-0000-0000-074957833700}" = ABBYY FineReader 9.0 Professional Edition
"{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}" = Adobe Contribute CS3
"{Microsoft Student 2007_54A0E938-8390-489F-8F1A-563673334DFE}" = Microsoft Student 2007 for Learning Essentials
"7-Zip" = 7-Zip 4.65
"Adobe Acrobat 8 Professional" = Adobe Acrobat 8.1.2 Professional
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_4dcfd9b7e901b57f81f667144603236" = Add or Remove Adobe Creative Suite 3 Master Collection
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"avast5" = avast! Free Antivirus
"DRAE" = DRAE
"Encyclopaedia Britannica 2008 Ultimate Reference Suite" = Encyclopaedia Britannica 2008 Ultimate Reference Suite
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FileZilla Client" = FileZilla Client 3.2.7
"FLV Flash Video Source Filter_is1" = FLV Flash Video Source Filter
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"iDailyDiary_is1" = iDailyDiary 3.41
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{2EA2333A-A8B2-449A-93C3-1771F1A3E5B9}" = MainConcept MPEG Pro 3.1
"InstallShield_{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PowerQuest PartitionMagic 8.0 Demo
"InstallShield_{A3BE3F1E-2472-4211-8735-E8239BE49D9F}" = Ulead Burn.Now 4.5 SE
"LameACM" = Lame ACM MP3 Codec
"MainConcept MPEG Pro HD Plug-In with DVCPRO HD addon" = MainConcept MPEG Pro HD Plug-In with DVCPRO HD addon
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MDict" = MDict
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mind Power™ Math - Algebra 1" = Mind Power™ Math - Algebra 1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OMUI.ar-sa" = Microsoft Office Language Pack 2007 - Arabic العربية
"PhotoRescue Pro" = PhotoRescue Pro 4.5
"PRJPRO" = Microsoft Office Project Professional 2007
"RealAlt_is1" = Real Alternative 1.9.0
"SWiSHzone.com FLV Filter" = SWiSHzone.com FLV Filter
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"The Rosetta Stone" = The Rosetta Stone
"Tweak UI 2.10" = Tweak UI
"VISPRO" = Microsoft Office Visio Professional 2007
"WallpaperToy" = Wallpaper Changer for Windows XP
"WebDesigner" = Microsoft Expression Web
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"WinRAR archiver" = WinRAR archiver
"Xvid_is1" = Xvid 1.1.2 final uninstall

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2222491866-3494719633-2910611971-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Collins-Robert French Dictionary" = Collins-Robert French Dictionary
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/13/2010 4:59:27 PM | Computer Name = JACK-MINILAPTOP | Source = ESENT | ID = 455
Description = wuaueng.dll (3200) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 4/13/2010 5:19:54 PM | Computer Name = JACK-MINILAPTOP | Source = ESENT | ID = 489
Description = wuauclt (1716) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 4/13/2010 5:19:54 PM | Computer Name = JACK-MINILAPTOP | Source = ESENT | ID = 455
Description = wuaueng.dll (1716) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 4/13/2010 5:20:12 PM | Computer Name = JACK-MINILAPTOP | Source = ESENT | ID = 489
Description = wuauclt (1716) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 4/13/2010 5:20:14 PM | Computer Name = JACK-MINILAPTOP | Source = ESENT | ID = 455
Description = wuaueng.dll (1716) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 4/14/2010 11:12:57 AM | Computer Name = JACK-MINILAPTOP | Source = Windows Search Service | ID = 3006
Description = Performance monitoring cannot be initialized for the gatherer service,
because the counters are not loaded or the shared memory object cannot be opened.
This only affects availability of the perfmon counters. Restart the computer.

Error - 4/14/2010 11:12:59 AM | Computer Name = JACK-MINILAPTOP | Source = Windows Search Service | ID = 3007
Description = Performance monitoring cannot be initialized for the gatherer object,
because the counters are not loaded or the shared memory object cannot be opened.
This only affects availability of the perfmon counters. Restart the computer. Context:
Application, SystemIndex Catalog

Error - 4/18/2010 9:33:40 AM | Computer Name = JACK-MINILAPTOP | Source = Application Error | ID = 1000
Description = Faulting application idd.exe, version 0.0.0.0, faulting module kernel32.dll,
version 5.1.2600.5781, fault address 0x00012afb.

Error - 4/18/2010 9:35:07 AM | Computer Name = JACK-MINILAPTOP | Source = Application Error | ID = 1000
Description = Faulting application idd.exe, version 0.0.0.0, faulting module kernel32.dll,
version 5.1.2600.5781, fault address 0x00012afb.

Error - 4/18/2010 9:35:12 AM | Computer Name = JACK-MINILAPTOP | Source = Application Error | ID = 1000
Description = Faulting application idd.exe, version 0.0.0.0, faulting module idd.exe,
version 0.0.0.0, fault address 0x00003280.

[ OSession Events ]
Error - 2/4/2009 1:59:24 AM | Computer Name = JACK-MINILAPTOP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 230
seconds with 60 seconds of active time. This session ended with a crash.

Error - 7/4/2009 4:47:15 PM | Computer Name = JACK-MINILAPTOP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 468
seconds with 240 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 4/17/2010 8:15:38 PM | Computer Name = JACK-MINILAPTOP | Source = Service Control Manager | ID = 7000
Description = The GEARAspiWDM service failed to start due to the following error:
%%2

Error - 4/18/2010 9:24:40 AM | Computer Name = JACK-MINILAPTOP | Source = Service Control Manager | ID = 7000
Description = The i2omgmt service failed to start due to the following error: %%2

Error - 4/18/2010 9:24:41 AM | Computer Name = JACK-MINILAPTOP | Source = Service Control Manager | ID = 7000
Description = The CD-Burning Filter Driver service failed to start due to the following
error: %%2

Error - 4/18/2010 9:24:43 AM | Computer Name = JACK-MINILAPTOP | Source = Service Control Manager | ID = 7000
Description = The IPv6 Windows Firewall Driver service failed to start due to the
following error: %%2

Error - 4/18/2010 9:24:44 AM | Computer Name = JACK-MINILAPTOP | Source = Service Control Manager | ID = 7000
Description = The IP Traffic Filter Driver service failed to start due to the following
error: %%2

Error - 4/18/2010 9:24:45 AM | Computer Name = JACK-MINILAPTOP | Source = Service Control Manager | ID = 7000
Description = The IP in IP Tunnel Driver service failed to start due to the following
error: %%2

Error - 4/18/2010 9:25:09 AM | Computer Name = JACK-MINILAPTOP | Source = Service Control Manager | ID = 7000
Description = The IP Network Address Translator service failed to start due to the
following error: %%2

Error - 4/18/2010 9:25:35 AM | Computer Name = JACK-MINILAPTOP | Source = Service Control Manager | ID = 7000
Description = The IR Enumerator Service service failed to start due to the following
error: %%2

Error - 4/18/2010 9:25:48 AM | Computer Name = JACK-MINILAPTOP | Source = Service Control Manager | ID = 7000
Description = The Microsoft Streaming Service Proxy service failed to start due
to the following error: %%2

Error - 4/18/2010 9:25:51 AM | Computer Name = JACK-MINILAPTOP | Source = Service Control Manager | ID = 7000
Description = The Microsoft Streaming Clock Proxy service failed to start due to
the following error: %%2


< End of report >
================================END LOGS==========================

Thanks again. Other scans will follow in a later reply.






#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,200 posts
  • Gender:Female
  • Location:Romania

Posted 18 April 2010 - 10:58 AM

Okay, I'll wait for the GMER scan results. If you have trouble running it, try checking only the Sections option.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#6 mattolejack

mattolejack
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:USA San Francisco

Posted 19 April 2010 - 10:06 AM

Here is the GMER log. This was run in safe mode since I was having trouble getting it to finish otherwise.

==========================GMER LOG==========================

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-19 08:01:41
Windows 5.1.2600 Service Pack 3
Running: rvpchp6i.exe; Driver: C:\DOCUME~1\jack\LOCALS~1\Temp\fwlcruoc.sys


---- System - GMER 1.0.15 ----

SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwClose [0xF7846028]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwCreateKey [0xF7845FE0]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xF783A5DC]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xF7846120]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwOpenFile [0xF7839B40]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwOpenKey [0xF7845FA4]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwQueryKey [0xF783A5FC]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwQueryValueKey [0xF7846076]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Documents and Settings\jack\Desktop\rvpchp6i.exe[724] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\jack\Desktop\rvpchp6i.exe[724] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\jack\Desktop\rvpchp6i.exe[724] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\jack\Desktop\rvpchp6i.exe[724] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\jack\Desktop\rvpchp6i.exe[724] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\jack\Desktop\rvpchp6i.exe[724] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Documents and Settings\jack\Desktop\rvpchp6i.exe[724] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\jack\Desktop\rvpchp6i.exe[724] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\jack\Desktop\rvpchp6i.exe[724] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Documents and Settings\jack\Desktop\rvpchp6i.exe[724] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1796] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1796] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1796] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1796] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1796] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1796] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1796] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1796] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1796] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1796] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1796] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86F36828

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Rdbss \Device\FsWrap 86CDB300
Device \FileSystem\Srv \Device\LanmanServer 8643E698
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8645D4C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8645D4C8
Device \FileSystem\Npfs \Device\NamedPipe 865D1B50
Device \FileSystem\Msfs \Device\Mailslot 865CF4C8
Device \FileSystem\Fastfat \Fat F6C4CD20
Device \FileSystem\Fastfat \Fat 8613B470

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 865D2FB0
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 865D2FB0
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 865D2FB0
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 865D2FB0
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 865D2FB0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ljej40 0xF0 0x17 0xA1 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ljej41 0x20 0x17 0xA1 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ljej42 0x20 0x17 0xA1 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ljej43 0x20 0x17 0xA1 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ljej44 0x20 0x17 0xA1 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg41@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg41@ljej40 0x90 0x16 0xA1 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg42
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg42@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg42@ljej40 0xE5 0x17 0xA1 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg42@ljej41 0x20 0x17 0xA1 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg42@ljej42 0x20 0x17 0xA1 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg42@ljej43 0x20 0x17 0xA1 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg42@ljej44 0x20 0x17 0xA1 0xA8 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}@DisplayName Alcohol 120%
Reg HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6@ProductName Alcohol 120%

---- EOF - GMER 1.0.15 ----

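The GMER output above lists kernel SSDT hooks and user-mode IAT entries, and the reader has to decide which of them matter. The Python script below is an added example, not code from the original post, from GMER, or from BleepingComputer. It parses lines in the shape of this log and applies two checks: it groups SSDT hooks by the driver that installed them, and it flags any IAT entry whose resolved target is not the DLL named in the import (every IAT entry in the log above resolves back into kernel32.dll or ADVAPI32.dll, which is the expected, benign pattern). The sample log inside the script is constructed: the SSDT lines and the first two IAT lines are modelled on entries from the post, and the last IAT line, with the placeholder name EXAMPLE_hook.dll, is invented to show what a mismatch looks like.

```python
"""Triage of a GMER 1.0.15 text log (added example; not a GMER or BleepingComputer tool).

Two checks a reviewer applies to the System and User IAT/EAT sections:
  1. group SSDT hooks by the driver that installed them, so the question
     becomes "is this driver expected on this machine?";
  2. flag IAT entries whose resolved target module is not the DLL named in
     the import, e.g. KERNEL32.dll!CreateProcessW resolving somewhere other
     than kernel32.dll.  Entries that resolve back into the declared DLL are
     the benign pattern seen throughout the posted log.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the posted log.  The SSDT lines and the
# first two IAT lines are modelled on real entries from the post; the final
# IAT line is invented, with the placeholder EXAMPLE_hook.dll, to show a mismatch.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwClose [0xF7846028]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwCreateKey [0xF7845FE0]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwOpenKey [0xF7845FA4]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Documents and Settings\jack\Desktop\rvpchp6i.exe[724] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1796] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [00A71000] C:\WINDOWS\system32\EXAMPLE_hook.dll (constructed placeholder/not a real module)
"""

# "SSDT <driver> (<description>) <Zw service> [<address>]"
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<driver>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<service>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)
# "IAT <process>[<pid>] @ <importing module> [<DLL>!<symbol>] [<address>] <target module> (...)"
IAT_RE = re.compile(
    r"^IAT\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<importer>\S+)\s+"
    r"\[(?P<module>[^!\]]+)!(?P<symbol>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<target>\S+)"
)


def parse_gmer(text):
    """Return (ssdt_entries, iat_entries) as lists of dicts; other lines are ignored."""
    ssdt, iat = [], []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            ssdt.append(m.groupdict())
            continue
        m = IAT_RE.match(line)
        if m:
            iat.append(m.groupdict())
    return ssdt, iat


def ssdt_hooks_by_driver(ssdt):
    """Map each hooking driver to the sorted list of Zw* services it hooks."""
    by_driver = defaultdict(list)
    for hook in ssdt:
        by_driver[hook["driver"]].append(hook["service"])
    return {drv: sorted(svcs) for drv, svcs in by_driver.items()}


def _basename_lower(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def iat_mismatches(iat):
    """IAT entries whose target module differs from the DLL named in the import."""
    found = []
    for e in iat:
        if _basename_lower(e["target"]) != e["module"].strip().lower():
            found.append((e["process"], int(e["pid"]), f'{e["module"]}!{e["symbol"]}', e["target"]))
    return found


def triage(text):
    ssdt, iat = parse_gmer(text)
    return {
        "ssdt_by_driver": ssdt_hooks_by_driver(ssdt),
        "iat_total": len(iat),
        "iat_mismatches": iat_mismatches(iat),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_GMER_LOG)
    for drv, svcs in result["ssdt_by_driver"].items():
        print(f"SSDT hooks by {drv}: {', '.join(svcs)}")
    print(f"IAT entries checked: {result['iat_total']}")
    for proc, pid, imp, target in result["iat_mismatches"]:
        print(f"  MISMATCH {proc}[{pid}] {imp} -> {target}")
```

The SSDT check only reports which driver owns the hooks; whether that driver is expected is a judgement about the machine. Here all hooks belong to a347bus.sys, and the registry section of the same log shows Alcohol 120% installed; a347bus.sys and a347scsi are that product's virtual SCSI drivers (the log itself does not say so; that is general knowledge of the product), so a reviewer would treat those hooks as consistent with installed software rather than as evidence for the redirect.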

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,200 posts
  • Gender:Female
  • Location:Romania

Posted 19 April 2010 - 11:51 AM

Hello again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise




#8 mattolejack

mattolejack
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:USA San Francisco

Posted 19 April 2010 - 10:39 PM

Well, here is the result from the combofix run. (txt attached)

What's the diagnosis, doctor?



#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,200 posts
  • Gender:Female
  • Location:Romania

Posted 20 April 2010 - 06:54 AM

Hello again,
We need to replace a file. Please let me know if you have your XP CD at hand. If you don't have one, maybe you can borrow one from a friend or family member.

regards, Elise




#10 mattolejack

mattolejack
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:USA San Francisco

Posted 25 April 2010 - 11:19 PM

Yes, I have various XP CDs.

What is the file I should replace?

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,200 posts
  • Gender:Female
  • Location:Romania

Posted 26 April 2010 - 05:04 AM

First let's try it the lazy way and see if Windows will do the job for us.

Click Start > Run, type sfc /scannow in the runbox and press enter.

Let the scan run unhindered and enter your CD when asked.


After successfully doing this, please download a new copy of ComboFix and run it. Please post me the log (do not attach it, just paste it directly into the reply box).

regards, Elise




#12 mattolejack

mattolejack
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:USA San Francisco

Posted 26 April 2010 - 12:10 PM

Hello Elise.

So I ran the command you suggested, twice. It worked both times, meaning the WINDOWS FILE PROTECTION box came up, and it said PLEASE WAIT WHILE WE VERIFY ALL FILES, or whatever. The progress bar completed, and it never asked me for any more input until it was finished.

Afterwards, I downloaded a new copy of Combofix and ran it. After updating itself and rebooting, Combofix ran successfully.

Here is the log file.

PS: Where it says "file missing, CDROM.SYS", is that because I use a CD-ROM emulator (Alcohol 120), which ComboFix disables before the reboot?

==========================================BEGIN COMBOFIX LOG================

ComboFix 10-04-26.01 - jack 04/26/2010 9:51.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.463 [GMT -7:00]
Running from: c:\documents and settings\jack\Desktop\combofix.com
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\system32\dllcache\cdrom.sys

.
((((((((((((((((((((((((( Files Created from 2010-03-26 to 2010-04-26 )))))))))))))))))))))))))))))))
.

2010-04-26 16:58 . 2008-04-14 07:10 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-26 16:58 . 2008-04-14 07:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-26 16:44 . 2010-04-26 16:44 -------- d-----w- c:\windows\LastGood
2010-04-26 15:11 . 2008-04-14 12:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-04-26 15:10 . 2001-08-18 05:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-04-26 15:10 . 2008-04-14 12:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-04-26 15:10 . 2001-08-18 05:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-04-26 15:10 . 2001-08-18 05:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-04-26 15:10 . 2001-08-18 05:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-04-26 15:10 . 2001-08-17 19:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-04-26 15:10 . 2008-04-14 05:04 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-04-26 15:10 . 2008-04-14 05:04 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-04-26 15:10 . 2008-04-14 12:42 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-04-26 15:10 . 2008-04-14 05:05 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-04-26 15:10 . 2001-08-17 19:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-04-26 15:08 . 2001-08-17 19:13 19016 -c--a-w- c:\windows\system32\dllcache\w926nd.sys
2010-04-26 15:08 . 2001-08-17 19:13 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
2010-04-26 15:08 . 2001-08-17 20:28 64605 -c--a-w- c:\windows\system32\dllcache\vvoice.sys
2010-04-26 15:08 . 2001-08-17 20:28 397502 -c--a-w- c:\windows\system32\dllcache\vpctcom.sys
2010-04-26 15:08 . 2008-04-14 12:00 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2010-04-26 15:08 . 2008-04-14 12:00 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll
2010-04-26 15:08 . 2001-08-17 20:28 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2010-04-26 15:08 . 2001-08-17 19:14 249402 -c--a-w- c:\windows\system32\dllcache\vinwm.sys
2010-04-26 15:08 . 2001-08-17 20:49 24576 -c--a-w- c:\windows\system32\dllcache\viairda.sys
2010-04-26 15:08 . 2008-04-14 07:10 5376 -c--a-w- c:\windows\system32\dllcache\viaide.sys
2010-04-26 15:08 . 2008-04-14 07:06 42240 -c--a-w- c:\windows\system32\dllcache\viaagp.sys
2010-04-26 15:08 . 2008-04-14 12:42 11325 -c--a-w- c:\windows\system32\dllcache\vchnt5.dll
2010-04-26 15:08 . 2001-08-17 20:28 687999 -c--a-w- c:\windows\system32\dllcache\usrwdxjs.sys
2010-04-26 15:06 . 2001-08-18 05:36 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2010-04-26 15:06 . 2001-08-18 05:36 69632 -c--a-w- c:\windows\system32\dllcache\umaxu12.dll
2010-04-26 15:06 . 2001-08-18 05:36 50688 -c--a-w- c:\windows\system32\dllcache\umaxscan.dll
2010-04-26 15:06 . 2001-08-17 20:58 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2010-04-26 15:06 . 2001-08-18 05:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2010-04-26 15:06 . 2001-08-18 05:36 47616 -c--a-w- c:\windows\system32\dllcache\umaxcam.dll
2010-04-26 15:06 . 2001-08-18 05:36 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
2010-04-26 15:06 . 2001-08-18 05:36 216064 -c--a-w- c:\windows\system32\dllcache\um34scan.dll
2010-04-26 15:06 . 2001-08-17 20:52 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2010-04-26 15:06 . 2008-04-14 07:06 44672 -c--a-w- c:\windows\system32\dllcache\uagp35.sys
2010-04-26 15:06 . 2001-08-17 20:48 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2010-04-26 15:05 . 2001-08-17 19:51 166784 -c--a-w- c:\windows\system32\dllcache\tridxpm.sys
2010-04-26 15:05 . 2001-08-18 05:36 525568 -c--a-w- c:\windows\system32\dllcache\tridxp.dll
2010-04-26 15:05 . 2001-08-17 19:51 159232 -c--a-w- c:\windows\system32\dllcache\tridkbm.sys
2010-04-26 15:05 . 2001-08-17 21:56 440576 -c--a-w- c:\windows\system32\dllcache\tridkb.dll
2010-04-26 15:05 . 2001-08-17 19:51 222336 -c--a-w- c:\windows\system32\dllcache\trid3dm.sys
2010-04-26 15:05 . 2001-08-17 21:56 315520 -c--a-w- c:\windows\system32\dllcache\trid3d.dll
2010-04-26 15:05 . 2001-08-17 19:12 34375 -c--a-w- c:\windows\system32\dllcache\tpro4.sys
2010-04-26 15:05 . 2001-08-18 05:35 42496 -c--a-w- c:\windows\system32\dllcache\tp4res.dll
2010-04-26 15:05 . 2008-04-14 12:42 82944 -c--a-w- c:\windows\system32\dllcache\tp4mon.exe
2010-04-26 15:05 . 2001-08-18 05:36 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll
2010-04-26 15:05 . 2001-08-17 20:51 4992 -c--a-w- c:\windows\system32\dllcache\toside.sys
2010-04-26 15:03 . 2001-08-17 19:50 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
2010-04-26 15:03 . 2001-08-17 21:56 172768 -c--a-w- c:\windows\system32\dllcache\t2r4disp.dll
2010-04-26 15:03 . 2001-08-17 21:07 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2010-04-26 15:03 . 2001-08-17 21:07 16256 -c--a-w- c:\windows\system32\dllcache\symc810.sys
2010-04-26 15:03 . 2001-08-17 21:07 30688 -c--a-w- c:\windows\system32\dllcache\sym_u3.sys
2010-04-26 15:03 . 2001-08-17 21:07 28384 -c--a-w- c:\windows\system32\dllcache\sym_hi.sys
2010-04-26 15:03 . 2001-08-18 05:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
2010-04-26 15:03 . 2001-08-17 20:50 103936 -c--a-w- c:\windows\system32\dllcache\sx.sys
2010-04-26 15:03 . 2001-08-17 21:02 3968 -c--a-w- c:\windows\system32\dllcache\swusbflt.sys
2010-04-26 15:03 . 2001-08-18 05:36 10240 -c--a-w- c:\windows\system32\dllcache\swpidflt.dll
2010-04-26 15:03 . 2001-08-18 05:36 10240 -c--a-w- c:\windows\system32\dllcache\swpdflt2.dll
2010-04-26 15:02 . 2001-08-18 05:36 53760 -c--a-w- c:\windows\system32\dllcache\sw_wheel.dll
2010-04-26 15:02 . 2001-08-18 05:36 41472 -c--a-w- c:\windows\system32\dllcache\sw_effct.dll
2010-04-26 15:02 . 2001-08-18 05:36 155648 -c--a-w- c:\windows\system32\dllcache\stlnprop.dll
2010-04-26 15:02 . 2001-08-18 05:36 53248 -c--a-w- c:\windows\system32\dllcache\stlncoin.dll
2010-04-26 15:02 . 2001-08-17 19:18 285760 -c--a-w- c:\windows\system32\dllcache\stlnata.sys
2010-04-26 15:02 . 2001-08-17 20:51 16896 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
2010-04-26 15:02 . 2001-08-17 19:11 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-04-26 15:02 . 2001-08-18 05:36 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2010-04-26 15:02 . 2001-08-18 05:36 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll
2010-04-26 15:02 . 2001-08-17 20:51 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2010-04-26 15:02 . 2001-08-18 05:36 106584 -c--a-w- c:\windows\system32\dllcache\spdports.dll
2010-04-26 15:01 . 2001-08-17 21:07 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2010-04-26 15:01 . 2001-08-17 20:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-04-26 15:01 . 2001-08-17 19:51 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2010-04-26 15:01 . 2001-08-18 05:36 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2010-04-26 15:01 . 2001-08-17 19:51 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2010-04-26 15:01 . 2008-04-14 07:10 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2010-04-26 15:01 . 2001-08-17 20:53 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2010-04-26 15:01 . 2008-04-14 12:00 143422 -c--a-w- c:\windows\system32\dllcache\softkey.dll
2010-04-26 15:01 . 2001-08-17 20:53 7040 -c--a-w- c:\windows\system32\dllcache\snyaitmc.sys
2010-04-26 15:01 . 2001-08-17 19:51 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2010-04-26 15:01 . 2001-08-17 21:56 147200 -c--a-w- c:\windows\system32\dllcache\smidispb.dll
2010-04-26 15:01 . 2001-08-17 19:12 25034 -c--a-w- c:\windows\system32\dllcache\smcpwr2n.sys
2010-04-26 14:59 . 2001-08-17 21:56 157696 -c--a-w- c:\windows\system32\dllcache\sisv256.dll
2010-04-26 14:59 . 2001-08-17 19:50 50432 -c--a-w- c:\windows\system32\dllcache\sisv.sys
2010-04-26 14:59 . 2008-04-14 05:05 32768 -c--a-w- c:\windows\system32\dllcache\sisnic.sys
2010-04-26 14:59 . 2001-08-18 05:36 238592 -c--a-w- c:\windows\system32\dllcache\sisgrv.dll
2010-04-26 14:59 . 2001-08-17 19:50 104064 -c--a-w- c:\windows\system32\dllcache\sisgrp.sys
2010-04-26 14:59 . 2008-04-14 07:06 40960 -c--a-w- c:\windows\system32\dllcache\sisagp.sys
2010-04-26 14:59 . 2001-08-17 21:56 150144 -c--a-w- c:\windows\system32\dllcache\sis6306v.dll
2010-04-26 14:59 . 2001-08-17 19:50 68608 -c--a-w- c:\windows\system32\dllcache\sis6306p.sys
2010-04-26 14:59 . 2001-08-17 21:56 252032 -c--a-w- c:\windows\system32\dllcache\sis300iv.dll
2010-04-26 14:59 . 2001-08-17 19:50 101760 -c--a-w- c:\windows\system32\dllcache\sis300ip.sys
2010-04-26 14:59 . 2008-04-14 12:42 3901 -c--a-w- c:\windows\system32\dllcache\siint5.dll
2010-04-26 14:59 . 2001-07-21 21:29 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2010-04-26 14:59 . 2001-07-21 21:29 18400 -c--a-w- c:\windows\system32\dllcache\sgsmld.sys
2010-04-26 14:58 . 2001-08-17 19:51 98080 -c--a-w- c:\windows\system32\dllcache\sgiulnt5.sys
2010-04-26 14:58 . 2001-08-18 05:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-04-26 14:58 . 2001-08-17 19:19 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2010-04-26 14:58 . 2001-08-17 20:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2010-04-26 14:58 . 2001-08-17 20:48 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2010-04-26 14:58 . 2001-08-17 20:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2010-04-26 14:58 . 2008-04-14 07:15 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2010-04-26 14:58 . 2001-08-17 20:52 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2010-04-26 14:58 . 2001-08-17 20:51 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2010-04-26 14:58 . 2001-08-17 20:51 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2010-04-26 14:58 . 2001-08-17 20:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys
2010-04-26 14:57 . 2001-08-17 20:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2010-04-26 14:57 . 2008-04-14 07:10 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2010-04-26 14:57 . 2001-08-18 05:36 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2010-04-26 14:57 . 2001-08-17 19:50 75392 -c--a-w- c:\windows\system32\dllcache\s3savmxm.sys
2010-04-26 14:57 . 2001-08-17 21:56 245632 -c--a-w- c:\windows\system32\dllcache\s3savmx.dll
2010-04-26 14:57 . 2001-08-17 19:50 77824 -c--a-w- c:\windows\system32\dllcache\s3sav4m.sys
2010-04-26 14:57 . 2001-08-17 21:56 198400 -c--a-w- c:\windows\system32\dllcache\s3sav4.dll
2010-04-26 14:57 . 2001-08-17 19:50 61504 -c--a-w- c:\windows\system32\dllcache\s3sav3dm.sys
2010-04-26 14:57 . 2001-08-17 21:56 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll
2010-04-26 14:57 . 2001-08-17 21:56 210496 -c--a-w- c:\windows\system32\dllcache\s3mvirge.dll
2010-04-26 14:57 . 2001-08-18 05:36 62496 -c--a-w- c:\windows\system32\dllcache\s3mtrio.dll
2010-04-26 14:57 . 2001-08-17 19:50 41216 -c--a-w- c:\windows\system32\dllcache\s3mt3d.sys
2010-04-26 14:55 . 2008-04-14 07:16 59136 -c--a-w- c:\windows\system32\dllcache\rfcomm.sys
2010-04-26 14:55 . 2001-08-18 05:36 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2010-04-26 14:55 . 2008-04-14 06:53 13776 -c--a-w- c:\windows\system32\dllcache\recagent.sys
2010-04-26 14:55 . 2001-08-17 20:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2010-04-26 14:55 . 2001-08-17 20:28 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 02:32 . 2010-04-20 02:32 20 ----a-w- c:\documents and settings\NetworkService\Application Data\kcmdte.dat
2010-04-20 02:32 . 2010-03-14 00:09 120 ----a-w- c:\windows\Qzirihutafuzac.dat
2010-04-19 15:54 . 2010-03-14 00:09 0 ----a-w- c:\windows\Xqehupunep.bin
2010-04-18 13:25 . 2010-04-18 13:25 34688 ----a-w- c:\windows\system32\drivers\SET195.tmp
2010-04-18 00:14 . 2010-04-18 00:13 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\kcmdte.dat
2010-04-14 15:22 . 2008-06-11 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-14 01:36 . 2009-03-27 15:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-14 01:35 . 2009-03-27 15:02 -------- d-----w- c:\documents and settings\jack\Application Data\SUPERAntiSpyware.com
2010-04-13 16:16 . 2010-03-24 06:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 23:53 . 2008-08-17 21:51 -------- d-----w- c:\program files\Google
2010-04-02 23:41 . 2009-12-02 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-31 14:55 . 2010-02-18 04:11 -------- d-----w- c:\program files\Internet Telcel Banda Ancha
2010-03-30 15:53 . 2009-12-02 01:45 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-27 22:17 . 2009-01-07 21:52 -------- d-----w- c:\program files\Alwil Software
2010-03-27 21:47 . 2008-08-16 06:40 -------- d-----w- c:\documents and settings\jack\Application Data\Skype
2010-03-27 21:40 . 2008-08-16 06:40 -------- d-----w- c:\documents and settings\jack\Application Data\skypePM
2010-03-27 15:22 . 2010-03-27 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-24 06:23 . 2010-03-17 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-03-24 06:12 . 2010-03-24 06:12 -------- d-----w- c:\documents and settings\jack\Application Data\Malwarebytes
2010-03-24 06:12 . 2010-03-24 06:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-17 15:26 . 2010-03-17 15:26 20 ----a-w- c:\documents and settings\LocalService\Application Data\rbuwzv.dat
2010-03-17 15:18 . 2010-03-14 00:04 28 ----a-w- c:\windows\system32\config\systemprofile\Application Data\rbuwzv.dat
2010-03-15 19:45 . 2010-03-15 19:45 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\zeovbl.dat
2010-03-10 06:15 . 2008-06-11 01:46 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 10:24 . 2009-01-07 21:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-09 10:24 . 2009-01-07 21:52 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 10:12 . 2009-01-07 21:53 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 10:08 . 2009-01-07 21:53 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 10:08 . 2009-01-07 21:53 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 10:08 . 2009-01-07 21:53 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-09 10:08 . 2009-01-07 21:53 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-25 06:24 . 2008-06-11 01:46 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-06-11 01:46 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-22 18:03 . 2008-08-16 22:46 106824 ----a-w- c:\documents and settings\jack\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-12 04:33 . 2008-06-11 01:46 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-06-11 01:46 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2004-02-16 12:59 . 2008-08-17 21:53 1110016 ----a-w- c:\program files\mplayerc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rcwinHyper"="c:\program files\Le Robert\Le Robert & Collins\rcwinHyper.exe" [2008-08-26 155648]
"iDailyDiary"="c:\progra~1\IDAILY~1\iDD.exe" [2007-05-27 1245184]
"Google Update"="c:\documents and settings\jack\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-12 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-06-10 782336]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\jack\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Wallpaper Changer.lnk - c:\program files\WallpaperToy\Wallpapertoy.Exe [2008-9-9 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
mpnoimon REG_SZ c:\windows\system32\fingexec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\jack\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\jack\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mplayerc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [9/14/2008 12:02 PM 5248]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/7/2009 2:53 PM 162640]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [12/6/2007 1:03 PM 660768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/7/2009 2:53 PM 19024]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [6/11/2008 4:18 PM 156160]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [9/14/2008 12:02 PM 160640]
S0 gpqdyp;gpqdyp; [x]
S2 gupdate1c9886e1b28005a;Google Update Service (gupdate1c9886e1b28005a);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2009 8:18 AM 133104]
S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [6/11/2008 4:19 PM 159744]
.
Contents of the 'Scheduled Tasks' folder

2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-06 15:18]

2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-06 15:18]

2010-04-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2222491866-3494719633-2910611971-1005Core.job
- c:\documents and settings\jack\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 15:20]

2010-04-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2222491866-3494719633-2910611971-1005UA.job
- c:\documents and settings\jack\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 15:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.msi.com.tw/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\jack\Application Data\Mozilla\Firefox\Profiles\spd3y3vw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\jack\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\jack\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {A493C116-1DCB-48C4-95FE-6DA719C86767} - c:\documents and settings\jack\Local Settings\Application Data\{A493C116-1DCB-48C4-95FE-6DA719C86767}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 09:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3236)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-04-26 10:02:18
ComboFix-quarantined-files.txt 2010-04-26 17:02
ComboFix2.txt 2010-04-20 03:25

Pre-Run: 15,663,964,160 bytes free
Post-Run: 15,630,368,768 bytes free

- - End Of File - - C5F0B36AF731AE92A146A16D442152E0

Edited by mattolejack, 26 April 2010 - 12:13 PM.


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,200 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:50 AM

Posted 26 April 2010 - 12:39 PM

Hi again,

I think I will never comprehend the finer workings of the System File Scanner, but suffice it to say that Combofix found a replacement copy for cdrom.sys this time :D

The only thing I see at the moment is a bad Firefox add-on that can cause redirects, so let's see if we can fix that next.

Please read and follow all these instructions very carefully.
  1. Please download GooredFix and save it to your Desktop.
  2. Double-click GooredFix.exe to run it.
  3. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#14 mattolejack

mattolejack
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:USA San Francisco
  • Local time:04:50 PM

Posted 26 April 2010 - 12:59 PM

From the last log, don't you think

c:\documents and settings\NetworkService\Application Data\kcmdte.dat

and

2010-04-20 02:32 . 2010-03-14 00:09 120 ----a-w- c:\windows\Qzirihutafuzac.dat

looked suspicious??

Anyway, here's GooredFix's log:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 10:55 on 26/04/2010 (jack)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{A493C116-1DCB-48C4-95FE-6DA719C86767} -> Success!
Deleting C:\Documents and Settings\jack\Local Settings\Application Data\{A493C116-1DCB-48C4-95FE-6DA719C86767} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [01:23 08/04/2010]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [03:44 17/04/2010]

C:\Documents and Settings\jack\Application Data\Mozilla\Firefox\Profiles\spd3y3vw.default\extensions\
foxmarks@kei.com [14:39 21/04/2010]
{3d7eb24f-2740-49df-8937-200b1cc08f8a} [15:02 30/03/2010]
{aff87fa2-a58e-4edd-b852-0a20203c1e17} [15:13 06/02/2010]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [18:24 27/01/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [17:06 15/08/2009]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="C:\Program Files\Google\Google Gears\Firefox\" [18:26 06/03/2010]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [03:43 17/04/2010]

-=E.O.F=-

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,200 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:50 AM

Posted 26 April 2010 - 01:12 PM

QUOTE
From the last log, don't you think

c:\documents and settings\NetworkService\Application Data\kcmdte.dat

and

2010-04-20 02:32 . 2010-03-14 00:09 120 ----a-w- c:\windows\Qzirihutafuzac.dat

looked suspicious??
You are right about that, but I want to see what MBAM takes out first :)

regards, Elise


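The two things flagged by eye in this exchange (a hidden Firefox extension loading from a GUID-named folder under Local Settings, and tiny random-named .dat/.bin files in service-account profiles or directly in c:\windows) can be turned into a repeatable check over a ComboFix log. The parser below is an added example, not part of the thread and not code from ComboFix, GooredFix or MBAM; the sample lines are copied from the log posted above, and the size threshold and location patterns are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2010-04-20 02:32 . 2010-04-20 02:32 20 ----a-w- c:\documents and settings\NetworkService\Application Data\kcmdte.dat
2010-04-20 02:32 . 2010-03-14 00:09 120 ----a-w- c:\windows\Qzirihutafuzac.dat
2010-04-19 15:54 . 2010-03-14 00:09 0 ----a-w- c:\windows\Xqehupunep.bin
2010-04-18 13:25 . 2010-04-18 13:25 34688 ----a-w- c:\windows\system32\drivers\SET195.tmp
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {A493C116-1DCB-48C4-95FE-6DA719C86767} - c:\documents and settings\jack\Local Settings\Application Data\{A493C116-1DCB-48C4-95FE-6DA719C86767}
"""

# Find3M lines: "<mtime> . <ctime> <size or --------> <attrs> <path>"
FIND3M_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
# "FF - HiddenExtension: <name>: {guid} - <install folder>"
HIDDEN_EXT_RE = re.compile(
    r"^FF - HiddenExtension: (?P<name>.+?): (?P<guid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

# Assumed heuristics (mine, not any tool's): locations where a legitimate
# program has little reason to drop a tiny data file, and how small "tiny" is.
SERVICE_APPDATA = (
    "\\networkservice\\application data\\",
    "\\localservice\\application data\\",
    "\\systemprofile\\application data\\",
)
DROPPER_EXTS = (".dat", ".bin")
TINY = 1024  # bytes; the files questioned in the thread are 0, 20 and 120 bytes


@dataclass
class Finding:
    kind: str
    path: str
    reason: str

def _split(path):
    """Return (parent, basename) of a backslash path, ignoring a trailing slash."""
    parent, _, name = path.rstrip("\\").rpartition("\\")
    return parent, name

def check_find3m(line):
    """Flag a tiny .dat/.bin file in a service-account profile or directly in c:\\windows."""
    m = FIND3M_RE.match(line)
    if not m or not m.group("size").isdigit():
        return None  # not a Find3M line, or a directory (size shown as --------)
    low = m.group("path").lower()
    parent, name = _split(low)
    if not name.endswith(DROPPER_EXTS) or int(m.group("size")) > TINY:
        return None
    in_service_profile = any(s in low for s in SERVICE_APPDATA)
    if not (in_service_profile or parent == "c:\\windows"):
        return None
    where = "service-account profile" if in_service_profile else "c:\\windows root"
    return Finding("find3m", m.group("path"), f"{m.group('size')}-byte {name[-4:]} file in {where}")

def check_hidden_extension(line):
    """Flag a hidden Firefox extension that loads from a GUID-named folder under Local Settings."""
    m = HIDDEN_EXT_RE.match(line)
    if not m:
        return None
    low = m.group("path").lower()
    if "\\local settings\\application data\\" in low and _split(low)[1] == m.group("guid").lower():
        return Finding("firefox-ext", m.group("path"),
                       f"hidden extension '{m.group('name')}' installed in a GUID-named folder under Local Settings")
    return None

def review(log_text):
    """Return the findings for every line of a ComboFix log, in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        hit = check_find3m(line) or check_hidden_extension(line)
        if hit:
            findings.append(hit)
    return findings
```

Run against the sample it reports the three tiny files and the XULRunner extension, and stays quiet on the SET195.tmp driver file and the .NET Framework Assistant, which lives under c:\windows rather than a user-writable folder.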


