Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware causing Firefox redirect


  • This topic is locked This topic is locked
12 replies to this topic

#1 Gemma.C

Gemma.C

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:50 AM

Posted 04 May 2010 - 06:26 AM

Hi

I believe I am infected with some sort of malware as Firefox keeps opening new tabs for random websites. Also, when I click on google search results I am redirected to these same websites. I don't use Internet Explorer so am not sure if the same happens here.

I have run Norton Antivirus, Avast, Adaware, SuperAntiSpyware, Anti-Malware and Spybot S&D and the infection isn't found.

I am including the DDS logs. I have been unable to attach the GMER log, as my computer either restarts or freezes when I run it (have tried about 5 times). I have also tried in safe mode with no success. Is there something else I can try, or are the other logs sufficient at this time ? I have disabled the CD emulator.

If anyone could help, I would greatly appreciate it.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Alan at 17:07:53.75 on Tue 04/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1113 [GMT 8:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\CAPRPCSK.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\Norton\NUA.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\PIXELA\ImageMixer 3 SE Ver.4\Transfer Utility\CameraMonitor.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Alan\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bigpond.com.au/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [NortonUpdateAgent] c:\documents and settings\all users\application data\norton\NUA.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [WinSys2] c:\windows\system32\winsys2.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [CAPON] c:\windows\system32\spool\drivers\w32x86\3\CAPONN.EXE
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\canonl~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se ver.4\transfer utility\CameraMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: wager.org.au
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {6CB1C77B-B89E-4DC7-AC63-B6CF28D074E9} = 61.9.242.33,61.9.226.33
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alan\applic~1\mozilla\firefox\profiles\s7vr2ia0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bigpond.com/homepage/
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-11 64160]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-15 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-15 116328]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-4-27 61440]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-19 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-19 149352]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-19 1029456]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-19 149352]
R2 RapidPort;RapidPort;c:\windows\system32\drivers\CAPLPTN.SYS [2008-8-28 22912]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-3-15 779496]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-8-25 36864]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100503.038\NAVENG.SYS [2010-5-4 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100503.038\NAVEX15.SYS [2010-5-4 1324720]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-8-27 1245064]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]

=============== Created Last 30 ================

2010-05-04 09:07:20 0 ----a-w- c:\documents and settings\alan\defogger_reenable
2010-05-04 08:55:10 6469 ----a-w- c:\documents and settings\alan\address book
2010-05-04 01:42:41 0 d-----w- c:\windows\system32\NtmsData
2010-05-03 16:26:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-05-03 15:40:36 0 d-----w- c:\program files\CCleaner
2010-05-03 15:18:35 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-03 15:17:52 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-03 15:17:52 0 d-----w- c:\docume~1\alan\applic~1\SUPERAntiSpyware.com
2010-05-03 15:17:31 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-03 08:56:32 0 d-----w- c:\program files\Trend Micro
2010-04-28 23:40:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-04-28 13:26:42 0 d-----w- c:\docume~1\alan\applic~1\Malwarebytes
2010-04-28 13:26:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 13:26:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 13:26:24 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 13:26:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-27 10:02:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-26 14:32:46 0 d-----w- c:\docume~1\alan\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-04-13 12:49:13 754 ----a-w- c:\windows\WORDPAD.INI
2010-04-12 12:48:42 0 d-----w- c:\docume~1\alluse~1\applic~1\GoodSync
2010-04-12 12:48:41 0 d-----w- c:\docume~1\alan\applic~1\GoodSync
2010-04-12 12:48:36 0 d-----w- c:\program files\Siber Systems
2010-04-07 12:55:27 0 d-----w- c:\program files\QUANTO

==================== Find3M ====================

2010-04-01 13:43:07 249856 ------w- c:\windows\Setup1.exe
2010-04-01 13:43:04 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 20:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-03 12:54:53 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 14:08:49 2146304 begin_of_the_skype_highlighting              49 2146304      end_of_the_skype_highlighting ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 17:09:10.21 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:50 PM

Posted 04 May 2010 - 12:04 PM

Hello and welcome to Bleeping Computer. smile.gif

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



+++++++++++++++++++++++++++++++



1. Please go to http://virscan.org/
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    c:\windows\Setup1.exe
    c:\windows\ST6UNST.EXE
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.




2. Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouseclick combofix's window while its running because it may call it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.



~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Gemma.C

Gemma.C
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:50 AM

Posted 06 May 2010 - 08:26 AM

Hiya, thanks for your fast reply ! Combofix definitely fixed something - am hoping that was the problem ?!

Logs below smile.gif

VirSCAN.org Scanned Report :
Scanned time : 2010/05/05 03:10:46 (EST)
Scanner results: Scanners did not find malware!
File Name : Setup1.exe
File Size : 249856 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : c6264b17629f6f9f0bd2ba7671ceff69
SHA1 : 67a6b419740c1d6b780789bffcfcc83129e36d1b
Online report : http://virscan.org/report/2cae462f734bd871...e22d8a682d.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100504020432 2010-05-04 4.86 -
AhnLab V3 2010.05.04.07 2010.05.04 2010-05-04 1.95 -
AntiVir 8.2.1.224 7.10.7.37 2010-05-04 0.27 -
Antiy 2.0.18 20100429.4301541 2010-04-29 0.02 -
Arcavir 2009 201005040104 2010-05-04 0.07 -
Authentium 5.1.1 201005041421 2010-05-04 1.83 -
AVAST! 4.7.4 100504-1 2010-05-04 0.02 -
AVG 8.5.793 271.1.1/2853 2010-05-04 0.25 -
BitDefender 7.81008.5745334 7.31501 2010-05-04 3.67 -
ClamAV 0.95.3 10911 2010-05-04 0.05 -
Comodo 3.13.579 4758 2010-05-04 0.90 -
CP Secure 1.3.0.5 2010.05.04 2010-05-04 0.07 -
Dr.Web 5.0.2.3300 2010.05.04 2010-05-04 6.96 -
F-Prot 4.4.4.56 20100504 2010-05-04 1.81 -
F-Secure 7.02.73807 2010.05.04.10 2010-05-04 0.22 -
Fortinet 4.0.14 11.770 2010-05-03 0.27 -
GData 21.90/21.29 20100504 2010-05-04 7.30 -
ViRobot 20100503 2010.05.03 2010-05-03 0.43 -
Ikarus T3.1.01.80 2010.05.04.75779 2010-05-04 5.85 -
JiangMin 13.0.900 2010.05.04 2010-05-04 1.21 -
Kaspersky 5.5.10 2010.05.04 2010-05-04 0.13 -
KingSoft 2009.2.5.15 2010.5.4.14 2010-05-04 0.66 -
McAfee 5400.1158 5971 2010-05-03 0.02 -
Microsoft 1.5703 2010.05.04 2010-05-04 6.74 -
Norman 6.04.12 6.04.00 2010-05-03 6.01 begin_of_the_skype_highlighting              00 2010-05-03 6.01      end_of_the_skype_highlighting -
Panda 9.05.01 2010.05.03 2010-05-03 2.56 -
Trend Micro 9.120-1004 7.146.09 2010-05-04 0.04 -
Quick Heal 10.00 2010.05.03 2010-05-03 1.60 -
Rising 20.0 22.46.01.01 2010-05-04 1.23 -
Sophos 3.06.0 4.52 2010-05-04 3.69 -
Sunbelt 3.9.2421.2 6259 2010-05-04 5.83 -
Symantec 1.3.0.24 20100504.004 2010-05-04 0.06 -
nProtect 20100503.01 8108502 2010-05-03 7.62 -
The Hacker 6.5.2.0 v00275 2010-05-03 0.48 -
VBA32 3.12.12.4 20100504.0938 2010-05-04 2.65 -
VirusBuster 4.5.11.10 10.126.14/2004417 2010-05-04 2.44 -



VirSCAN.org Scanned Report :
Scanned time : 2010/05/05 03:13:30 (EST)
Scanner results: Scanners did not find malware!
File Name : ST6UNST.EXE
File Size : 73216 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : ea4e2ba0d35eeadee23b0c1397c71367
SHA1 : e715ddf7c568a745e7990534f06460556e20b3ed
Online report : http://virscan.org/report/a3281d61e83c6533...3ba83012bb.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100504020432 2010-05-04 5.10 -
AhnLab V3 2010.05.04.07 2010.05.04 2010-05-04 1.16 -
AntiVir 8.2.1.224 7.10.7.37 2010-05-04 0.25 -
Antiy 2.0.18 20100429.4301541 2010-04-29 0.02 -
Arcavir 2009 201005040104 2010-05-04 0.04 -
Authentium 5.1.1 201005041421 2010-05-04 1.41 -
AVAST! 4.7.4 100504-1 2010-05-04 0.01 -
AVG 8.5.793 271.1.1/2853 2010-05-04 0.25 -
BitDefender 7.81008.5745334 7.31501 2010-05-04 3.64 -
ClamAV 0.95.3 10911 2010-05-04 0.02 -
Comodo 3.13.579 4758 2010-05-04 0.89 -
CP Secure 1.3.0.5 2010.05.04 2010-05-04 0.06 -
Dr.Web 5.0.2.3300 2010.05.04 2010-05-04 9.04 -
F-Prot 4.4.4.56 20100504 2010-05-04 1.39 -
F-Secure 7.02.73807 2010.05.04.10 2010-05-04 0.17 -
Fortinet 4.0.14 11.770 2010-05-03 0.29 -
GData 21.90/21.29 20100504 2010-05-04 6.93 -
ViRobot 20100503 2010.05.03 2010-05-03 1.00 -
Ikarus T3.1.01.80 2010.05.04.75779 2010-05-04 5.94 -
JiangMin 13.0.900 2010.05.04 2010-05-04 1.26 -
Kaspersky 5.5.10 2010.05.04 2010-05-04 0.13 -
KingSoft 2009.2.5.15 2010.5.4.14 2010-05-04 0.67 -
McAfee 5400.1158 5971 2010-05-03 0.02 -
Microsoft 1.5703 2010.05.04 2010-05-04 7.29 -
Norman 6.04.12 6.04.00 2010-05-03 6.01 -
Panda 9.05.01 2010.05.03 2010-05-03 1.77 -
Trend Micro 9.120-1004 7.146.09 2010-05-04 0.04 -
Quick Heal 10.00 2010.05.03 2010-05-03 1.55 -
Rising 20.0 22.46.01.01 2010-05-04 1.21 -
Sophos 3.06.0 4.52 2010-05-04 3.62 -
Sunbelt 3.9.2421.2 6259 2010-05-04 6.80 -
Symantec 1.3.0.24 20100504.004 2010-05-04 0.05 -
nProtect 20100503.01 8108502 2010-05-03 7.65 -
The Hacker 6.5.2.0 v00275 2010-05-03 0.38 -
VBA32 3.12.12.4 20100504.0938 2010-05-04 2.46 -
VirusBuster 4.5.11.10 10.126.14/2004417 2010-05-04 2.43 -

ComboFix 10-05-05.0A - Alan 06/05/2010 21:11:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1569 [GMT 8:00]
Running from: c:\documents and settings\Alan\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\winsys.exe

----- BITS: Possible infected sites -----

hxxp://buy-download.norton.com
hxxp://liveupdate.symantec.com
hxxp://definitions.symantec.com
Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-05-04 09:32 . 2010-05-04 09:32 63488 ----a-w- c:\documents and settings\Alan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-04 01:42 . 2010-05-04 09:06 -------- d-----w- c:\windows\system32\NtmsData
2010-05-03 16:55 . 2010-05-03 16:55 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-05-03 16:26 . 2010-05-03 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-03 16:26 . 2010-05-03 16:26 -------- d-----w- c:\program files\Alwil Software
2010-05-03 15:40 . 2010-05-03 15:40 -------- d-----w- c:\program files\CCleaner
2010-05-03 15:20 . 2010-05-03 15:20 52224 ----a-w- c:\documents and settings\Alan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-03 15:20 . 2010-05-04 09:32 117760 ----a-w- c:\documents and settings\Alan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-03 15:18 . 2010-05-03 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-03 15:17 . 2010-05-03 15:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-03 15:17 . 2010-05-03 15:17 -------- d-----w- c:\documents and settings\Alan\Application Data\SUPERAntiSpyware.com
2010-05-03 15:17 . 2010-05-03 15:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-03 08:56 . 2010-05-03 08:56 -------- d-----w- c:\program files\Trend Micro
2010-04-30 16:09 . 2010-04-30 16:09 69470184 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{N360S_NUC_prod_1.19_4.1.0.32}\symcdefs.exe
2010-04-29 12:24 . 2010-04-29 12:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-29 12:24 . 2010-04-29 12:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-04-28 23:40 . 2010-04-12 05:39 1808752 ----a-w- c:\documents and settings\All Users\Application Data\Norton\NUA.exe
2010-04-28 23:40 . 2010-05-01 07:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-28 13:26 . 2010-04-28 13:26 -------- d-----w- c:\documents and settings\Alan\Application Data\Malwarebytes
2010-04-28 13:26 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 13:26 . 2010-05-03 16:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 13:26 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 13:26 . 2010-04-28 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-27 10:02 . 2010-05-04 04:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-26 14:34 . 2010-04-26 14:34 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-26 14:32 . 2010-04-26 14:32 -------- d-----w- c:\documents and settings\Alan\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-04-13 22:24 . 2010-04-13 22:24 44507400 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{N360S_NUC_prod_1.19_4.1.0.32}\N360-UPGRADE-ESD-NoDefs-17-6-0-32-EN.exe
2010-04-12 12:48 . 2010-04-12 12:48 -------- d-----w- c:\documents and settings\All Users\Application Data\GoodSync
2010-04-12 12:48 . 2010-05-04 04:19 -------- d-----w- c:\documents and settings\Alan\Application Data\GoodSync
2010-04-12 12:48 . 2010-04-12 12:48 -------- d-----w- c:\program files\Siber Systems
2010-04-07 12:55 . 2010-04-07 12:55 -------- d-----w- c:\program files\QUANTO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-06 13:10 . 2008-08-27 12:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-06 12:55 . 2009-07-20 13:57 -------- d-----w- c:\documents and settings\Alan\Application Data\Skype
2010-05-06 10:52 . 2009-07-20 04:42 -------- d-----w- c:\documents and settings\Alan\Application Data\skypePM
2010-05-06 07:58 . 2008-12-03 06:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-04 09:06 . 2008-10-26 09:34 -------- d-----w- c:\documents and settings\Alan\Application Data\U3
2010-05-04 08:48 . 2008-12-23 02:45 -------- d-----w- c:\program files\uTorrent
2010-05-04 08:48 . 2008-12-23 02:45 -------- d-----w- c:\documents and settings\Alan\Application Data\uTorrent
2010-04-28 14:49 . 2008-12-24 05:13 -------- d-----w- c:\documents and settings\Alan\Application Data\DVD Flick
2010-04-26 14:34 . 2008-10-05 09:36 38784 ------w- c:\documents and settings\Alan\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-20 23:49 . 2008-08-27 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-14 13:12 . 2008-08-27 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-08 01:20 . 2008-08-27 12:16 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-08 00:22 . 2008-09-08 02:09 -------- d-----w- c:\program files\Google
2010-04-03 08:04 . 2009-04-11 23:59 -------- d-----w- c:\documents and settings\Alan\Application Data\dvdcss
2010-04-01 13:43 . 2010-04-01 13:43 -------- d-----w- c:\program files\PS
2010-04-01 13:43 . 2010-04-01 13:43 249856 ------w- c:\windows\Setup1.exe
2010-04-01 13:43 . 2010-04-01 13:43 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-04-01 00:49 . 2008-10-07 13:34 -------- d-----w- c:\program files\Common Files\Java
2010-04-01 00:44 . 2010-04-01 00:44 503808 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2656db45-n\msvcp71.dll
2010-04-01 00:44 . 2010-04-01 00:44 499712 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2656db45-n\jmc.dll
2010-04-01 00:44 . 2010-04-01 00:44 348160 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2656db45-n\msvcr71.dll
2010-04-01 00:44 . 2010-04-01 00:44 61440 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-438f73be-n\decora-sse.dll
2010-04-01 00:44 . 2010-04-01 00:44 12800 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-438f73be-n\decora-d3d.dll
2010-04-01 00:43 . 2008-10-07 13:34 -------- d-----w- c:\program files\Java
2010-03-29 07:22 . 2010-03-29 07:22 -------- d-----w- c:\program files\Common Files\Skype
2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 20:28 . 2008-11-22 08:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-08 09:17 . 2010-03-08 09:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trusteer
2010-02-25 06:24 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2008-04-14 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-14 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-03-31 14:47 . 2008-08-27 12:24 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-03 39408]
"NortonUpdateAgent"="c:\documents and settings\All Users\Application Data\Norton\NUA.exe" [2010-04-12 1808752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]
"SkyTel"="SkyTel.EXE" [2007-10-11 1826816]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"WinSys2"="c:\windows\system32\winsys2.exe" [2006-04-29 208896]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"CAPON"="c:\windows\system32\Spool\Drivers\w32x86\3\CAPONN.EXE" [2001-02-05 22528]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-03 524632]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-13 611712]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Canon LBP-810 Status Window.LNK - c:\windows\system32\spool\drivers\w32x86\3\CAPPSWK.EXE [2002-9-5 113664]
ImageMixer 3 SE Camera Monitor Ver.4.lnk - c:\program files\PIXELA\ImageMixer 3 SE Ver.4\Transfer Utility\CameraMonitor.exe [2009-5-18 253952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 07:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Alan^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Alan\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 05:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-06-28 16:43 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 02:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 09:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-01-06 17:36 81920 ----a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-12-03 06:32 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/02/2009 7:54 PM 64160]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/03/2010 1:47 PM 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/03/2010 1:47 PM 116328]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27/04/2010 5:30 PM 61440]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [19/01/2009 5:34 AM 1029456]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [19/02/2008 3:37 AM 149352]
R2 RapidPort;RapidPort;c:\windows\system32\drivers\CAPLPTN.SYS [28/08/2008 5:25 PM 22912]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/03/2010 1:47 PM 779496]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 7:31 PM 92008]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [25/08/2008 1:54 PM 36864]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27/08/2009 10:12 AM 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/01/2010 2:54 PM 135664]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [13/01/2008 10:32 AM 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-05-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 12:54]

2010-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2010-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-03 04:04]

2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 06:54]

2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 06:54]

2010-05-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-09 14:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com.au/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: wager.org.au
TCP: {6CB1C77B-B89E-4DC7-AC63-B6CF28D074E9} = 61.9.242.33,61.9.226.33
FF - ProfilePath - c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\s7vr2ia0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bigpond.com/homepage/
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 21:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-05-06 21:19:31
ComboFix-quarantined-files.txt 2010-05-06 13:19

Pre-Run: 196,849,528,832 bytes free
Post-Run: 196,989,116,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6794369F0A36D370CF551C61BA2136A4


#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:50 PM

Posted 06 May 2010 - 09:21 AM

Hi,

Using 2 Anti virus program at the same time is not advisable, Please uninstall Avast if you haven't uninstall it yet. Then run the Avast uninstall utility to remove all the remnants.


P2P Warning:
Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case uTorrent).

These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."



+++++++++++++++++++++++++


1. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mRun: [WinSys2] c:\windows\system32\winsys2.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=dword:00000000


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Refering to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




2. Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.





~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 Gemma.C

Gemma.C
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:50 AM

Posted 07 May 2010 - 07:53 PM

Hi - I think things may be looking better ?! (My browser hasn't been redirected for a few days, although I haven't been using it very much !).

I ran the Combofix, and the log is pasted below.

I have tried to run GMER twice, and have left it running at night. But in the morning, the computer has restarted, and I get the "Windows has recovered from a fatal error" message. I've pasted the error report below - does that mean anything ?

C:\DOCUME~1\Alan\LOCALS~1\Temp\WER2ce9.dir00\Mini050810-01.dmp
C:\DOCUME~1\Alan\LOCALS~1\Temp\WER2ce9.dir00\sysdata.xml

Thanks again !


ComboFix 10-05-05.0A - Alan 06/05/2010 22:59:42.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1373 [GMT 8:00]
Running from: c:\documents and settings\Alan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Alan\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winsys2.exe

.
((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-05-04 09:32 . 2010-05-04 09:32 63488 ----a-w- c:\documents and settings\Alan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-04 01:42 . 2010-05-04 09:06 -------- d-----w- c:\windows\system32\NtmsData
2010-05-03 16:55 . 2010-05-03 16:55 6153352 begin_of_the_skype_highlighting              55 6153352      end_of_the_skype_highlighting ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-05-03 16:26 . 2010-05-03 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-03 16:26 . 2010-05-03 16:26 -------- d-----w- c:\program files\Alwil Software
2010-05-03 15:40 . 2010-05-03 15:40 -------- d-----w- c:\program files\CCleaner
2010-05-03 15:20 . 2010-05-03 15:20 52224 ----a-w- c:\documents and settings\Alan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-03 15:20 . 2010-05-04 09:32 117760 ----a-w- c:\documents and settings\Alan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-03 15:18 . 2010-05-03 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-03 15:17 . 2010-05-03 15:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-03 15:17 . 2010-05-03 15:17 -------- d-----w- c:\documents and settings\Alan\Application Data\SUPERAntiSpyware.com
2010-05-03 15:17 . 2010-05-03 15:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-03 08:56 . 2010-05-03 08:56 -------- d-----w- c:\program files\Trend Micro
2010-04-30 16:09 . 2010-04-30 16:09 69470184 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{N360S_NUC_prod_1.19_4.1.0.32}\symcdefs.exe
2010-04-29 12:24 . 2010-04-29 12:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-29 12:24 . 2010-04-29 12:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-04-28 23:40 . 2010-04-12 05:39 1808752 ----a-w- c:\documents and settings\All Users\Application Data\Norton\NUA.exe
2010-04-28 23:40 . 2010-05-01 07:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-28 13:26 . 2010-04-28 13:26 -------- d-----w- c:\documents and settings\Alan\Application Data\Malwarebytes
2010-04-28 13:26 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 13:26 . 2010-05-03 16:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 13:26 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 13:26 . 2010-04-28 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-27 10:02 . 2010-05-04 04:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-26 14:34 . 2010-04-26 14:34 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-26 14:32 . 2010-04-26 14:32 -------- d-----w- c:\documents and settings\Alan\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-04-13 22:24 . 2010-04-13 22:24 44507400 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{N360S_NUC_prod_1.19_4.1.0.32}\N360-UPGRADE-ESD-NoDefs-17-6-0-32-EN.exe
2010-04-12 12:48 . 2010-04-12 12:48 -------- d-----w- c:\documents and settings\All Users\Application Data\GoodSync
2010-04-12 12:48 . 2010-05-06 14:53 -------- d-----w- c:\documents and settings\Alan\Application Data\GoodSync
2010-04-12 12:48 . 2010-04-12 12:48 -------- d-----w- c:\program files\Siber Systems
2010-04-07 12:55 . 2010-04-07 12:55 -------- d-----w- c:\program files\QUANTO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-06 13:10 . 2008-08-27 12:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-06 12:55 . 2009-07-20 13:57 -------- d-----w- c:\documents and settings\Alan\Application Data\Skype
2010-05-06 10:52 . 2009-07-20 04:42 -------- d-----w- c:\documents and settings\Alan\Application Data\skypePM
2010-05-06 07:58 . 2008-12-03 06:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-04 09:06 . 2008-10-26 09:34 -------- d-----w- c:\documents and settings\Alan\Application Data\U3
2010-05-04 08:48 . 2008-12-23 02:45 -------- d-----w- c:\program files\uTorrent
2010-05-04 08:48 . 2008-12-23 02:45 -------- d-----w- c:\documents and settings\Alan\Application Data\uTorrent
2010-04-28 14:49 . 2008-12-24 05:13 -------- d-----w- c:\documents and settings\Alan\Application Data\DVD Flick
2010-04-26 14:34 . 2008-10-05 09:36 38784 ------w- c:\documents and settings\Alan\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-20 23:49 . 2008-08-27 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-14 13:12 . 2008-08-27 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-08 01:20 . 2008-08-27 12:16 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-08 00:22 . 2008-09-08 02:09 -------- d-----w- c:\program files\Google
2010-04-03 08:04 . 2009-04-11 23:59 -------- d-----w- c:\documents and settings\Alan\Application Data\dvdcss
2010-04-01 13:43 . 2010-04-01 13:43 -------- d-----w- c:\program files\PS
2010-04-01 13:43 . 2010-04-01 13:43 249856 ------w- c:\windows\Setup1.exe
2010-04-01 13:43 . 2010-04-01 13:43 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-04-01 00:49 . 2008-10-07 13:34 -------- d-----w- c:\program files\Common Files\Java
2010-04-01 00:44 . 2010-04-01 00:44 503808 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2656db45-n\msvcp71.dll
2010-04-01 00:44 . 2010-04-01 00:44 499712 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2656db45-n\jmc.dll
2010-04-01 00:44 . 2010-04-01 00:44 348160 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2656db45-n\msvcr71.dll
2010-04-01 00:44 . 2010-04-01 00:44 61440 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-438f73be-n\decora-sse.dll
2010-04-01 00:44 . 2010-04-01 00:44 12800 ----a-w- c:\documents and settings\Alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-438f73be-n\decora-d3d.dll
2010-04-01 00:43 . 2008-10-07 13:34 -------- d-----w- c:\program files\Java
2010-03-29 07:22 . 2010-03-29 07:22 -------- d-----w- c:\program files\Common Files\Skype
2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 20:28 . 2008-11-22 08:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-08 09:17 . 2010-03-08 09:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trusteer
2010-02-25 06:24 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2008-04-14 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-14 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-03-31 14:47 . 2008-08-27 12:24 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-03 39408]
"NortonUpdateAgent"="c:\documents and settings\All Users\Application Data\Norton\NUA.exe" [2010-04-12 1808752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]
"SkyTel"="SkyTel.EXE" [2007-10-11 1826816]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"CAPON"="c:\windows\system32\Spool\Drivers\w32x86\3\CAPONN.EXE" [2001-02-05 22528]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-03 524632]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-13 611712]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Canon LBP-810 Status Window.LNK - c:\windows\system32\spool\drivers\w32x86\3\CAPPSWK.EXE [2002-9-5 113664]
ImageMixer 3 SE Camera Monitor Ver.4.lnk - c:\program files\PIXELA\ImageMixer 3 SE Ver.4\Transfer Utility\CameraMonitor.exe [2009-5-18 253952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 07:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Alan^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Alan\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 05:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-06-28 16:43 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 02:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 09:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-01-06 17:36 81920 ----a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-12-03 06:32 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/02/2009 7:54 PM 64160]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/03/2010 1:47 PM 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/03/2010 1:47 PM 116328]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27/04/2010 5:30 PM 61440]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [19/01/2009 5:34 AM 1029456]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [19/02/2008 3:37 AM 149352]
R2 RapidPort;RapidPort;c:\windows\system32\drivers\CAPLPTN.SYS [28/08/2008 5:25 PM 22912]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/03/2010 1:47 PM 779496]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 7:31 PM 92008]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [25/08/2008 1:54 PM 36864]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27/08/2009 10:12 AM 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/01/2010 2:54 PM 135664]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [13/01/2008 10:32 AM 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-05-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 12:54]

2010-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2010-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-03 04:04]

2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 06:54]

2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 06:54]

2010-05-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-09 14:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com.au/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: wager.org.au
TCP: {6CB1C77B-B89E-4DC7-AC63-B6CF28D074E9} = 61.9.242.33,61.9.226.33
FF - ProfilePath - c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\s7vr2ia0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bigpond.com/homepage/
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 23:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-05-06 23:03:35
ComboFix-quarantined-files.txt 2010-05-06 15:03
ComboFix2.txt 2010-05-06 13:19

Pre-Run: 196,936,515,584 bytes free
Post-Run: 196,924,575,744 bytes free

- - End Of File - - 1B1C300C0212FF1F006D78504288F135



#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:50 PM

Posted 07 May 2010 - 08:07 PM

Hi,

Yes the log is better now.


1. When the computer crashes after restart the system makes dump files (Minixxxxx.dmp where x represent a number). I need to see the file to find the cause of the crash.
Use Windows Advanced Search to find the file, to do that:
  • Click the Start button then click Search and the Search window will open.
  • Click All Files or Folders.
  • Type mini*.dmp at the box where it say's "All or part of the file name".
  • Look through your hard drive.
  • Under the More options Tab, put a check at the Following:
Search system folders
Search hidden files and folders
Search subfolders
  • Then click search to search.
  • Zip the file and attach it to your reply. To attach the file:
        * When you press the ADDREPLY, under the reply window press Browse... show the path to the zip-file on your computer:
        * Highlight the zip-file and click Open then press the green UPLOAD button.




2. Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply .
Note: Kaspersky online scan may take time to complete, please be patient.



~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 Gemma.C

Gemma.C
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:50 AM

Posted 11 May 2010 - 11:22 AM

Hi, thanks for your help so far !

I have attached the zipped file you asked for, and have also included the Kaspersky log (seems there is another infection !).

I zipped the file using WinRAR - I hope that is okay and that the file is readable. Let me know if I need to do it another way.

Thanks again.


KASPERSKY ONLINE SCANNER 7.0: scan reportKASPERSKY ONLINE SCANNER 7.0:
scan report
Tuesday, May 11, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build
2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, May 10, 2010 23:34:12
Records in database: 4092647


Scan settings
scan using the following database extended
Scan archivesyes
Scan e-mail databasesno

Scan area My Computer
C:\
D:\
E:\

Scan statistics
Objects scanned 102719
Threats found 1
Infected objects found 2
Suspicious objects found 0
Scan duration 08:30:59

File name ThreatT hreats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mouclass.sys.virInfected:
Rootkit.Win32.TDSS.ap1

C:\System Volume
Information\_restore{EBDC24B1-3197-434E-844B-45D46372F894}\RP600\A0063354.sysInfected:
Rootkit.Win32.TDSS.ap1

Selected area has been scanned.

Attached Files



#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:50 PM

Posted 12 May 2010 - 04:40 AM

Hi,

Kaspersky found a quarantine file and a system restore entry and we will deal with them later.

Rootkit may still be present base on your dump file.


++++++++++++++++++++++++


1. Scan with Vba32Arkit.
  • Save Vba32Arkit.zip to your desktop.
  • Extract the zip file to a folder named Vba.
  • Open the Vba folder and double click Vba32Arkit.exe to run the tool.
  • Press the Start button and let Vba32Arkit to make a FULL SCAN of your system.
  • After scanning press the File button -> Logging State -> Click start to save the logfile.
  • When prompted to view generated log file, select No and then exit the tool.
  • Attach the log file when you reply.



2. Download OTL to your Desktop.
  • Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Copy and Paste the following code into the Custom Scan/Fixes box. Do not include the word "Code"

    CODE

    /md5start
    pwtdypob.sys
    /md5stop


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them when you reply.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 Gemma.C

Gemma.C
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:50 AM

Posted 14 May 2010 - 08:41 PM

Hi again smile.gif

Attached is the zipped log file from vba and below are the two log files from OTL. I tried to follow all the instructions for the scans - let me know if I did something wrong !

The redirects have definitely disappeared - haven't had one since last week. Thanks so much for that. Hopefully the rest can be sorted out easily too. I really do appreciate all your help !


OTL logfile created on: 13/05/2010 5:46:39 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Alan\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 182.45 Gb Free Space | 61.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 1.92 Gb Total Space | 1.37 Gb Free Space | 71.11% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STELLA
Current User Name: Alan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/13 17:42:39 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Alan\Desktop\OTL.exe
PRC - [2010/03/15 13:47:22 | 001,303,784 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2010/03/15 13:47:22 | 000,779,496 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2010/03/03 20:54:44 | 000,524,632 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/03/03 20:54:43 | 001,029,456 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/12/12 15:10:47 | 001,038,336 | ---- | M] () -- C:\Program Files\WinRAR\WinRAR.exe
PRC - [2009/11/13 19:31:14 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2009/03/24 10:00:00 | 001,983,816 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2008/12/03 14:32:13 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/10/20 22:18:26 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2008/10/17 14:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
PRC - [2008/09/18 22:14:32 | 000,253,952 | ---- | M] (PIXELA CORPORATION) -- C:\Program Files\PIXELA\ImageMixer 3 SE Ver.4\Transfer Utility\CameraMonitor.exe
PRC - [2008/08/27 20:06:09 | 001,245,064 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PRC - [2008/08/04 11:20:16 | 003,220,856 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
PRC - [2008/04/14 20:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/22 06:02:53 | 000,238,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
PRC - [2008/02/22 06:02:34 | 000,308,600 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2002/09/05 16:00:00 | 000,113,664 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
PRC - [2001/02/05 16:00:00 | 000,028,160 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\CAPRPCSK.EXE


========== Modules (SafeList) ==========

MOD - [2010/05/13 17:42:39 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Alan\Desktop\OTL.exe
MOD - [2010/02/25 16:25:58 | 000,496,872 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll
MOD - [2008/04/14 20:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/03/15 13:47:22 | 000,779,496 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2010/03/03 20:54:43 | 001,029,456 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/11/22 10:10:11 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/11/13 19:31:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/10/27 09:26:36 | 000,657,408 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2008/10/20 22:18:26 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
SRV - [2008/10/17 14:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (LiveUpdate Notice)
SRV - [2008/10/17 14:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService)
SRV - [2008/10/17 14:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2008/10/17 14:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2008/08/27 20:06:09 | 001,245,064 | ---- | M] () [On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
SRV - [2008/08/04 11:20:16 | 003,220,856 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate)
SRV - [2008/02/22 06:02:53 | 000,238,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2007/08/22 16:21:30 | 000,055,640 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe -- (comHost)
SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2006/01/06 21:25:12 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- (SSScsiSV)
SRV - [2005/11/24 16:03:22 | 000,053,337 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2005/11/24 15:57:44 | 000,053,337 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2005/11/24 15:47:30 | 000,069,718 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)


========== Driver Services (SafeList) ==========

DRV - [2010/05/10 16:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100512.040\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/10 16:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100512.040\NAVENG.SYS -- (NAVENG)
DRV - [2010/04/27 17:30:10 | 000,061,440 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/03/15 13:47:30 | 000,116,328 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2010/03/15 13:47:30 | 000,058,984 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys -- (RapportKELL)
DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/11/20 11:02:58 | 000,268,664 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\SymcData\ipsdefs\20100510.001\SymIDSco.sys -- (SYMIDSCO)
DRV - [2009/10/06 11:52:50 | 000,007,936 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2009/10/06 11:52:34 | 000,022,016 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2009/10/06 11:52:34 | 000,017,664 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2009/10/06 11:52:34 | 000,007,936 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2009/08/26 16:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/08/26 16:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/04/22 20:55:30 | 000,064,160 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/02/19 10:31:42 | 000,031,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2009/02/19 10:31:42 | 000,031,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2009/02/19 10:31:16 | 000,184,496 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2009/02/19 10:31:16 | 000,096,560 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMFW.SYS -- (SYMFW)
DRV - [2009/02/19 10:31:16 | 000,038,576 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMIDS.SYS -- (SYMIDS)
DRV - [2009/02/19 10:31:16 | 000,037,424 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2009/02/19 10:31:16 | 000,022,320 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2009/02/19 10:31:16 | 000,013,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMDNS.SYS -- (SYMDNS)
DRV - [2009/01/09 12:29:18 | 000,124,464 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2008/09/05 13:31:42 | 000,447,024 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/08/14 07:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2008/07/30 17:42:12 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COH_Mon.sys -- (COH_Mon)
DRV - [2008/04/14 20:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/02/01 09:51:16 | 000,317,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2008/02/01 09:51:16 | 000,279,088 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2008/02/01 09:51:16 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2007/11/01 14:38:56 | 004,620,288 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/11/01 08:56:00 | 000,036,864 | R--- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l151x86.sys -- (AtcL001)
DRV - [2007/08/09 08:39:56 | 000,036,056 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CO_Mon.sys -- (CO_Mon)
DRV - [2007/06/29 00:43:00 | 006,807,328 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/08/13 18:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2001/02/05 16:00:00 | 000,022,912 | ---- | M] (CANON INC.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CAPLPTN.SYS -- (RapidPort)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com.au/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.bigpond.com/homepage/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\software\mozilla\Firefox\extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2010/01/12 22:13:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/16 20:11:29 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/08 13:24:15 | 000,000,000 | ---D | M]

[2008/11/03 22:23:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alan\Application Data\Mozilla\Extensions
[2008/11/03 22:23:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alan\Application Data\Mozilla\Extensions\home2@tomtom.com
[2010/05/12 10:28:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alan\Application Data\Mozilla\Firefox\Profiles\s7vr2ia0.default\extensions
[2009/09/02 12:37:48 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Alan\Application Data\Mozilla\Firefox\Profiles\s7vr2ia0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/12 10:28:44 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/29 15:23:07 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/05/08 13:24:17 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2009/03/31 22:47:26 | 000,324,976 | ---- | M] (Symantec Corporation) -- C:\Program Files\Mozilla Firefox\components\coFFPlgn.dll
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2009/11/22 16:47:56 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Show Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Show Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Show Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [CAPON] C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPONN.EXE (CANON INC.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [osCheck] C:\Program Files\Norton 360\osCheck.exe (Symantec Corporation)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Canon LBP-810 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE (CANON INC.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ImageMixer 3 SE Camera Monitor Ver.4.lnk = C:\Program Files\PIXELA\ImageMixer 3 SE Ver.4\Transfer Utility\CameraMonitor.exe (PIXELA CORPORATION)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: wager.org.au ([]https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 61.9.242.33 61.9.226.33
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Program Files\PS\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Program Files\PS\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Alan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/25 13:07:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/13 17:42:33 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Alan\Desktop\OTL.exe
[2010/05/13 17:41:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Alan\Desktop\vba
[2010/05/12 00:58:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Alan\Desktop\New Folder
[2010/05/10 10:54:07 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\CanonIJEGV
[2010/05/10 10:05:44 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/08 13:24:15 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/08 13:24:15 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/08 13:24:15 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/08 13:24:15 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/06 21:04:55 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/06 21:03:09 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/06 21:03:09 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/06 21:03:09 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/06 21:03:09 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/06 21:02:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/06 21:02:23 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/04 09:42:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/05/04 00:26:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/05/04 00:26:19 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/05/03 23:40:36 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/05/03 23:18:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/05/03 23:17:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Alan\Application Data\SUPERAntiSpyware.com
[2010/05/03 23:17:52 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/05/03 23:17:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/05/03 16:56:32 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/29 20:24:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2010/04/29 20:24:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
[2010/04/29 07:40:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2010/04/28 21:26:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Alan\Application Data\Malwarebytes
[2010/04/28 21:26:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/28 21:26:24 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 21:26:24 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/28 21:26:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/27 18:02:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Google
[2010/04/26 22:34:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/04/26 22:32:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Alan\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/04/26 13:57:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/26 13:57:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/18 16:47:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/04/13 19:40:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Alan\My Documents\Superior Interactive
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/13 17:44:07 | 000,134,533 | ---- | M] () -- C:\Documents and Settings\Alan\My Documents\Vba32ArkitLog.html
[2010/05/13 17:44:07 | 000,018,412 | ---- | M] () -- C:\Documents and Settings\Alan\My Documents\Vba32ArkitLog.zip
[2010/05/13 17:42:39 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Alan\Desktop\OTL.exe
[2010/05/13 17:35:51 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/05/13 17:30:14 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/13 17:29:18 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/05/13 17:28:56 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/13 17:28:55 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/13 17:28:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/13 15:15:14 | 004,980,736 | -H-- | M] () -- C:\Documents and Settings\Alan\NTUSER.DAT
[2010/05/13 15:10:02 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/12 20:54:33 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/12 11:30:52 | 000,047,104 | ---- | M] () -- C:\Documents and Settings\Alan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/11 20:18:43 | 000,003,148 | ---- | M] () -- C:\Documents and Settings\Alan\Desktop\report.html
[2010/05/10 10:09:15 | 000,017,639 | ---- | M] () -- C:\Documents and Settings\Alan\Desktop\Mini050810-01.zip
[2010/05/10 09:12:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/05/06 23:02:32 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/06 21:05:12 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/05/06 20:55:22 | 003,683,412 | R--- | M] () -- C:\Documents and Settings\Alan\Desktop\ComboFix.exe
[2010/05/05 12:24:16 | 000,011,569 | ---- | M] () -- C:\Documents and Settings\Alan\Desktop\Sing & Kl.docx
[2010/05/04 17:12:14 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Alan\Desktop\gmer.zip
[2010/05/04 17:07:20 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Alan\defogger_reenable
[2010/05/04 16:55:10 | 000,006,469 | ---- | M] () -- C:\Documents and Settings\Alan\address book
[2010/05/04 12:30:00 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/04 09:02:47 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/05/04 08:52:51 | 000,000,498 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/04 08:52:51 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/05/03 23:18:03 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/03 16:56:32 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Alan\Desktop\HijackThis.lnk
[2010/05/02 19:25:51 | 000,519,600 | ---- | M] () -- C:\Documents and Settings\Alan\Desktop\EPA_Guide.pdf
[2010/05/01 21:10:50 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/04/29 21:48:05 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Alan\Local Settings\Application Data\housecall.guid.cache
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 21:26:28 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/26 22:36:35 | 000,000,732 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/26 13:53:15 | 000,012,844 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\45GGW
[2010/04/26 13:53:15 | 000,012,844 | -HS- | M] () -- C:\Documents and Settings\Alan\Local Settings\Application Data\45GGW
[2010/04/22 12:58:36 | 002,499,072 | ---- | M] () -- C:\Documents and Settings\Alan\Desktop\alan cadby(D.Black).doc
[2010/04/18 16:56:28 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Alan\ntuser.ini
[2010/04/14 21:11:45 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/14 11:21:01 | 000,473,854 | ---- | M] () -- C:\Documents and Settings\Alan\Desktop\SmartForm(WACOT).pdf
[2010/04/13 23:49:15 | 002,643,966 | -H-- | M] () -- C:\Documents and Settings\Alan\Local Settings\Application Data\IconCache.db
[2010/04/13 20:49:13 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/13 17:44:07 | 000,134,533 | ---- | C] () -- C:\Documents and Settings\Alan\My Documents\Vba32ArkitLog.html
[2010/05/13 17:44:07 | 000,018,412 | ---- | C] () -- C:\Documents and Settings\Alan\My Documents\Vba32ArkitLog.zip
[2010/05/11 20:18:43 | 000,003,148 | ---- | C] () -- C:\Documents and Settings\Alan\Desktop\report.html
[2010/05/10 10:09:15 | 000,017,639 | ---- | C] () -- C:\Documents and Settings\Alan\Desktop\Mini050810-01.zip
[2010/05/06 21:05:10 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/05/06 21:04:58 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/06 21:03:09 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/06 21:03:09 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/06 21:03:09 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/06 21:03:09 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/06 21:03:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/06 20:55:05 | 003,683,412 | R--- | C] () -- C:\Documents and Settings\Alan\Desktop\ComboFix.exe
[2010/05/04 19:12:36 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Alan\Desktop\gmer.exe
[2010/05/04 17:12:14 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Alan\Desktop\gmer.zip
[2010/05/04 17:07:20 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Alan\defogger_reenable
[2010/05/04 16:55:10 | 000,006,469 | ---- | C] () -- C:\Documents and Settings\Alan\address book
[2010/05/03 23:18:03 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/03 16:56:32 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Alan\Desktop\HijackThis.lnk
[2010/05/02 19:25:48 | 000,519,600 | ---- | C] () -- C:\Documents and Settings\Alan\Desktop\EPA_Guide.pdf
[2010/05/01 19:26:58 | 000,011,569 | ---- | C] () -- C:\Documents and Settings\Alan\Desktop\Sing & Kl.docx
[2010/04/29 21:48:05 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Alan\Local Settings\Application Data\housecall.guid.cache
[2010/04/28 21:26:28 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/27 18:02:05 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/26 22:34:42 | 000,000,732 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/04/26 13:51:14 | 000,012,844 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\45GGW
[2010/04/26 13:51:14 | 000,012,844 | -HS- | C] () -- C:\Documents and Settings\Alan\Local Settings\Application Data\45GGW
[2010/04/22 12:40:02 | 002,499,072 | ---- | C] () -- C:\Documents and Settings\Alan\Desktop\alan cadby(D.Black).doc
[2010/04/14 11:21:01 | 000,473,854 | ---- | C] () -- C:\Documents and Settings\Alan\Desktop\SmartForm(WACOT).pdf
[2010/04/13 20:49:13 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/12/31 15:47:33 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\PixText.dll
[2008/08/25 14:45:38 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/08/25 14:42:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\msicpl.ini
[2008/08/25 14:10:58 | 000,131,072 | R--- | C] () -- C:\WINDOWS\System32\smdll.dll
[2008/08/25 14:10:55 | 000,262,144 | R--- | C] () -- C:\WINDOWS\System32\HookMAp.dll
[2008/08/25 14:10:55 | 000,032,768 | R--- | C] () -- C:\WINDOWS\System32\Auxiliary.dll
[2008/08/25 14:10:54 | 000,266,240 | R--- | C] () -- C:\WINDOWS\System32\HookShield.dll
[2008/08/25 14:10:54 | 000,009,728 | R--- | C] () -- C:\WINDOWS\System32\sysinfoX64.sys
[2008/08/25 14:10:54 | 000,008,192 | R--- | C] () -- C:\WINDOWS\System32\sysinfo.sys
[2008/08/25 13:14:22 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2008/08/25 13:14:21 | 000,010,740 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/08/25 13:14:11 | 000,012,536 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/06/29 00:43:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/06/29 00:43:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/06/29 00:43:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/06/29 00:43:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/06/29 00:43:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2000/02/09 14:08:38 | 000,231,424 | ---- | C] () -- C:\WINDOWS\System32\Maxfun.dll

========== Custom Scans ==========


< >

< End of report >




OTL Extras logfile created on: 13/05/2010 5:46:39 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Alan\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 182.45 Gb Free Space | 61.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 1.92 Gb Total Space | 1.37 Gb Free Space | 71.11% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STELLA
Current User Name: Alan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Outlook Express\msimn.exe" = C:\Program Files\Outlook Express\msimn.exe:*:Enabled:Outlook Express -- (Microsoft Corporation)
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08C0729E-3E50-11DF-9D81-005056806466}" = Google Earth
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0BDD3FAD-61CD-4BF3-B9C4-4CEFD43F53F8}" = Norton 360 HTMLHelp
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP550_series" = Canon MP550 series MP Drivers
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{206FD69B-F9FE-4164-81BD-D52552BC9C23}" = GearDrvs
"{21829177-4DED-4209-AD08-490B3AC9C01A}" = Norton 360
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23E41DDC-ACF2-4EEA-9F4E-EC9AD0A65871}" = SymNet
"{244E21B9-164C-4EC1-AED8-9BD64161E66D}" = ArcSoft VideoImpression 2
"{24DF7221-644B-4C3A-A478-459502D40522}" = Backup
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java™ 6 Update 20
"{2D617065-1C52-4240-B5BC-C0AE12157777}" = Norton 360
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45690715-80A6-4445-B61D-ADEC5888E8CD}" = Symantec Technical Support Controls
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{55A6283C-638A-4EE0-B491-51118554BDA2}" = Norton Confidential Core
"{5D601655-6D54-4384-B52C-17EC5385FBBD}" = iTunes
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{6869591A-7DD8-46D2-837F-57CBF7358955}" = Nokia Connectivity Cable Driver
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{6E0352EE-6F0D-4FBC-B1B8-4FF032C78BE0}" = PC Connectivity Solution
"{6E19F210-3813-4002-B561-94D66AA182B6}" = Atheros Communications Inc.® L1 Gigabit Ethernet Driver
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7766EE25-8A7A-4051-97CA-75B5F9C63DB8}" = Polar WebLink 2.4.9
"{77772678-817F-4401-9301-ED1D01A8DA56}" = SPBBC 32bit
"{7AFDF9AE-66B2-4A1F-8249-32EF14B97150}" = ArcSoft PhotoImpression 5
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{83E222CC-223F-BE8C-0C77-0CEBDC2F9B57}" = Acrobat.com
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}" = Nokia PC Suite
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9E520B22-546E-4AD3-8958-7D1EB8587AB1}" = Music Transfer Utility Ver.1
"{A0EB195B-5876-48E6-879D-33D4B2102610}" = SonicStage 3.4
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AE6ECFF9-FD33-48A3-B4AC-89263CC393A8}" = ImageMixer 3 SE Ver.4 Video Tools
"{B24E05CC-46FF-4787-BBB8-5CD516AFB118}" = ccCommon
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B26B00DA-2E5D-4CF2-83C5-911198C0F009}" = GoodSync
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CAE4E520-4695-4A96-8661-B62FA5FB669E}" = ImageMixer 3 SE Ver.4 Transfer Utility
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFB17307-B244-4EAD-AE8E-CDAF440477C2}" = OpenMG Secure Module 4.4.00
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}" = Symantec Real Time Storage Protection Component
"{D90AFDE3-3E67-407A-ACA8-F0BAAD012F08}" = Safari
"{DDBB28C8-B2AA-45A1-8DCE-059A798509FB}" = MobileMe Control Panel
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{E80F62FF-5D3C-4A19-8409-9721F2928206}" = LiveUpdate (Symantec Corporation)
"{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}" = AppCore
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"05B59228C7E1C21DFBE89260F879BD95880548D8" = Windows Driver Package - Nokia Modem (10/05/2009 4.2)
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"8CDCFB95BB84DD9C0F88F22266A0CA86035E55BA" = Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"Boots F2CD Picture Suite" = Boots F2CD Picture Suite
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon Advanced Printing Technology" = Canon CAPT printers
"Canon ScanGear Toolbox CS" = Canon ScanGear Toolbox CS 2.2
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CCleaner" = CCleaner
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CSCLIB" = Canon Camera Support Core Library
"DVD Flick_is1" = DVD Flick
"DVD Shrink_is1" = DVD Shrink 3.2
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Google Updater" = Google Updater
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"ie8" = Windows Internet Explorer 8
"ImgBurn" = ImgBurn
"InstallShield_{CFB17307-B244-4EAD-AE8E-CDAF440477C2}" = OpenMG Secure Module 4.4.00
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MiKTeX 2.8" = MiKTeX 2.8
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MP Navigator EX 3.0" = Canon MP Navigator EX 3.0
"Mp3tag" = Mp3tag v2.44
"MusicBrainz Picard" = MusicBrainz Picard 0.11
"MyCamera" = Canon Utilities MyCamera
"Nokia PC Suite" = Nokia PC Suite
"NVIDIA Drivers" = NVIDIA Drivers
"OpenMG HotFix4.4-05-12-06-01" = OpenMG Limited Patch 4.4-06-13-19-01
"PsuedoLiveUpdate" = LiveUpdate (Symantec Corporation)
"QUANTO 1.2.4" = QUANTO 1.2.4
"R for Windows 2.10.1_is1" = R for Windows 2.10.1
"Rapport_msi" = Rapport
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Spell Checker For OE 2.1" = Spell Checker For OE 2.1
"ST6UNST #1" = PS - Power and Sample Size Calculation
"SymSetup.{2D617065-1C52-4240-B5BC-C0AE12157777}" = Norton 360 (Symantec Corporation)
"TomTom HOME" = TomTom HOME 2.7.3.1894
"VLC media player" = VLC media player 0.9.8a
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WinShell_is1" = WinShell
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/05/2010 6:14:28 PM | Computer Name = STELLA | Source = ESENT | ID = 455
Description = wuaueng.dll (3172) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 7/05/2010 6:14:38 PM | Computer Name = STELLA | Source = ESENT | ID = 489
Description = wuauclt (3172) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 7/05/2010 6:14:38 PM | Computer Name = STELLA | Source = ESENT | ID = 455
Description = wuaueng.dll (3172) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 7/05/2010 6:14:58 PM | Computer Name = STELLA | Source = ESENT | ID = 489
Description = wuauclt (5248) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 7/05/2010 6:14:58 PM | Computer Name = STELLA | Source = ESENT | ID = 455
Description = wuaueng.dll (5248) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 7/05/2010 6:15:08 PM | Computer Name = STELLA | Source = ESENT | ID = 489
Description = wuauclt (5248) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 7/05/2010 6:15:08 PM | Computer Name = STELLA | Source = ESENT | ID = 455
Description = wuaueng.dll (5248) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 8/05/2010 1:25:12 AM | Computer Name = STELLA | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 12.0.6504.5000, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/05/2010 1:59:29 AM | Computer Name = STELLA | Source = Application Error | ID = 1000
Description = Faulting application javaw.exe, version 6.0.200.2, faulting module
java.dll, version 6.0.200.2, fault address 0x00005875.

Error - 12/05/2010 10:15:05 AM | Computer Name = STELLA | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3743, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ OSession Events ]
Error - 27/04/2010 1:01:23 AM | Computer Name = STELLA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 978
seconds with 900 seconds of active time. This session ended with a crash.

Error - 27/04/2010 1:01:47 AM | Computer Name = STELLA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 8
seconds with 0 seconds of active time. This session ended with a crash.

Error - 3/05/2010 7:35:37 AM | Computer Name = STELLA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 318
seconds with 240 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 12/05/2010 9:59:05 AM | Computer Name = STELLA | Source = DCOM | ID = 10010
Description = The server {B2B3C70A-B20F-40B7-90C5-EA7E946C16E0} did not register
with DCOM within the required timeout.

Error - 12/05/2010 9:59:35 AM | Computer Name = STELLA | Source = DCOM | ID = 10010
Description = The server {B2B3C70A-B20F-40B7-90C5-EA7E946C16E0} did not register
with DCOM within the required timeout.

Error - 12/05/2010 10:00:05 AM | Computer Name = STELLA | Source = DCOM | ID = 10010
Description = The server {B2B3C70A-B20F-40B7-90C5-EA7E946C16E0} did not register
with DCOM within the required timeout.

Error - 12/05/2010 10:00:35 AM | Computer Name = STELLA | Source = DCOM | ID = 10010
Description = The server {B2B3C70A-B20F-40B7-90C5-EA7E946C16E0} did not register
with DCOM within the required timeout.

Error - 12/05/2010 10:01:05 AM | Computer Name = STELLA | Source = DCOM | ID = 10010
Description = The server {B2B3C70A-B20F-40B7-90C5-EA7E946C16E0} did not register
with DCOM within the required timeout.

Error - 12/05/2010 10:01:35 AM | Computer Name = STELLA | Source = DCOM | ID = 10010
Description = The server {B2B3C70A-B20F-40B7-90C5-EA7E946C16E0} did not register
with DCOM within the required timeout.

Error - 12/05/2010 10:02:05 AM | Computer Name = STELLA | Source = DCOM | ID = 10010
Description = The server {B2B3C70A-B20F-40B7-90C5-EA7E946C16E0} did not register
with DCOM within the required timeout.

Error - 12/05/2010 10:02:35 AM | Computer Name = STELLA | Source = DCOM | ID = 10010
Description = The server {B2B3C70A-B20F-40B7-90C5-EA7E946C16E0} did not register
with DCOM within the required timeout.

Error - 12/05/2010 10:03:05 AM | Computer Name = STELLA | Source = DCOM | ID = 10010
Description = The server {B2B3C70A-B20F-40B7-90C5-EA7E946C16E0} did not register
with DCOM within the required timeout.

Error - 12/05/2010 10:03:35 AM | Computer Name = STELLA | Source = DCOM | ID = 10010
Description = The server {B2B3C70A-B20F-40B7-90C5-EA7E946C16E0} did not register
with DCOM within the required timeout.


< End of report >

Attached Files



#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:50 PM

Posted 14 May 2010 - 10:02 PM

Hi,

The logs are clean, that driver on your dump file is actually from GMER. One last scan and if the result is clean then you're god to go. smile.gif


We Need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Open on your desktop.
  3. Click the tab.
  4. Click the button.
  5. Check all seven boxes:
  6. Push Ok
  7. Check the box for your main system drive (Usually C:), and press Ok.
  8. Allow RootRepeal to run a scan of your system. This may take some time.
  9. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 Gemma.C

Gemma.C
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:50 AM

Posted 16 May 2010 - 05:17 AM

Hopefully this is the last scan smile.gif


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/05/16 17:45
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6261000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE10000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB47AE000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x89c3a8c0

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x89c3a9a0

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x891193c8

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6382d82

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a2b6f48

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb638348e

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb65b7020

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x89c3a610

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89d4c478

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x89c3a290

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb63835da

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6386d54

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6386d86

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x89119268

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x89c3a700

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x89c3a7e0

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x89c3afb0

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x89c3a530

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb638353e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6382ec6

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x89d52f08

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x89c3a370

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb63830b8

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x89c3ad88

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb63831ea

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6386e5e

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6386dc8

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6386dfa

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6386e2c

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x89d4fc40

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6382d30

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb638363a

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x89c3ae58

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x89c3ac30

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6386cec

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x89c3a450

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6382cd4

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6382c30

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6382c78

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x89d59a30

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x89119338

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6388384

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb63883d2

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6383962

#: 477 Function Name: NtUserPrintWindow
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb638842c

#: 483 Function Name: NtUserQueryWindow
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb63838d6

==EOF==

#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:50 PM

Posted 16 May 2010 - 06:16 AM

Hi,

Looks good, time for housekeeping.


Uninstall:
1. ComboFix
  • Click Start > Run > copy/paste the following bolded text into the Run box and click OK:
    ComboFix /Uninstall

2. Java™ 6 Update 7 (Old Java version)
  • Go to Control Panel > Add Remove Programs > locate and remove Java™ 6 Update 7.



Delete:
1. GMER
2. DDS
3. Vba32Arkit.zip
4. Vba folder
5. Rootrepeal



Clean-up with OTL:
  • Run OTL
  • Click on the CleanUp! button.


Others:
  1. Please run defogger and click Enable button to enable your CD Emulation drivers. Reboot if ask.
  2. You can now delete defogger.


===========================================


Your Log is Clean, please change all your offline and online passwords.

Take the time to read below to secure your machine and take the necessary steps to keep it Clean smile.gif
How to prevent Malware: by miekiemoes
How to increase PC speed: by miekiemoes

Visit Microsoft's Windows Update Site Frequently
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install SpywareBlaster
SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware


Practice Safe Internet
One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:
  1. If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  2. If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  3. If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  4. If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  5. Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  6. Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  7. When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  8. Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  9. Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  10. DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.



Thank you,
~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:50 PM

Posted 18 May 2010 - 09:54 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. smile.gif

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users