
Infected - google redirect


  • This topic is locked
19 replies to this topic

#1 Topdog549


Posted 29 April 2010 - 12:19 PM

Hello,
I have been infected with Antivirus (ave.exe) and some type of Google redirect. One in 10 or so Google search links will redirect me to what seems to be a random site. I did manage to clean up the avg problem with Malwarebytes but still have the Google redirect problem. I have since not been able to load Malwarebytes: it installs fine and updates, but won't run. It shows up in the Task Manager for 5 seconds and then shuts itself down. I tried a bunch of variations on renaming and installing and still no luck. I have followed the info in your prep guide but ran into a problem with GMER: it shuts itself down about 3 mins into the scan (it ran a full scan the first time I tried, but it wouldn't save when the scan completed; I copied but couldn't open anything to paste it into). I had to reboot, and it wouldn't run a second scan. I do however have the logs from DDS (I had to rename DDS.SCR to .BAT to get it to run as well). Sorry, I do not have a GMER log to attach.

Here is the DDS Log.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 9:28:54.75 on Thu 04/29/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1263.718 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.bat

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.canoe.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/126p/html/gtdownlr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 MSSQL$RIT;MSSQL$RIT;c:\program files\microsoft sql server\mssql$rit\binn\sqlservr.exe -srit --> c:\program files\microsoft sql server\mssql$rit\binn\sqlservr.exe -sRIT [?]
R2 SQLAgent$RIT;SQLAgent$RIT;c:\program files\microsoft sql server\mssql$rit\binn\sqlagent.exe -i rit --> c:\program files\microsoft sql server\mssql$rit\binn\sqlagent.EXE -i RIT [?]
S2 gupdate1c9936dc95d878;Google Update Service (gupdate1c9936dc95d878);c:\program files\google\update\GoogleUpdate.exe [2009-2-20 133104]

============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-04-29 13:25:21 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-04-29 12:32:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 12:32:12 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 12:32:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 20:42:13 0 d-----w- c:\program files\FileASSASSIN
2010-04-28 20:37:18 0 d-s---w- C:\ComboFix
2010-04-28 16:10:11 98816 ----a-w- c:\windows\sed.exe
2010-04-28 16:10:11 77312 ----a-w- c:\windows\MBR.exe
2010-04-28 16:10:11 256512 ----a-w- c:\windows\PEV.exe
2010-04-28 16:10:11 161792 ----a-w- c:\windows\SWREG.exe
2010-04-28 13:55:02 0 ----a-w- C:\G
2010-04-21 18:32:37 0 d-----w- C:\Justins bleep

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-09 19:33:58 9656 ----a-w- c:\docume~1\owner\applic~1\wklnhst.dat
2004-03-11 19:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-12-04 15:41:06 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-12-04 15:41:06 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009120420091205\index.dat

============= FINISH: 9:30:18.01 ===============


Thanks in advance for all your help!
Best regards
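As an added example (not code from this thread, from DDS or from OTL), here is a small Python triage pass over the two settings a responder would pick out of the DDS "Pseudo HJT Report" above and the OTL "Internet Explorer" lines in reply #3: the browser proxy pointed at 127.0.0.1:5555 (a listener on the machine itself that can rewrite pages and search results, the typical mechanism behind the redirects described) and the .scr association (here AutoCADScriptFile, consistent with the AutoCAD 2006 entry in the uninstall list, which is why DDS.scr had to be renamed before it would run). The sample lines are constructed from the posted logs; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed samples in the two formats seen in this thread: DDS's
# "Pseudo HJT Report" lines and OTL's "Internet Explorer" lines. The proxy
# and .scr values are the ones that appear in the posted logs.
SAMPLE_DDS = """\
uStart Page = hxxp://www.canoe.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
.scr=AutoCADScriptFile
"""
SAMPLE_OTL = """\
IE - HKU\\S-1-5-18\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: "ProxyEnable" = 0
IE - HKU\\S-1-5-21-429370048-1306581299-238951944-1003\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: "ProxyEnable" = 0
IE - HKU\\S-1-5-21-429370048-1306581299-238951944-1003\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
"""

# DDS: "<u|m>Internet Settings,<ValueName> = <data>"  (u = current user, m = machine)
DDS_INET = re.compile(r"^([um])Internet Settings,(\w+)\s*=\s*(.*)$")
# OTL: 'IE - <hive path>Internet Settings: "<ValueName>" = <data>'
OTL_INET = re.compile(r'^IE - (\S+)Internet Settings: "(\w+)"\s*=\s*(.*)$')
# DDS file-association line: ".ext=ProgID"
DDS_ASSOC = re.compile(r"^\.(\w+)\s*=\s*(\S+)$")

# Windows' own ProgIDs for the extensions that removal tools are shipped as.
DEFAULT_PROGID = {"exe": "exefile", "com": "comfile", "bat": "batfile",
                  "scr": "scrfile", "reg": "regfile", "pif": "piffile"}


@dataclass
class Finding:
    severity: str  # "high" or "info"
    line: str      # the log line that produced the finding
    reason: str


def parse_proxy_server(value: str) -> Dict[str, str]:
    """Split a WinINet ProxyServer value into {protocol: "host:port"}.

    The registry value is either a bare "host:port" that applies to every
    protocol (returned under the key "*") or a ';'-separated list such as
    "http=127.0.0.1:5555;https=proxy:8080".
    """
    proxies: Dict[str, str] = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        proto, sep, hostport = entry.partition("=")
        if sep:
            proxies[proto.strip().lower()] = hostport.strip()
        else:
            proxies["*"] = entry
    return proxies


def is_loopback(hostport: str) -> bool:
    """True when the proxy host is the machine itself (127.x, localhost, ::1)."""
    host = hostport.rsplit(":", 1)[0].strip("[]").lower()
    return host in ("localhost", "::1") or host.startswith("127.")


def triage(log_text: str) -> List[Finding]:
    """Scan DDS or OTL lines and return the findings a responder would act on."""
    findings: List[Finding] = []
    inet: Dict[str, Dict[str, tuple]] = {}  # hive -> value name -> (data, line)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DDS_INET.match(line) or OTL_INET.match(line)
        if m:
            hive, name, data = m.groups()
            inet.setdefault(hive, {})[name] = (data.strip(), line)
            continue
        m = DDS_ASSOC.match(line)
        if m:
            ext, progid = m.group(1).lower(), m.group(2)
            default = DEFAULT_PROGID.get(ext)
            if default and progid.lower() != default:
                findings.append(Finding("info", line,
                    f".{ext} files are handled by '{progid}' instead of Windows' "
                    f"'{default}'; a tool shipped as .{ext} will not launch from "
                    f"Explorer until it is renamed"))
    # Proxy findings are emitted per hive once all its values have been seen,
    # so ProxyEnable (which OTL prints but DDS does not) can qualify them.
    for values in inet.values():
        if "ProxyServer" not in values:
            continue
        server, line = values["ProxyServer"]
        enable = values.get("ProxyEnable", (None, None))[0]
        state = {"1": "and it is active", "0": "but it is currently switched off"}.get(
            enable, "and this log does not show whether it is active")
        for proto, hostport in parse_proxy_server(server).items():
            if is_loopback(hostport):
                findings.append(Finding("high", line,
                    f"{proto} browser traffic is pointed at a proxy on this machine "
                    f"({hostport}) {state}; a local listener that can rewrite pages and "
                    f"search results is the usual footprint of rogue antivirus and "
                    f"redirect infections, so the entry should be removed"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS) + triage(SAMPLE_OTL):
        print(f"[{f.severity}] {f.line}\n    {f.reason}")
```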


#2 syler

  • Malware Response Team

Posted 03 May 2010 - 10:45 AM

Hello and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues, I would appreciate it if you would let me know so I can close this topic.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %appdata%\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    /md5start
    proquota.exe
    sfcfiles.dll
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    beep.sys
    iaStor.sys
    nvstor.sys
    atapi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    iastorv.sys
    /md5stop
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Thanks



#3 Topdog549

Topdog549
  • Topic Starter


Posted 03 May 2010 - 11:35 AM

Hi Syler!

First.. thanks in advance for all your help!

The 2 OTL reports you requested are as follows:

OTL Extras logfile created on: 5/3/2010 12:23:44 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 71.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 73.52 Gb Total Space | 4.04 Gb Free Space | 5.50% Space Free | Partition Type: NTFS
Drive D: | 3.16 Gb Total Space | 0.88 Gb Free Space | 27.80% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOP-DOG
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1193:TCP" = 1193:TCP:LocalSubNet:Enabled:SQL Listening (AppName Here)
"1434:UDP" = 1434:UDP:LocalSubNet:Enabled:SQL Communication Links

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1193:TCP" = 1193:TCP:LocalSubNet:Enabled:SQL Listening RedBeam Inventory Tracking
"1434:UDP" = 1434:UDP:LocalSubNet:Enabled:SQL Communication Links

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\NetMeeting\conf.exe" = C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting® -- (Microsoft Corporation)
"C:\Program Files\WinMX\WinMX.exe" = C:\Program Files\WinMX\WinMX.exe:*:Enabled:WinMX Application -- (Frontcode Technologies)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\MoRUN.net\StickerLite\sticker.exe" = C:\Program Files\MoRUN.net\StickerLite\sticker.exe:*:Enabled:MoRUN.net Sticker Lite -- (MoRUN.net)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Disabled:BitTorrent -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{08C0729E-3E50-11DF-9D81-005056806466}" = Google Earth
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite eMachines
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = Multimedia Launcher
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{31FC13DC-D976-4708-822D-2CA3ED3BE573}" = RedBeam Inventory Tracking
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35B91753-5789-4517-9CF1-2CCE3A8CF4F1}" = Apple Mobile Device Support
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{4C8EA3DB-0851-4676-8A67-C4BB71BD743F}" = Garmin BlueChart Americas v9.5
"{503AA035-41E2-4858-B31F-1E49AC66C309}" = Norton Security Center
"{5783F2D7-4001-0409-0002-0060B0CE6BBA}" = AutoCAD 2006 - English
"{620797B0-A022-4B57-A95E-CD7DD0325011}" = MoRUN.net Sticker Lite
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A70500000002}" = Adobe Reader 7.0.5
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B97CF5C3-0487-11D8-A36E-0050BAE317E1}" = DVD Solution
"{BDFE199D-E889-4BB6-BECB-C4BDF5700849}" = Documents To Go
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}" = MSN Messenger 7.5
"{EF6C4600-306D-4F6A-A119-C2A877D25B4A}" = iTunes
"{F209D77C-4B5D-483E-8349-0A97FADDFE83}" = MyInfothek
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AOL Toolbar" = AOL Toolbar
"Autodesk DWF Viewer" = Autodesk DWF Viewer
"Basic Inventory Control" = Basic Inventory Control
"BitTorrent" = BitTorrent 4.22.1
"CANONBJ_Deinstall_CNMCP5y.DLL" = Canon PIXMA iP1500
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = SoftV92 Data Fax Modem with SmartCP
"Cole2k Media - Codec Pack" = Cole2k Media - Codec Pack (Advanced)
"Corel Applications" = Corel Applications
"DoInventory Plus" = DoInventory Plus
"ERUNT_is1" = ERUNT 1.1j
"FileASSASSIN" = FileASSASSIN
"GSpot" = GSpot Codec Information Appliance
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InCD!UninstallKey" = InCD
"InterActual Player" = InterActual Player
"Internet Video Camera" = Linksys Viewer & Recorder Utility
"LiveUpdate" = LiveUpdate 2.5 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Money2005b" = Microsoft Money 2005
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROSet" = Intel® PRO Network Adapters and Drivers
"Quick Notes Plus_is1" = Quick Notes Plus 5.0
"StreetPlugin" = Learn2 Player (Uninstall Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XviD_is1" = XviD MPEG-4 Video Codec

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-429370048-1306581299-238951944-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"MXpie Patch" = MXpie Patch for WinMX Network/WPNP 3.3.3.4

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/29/2010 1:25:45 PM | Computer Name = TOP-DOG | Source = Google Update | ID = 1
Description =

Error - 4/30/2010 6:43:36 AM | Computer Name = TOP-DOG | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 5/3/2010 8:45:48 AM | Computer Name = TOP-DOG | Source = Google Update | ID = 1
Description =

Error - 5/3/2010 8:55:41 AM | Computer Name = TOP-DOG | Source = Google Update | ID = 1
Description =

Error - 5/3/2010 9:18:05 AM | Computer Name = TOP-DOG | Source = Google Update | ID = 1
Description =

Error - 5/3/2010 9:25:14 AM | Computer Name = TOP-DOG | Source = Google Update | ID = 1
Description =

Error - 5/3/2010 9:27:44 AM | Computer Name = TOP-DOG | Source = Google Update | ID = 1
Description =

Error - 5/3/2010 9:46:11 AM | Computer Name = TOP-DOG | Source = Google Update | ID = 1
Description =

Error - 5/3/2010 9:52:47 AM | Computer Name = TOP-DOG | Source = Google Update | ID = 1
Description =

Error - 5/3/2010 10:14:03 AM | Computer Name = TOP-DOG | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

[ System Events ]
Error - 5/3/2010 9:55:03 AM | Computer Name = TOP-DOG | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/3/2010 9:55:49 AM | Computer Name = TOP-DOG | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 5/3/2010 9:55:49 AM | Computer Name = TOP-DOG | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 5/3/2010 9:55:49 AM | Computer Name = TOP-DOG | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 5/3/2010 9:55:49 AM | Computer Name = TOP-DOG | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 5/3/2010 9:55:49 AM | Computer Name = TOP-DOG | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 5/3/2010 10:10:11 AM | Computer Name = TOP-DOG | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/3/2010 10:10:17 AM | Computer Name = TOP-DOG | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/3/2010 10:10:17 AM | Computer Name = TOP-DOG | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 5/3/2010 10:11:51 AM | Computer Name = TOP-DOG | Source = Service Control Manager | ID = 7031
Description = The Remote Procedure Call (RPC) service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Reboot the machine.


< End of report >



OTL logfile created on: 5/3/2010 12:23:44 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 71.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 73.52 Gb Total Space | 4.04 Gb Free Space | 5.50% Space Free | Partition Type: NTFS
Drive D: | 3.16 Gb Total Space | 0.88 Gb Free Space | 27.80% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOP-DOG
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/03 12:21:53 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2008/04/13 20:12:28 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/05 20:23:10 | 000,308,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
PRC - [2004/08/05 20:23:08 | 000,382,080 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
PRC - [2002/12/17 16:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe
PRC - [2002/12/17 16:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE


========== Modules (SafeList) ==========

MOD - [2010/05/03 12:21:53 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2006/09/13 17:32:12 | 000,077,944 | ---- | M] (Autodesk) [Disabled | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2005/05/09 13:55:07 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2004/08/05 20:23:10 | 000,308,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- (SymWSC)
SRV - [2004/04/06 21:35:10 | 000,929,904 | ---- | M] (Ahead Software AG) [Disabled | Stopped] -- C:\Program Files\Ahead\InCD\incdsrv.exe -- (InCDsrv)
SRV - [2002/12/17 16:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe -- (MSSQL$RIT)
SRV - [2002/12/17 16:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE -- (SQLAgent$RIT)


========== Driver Services (SafeList) ==========

DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2005/05/09 14:08:07 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2004/10/27 17:57:38 | 002,284,864 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/04 01:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/06/17 18:56:22 | 000,220,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2004/06/17 18:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 18:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/04/06 21:40:10 | 000,025,600 | ---- | M] (Ahead Software AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\incdpass.sys -- (InCDPass)
DRV - [2004/04/06 21:39:20 | 000,089,472 | ---- | M] (Ahead Software AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\incdfs.sys -- (InCDfs)
DRV - [2003/12/05 05:46:36 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2001/08/18 01:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/18 01:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/18 01:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/18 01:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/18 01:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/18 00:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/18 00:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/18 00:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/18 00:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/18 00:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/18 00:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/18 00:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/18 00:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/18 00:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/18 00:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 16:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-429370048-1306581299-238951944-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.ca/
IE - HKU\S-1-5-21-429370048-1306581299-238951944-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-429370048-1306581299-238951944-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-429370048-1306581299-238951944-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555



O1 HOSTS File: ([2010/04/28 10:32:01 | 000,000,141 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKU\S-1-5-21-429370048-1306581299-238951944-1003\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-429370048-1306581299-238951944-1003\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKU\S-1-5-21-429370048-1306581299-238951944-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe File not found
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-429370048-1306581299-238951944-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-429370048-1306581299-238951944-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-429370048-1306581299-238951944-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-429370048-1306581299-238951944-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Value error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-429370048-1306581299-238951944-1003\..Trusted Domains: //@install.mar@ ([]msni in My Computer)
O15 - HKU\S-1-5-21-429370048-1306581299-238951944-1003\..Trusted Domains: //@mail.mar@ ([]msni in Local intranet)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} http://inst.c-wss.com/126p/html/gtdownlr.cab (Automatic Driver Installation Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://messenger.msn.com/download/MsnMesse...pDownloader.cab (MsnMessengerSetupDownloadControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.151.129.1 209.151.129.142 207.181.101.4
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\desktop.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\desktop.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/25 16:16:51 | 000,000,000 | ---D | M] - C:\Auto Trader ads -- [ NTFS ]
O32 - AutoRun File - [2005/03/23 14:13:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/08/08 17:24:26 | 000,000,045 | -HS- | M] () - D:\autorun.inf.aug.8 -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/03/23 14:12:31 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - Services: "PrismXL"
MsConfig - Services: "InCDsrv"
MsConfig - Services: "Fax"
MsConfig - Services: "ERSvc"
MsConfig - Services: "Bonjour Service"
MsConfig - Services: "Autodesk Licensing Service"
MsConfig - StartUpReg: InCD - hkey= - key= - C:\Program Files\Ahead\InCD\InCD.exe (Ahead Software AG)
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: MsnMsgr - hkey= - key= - C:\Program Files\MSN Messenger\MsnMsgr.Exe (Microsoft Corporation)
MsConfig - StartUpReg: NeroFilterCheck - hkey= - key= - File not found
MsConfig - StartUpReg: PowerBar - hkey= - key= - C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe (Cyberlink, Corp.)
MsConfig - StartUpReg: QNPlus - hkey= - key= - C:\Program Files\Conceptworld\QNPlus\QNPlus.exe (Conceptworld Corporation)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: RealTray - hkey= - key= - C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
MsConfig - StartUpReg: RemoteControl - hkey= - key= - C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe File not found
MsConfig - StartUpReg: updateMgr - hkey= - key= - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (70663829905735680)

========== Files/Folders - Created Within 30 Days ==========

[2010/05/03 12:21:52 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/05/03 09:48:08 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/03 09:48:06 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/30 06:55:02 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/29 08:34:10 | 000,000,000 | ---D | C] -- C:\rsit
[2010/04/29 08:28:09 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/28 16:42:13 | 000,000,000 | ---D | C] -- C:\Program Files\FileASSASSIN
[2010/04/28 16:37:18 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/04/28 12:36:52 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/28 12:10:11 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/28 12:10:11 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/28 12:10:11 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/28 12:10:11 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/28 12:09:27 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/21 14:32:37 | 000,000,000 | ---D | C] -- C:\Justins bleep
[2010/04/06 08:22:45 | 000,185,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\Thawbrkr.dll
[2010/04/06 08:22:45 | 000,185,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\thawbrkr.dll
[2010/04/06 08:22:43 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\c_iscii.dll
[2010/04/06 08:22:43 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\c_iscii.dll
[2010/04/06 08:22:42 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdusa.dll
[2010/04/06 08:22:42 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdusa.dll
[2010/04/06 08:22:35 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ftlx041e.dll
[2010/04/06 08:22:35 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ftlx041e.dll
[2010/04/05 16:34:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/03 12:21:53 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/05/03 10:14:33 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/03 10:13:53 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/03 10:13:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/03 10:13:17 | 1324,142,592 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/03 10:12:31 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/05/03 10:12:30 | 006,397,952 | ---- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/05/03 09:48:11 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/03 09:23:54 | 011,010,048 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.bak
[2010/05/03 09:22:35 | 000,012,288 | ---- | M] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/29 09:25:21 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/04/29 08:28:19 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/04/29 08:28:09 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2010/04/28 16:42:13 | 000,000,730 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FileASSASSIN.lnk
[2010/04/28 15:51:51 | 000,000,605 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to Malwarebytes' Anti-Malware.lnk
[2010/04/28 15:51:22 | 000,000,438 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut (2) to Installed downloads.lnk
[2010/04/28 12:22:56 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/28 10:32:01 | 000,000,141 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/28 09:55:02 | 000,000,000 | ---- | M] () -- C:\G
[2010/04/28 09:25:20 | 000,000,600 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2010/04/27 08:30:14 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-429370048-1306581299-238951944-1003UA.job
[2010/04/27 08:30:04 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-429370048-1306581299-238951944-1003Core.job
[2010/04/27 08:29:49 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/27 08:29:29 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/26 14:06:09 | 000,000,709 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/26 11:12:38 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Welding parts.doc
[2010/04/23 07:55:00 | 000,391,995 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100428-103201.backup
[2010/04/22 12:00:01 | 000,008,880 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\vVE7hj8
[2010/04/22 12:00:01 | 000,008,880 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\vVE7hj8
[2010/04/22 09:17:20 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Trailer frame weights.xls
[2010/04/20 21:58:41 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Google Chrome.lnk
[2010/04/19 09:47:57 | 000,009,706 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\0757hIHSDv3
[2010/04/19 09:47:57 | 000,009,706 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\0757hIHSDv3
[2010/04/18 08:58:46 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/04/14 03:03:47 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/12 14:10:49 | 000,000,613 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to invoice.lnk
[2010/04/08 17:34:38 | 000,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/08 17:14:40 | 000,000,240 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Del WebCam.url
[2010/04/06 09:13:25 | 000,245,248 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/06 08:46:52 | 000,011,704 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\K6sEH5Ir2Is
[2010/04/06 08:46:51 | 000,011,704 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\K6sEH5Ir2Is
[2010/04/06 08:25:12 | 000,115,992 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/06 08:24:43 | 000,382,424 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/05 16:34:42 | 000,001,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 7.0.lnk
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/03 10:13:17 | 1324,142,592 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/03 09:48:11 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/03 09:22:36 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.tmp.LOG
[2010/05/03 09:22:35 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Owner\NTUSER.tmp.LOG
[2010/04/29 09:25:21 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/04/29 08:28:19 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/04/29 08:28:09 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2010/04/28 16:42:13 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FileASSASSIN.lnk
[2010/04/28 15:51:51 | 000,000,605 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to Malwarebytes' Anti-Malware.lnk
[2010/04/28 15:51:22 | 000,000,438 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut (2) to Installed downloads.lnk
[2010/04/28 12:10:11 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/28 12:10:11 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/28 12:10:11 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/28 12:10:11 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/28 12:10:11 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/28 09:55:02 | 000,000,000 | ---- | C] () -- C:\G
[2010/04/22 11:56:49 | 000,008,880 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\vVE7hj8
[2010/04/22 11:56:49 | 000,008,880 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\vVE7hj8
[2010/04/19 08:21:43 | 000,009,706 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\0757hIHSDv3
[2010/04/19 08:21:43 | 000,009,706 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\0757hIHSDv3
[2010/04/18 08:58:46 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/04/12 14:10:49 | 000,000,613 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to invoice.lnk
[2010/04/06 08:22:41 | 000,066,594 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_864.nls
[2010/04/06 08:22:41 | 000,066,594 | ---- | C] () -- C:\WINDOWS\System32\c_864.nls
[2010/04/06 08:22:41 | 000,066,594 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_720.nls
[2010/04/06 08:22:41 | 000,066,594 | ---- | C] () -- C:\WINDOWS\System32\c_720.nls
[2010/04/06 08:22:41 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_708.nls
[2010/04/06 08:22:41 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_708.nls
[2010/04/06 08:22:41 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_28596.nls
[2010/04/06 08:22:41 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\C_28596.NLS
[2010/04/06 08:22:41 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_10004.nls
[2010/04/06 08:22:41 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_10004.nls
[2010/04/06 08:22:39 | 000,066,594 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_862.nls
[2010/04/06 08:22:39 | 000,066,594 | ---- | C] () -- C:\WINDOWS\System32\c_862.nls
[2010/04/06 08:22:39 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_10005.nls
[2010/04/06 08:22:39 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_10005.nls
[2010/04/06 08:22:36 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_10021.nls
[2010/04/06 08:22:36 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_10021.nls
[2010/04/06 08:04:09 | 000,011,704 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\K6sEH5Ir2Is
[2010/04/06 08:04:09 | 000,011,704 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\K6sEH5Ir2Is
[2008/03/28 12:56:18 | 000,000,144 | ---- | C] () -- C:\WINDOWS\Eudcedit.ini
[2007/10/15 14:13:04 | 000,000,600 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2007/04/14 12:55:41 | 000,424,960 | ---- | C] () -- C:\WINDOWS\System32\C4dll.dll
[2006/05/27 13:52:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/02/15 10:12:53 | 000,000,019 | ---- | C] () -- C:\WINDOWS\HSClient.INI
[2005/11/19 18:33:48 | 000,448,512 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2005/11/15 01:56:50 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2005/11/15 01:52:30 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\ff_kernelDeint.dll
[2005/11/15 01:51:56 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2005/11/15 01:51:52 | 000,512,000 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2005/11/15 01:51:40 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\ff_realaac.dll
[2005/11/15 01:51:36 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2005/11/15 01:51:20 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2005/11/15 01:51:12 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
[2005/11/15 01:51:04 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2005/11/15 01:50:56 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
[2005/11/15 01:50:54 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
[2005/11/15 01:50:52 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
[2005/11/15 01:50:50 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
[2005/11/15 01:50:20 | 000,371,200 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2005/11/15 01:48:20 | 002,674,688 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2005/11/14 16:09:16 | 000,062,976 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
[2005/11/14 16:09:06 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
[2005/11/14 16:08:58 | 000,057,856 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll
[2005/11/14 16:07:18 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
[2005/11/14 16:07:06 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2005/11/14 16:07:02 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2005/11/14 10:48:42 | 000,112,688 | ---- | C] () -- C:\WINDOWS\System32\shw32.dll
[2005/11/14 00:40:17 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/11/14 00:10:39 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS5y.DLL
[2005/11/13 18:48:08 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/11/05 09:31:14 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2005/10/11 18:05:25 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/05/09 14:13:49 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/05/09 14:11:59 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2005/05/09 12:46:38 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2005/03/24 00:07:42 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/03/23 12:53:24 | 000,001,420 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/03/23 12:53:24 | 000,000,481 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2004/12/20 07:08:28 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/12/20 07:03:26 | 000,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2002/11/21 10:21:32 | 000,161,280 | R--- | C] () -- C:\WINDOWS\System32\TALBC.DLL
[2002/05/17 18:18:30 | 000,124,928 | ---- | C] () -- C:\WINDOWS\System32\mp4fil32.dll
[1999/01/22 06:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Custom Scans ==========


< %appdata%\*.* >
[2005/03/23 06:03:30 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Owner\Application Data\desktop.ini
[2010/02/09 15:33:58 | 000,009,656 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat

< %systemroot%\system32\*.dll /lockedfiles >
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: ATAPI.SYS >
[2004/08/04 15:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/12/04 10:57:35 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/04 15:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2009/12/04 10:57:35 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 01:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 09:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[2004/08/04 01:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

< MD5 for: BEEP.SYS >
[2004/08/04 15:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\ERDNT\cache\beep.sys
[2004/08/04 15:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\drivers\beep.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 15:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 15:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: PROQUOTA.EXE >
[2004/08/04 15:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=4D9D45A4370E0C2AD00C362B7118E2A4 -- C:\WINDOWS\$NtServicePackUninstall$\proquota.exe
[2008/04/13 20:12:32 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\ServicePackFiles\i386\proquota.exe
[2008/04/13 20:12:32 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\system32\proquota.exe

< MD5 for: SCECLI.DLL >
[2004/08/04 15:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SFCFILES.DLL >
[2004/08/04 15:00:00 | 001,580,544 | ---- | M] (Microsoft Corporation) MD5=30A609E00BD1D4FFC49D6B5A432BE7F2 -- C:\WINDOWS\$NtServicePackUninstall$\sfcfiles.dll
[2008/04/13 20:12:05 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\ERDNT\cache\sfcfiles.dll
[2008/04/13 20:12:05 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\ServicePackFiles\i386\sfcfiles.dll
[2008/04/13 20:12:05 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\system32\sfcfiles.dll
< End of report >



Thanks

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:07 AM

Posted 03 May 2010 - 12:18 PM

Hi Topdog549,

I would like you to try running Gmer again; this time, though, untick all the boxes on the right side of Gmer
except for sections, tick that one, then run a scan and post the log in your next reply.


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKU\S-1-5-21-429370048-1306581299-238951944-1003\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O4 - HKU\S-1-5-21-429370048-1306581299-238951944-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe File not found
    O9 - Extra Button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Key error. File not found
    O9 - Extra 'Tools' menuitem : AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Value error. File not found
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
    MsConfig - StartUpReg: NeroFilterCheck - hkey= - key= - File not found
    MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe File not found
    [2010/04/22 12:00:01 | 000,008,880 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\vVE7hj8
    [2010/04/22 12:00:01 | 000,008,880 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\vVE7hj8
    [2010/04/19 09:47:57 | 000,009,706 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\0757hIHSDv3
    [2010/04/19 09:47:57 | 000,009,706 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\0757hIHSDv3
    [2010/04/06 08:46:52 | 000,011,704 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\K6sEH5Ir2Is
    [2010/04/06 08:46:51 | 000,011,704 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\K6sEH5Ir2Is
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run a new OTL scan without the bold text, and post the new OTL log.


Then please post back here with the following logs:
  • Gmer log
  • OTL results
  • New OTL log

Thanks



#5 Topdog549

  • Topic Starter

  • Members
  • 10 posts

Posted 03 May 2010 - 01:20 PM

Hi Syler,

Logs are as follows:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-03 13:40:10
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxddipow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[472] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\svchost.exe[472] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\svchost.exe[472] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\svchost.exe[472] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\svchost.exe[472] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\svchost.exe[472] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\winlogon.exe[636] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\winlogon.exe[636] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\winlogon.exe[636] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\winlogon.exe[636] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\winlogon.exe[636] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\winlogon.exe[636] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\winlogon.exe[636] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\system32\services.exe[688] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\services.exe[688] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\services.exe[688] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\services.exe[688] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\services.exe[688] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\services.exe[688] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\lsass.exe[700] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\lsass.exe[700] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\lsass.exe[700] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\lsass.exe[700] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\lsass.exe[700] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[768] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[768] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[768] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[768] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[768] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[768] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[768] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[768] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\svchost.exe[868] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\svchost.exe[868] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\svchost.exe[868] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\svchost.exe[868] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\svchost.exe[868] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\system32\svchost.exe[956] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\svchost.exe[956] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\svchost.exe[956] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\svchost.exe[956] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\svchost.exe[956] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\svchost.exe[956] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\svchost.exe[1160] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\svchost.exe[1160] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\svchost.exe[1160] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\svchost.exe[1160] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\svchost.exe[1160] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\system32\svchost.exe[1332] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\svchost.exe[1332] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\svchost.exe[1332] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\svchost.exe[1332] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\svchost.exe[1332] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\svchost.exe[1332] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\Explorer.EXE[1516] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\Explorer.EXE[1516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\Explorer.EXE[1516] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\Explorer.EXE[1516] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\Explorer.EXE[1516] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\Explorer.EXE[1516] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\Explorer.EXE[1516] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\Explorer.EXE[1516] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\system32\spoolsv.exe[1668] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\spoolsv.exe[1668] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\spoolsv.exe[1668] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\spoolsv.exe[1668] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\spoolsv.exe[1668] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\spoolsv.exe[1668] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\spoolsv.exe[1668] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\spoolsv.exe[1668] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE[1692] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE[1692] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE[1692] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE[1692] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE[1692] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE[1692] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE[1692] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE[1692] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\system32\svchost.exe[1868] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\svchost.exe[1868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\svchost.exe[1868] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\svchost.exe[1868] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\svchost.exe[1868] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\svchost.exe[1868] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\svchost.exe[1868] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\svchost.exe[1868] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1960] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe[1976] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe[1976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe[1976] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe[1976] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe[1976] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe[1976] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe[1976] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe[1976] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\Program Files\Google\Update\GoogleUpdate.exe[2000] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\Program Files\Google\Update\GoogleUpdate.exe[2000] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\Program Files\Google\Update\GoogleUpdate.exe[2000] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\Program Files\Google\Update\GoogleUpdate.exe[2000] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\Program Files\Google\Update\GoogleUpdate.exe[2000] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\Program Files\Google\Update\GoogleUpdate.exe[2000] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\Program Files\Google\Update\GoogleUpdate.exe[2000] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\Program Files\Google\Update\GoogleUpdate.exe[2000] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\system32\hkcmd.exe[2216] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10023DF4
.text C:\WINDOWS\system32\hkcmd.exe[2216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10023C3C
.text C:\WINDOWS\system32\hkcmd.exe[2216] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10023E78
.text C:\WINDOWS\system32\hkcmd.exe[2216] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10023AF0
.text C:\WINDOWS\system32\hkcmd.exe[2216] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10023264
.text C:\WINDOWS\system32\hkcmd.exe[2216] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100227F8
.text C:\WINDOWS\system32\hkcmd.exe[2216] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1002278C
.text C:\WINDOWS\system32\hkcmd.exe[2216] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10023A9C
.text C:\Program Files\QuickTime\qttask.exe[2240] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\Program Files\QuickTime\qttask.exe[2240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\Program Files\QuickTime\qttask.exe[2240] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\Program Files\QuickTime\qttask.exe[2240] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\Program Files\QuickTime\qttask.exe[2240] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\Program Files\QuickTime\qttask.exe[2240] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\Program Files\QuickTime\qttask.exe[2240] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\Program Files\QuickTime\qttask.exe[2240] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\system32\ctfmon.exe[2260] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\ctfmon.exe[2260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\ctfmon.exe[2260] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\ctfmon.exe[2260] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\ctfmon.exe[2260] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\ctfmon.exe[2260] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\ctfmon.exe[2260] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\ctfmon.exe[2260] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\wscntfy.exe[2272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\wscntfy.exe[2272] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\wscntfy.exe[2272] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\wscntfy.exe[2272] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\wscntfy.exe[2272] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\wscntfy.exe[2272] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\wscntfy.exe[2272] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe[2780] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe[2780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe[2780] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe[2780] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe[2780] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe[2780] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe[2780] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe[2780] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2960] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\System32\svchost.exe[3148] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\System32\svchost.exe[3148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\System32\svchost.exe[3148] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\System32\svchost.exe[3148] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\System32\svchost.exe[3148] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\System32\svchost.exe[3148] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\System32\svchost.exe[3148] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\System32\svchost.exe[3148] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\System32\svchost.exe[3420] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\System32\svchost.exe[3420] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\System32\svchost.exe[3420] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\System32\svchost.exe[3420] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\System32\svchost.exe[3420] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\System32\svchost.exe[3420] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\Program Files\Outlook Express\msimn.exe[3524] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\Program Files\Outlook Express\msimn.exe[3524] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\Program Files\Outlook Express\msimn.exe[3524] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\Program Files\Outlook Express\msimn.exe[3524] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\Program Files\Outlook Express\msimn.exe[3524] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\Program Files\Outlook Express\msimn.exe[3524] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\Program Files\Outlook Express\msimn.exe[3524] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\Program Files\Outlook Express\msimn.exe[3524] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C

---- EOF - GMER 1.0.15 ----



All processes killed
========== OTL ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\S-1-5-21-429370048-1306581299-238951944-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\S-1-5-21-429370048-1306581299-238951944-1003\Software\Microsoft\Windows\CurrentVersion\Run\\SpybotSD TeaTimer deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\NeroFilterCheck\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\SunJavaUpdateSched\ deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\vVE7hj8 moved successfully.
C:\Documents and Settings\All Users\Application Data\vVE7hj8 moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\0757hIHSDv3 moved successfully.
C:\Documents and Settings\All Users\Application Data\0757hIHSDv3 moved successfully.
C:\Documents and Settings\All Users\Application Data\K6sEH5Ir2Is moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\K6sEH5Ir2Is moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes
->Flash cache emptied: 41 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 732908 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49286 bytes

User: Owner
->Temp folder emptied: 458425 bytes
->Temporary Internet Files folder emptied: 69033276 bytes
->Google Chrome cache emptied: 557424 bytes
->Flash cache emptied: 87337 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2675729 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 66200 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 47761265 bytes

Total Files Cleaned = 116.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: Owner
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.4.1 log created on 05032010_134157

Files\Folders moved on Reboot...
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QLW9YGRN\iframe[2].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\N6KV1SIH\topic313513[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...



NEW OTL LOG


OTL logfile created on: 5/3/2010 2:04:58 PM - Run 2
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 73.52 Gb Total Space | 4.29 Gb Free Space | 5.84% Space Free | Partition Type: NTFS
Drive D: | 3.16 Gb Total Space | 0.88 Gb Free Space | 27.80% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOP-DOG
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/03 12:21:53 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/05 20:23:10 | 000,308,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
PRC - [2004/08/05 20:23:08 | 000,382,080 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
PRC - [2002/12/17 16:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe
PRC - [2002/12/17 16:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE


========== Modules (SafeList) ==========

MOD - [2010/05/03 12:21:53 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2006/09/13 17:32:12 | 000,077,944 | ---- | M] (Autodesk) [Disabled | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2005/05/09 13:55:07 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2004/08/05 20:23:10 | 000,308,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- (SymWSC)
SRV - [2004/04/06 21:35:10 | 000,929,904 | ---- | M] (Ahead Software AG) [Disabled | Stopped] -- C:\Program Files\Ahead\InCD\incdsrv.exe -- (InCDsrv)
SRV - [2002/12/17 16:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe -- (MSSQL$RIT)
SRV - [2002/12/17 16:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE -- (SQLAgent$RIT)


========== Driver Services (SafeList) ==========

DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2005/05/09 14:08:07 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2004/10/27 17:57:38 | 002,284,864 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/04 01:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/06/17 18:56:22 | 000,220,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2004/06/17 18:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 18:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/04/06 21:40:10 | 000,025,600 | ---- | M] (Ahead Software AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\incdpass.sys -- (InCDPass)
DRV - [2004/04/06 21:39:20 | 000,089,472 | ---- | M] (Ahead Software AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\incdfs.sys -- (InCDfs)
DRV - [2003/12/05 05:46:36 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2001/08/18 01:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/18 01:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/18 01:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/18 01:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/18 01:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/18 00:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/18 00:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/18 00:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/18 00:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/18 00:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/18 00:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/18 00:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/18 00:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/18 00:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/18 00:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 16:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.ca/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555



O1 HOSTS File: ([2010/04/28 10:32:01 | 000,000,141 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: //@install.mar@ ([]msni in My Computer)
O15 - HKCU\..Trusted Domains: //@mail.mar@ ([]msni in Local intranet)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} http://inst.c-wss.com/126p/html/gtdownlr.cab (Automatic Driver Installation Control)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://messenger.msn.com/download/MsnMesse...pDownloader.cab (MsnMessengerSetupDownloadControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.151.129.1 209.151.129.142 207.181.101.4
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\desktop.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\desktop.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/25 16:16:51 | 000,000,000 | ---D | M] - C:\Auto Trader ads -- [ NTFS ]
O32 - AutoRun File - [2005/03/23 14:13:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/08/08 17:24:26 | 000,000,045 | -HS- | M] () - D:\autorun.inf.aug.8 -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/03 13:41:57 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/05/03 12:21:52 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/05/03 09:48:08 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/03 09:48:06 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/30 06:55:02 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/29 08:34:10 | 000,000,000 | ---D | C] -- C:\rsit
[2010/04/29 08:28:09 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/28 16:42:13 | 000,000,000 | ---D | C] -- C:\Program Files\FileASSASSIN
[2010/04/28 16:37:18 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/04/28 12:36:52 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/28 12:10:11 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/28 12:10:11 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/28 12:10:11 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/28 12:10:11 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/28 12:09:27 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/21 14:32:37 | 000,000,000 | ---D | C] -- C:\Justins bleep
[2010/04/06 08:22:45 | 000,185,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\Thawbrkr.dll
[2010/04/06 08:22:45 | 000,185,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\thawbrkr.dll
[2010/04/06 08:22:43 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\c_iscii.dll
[2010/04/06 08:22:43 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\c_iscii.dll
[2010/04/06 08:22:42 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdusa.dll
[2010/04/06 08:22:42 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdusa.dll
[2010/04/06 08:22:35 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ftlx041e.dll
[2010/04/06 08:22:35 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ftlx041e.dll
[2010/04/05 16:34:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe

========== Files - Modified Within 30 Days ==========

[2010/05/03 13:59:49 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/03 13:59:19 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/03 13:59:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/03 13:59:13 | 1324,142,592 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/03 13:58:32 | 006,553,600 | ---- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/05/03 12:21:53 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/05/03 10:12:31 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/05/03 09:48:11 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/03 09:23:54 | 011,010,048 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.bak
[2010/05/03 09:22:35 | 000,012,288 | ---- | M] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/29 09:25:21 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/04/29 08:28:19 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/04/29 08:28:09 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2010/04/28 16:42:13 | 000,000,730 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FileASSASSIN.lnk
[2010/04/28 15:51:51 | 000,000,605 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to Malwarebytes' Anti-Malware.lnk
[2010/04/28 15:51:22 | 000,000,438 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut (2) to Installed downloads.lnk
[2010/04/28 12:22:56 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/28 10:32:01 | 000,000,141 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/28 09:55:02 | 000,000,000 | ---- | M] () -- C:\G
[2010/04/28 09:25:20 | 000,000,600 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2010/04/27 08:30:14 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-429370048-1306581299-238951944-1003UA.job
[2010/04/27 08:30:04 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-429370048-1306581299-238951944-1003Core.job
[2010/04/27 08:29:49 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/27 08:29:29 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/26 14:06:09 | 000,000,709 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/26 11:12:38 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Welding parts.doc
[2010/04/23 07:55:00 | 000,391,995 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100428-103201.backup
[2010/04/22 09:17:20 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Trailer frame weights.xls
[2010/04/20 21:58:41 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Google Chrome.lnk
[2010/04/18 08:58:46 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/04/14 03:03:47 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/12 14:10:49 | 000,000,613 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to invoice.lnk
[2010/04/08 17:34:38 | 000,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/08 17:14:40 | 000,000,240 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Del WebCam.url
[2010/04/06 09:13:25 | 000,245,248 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/06 08:25:12 | 000,115,992 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/06 08:24:43 | 000,382,424 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/05 16:34:42 | 000,001,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 7.0.lnk

========== Files Created - No Company Name ==========

[2010/05/03 10:13:17 | 1324,142,592 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/03 09:48:11 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/03 09:22:36 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.tmp.LOG
[2010/05/03 09:22:35 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Owner\NTUSER.tmp.LOG
[2010/04/29 09:25:21 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/04/29 08:28:19 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/04/29 08:28:09 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2010/04/28 16:42:13 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FileASSASSIN.lnk
[2010/04/28 15:51:51 | 000,000,605 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to Malwarebytes' Anti-Malware.lnk
[2010/04/28 15:51:22 | 000,000,438 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut (2) to Installed downloads.lnk
[2010/04/28 12:10:11 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/28 12:10:11 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/28 12:10:11 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/28 12:10:11 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/28 12:10:11 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/28 09:55:02 | 000,000,000 | ---- | C] () -- C:\G
[2010/04/18 08:58:46 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/04/12 14:10:49 | 000,000,613 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to invoice.lnk
[2010/04/06 08:22:41 | 000,066,594 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_864.nls
[2010/04/06 08:22:41 | 000,066,594 | ---- | C] () -- C:\WINDOWS\System32\c_864.nls
[2010/04/06 08:22:41 | 000,066,594 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_720.nls
[2010/04/06 08:22:41 | 000,066,594 | ---- | C] () -- C:\WINDOWS\System32\c_720.nls
[2010/04/06 08:22:41 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_708.nls
[2010/04/06 08:22:41 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_708.nls
[2010/04/06 08:22:41 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_28596.nls
[2010/04/06 08:22:41 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\C_28596.NLS
[2010/04/06 08:22:41 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_10004.nls
[2010/04/06 08:22:41 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_10004.nls
[2010/04/06 08:22:39 | 000,066,594 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_862.nls
[2010/04/06 08:22:39 | 000,066,594 | ---- | C] () -- C:\WINDOWS\System32\c_862.nls
[2010/04/06 08:22:39 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_10005.nls
[2010/04/06 08:22:39 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_10005.nls
[2010/04/06 08:22:36 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_10021.nls
[2010/04/06 08:22:36 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_10021.nls
[2008/03/28 12:56:18 | 000,000,144 | ---- | C] () -- C:\WINDOWS\Eudcedit.ini
[2007/10/15 14:13:04 | 000,000,600 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2007/04/14 12:55:41 | 000,424,960 | ---- | C] () -- C:\WINDOWS\System32\C4dll.dll
[2006/05/27 13:52:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/02/15 10:12:53 | 000,000,019 | ---- | C] () -- C:\WINDOWS\HSClient.INI
[2005/11/19 18:33:48 | 000,448,512 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2005/11/15 01:56:50 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2005/11/15 01:52:30 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\ff_kernelDeint.dll
[2005/11/15 01:51:56 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2005/11/15 01:51:52 | 000,512,000 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2005/11/15 01:51:40 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\ff_realaac.dll
[2005/11/15 01:51:36 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2005/11/15 01:51:20 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2005/11/15 01:51:12 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
[2005/11/15 01:51:04 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2005/11/15 01:50:56 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
[2005/11/15 01:50:54 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
[2005/11/15 01:50:52 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
[2005/11/15 01:50:50 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
[2005/11/15 01:50:20 | 000,371,200 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2005/11/15 01:48:20 | 002,674,688 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2005/11/14 16:09:16 | 000,062,976 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
[2005/11/14 16:09:06 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
[2005/11/14 16:08:58 | 000,057,856 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll
[2005/11/14 16:07:18 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
[2005/11/14 16:07:06 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2005/11/14 16:07:02 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2005/11/14 10:48:42 | 000,112,688 | ---- | C] () -- C:\WINDOWS\System32\shw32.dll
[2005/11/14 00:40:17 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/11/14 00:10:39 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS5y.DLL
[2005/11/13 18:48:08 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/11/05 09:31:14 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2005/10/11 18:05:25 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/05/09 14:13:49 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/05/09 14:11:59 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2005/05/09 12:46:38 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2005/03/24 00:07:42 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/03/23 12:53:24 | 000,001,420 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/03/23 12:53:24 | 000,000,481 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2004/12/20 07:08:28 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/12/20 07:03:26 | 000,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2002/11/21 10:21:32 | 000,161,280 | R--- | C] () -- C:\WINDOWS\System32\TALBC.DLL
[2002/05/17 18:18:30 | 000,124,928 | ---- | C] () -- C:\WINDOWS\System32\mp4fil32.dll
[1999/01/22 06:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
< End of report >


Thanks



#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 03 May 2010 - 01:31 PM

Can you tell me if you are still having the problems described in your first post, like google redirects and problems running mbam?

  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • A file called mbr.log will pop up please post the contents in your reply.





#7 Topdog549

Topdog549
  • Topic Starter

  • Members
  • 10 posts

Posted 03 May 2010 - 01:57 PM

Hi Syler,

MBAM will still not stay running. It starts up for a few seconds and shuts itself down (or something shuts it down).

As for the re-directs, hard to say for sure but all seems well there. Google only re-directed randomly and at its own will (you never knew when it was coming) but it seemed like every 10 clicks or so. I just did a random search and clicked the first 30 - 40 results and all went exactly where they should have.

Here is the MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK


Thanks

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 03 May 2010 - 04:43 PM

Hi Topdog549,
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:

  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.



#9 Topdog549

Topdog549
  • Topic Starter

  • Members
  • 10 posts

Posted 04 May 2010 - 06:03 AM

Hi Syler,

Here is the RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/05/04 06:48
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB11F7000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79E1000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB023A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\owner\local settings\temp\~df6339.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\owner\local settings\temp\~df8a36.tmp
Status: Allocation size mismatch (API: 24576, Raw: 0)

==EOF==


Thanks

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:07 AM

Posted 04 May 2010 - 08:27 AM

Hi Topdog549,

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix




#11 Topdog549

Topdog549
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:07 PM

Posted 04 May 2010 - 09:16 AM

Hi Syler,

Thanks again for all your help so far...


Here is the ComboFix Log

ComboFix 10-05-03.06 - Owner 05/04/2010 9:50.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1263.893 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\xxo.tmp
c:\documents and settings\Owner\Local Settings\temp\xxo.tmp

.
((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-03 19:04 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-03 19:04 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-03 18:40 . 2010-05-03 18:40 -------- d--h--w- c:\windows\PIF
2010-05-03 17:41 . 2010-05-03 17:41 -------- d-----w- C:\_OTL
2010-04-30 10:55 . 2010-05-03 19:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 17:26 . 2010-04-29 17:26 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-04-29 12:34 . 2010-04-29 12:34 -------- d-----w- C:\rsit
2010-04-29 12:28 . 2010-04-29 12:28 -------- d-----w- c:\program files\ERUNT
2010-04-28 20:42 . 2010-04-28 20:42 -------- d-----w- c:\program files\FileASSASSIN
2010-04-21 18:32 . 2010-04-21 18:33 -------- d-----w- C:\Justins bleep
2010-04-19 12:54 . 2010-04-19 12:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-06 12:22 . 2004-08-04 19:00 185344 -c--a-w- c:\windows\system32\dllcache\thawbrkr.dll
2010-04-06 12:22 . 2004-08-04 19:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2010-04-06 12:22 . 2004-08-04 19:00 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll
2010-04-06 12:22 . 2004-08-04 19:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
2010-04-06 12:22 . 2004-08-04 19:00 5632 -c--a-w- c:\windows\system32\dllcache\kbdusa.dll
2010-04-06 12:22 . 2004-08-04 19:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
2010-04-06 12:22 . 2004-08-04 19:00 6144 -c--a-w- c:\windows\system32\dllcache\ftlx041e.dll
2010-04-06 12:22 . 2004-08-04 19:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 11:16 . 2005-10-11 16:53 9874 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2010-05-03 13:27 . 2008-12-04 19:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-03 13:26 . 2008-12-04 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-30 10:55 . 2009-11-23 15:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-30 10:55 . 2009-11-23 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-29 11:57 . 2006-12-14 19:12 -------- d-----w- c:\program files\Windows Media Connect 2
2010-04-29 11:57 . 2005-05-09 18:04 -------- d-----w- c:\program files\Microsoft Works
2010-04-29 11:57 . 2007-08-27 19:17 -------- d-----w- c:\program files\Documents To Go
2010-04-29 11:57 . 2005-05-09 18:10 -------- d-----w- c:\program files\AOL Toolbar
2010-04-23 12:29 . 2007-08-25 17:05 -------- d-----w- c:\program files\DoInventory
2010-04-18 12:58 . 2005-05-09 18:11 -------- d-----w- c:\program files\Google
2010-04-06 13:12 . 2007-08-27 19:05 -------- d-----w- c:\program files\palmOne
2010-04-06 13:11 . 2005-05-09 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2010-04-06 13:11 . 2005-05-09 18:16 -------- d-----w- c:\program files\Napster
2010-04-06 12:25 . 2005-11-13 23:02 115992 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-10 06:15 . 2005-03-23 16:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2005-03-23 16:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-03 05:30 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2005-03-23 16:52 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2005-03-23 16:52 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2005-03-23 16:52 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2005-03-23 16:52 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2004-03-11 19:27 . 2005-11-14 02:36 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi9"=c:\docume~1\Owner\LOCALS~1\Temp\xxo.tmp 2yAPFDOFNF

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-04-06 17:36 1298542 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-10 14:51 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2005-10-12 22:13 7086080 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
2004-04-21 16:26 86016 ------w- c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QNPlus]
2005-09-14 15:40 692224 ----a-w- c:\program files\Conceptworld\QNPlus\QNPlus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-05-09 18:08 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 23:35 32768 ----a-w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2005-08-18 15:49 307200 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PrismXL"=2 (0x2)
"InCDsrv"=2 (0x2)
"Fax"=2 (0x2)
"ERSvc"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Autodesk Licensing Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MoRUN.net\\StickerLite\\sticker.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\sessmgr.exe"=

R2 MSSQL$RIT;MSSQL$RIT;c:\program files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe -sRIT --> c:\program files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe -sRIT [?]
R2 SQLAgent$RIT;SQLAgent$RIT;c:\program files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE -i RIT --> c:\program files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE -i RIT [?]
S2 gupdate1c9936dc95d878;Google Update Service (gupdate1c9936dc95d878);c:\program files\Google\Update\GoogleUpdate.exe [2/20/2009 11:08 AM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-20 15:08]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-20 15:08]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-429370048-1306581299-238951944-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 18:36]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-429370048-1306581299-238951944-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 18:36]

2005-05-09 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-05-09 00:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.canoe.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 10:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3376)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
.
**************************************************************************
.
Completion time: 2010-05-04 10:08:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-04 14:08
ComboFix2.txt 2010-04-28 16:27
ComboFix3.txt 2009-11-26 14:44

Pre-Run: 5,234,626,560 bytes free
Post-Run: 5,200,666,624 bytes free

- - End Of File - - 0A6578ABDDFABBE4F1BC35936BDFA6AC


Regards

#12 Topdog549

Topdog549
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:07 PM

Posted 04 May 2010 - 11:34 AM

Hi again Syler,
It just occurred to me that I should check to see if we solved anything with the latest ComboFix run.

Turns out that mbam will now run! Also checked again on the google re-directs and they definitely seem to be gone as well.

What is the ComboFix log telling us?

Here is the Malwarebytes log that I just ran, looks good to me..

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4065

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/4/2010 12:27:56 PM
mbam-log-2010-05-04 (12-27-56).txt

Scan type: Quick scan
Objects scanned: 126579
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Regards



#13 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:07 AM

Posted 04 May 2010 - 04:29 PM

Hi again,

I'm glad to hear mbam is working now, combofix still shows a bit of malware though. Can you tell me if you have
a working AntiVirus installed?


TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi9"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=dword:00000000


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push


Then please post back here with the following logs:
  • Combofix.txt
  • ESET report

Thanks

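The two ComboFix logs posted above contain the indicators that the CFScript in this post cleans up: a Drivers32 value (`midi9`) pointing at a `.tmp` file in the user's Temp folder, Windows Firewall notifications switched off, and an Internet Explorer proxy of `http=127.0.0.1:5555` that routes browser traffic through a process on the local machine. The Python script below is an added example and is not code from BleepingComputer, ComboFix or anyone in this thread: it parses the 'Reg Loading Points' and 'Supplementary Scan' lines of a ComboFix log, flags those three patterns, and emits a Registry:: section in the same .reg-style syntax the CFScript above uses (`=-` deletes a value, `dword:00000000` resets a flag). The sample log embedded in it is constructed from the lines posted above; the rule names and helper functions are assumptions of the example.

```python
"""Triage helper for the ComboFix 'Reg Loading Points' / 'Supplementary Scan'
sections quoted in this thread. Example code, not part of ComboFix."""
import re

# Constructed sample: the relevant lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi9"=c:\docume~1\Owner\LOCALS~1\Temp\xxo.tmp 2yAPFDOFNF

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

uStart Page = hxxp://www.canoe.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "name"=value
SETTING_RE = re.compile(r"^u(.+?)\s*=\s*(.*)$")    # uInternet Settings,... = ...
# A path under a Temp folder, or a .tmp file: no legitimate multimedia driver
# (Drivers32) or autostart entry (Run) is loaded from there.
TEMP_PATH_RE = re.compile(r"\\temp\\|\.tmp\b", re.IGNORECASE)
LOOPBACK_RE = re.compile(r"\b(127\.0\.0\.1|localhost)(:\d+)?", re.IGNORECASE)


def parse_loading_points(text):
    """Return (keys, settings). keys: original key header -> {name: value};
    settings: ComboFix 'u...' browser settings -> value."""
    keys, settings, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return keys, settings


def triage(text):
    """Return findings as (rule, key, name, value) tuples, in log order.
    Rule names are this example's own labels, not ComboFix terminology."""
    keys, settings = parse_loading_points(text)
    findings = []
    for key, values in keys.items():
        k = key.lower()
        for name, value in values.items():
            if k.endswith("\\drivers32") and TEMP_PATH_RE.search(value):
                findings.append(("drivers32-temp-path", key, name, value))
            if k.endswith("\\run") and TEMP_PATH_RE.search(value):
                findings.append(("run-temp-path", key, name, value))
            if (k.endswith("\\standardprofile") and name == "DisableNotifications"
                    and value.startswith("1")):
                findings.append(("firewall-notifications-disabled", key, name, value))
    proxy = settings.get("Internet Settings,ProxyServer", "")
    if LOOPBACK_RE.search(proxy):
        # A proxy on loopback means a local process sits between the browser
        # and the network; reported, not auto-removed, since a user may run one.
        findings.append(("loopback-proxy", None, "ProxyServer", proxy))
    return findings


def suggest_cfscript(findings):
    """Build the Registry:: section of a CFScript for the registry findings,
    in the same .reg-style syntax as the helper's script above."""
    lines = ["Registry::"]
    for rule, key, name, _ in findings:
        if rule in ("drivers32-temp-path", "run-temp-path"):
            lines += [f"[{key}]", f'"{name}"=-']
        elif rule == "firewall-notifications-disabled":
            lines += [f"[{key}]", f'"{name}"=dword:00000000']
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print(suggest_cfscript(triage(SAMPLE_LOG)))
```

On the sample above the script reports the `midi9` entry, the disabled firewall notifications and the loopback proxy, and the Registry:: section it builds is line for line the one syler posted. The proxy finding is deliberately left for a human: a loopback proxy is only an indicator, and someone who knowingly runs a local filtering proxy would trigger the same rule.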


#14 Topdog549

Topdog549
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:07 PM

Posted 05 May 2010 - 08:48 AM

Hi Syler,

No working antivirus installed.. I would be glad to entertain any suggestions you have however. I've never been a big fan of the typical commercially available antivirus products.

Ran TFC

Ran ComboFix, had a "couldn't find the location of "something"" error on startup.. didn't write it down, assumed it would be in the log. It wasn't.

Ran ESET Scanner

Here are the logs


ComboFix 10-05-04.06 - Owner 05/05/2010 7:10.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1263.892 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\kernel32.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\kernel32.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.

2010-05-04 21:21 . 2010-05-04 21:21 -------- d-----w- c:\documents and settings\Owner\Application Data\com.AccuWeather.air.stratus.6AF67E59E785A9A644FCA43BED05A7731922EF40.1
2010-05-04 21:21 . 2010-05-04 21:21 -------- d-----w- c:\program files\AccuWeather.com Stratus
2010-05-04 21:21 . 2010-05-04 21:21 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-03 19:04 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-03 19:04 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-03 18:40 . 2010-05-03 18:40 -------- d--h--w- c:\windows\PIF
2010-05-03 17:41 . 2010-05-03 17:41 -------- d-----w- C:\_OTL
2010-04-30 10:55 . 2010-05-03 19:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 17:26 . 2010-04-29 17:26 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-04-29 12:34 . 2010-04-29 12:34 -------- d-----w- C:\rsit
2010-04-21 18:32 . 2010-04-21 18:33 -------- d-----w- C:\Justins bleep
2010-04-19 12:54 . 2010-04-19 12:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-06 12:22 . 2004-08-04 19:00 185344 -c--a-w- c:\windows\system32\dllcache\thawbrkr.dll
2010-04-06 12:22 . 2004-08-04 19:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2010-04-06 12:22 . 2004-08-04 19:00 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll
2010-04-06 12:22 . 2004-08-04 19:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
2010-04-06 12:22 . 2004-08-04 19:00 5632 -c--a-w- c:\windows\system32\dllcache\kbdusa.dll
2010-04-06 12:22 . 2004-08-04 19:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
2010-04-06 12:22 . 2004-08-04 19:00 6144 -c--a-w- c:\windows\system32\dllcache\ftlx041e.dll
2010-04-06 12:22 . 2004-08-04 19:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 11:16 . 2005-10-11 16:53 9874 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2010-05-03 13:27 . 2008-12-04 19:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-03 13:26 . 2008-12-04 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-30 10:55 . 2009-11-23 15:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-30 10:55 . 2009-11-23 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-29 11:57 . 2006-12-14 19:12 -------- d-----w- c:\program files\Windows Media Connect 2
2010-04-29 11:57 . 2005-05-09 18:04 -------- d-----w- c:\program files\Microsoft Works
2010-04-29 11:57 . 2007-08-27 19:17 -------- d-----w- c:\program files\Documents To Go
2010-04-29 11:57 . 2005-05-09 18:10 -------- d-----w- c:\program files\AOL Toolbar
2010-04-23 12:29 . 2007-08-25 17:05 -------- d-----w- c:\program files\DoInventory
2010-04-18 12:58 . 2005-05-09 18:11 -------- d-----w- c:\program files\Google
2010-04-06 13:12 . 2007-08-27 19:05 -------- d-----w- c:\program files\palmOne
2010-04-06 13:11 . 2005-05-09 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2010-04-06 13:11 . 2005-05-09 18:16 -------- d-----w- c:\program files\Napster
2010-04-06 12:25 . 2005-11-13 23:02 115992 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-10 06:15 . 2005-03-23 16:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2005-03-23 16:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-03 05:30 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2005-03-23 16:52 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2005-03-23 16:52 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2005-03-23 16:52 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2005-03-23 16:52 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2004-03-11 19:27 . 2005-11-14 02:36 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
AccuWeather.lnk - c:\program files\AccuWeather.com Stratus\AccuWeather.com Stratus.exe [2010-5-4 95232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-04-06 17:36 1298542 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-10 14:51 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2005-10-12 22:13 7086080 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
2004-04-21 16:26 86016 ------w- c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QNPlus]
2005-09-14 15:40 692224 ----a-w- c:\program files\Conceptworld\QNPlus\QNPlus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-05-09 18:08 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 23:35 32768 ----a-w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2005-08-18 15:49 307200 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PrismXL"=2 (0x2)
"InCDsrv"=2 (0x2)
"Fax"=2 (0x2)
"ERSvc"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Autodesk Licensing Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MoRUN.net\\StickerLite\\sticker.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\sessmgr.exe"=

R2 MSSQL$RIT;MSSQL$RIT;c:\program files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe -sRIT --> c:\program files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe -sRIT [?]
R2 SQLAgent$RIT;SQLAgent$RIT;c:\program files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE -i RIT --> c:\program files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE -i RIT [?]
S2 gupdate1c9936dc95d878;Google Update Service (gupdate1c9936dc95d878);c:\program files\Google\Update\GoogleUpdate.exe [2/20/2009 11:08 AM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-20 15:08]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-20 15:08]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-429370048-1306581299-238951944-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 18:36]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-429370048-1306581299-238951944-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 18:36]

2005-05-09 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-05-09 00:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.canoe.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\installed downloads\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-05 07:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3980)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlservr.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Microsoft SQL Server\MSSQL$RIT\Binn\sqlagent.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
.
**************************************************************************
.
Completion time: 2010-05-05 07:26:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-05 11:26
ComboFix2.txt 2010-05-04 14:08
ComboFix3.txt 2010-04-28 16:27
ComboFix4.txt 2009-11-26 14:44

Pre-Run: 5,173,780,480 bytes free
Post-Run: 5,129,961,472 bytes free

- - End Of File - - 4D0A18211C309771A74CA8E02AE84EB6


C:\Qoobox\Quarantine\C\DOCUME~1\Owner\LOCALS~1\temp\xxo.tmp.vir a variant of Win32/Daonol.CC trojan cleaned by deleting - quarantined
C:\Torrent Downloads\Basic_Inventory+KeygenPir\Basic_Inventory.rar probably a variant of Win32/TrojanDownloader.Agent trojan deleted - quarantined
C:\Torrent Downloads\Basic_Inventory+KeygenPir\Basic_Inventory\basicinventorycontrolv5.0.117keygenacme.zip probably a variant of Win32/TrojanDownloader.Agent trojan deleted - quarantined
C:\Torrent Downloads\Basic_Inventory+KeygenPir\Basic_Inventory\basicinventorycontrolv5.0.117keygenacme\BIC-Keygen.exe probably a variant of Win32/TrojanDownloader.Agent trojan cleaned by deleting - quarantined



Regards

#15 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:07 AM

Posted 05 May 2010 - 11:45 AM

Ok first of all we need to get an AV installed because the last two combofix logs have picked up new infections
and we need to stop you from picking up more malware.

As for which AV if you wanted to go for a commercial one, then my personal favourite is Kaspersky, however I
personally believe that free AVs are really not that far behind, if at all, and with layered protection and good
surfing practices you can avoid getting infected. Below are some options of free AVs if you want to go that
way.


Install an AntiVirus
I don't see an updated Anti Virus Program running on your machine. It is essential that you have an Anti Virus installed
and keep it updated. Without an updated Anti Virus running you are leaving yourself wide open to infection every time you
go on the internet.

These are some suggestions for a good free (non-commercial home use) Anti Virus:

Avast!
Antivir
AVG

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.



I also want you to note, ESET shows that you have been downloading cracks/keygens, if you download
anything through p2p then there is a good chance you will get infected, but with downloading cracks/keygens
you are more than likely going to end up with the worst infection, some of which can cause havoc and leave
you with no choice but to format, below is some information about cracks/keygens which you may wish to read.


IMPORTANT NOTE: Your scan log results indicate you are using keygens/crack tools.

The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.

QUOTE
...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

QUOTE
...One of the most aggressive and intrusive of all bad websites on the Internet are serial, warez, software cracking type sites...they sneak malware onto your system...Where do trojan viruses originate? One of the biggest malware distributors on the Internet are serial/warez/code cracking sites.

Bad Web Sites: Malware

When you use these kind of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.



Ok, once you have got an AV installed, please run a full scan with it and remove anything it finds, then run the following scans.


Download and Run Rooter SD

Please download Rooter.exe and save it to your desktop
  • Double-click it to start the tool. If you are using Vista, please right-click and choose Run As Administrator...
  • Allow it to run when you get a Security Warning.
  • At the main control page, please click the green button.
  • It will now begin to scan, please be patient. The scan should not take more than 3 minutes.
  • A Notepad file containing the report will open soon. It can also be found at %systemdrive%\Rooter$\Rooter_1.txt
  • Now push the button to close Rooter.
  • Please post the contents of that log file here in your next reply.



We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. A report OTL.txt will open when done, please post it in your reply.


Then please post back here with the following logs:
  • Rooter_1.txt
  • OTL.txt

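For readers who want to see what the OTL custom scan lines above are actually asking for, here is an added example: a read-only PowerShell triage pass over the same locations. It is not part of the original thread and is not OTL's own code; it reports and deletes nothing. It assumes Windows with PowerShell 3.0 or later, run from an elevated prompt so that system32, the Tasks folder and HKLM are readable. Which registry keys the `netsvcs` and `drivers32` directives correspond to is our reading of those directives, not something taken from OTL itself; `msconfig` and `CREATERESTOREPOINT` are left to the tool.

```powershell
# Added example, not from the thread or from OTL's authors: a read-only triage pass over the
# places syler's OTL custom scan lines point at. Assumptions: PowerShell 3.0+, elevated prompt.
# The netsvcs/drivers32 registry mapping below is our reading of those OTL directives.

$SysRoot  = $env:SystemRoot
$SysDrive = $env:SystemDrive
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Item, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail })
}

function Get-Sha256([string]$Path) {
    # Hash so the file can be compared with the same file on a known-clean install of this build.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try { ([System.BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash($fs))) -replace '-', '' }
        finally { $fs.Dispose() }
    } catch { 'unreadable' }
}

function Test-Locked([string]$Path) {
    # OTL's /lockedfiles lists files that cannot be opened. Normally loaded DLLs still allow a shared
    # read, so a DLL or .job that refuses one is unusual and worth a closer look.
    try { $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite'); $fs.Dispose(); $false }
    catch { $true }
}

function Resolve-SystemPath([string]$Name) {
    # Registry entries hold %SystemRoot%-relative or bare file names; resolve them the way the loader would.
    $p = [System.Environment]::ExpandEnvironmentVariables($Name.Trim('"'))
    if ([System.IO.Path]::IsPathRooted($p)) { $p } else { Join-Path $SysRoot "system32\$p" }
}

# %systemroot%\system32\*.dll /lockedfiles
Get-ChildItem -Path (Join-Path $SysRoot 'system32') -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { Test-Locked $_.FullName } |
    ForEach-Object { Add-Finding 'locked-dll' $_.FullName ("modified {0}" -f $_.LastWriteTime) }

# %systemroot%\Tasks\*.job /lockedfiles : list every legacy task file with its hash and lock state
Get-ChildItem -Path (Join-Path $SysRoot 'Tasks') -Filter '*.job' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'task-job' $_.FullName ("locked={0} sha256={1}" -f (Test-Locked $_.FullName), (Get-Sha256 $_.FullName)) }

# %systemroot%\System32\config\*.sav : saved registry hives; anything beyond the stock set deserves a look
Get-ChildItem -Path (Join-Path $SysRoot 'System32\config') -Filter '*.sav' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'config-sav' $_.FullName ("modified {0}" -f $_.LastWriteTime) }

# %systemroot%\*. /s : files with no extension anywhere under the Windows folder. Many are legitimate
# (registry hives, hosts), so this is an inventory to compare against a clean machine, not an alarm list.
Get-ChildItem -Path $SysRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '' } |
    ForEach-Object { Add-Finding 'no-extension' $_.FullName ("{0} bytes, modified {1}" -f $_.Length, $_.LastWriteTime) }

# %SYSTEMDRIVE%\*.exe : executables sitting in the root of the system drive
Get-ChildItem -Path "$SysDrive\" -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'root-exe' $_.FullName ("sha256={0}" -f (Get-Sha256 $_.FullName)) }

# netsvcs : the service group that svchost.exe hosts. A name here whose ServiceDll is missing or lives
# outside system32 runs inside a trusted svchost process, which is why tools dump this list.
$netsvcs = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost' -ErrorAction SilentlyContinue).netsvcs
foreach ($svc in @($netsvcs | Where-Object { $_ })) {
    $params = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters" -ErrorAction SilentlyContinue
    if (-not $params -or -not $params.ServiceDll) { Add-Finding 'netsvcs' $svc 'no ServiceDll (service absent or not DLL-hosted)'; continue }
    $dll = Resolve-SystemPath $params.ServiceDll
    $odd = (-not (Test-Path $dll)) -or ($dll -notlike (Join-Path $SysRoot 'system32\*'))
    if ($odd) { Add-Finding 'netsvcs' $svc ("ServiceDll={0} exists={1}" -f $dll, (Test-Path $dll)) }
}

# drivers32 : legacy multimedia codec/driver mappings, a long-standing autostart location
$drv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32' -ErrorAction SilentlyContinue
if ($drv) {
    foreach ($p in ($drv.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $file = Resolve-SystemPath ([string]$p.Value)
        if (-not (Test-Path $file)) { Add-Finding 'drivers32' $p.Name ("points at missing file {0}" -f $file) }
        else { Add-Finding 'drivers32' $p.Name ("{0} sha256={1}" -f $file, (Get-Sha256 $file)) }
    }
}

$Findings | Sort-Object Check, Item | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt and diff the output against the same script run on a clean machine of the same Windows build; the value of every one of these lists, as with the OTL log the helper asks for, is in what differs from a known-good baseline, not in the length of the list itself.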




