Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Updates Released For Critical Vulnerabilities in Adobe Acrobat and Reader

Featured Deal: Get 98% off The Complete JavaScript & jQuery Programming Bundle Deal

Google Re-Direct / Possible rootkit/keylogger infection

Started by ImBobV , May 04 2010 08:38 PM

This topic is locked

16 replies to this topic

#1 ImBobV

Members
9 posts
OFFLINE

Local time:01:20 AM

Posted 04 May 2010 - 08:38 PM

Working on my daughter's 4 yearold Dell M140 laptop. Performed perfectly until about 3 weeks ago. She first received an email from her college's ISS department that she needed to bring her computer to them as it had been identified as transmitting data consistent with a virus or keylogger. It was running AVG 9.0 at the time, updated daily, with daily scans. All clean. Never any popups or redirects. She uses Firefox.

They removed AVG and installed Microsoft Security Essentials. Said they found a few things, and returned it to her. 2 days later they emailed her again and removed her from the school network. Since her school is a couple hours away, I took her my laptop to finish the last 2 weeks of school, and have hers now. The school said she has some type of rootkit infection that is beyond the scope of service they provide.

My neighborhood "PC guy" installed Symantec Endpoint which found some nasties: a BUNCH of Trojan.Mebroot files, Packed.Mystic!Gen5 (Ave.exe), and some bloodhound exploits. He pronounced it clean and gave it back.

Since then, I've been very afraid to do much. The only obvious problem is that Google searches are being redirected to random sites, so I know it's not completely clean. Endpoint, MBAM, Microsoft Security and the ESET Online scanner all scan clean... Not sure what to think, but I'm obviously very concerned about the keylogger aspect that the ISS folks mentioned.

Help! and THANKS in advance!

(DDS attachment and Gmer attachment included below.)

DDS.txt log:
DDS (Ver_10-03-17.01) - NTFSx86
Run by AmandaV at 18:46:24.79 on Tue 05/04/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.279 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\AmandaV\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.washburn.edu/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Walgreens PhotoShow Media Manager] c:\progra~1\walgre~1\walgre~1\data\xtras\mssysmgr.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [LDTray] c:\program files\livescribe\livescribe desktop\LDTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\amandav\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_20.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {60631456-D6A5-4B38-AC62-B564E758A507} = 4.4.4.4,8.8.8.8
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~1\GOEC62~1.DLL
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\amandav\applic~1\mozilla\firefox\profiles\gea8qnir.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.washburn.edu
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-7 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-7 108392]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2010-2-4 151552]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-10-7 2440632]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-13 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-4-28 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100502.005\NAVENG.SYS [2010-5-2 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100502.005\NAVEX15.SYS [2010-5-2 1324720]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-10-7 23888]
S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2010-2-4 19584]
S3 SmartpenBus;Smartpen Enumerator;c:\windows\system32\drivers\SmartpenBus.sys [2008-8-24 38528]
S3 SmartpenCom;Smartpen Communications;c:\windows\system32\drivers\SmartpenCom.sys [2008-8-24 35328]

=============== Created Last 30 ================

2010-05-04 23:41:24 0 ----a-w- c:\documents and settings\amandav\defogger_reenable
2010-05-02 00:30:39 0 d-----w- c:\program files\iPod
2010-05-02 00:30:13 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-02 00:30:12 0 d-----w- c:\program files\iTunes
2010-05-02 00:20:46 0 d-----w- c:\program files\Bonjour
2010-05-01 01:09:57 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-28 23:33:03 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-28 23:33:03 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-28 23:33:02 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-28 23:33:02 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-28 23:26:18 0 d-----w- c:\program files\Symantec
2010-04-28 23:24:21 0 d-----w- c:\program files\common files\Symantec Shared
2010-04-28 23:24:20 0 d-----w- c:\program files\Symantec AntiVirus
2010-04-28 23:24:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-04-28 01:24:43 0 d-----w- c:\windows\system32\LogFiles
2010-04-27 16:10:50 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-26 22:33:41 0 d-----w- c:\program files\Microsoft Security Essentials
2010-04-26 19:35:07 0 d-----w- c:\program files\CCleaner
2010-04-26 19:24:28 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2010-04-26 19:24:28 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2010-04-22 18:29:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-22 16:01:55 0 d-----w- c:\docume~1\amandav\applic~1\Malwarebytes
2010-04-22 16:01:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-22 16:01:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-22 16:01:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-22 16:01:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-21 00:42:49 1409 ----a-w- c:\windows\system32\tmp0D085.FOT
2010-04-21 00:42:48 1409 ----a-w- c:\windows\system32\tmpA2F75.FOT
2010-04-21 00:42:48 1409 ----a-w- c:\windows\system32\tmp7AF75.FOT
2010-04-21 00:42:48 1409 ----a-w- c:\windows\system32\tmp5FF75.FOT
2010-04-21 00:42:48 1409 ----a-w- c:\windows\system32\tmp26085.FOT
2010-04-15 15:56:36 0 d-----w- c:\program files\Windows Installer Clean Up
2010-04-12 03:41:42 0 d-----w- c:\windows\pss
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

==================== Find3M ====================

2010-04-27 21:14:50 40198 ----a-w- c:\docume~1\amandav\applic~1\wklnhst.dat
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-23 05:20:02 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2010-02-17 14:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 14:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2009-03-30 21:22:06 104 --sh--r- c:\windows\system32\2EACE13AF4.sys
2009-03-30 21:22:10 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 18:47:14.00 ===============

Attached Files

Attach.txt 13.37KB 3 downloads
ark.txt 37.17KB 1 downloads

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 schrauber

Mr.Mechanic

Malware Response Team
24,794 posts
OFFLINE

Gender:Male
Location:Munich,Germany
Local time:07:20 AM

Posted 07 May 2010 - 01:41 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
- DDS.scr
- DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Please download GMER from one of the following locations and save it to your desktop:

Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

regards,
schrauber

Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 ImBobV

Topic Starter

Members
9 posts
OFFLINE

Local time:01:20 AM

Posted 07 May 2010 - 02:08 PM

I'm still here!
I will re-run fresh DDS and Gmer tonight, although I doubt they have changed since I turned the laptop off immediately after posting them above.

Thanks - looking forward to sorting this out.

#4 ImBobV

Topic Starter

Members
9 posts
OFFLINE

Local time:01:20 AM

Posted 07 May 2010 - 10:08 PM

dds.txt : (attach,txt is attached below)
I was unclear whether you wanted gmer.log pasted or attached, do I did both.

DDS (Ver_10-03-17.01) - NTFSx86
Run by AmandaV at 20:13:04.23 on Fri 05/07/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.457 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscript.exe
C:\Documents and Settings\AmandaV\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.washburn.edu/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Walgreens PhotoShow Media Manager] c:\progra~1\walgre~1\walgre~1\data\xtras\mssysmgr.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [LDTray] c:\program files\livescribe\livescribe desktop\LDTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\amandav\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_20.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {60631456-D6A5-4B38-AC62-B564E758A507} = 4.4.4.4,8.8.8.8
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~1\GOEC62~1.DLL
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\amandav\applic~1\mozilla\firefox\profiles\gea8qnir.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.washburn.edu
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-7 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-7 108392]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2010-2-4 151552]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-10-7 2440632]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-13 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-4-28 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100502.005\NAVENG.SYS [2010-5-2 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100502.005\NAVEX15.SYS [2010-5-2 1324720]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-10-7 23888]
S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2010-2-4 19584]
S3 SmartpenBus;Smartpen Enumerator;c:\windows\system32\drivers\SmartpenBus.sys [2008-8-24 38528]
S3 SmartpenCom;Smartpen Communications;c:\windows\system32\drivers\SmartpenCom.sys [2008-8-24 35328]

=============== Created Last 30 ================

2010-05-04 23:41:24 0 ----a-w- c:\documents and settings\amandav\defogger_reenable
2010-05-02 00:30:39 0 d-----w- c:\program files\iPod
2010-05-02 00:30:13 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-02 00:30:12 0 d-----w- c:\program files\iTunes
2010-05-02 00:20:46 0 d-----w- c:\program files\Bonjour
2010-05-01 01:09:57 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-28 23:33:03 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-28 23:33:03 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-28 23:33:02 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-28 23:33:02 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-28 23:26:18 0 d-----w- c:\program files\Symantec
2010-04-28 23:24:21 0 d-----w- c:\program files\common files\Symantec Shared
2010-04-28 23:24:20 0 d-----w- c:\program files\Symantec AntiVirus
2010-04-28 23:24:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-04-28 01:24:43 0 d-----w- c:\windows\system32\LogFiles
2010-04-27 16:10:50 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-26 22:33:41 0 d-----w- c:\program files\Microsoft Security Essentials
2010-04-26 19:35:07 0 d-----w- c:\program files\CCleaner
2010-04-26 19:24:28 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2010-04-26 19:24:28 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2010-04-22 18:29:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-22 16:01:55 0 d-----w- c:\docume~1\amandav\applic~1\Malwarebytes
2010-04-22 16:01:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-22 16:01:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-22 16:01:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-22 16:01:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-21 00:42:49 1409 ----a-w- c:\windows\system32\tmp0D085.FOT
2010-04-21 00:42:48 1409 ----a-w- c:\windows\system32\tmpA2F75.FOT
2010-04-21 00:42:48 1409 ----a-w- c:\windows\system32\tmp7AF75.FOT
2010-04-21 00:42:48 1409 ----a-w- c:\windows\system32\tmp5FF75.FOT
2010-04-21 00:42:48 1409 ----a-w- c:\windows\system32\tmp26085.FOT
2010-04-15 15:56:36 0 d-----w- c:\program files\Windows Installer Clean Up
2010-04-12 03:41:42 0 d-----w- c:\windows\pss
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

==================== Find3M ====================

2010-04-27 21:14:50 40198 ----a-w- c:\docume~1\amandav\applic~1\wklnhst.dat
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-23 05:20:02 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2010-02-17 14:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 14:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2009-03-30 21:22:06 104 --sh--r- c:\windows\system32\2EACE13AF4.sys
2009-03-30 21:22:10 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 20:13:52.09 ===============

gmer.log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-07 21:57:00
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\AmandaV\LOCALS~1\Temp\pwtdrpob.sys

---- System - GMER 1.0.15 ----

SSDT 86F1B1A0 ZwAlertResumeThread
SSDT 86E442B0 ZwAlertThread
SSDT 86D3E818 ZwAllocateVirtualMemory
SSDT 86D15EF0 ZwCreateMutant
SSDT 86D559F0 ZwCreateThread
SSDT 86DD9638 ZwFreeVirtualMemory
SSDT 86DD9F00 ZwImpersonateAnonymousToken
SSDT 86DD6F00 ZwImpersonateThread
SSDT 86D54AE8 ZwMapViewOfSection
SSDT 86F173A8 ZwOpenEvent
SSDT 86D60108 ZwOpenProcessToken
SSDT 86E494C8 ZwOpenThreadToken
SSDT 86E60F70 ZwResumeThread
SSDT 86D12368 ZwSetContextThread
SSDT 86D18BD0 ZwSetInformationProcess
SSDT 86EFE2B8 ZwSetInformationThread
SSDT 86EAEED8 ZwSuspendProcess
SSDT 86D279B8 ZwSuspendThread
SSDT 86D64550 ZwTerminateProcess
SSDT 86D1F6A0 ZwTerminateThread
SSDT 86D5F108 ZwUnmapViewOfSection
SSDT 86E640E0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 23B0 80501BE8 4 Bytes CALL DAC0A2C0
.text ntkrnlpa.exe!ZwCallbackReturn + 251C 80501D54 4 Bytes CALL AAD6F2A3
.text ntkrnlpa.exe!ZwCallbackReturn + 2760 80501F98 8 Bytes JMP D279B886

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft Security Essentials\msseces.exe[252] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F52862
.text C:\Program Files\Microsoft Security Essentials\msseces.exe[252] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F526EE
.text C:\Program Files\Microsoft Security Essentials\msseces.exe[252] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F527E0
.text C:\Program Files\Microsoft Security Essentials\msseces.exe[252] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F52726
.text C:\Program Files\Microsoft Security Essentials\msseces.exe[252] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F5275E
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[308] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E82862
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[308] ws2_32.dll!send 71AB4C27 5 Bytes JMP 00E826EE
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[308] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E827E0
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[308] ws2_32.dll!recv 71AB676F 5 Bytes JMP 00E82726
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[308] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E8275E
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[672] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01002862
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[672] ws2_32.dll!send 71AB4C27 5 Bytes JMP 010026EE
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[672] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010027E0
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[672] ws2_32.dll!recv 71AB676F 5 Bytes JMP 01002726
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[672] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0100275E
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1288] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00BA2862
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1288] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00BA26EE
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1288] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00BA27E0
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1288] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00BA2726
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1288] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00BA275E
.text C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe[1532] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00692862
.text C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe[1532] WS2_32.dll!send 71AB4C27 5 Bytes JMP 006926EE
.text C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe[1532] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 006927E0
.text C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe[1532] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00692726
.text C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe[1532] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0069275E
.text C:\Program Files\Symantec AntiVirus\Smc.exe[1596] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01312862
.text C:\Program Files\Symantec AntiVirus\Smc.exe[1596] WS2_32.dll!send 71AB4C27 5 Bytes JMP 013126EE
.text C:\Program Files\Symantec AntiVirus\Smc.exe[1596] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 013127E0
.text C:\Program Files\Symantec AntiVirus\Smc.exe[1596] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01312726
.text C:\Program Files\Symantec AntiVirus\Smc.exe[1596] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0131275E
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1676] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00702862
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1676] WS2_32.dll!send 71AB4C27 5 Bytes JMP 007026EE
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1676] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 007027E0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1676] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00702726
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1676] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0070275E
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1804] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 011A2862
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1804] WS2_32.dll!send 71AB4C27 5 Bytes JMP 011A26EE
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1804] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011A27E0
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1804] WS2_32.dll!recv 71AB676F 5 Bytes JMP 011A2726
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1804] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 011A275E
.text C:\Program Files\Bonjour\mDNSResponder.exe[1816] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 007F2862
.text C:\Program Files\Bonjour\mDNSResponder.exe[1816] WS2_32.dll!send 71AB4C27 5 Bytes JMP 007F26EE
.text C:\Program Files\Bonjour\mDNSResponder.exe[1816] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 007F27E0
.text C:\Program Files\Bonjour\mDNSResponder.exe[1816] WS2_32.dll!recv 71AB676F 5 Bytes JMP 007F2726
.text C:\Program Files\Bonjour\mDNSResponder.exe[1816] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 007F275E
.text C:\WINDOWS\eHome\ehRecvr.exe[1840] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00A12862
.text C:\WINDOWS\eHome\ehRecvr.exe[1840] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00A126EE
.text C:\WINDOWS\eHome\ehRecvr.exe[1840] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00A127E0
.text C:\WINDOWS\eHome\ehRecvr.exe[1840] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00A12726
.text C:\WINDOWS\eHome\ehRecvr.exe[1840] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00A1275E
.text C:\WINDOWS\eHome\ehSched.exe[1900] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00BF2862
.text C:\WINDOWS\eHome\ehSched.exe[1900] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00BF26EE
.text C:\WINDOWS\eHome\ehSched.exe[1900] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00BF27E0
.text C:\WINDOWS\eHome\ehSched.exe[1900] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00BF2726
.text C:\WINDOWS\eHome\ehSched.exe[1900] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00BF275E
.text C:\Program Files\iTunes\iTunesHelper.exe[2060] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01502862
.text C:\Program Files\iTunes\iTunesHelper.exe[2060] WS2_32.dll!send 71AB4C27 5 Bytes JMP 015026EE
.text C:\Program Files\iTunes\iTunesHelper.exe[2060] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 015027E0
.text C:\Program Files\iTunes\iTunesHelper.exe[2060] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01502726
.text C:\Program Files\iTunes\iTunesHelper.exe[2060] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0150275E
.text C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe[2236] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01422862
.text C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe[2236] WS2_32.dll!send 71AB4C27 5 Bytes JMP 014226EE
.text C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe[2236] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 014227E0
.text C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe[2236] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01422726
.text C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe[2236] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0142275E
.text C:\Program Files\DellSupport\DSAgnt.exe[2340] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FC2862
.text C:\Program Files\DellSupport\DSAgnt.exe[2340] ws2_32.dll!send 71AB4C27 5 Bytes JMP 00FC26EE
.text C:\Program Files\DellSupport\DSAgnt.exe[2340] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FC27E0
.text C:\Program Files\DellSupport\DSAgnt.exe[2340] ws2_32.dll!recv 71AB676F 5 Bytes JMP 00FC2726
.text C:\Program Files\DellSupport\DSAgnt.exe[2340] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FC275E
.text C:\WINDOWS\Explorer.EXE[2588] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01742862
.text C:\WINDOWS\Explorer.EXE[2588] WS2_32.dll!send 71AB4C27 5 Bytes JMP 017426EE
.text C:\WINDOWS\Explorer.EXE[2588] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 017427E0
.text C:\WINDOWS\Explorer.EXE[2588] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01742726
.text C:\WINDOWS\Explorer.EXE[2588] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0174275E
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2624] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01902862
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2624] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019026EE
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2624] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 019027E0
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2624] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01902726
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2624] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0190275E
.text C:\WINDOWS\system32\wdfmgr.exe[3124] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00A22862
.text C:\WINDOWS\system32\wdfmgr.exe[3124] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00A226EE
.text C:\WINDOWS\system32\wdfmgr.exe[3124] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00A227E0
.text C:\WINDOWS\system32\wdfmgr.exe[3124] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00A22726
.text C:\WINDOWS\system32\wdfmgr.exe[3124] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00A2275E
.text C:\Program Files\Symantec AntiVirus\SmcGui.exe[3332] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F72862
.text C:\Program Files\Symantec AntiVirus\SmcGui.exe[3332] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F726EE
.text C:\Program Files\Symantec AntiVirus\SmcGui.exe[3332] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F727E0
.text C:\Program Files\Symantec AntiVirus\SmcGui.exe[3332] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F72726
.text C:\Program Files\Symantec AntiVirus\SmcGui.exe[3332] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F7275E
.text C:\WINDOWS\ehome\ehtray.exe[3464] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01312862
.text C:\WINDOWS\ehome\ehtray.exe[3464] WS2_32.dll!send 71AB4C27 5 Bytes JMP 013126EE
.text C:\WINDOWS\ehome\ehtray.exe[3464] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 013127E0
.text C:\WINDOWS\ehome\ehtray.exe[3464] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01312726
.text C:\WINDOWS\ehome\ehtray.exe[3464] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0131275E
.text C:\WINDOWS\system32\hkcmd.exe[3488] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EA2862
.text C:\WINDOWS\system32\hkcmd.exe[3488] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EA26EE
.text C:\WINDOWS\system32\hkcmd.exe[3488] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EA27E0
.text C:\WINDOWS\system32\hkcmd.exe[3488] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EA2726
.text C:\WINDOWS\system32\hkcmd.exe[3488] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EA275E
.text C:\WINDOWS\system32\igfxpers.exe[3496] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EA2862
.text C:\WINDOWS\system32\igfxpers.exe[3496] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EA26EE
.text C:\WINDOWS\system32\igfxpers.exe[3496] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EA27E0
.text C:\WINDOWS\system32\igfxpers.exe[3496] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EA2726
.text C:\WINDOWS\system32\igfxpers.exe[3496] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EA275E
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3504] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 012B2862
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3504] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012B26EE
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3504] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012B27E0
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3504] WS2_32.dll!recv 71AB676F 5 Bytes JMP 012B2726
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3504] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 012B275E
.text C:\WINDOWS\system32\igfxsrvc.exe[3628] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F22862
.text C:\WINDOWS\system32\igfxsrvc.exe[3628] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F226EE
.text C:\WINDOWS\system32\igfxsrvc.exe[3628] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F227E0
.text C:\WINDOWS\system32\igfxsrvc.exe[3628] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F22726
.text C:\WINDOWS\system32\igfxsrvc.exe[3628] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F2275E
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[3652] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F62862
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[3652] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F626EE
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[3652] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F627E0
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[3652] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F62726
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[3652] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F6275E
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[3680] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E62862
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[3680] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E626EE
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[3680] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E627E0
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[3680] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E62726
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[3680] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E6275E
.text C:\WINDOWS\eHome\ehmsas.exe[3740] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DC2862
.text C:\WINDOWS\eHome\ehmsas.exe[3740] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DC26EE
.text C:\WINDOWS\eHome\ehmsas.exe[3740] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DC27E0
.text C:\WINDOWS\eHome\ehmsas.exe[3740] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DC2726
.text C:\WINDOWS\eHome\ehmsas.exe[3740] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DC275E
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[3788] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03722862
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[3788] WS2_32.dll!send 71AB4C27 5 Bytes JMP 037226EE
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[3788] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 037227E0
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[3788] WS2_32.dll!recv 71AB676F 5 Bytes JMP 03722726
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[3788] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0372275E
.text C:\WINDOWS\ehome\mcrdsvc.exe[3952] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D32862
.text C:\WINDOWS\ehome\mcrdsvc.exe[3952] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D326EE
.text C:\WINDOWS\ehome\mcrdsvc.exe[3952] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D327E0
.text C:\WINDOWS\ehome\mcrdsvc.exe[3952] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D32726
.text C:\WINDOWS\ehome\mcrdsvc.exe[3952] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D3275E
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe[4048] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D22862
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe[4048] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D226EE
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe[4048] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D227E0
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe[4048] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D22726
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe[4048] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D2275E
.text C:\WINDOWS\system32\dllhost.exe[4192] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F22862
.text C:\WINDOWS\system32\dllhost.exe[4192] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F226EE
.text C:\WINDOWS\system32\dllhost.exe[4192] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F227E0
.text C:\WINDOWS\system32\dllhost.exe[4192] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F22726
.text C:\WINDOWS\system32\dllhost.exe[4192] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F2275E
.text C:\Program Files\iPod\bin\iPodService.exe[4532] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CA2862
.text C:\Program Files\iPod\bin\iPodService.exe[4532] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CA26EE
.text C:\Program Files\iPod\bin\iPodService.exe[4532] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00CA27E0
.text C:\Program Files\iPod\bin\iPodService.exe[4532] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CA2726
.text C:\Program Files\iPod\bin\iPodService.exe[4532] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00CA275E
.text C:\WINDOWS\System32\alg.exe[4636] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C22862
.text C:\WINDOWS\System32\alg.exe[4636] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C226EE
.text C:\WINDOWS\System32\alg.exe[4636] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C227E0
.text C:\WINDOWS\System32\alg.exe[4636] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C22726
.text C:\WINDOWS\System32\alg.exe[4636] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C2275E
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4688] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EA2862
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4688] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EA26EE
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4688] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EA27E0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4688] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EA2726
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4688] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EA275E
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4960] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01152862
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4960] ws2_32.dll!send 71AB4C27 5 Bytes JMP 011526EE
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4960] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011527E0
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4960] ws2_32.dll!recv 71AB676F 5 Bytes JMP 01152726
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4960] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0115275E
.text C:\WINDOWS\system32\wuauclt.exe[5732] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02872862
.text C:\WINDOWS\system32\wuauclt.exe[5732] WS2_32.dll!send 71AB4C27 5 Bytes JMP 028726EE
.text C:\WINDOWS\system32\wuauclt.exe[5732] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 028727E0
.text C:\WINDOWS\system32\wuauclt.exe[5732] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02872726
.text C:\WINDOWS\system32\wuauclt.exe[5732] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0287275E

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86DE3BE8
Device \Driver\atapi \Device\Ide\IdePort0 86DE3BE8
Device \Driver\atapi \Device\Ide\IdePort1 86DE3BE8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 86DE3BE8
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
Device A7FFCD20
Device A80009F2

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

Attached Files

gmer.log 35.7KB 2 downloads
Attach.txt 11.37KB 4 downloads

#5 schrauber

Mr.Mechanic

Malware Response Team
24,794 posts
OFFLINE

Gender:Male
Location:Munich,Germany
Local time:07:20 AM

Posted 08 May 2010 - 07:30 AM

Hello, ImBobV
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the

button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:

Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards,
schrauber

Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#6 ImBobV

Topic Starter

Members
9 posts
OFFLINE

Local time:01:20 AM

Posted 08 May 2010 - 12:35 PM

Hi Tom, I'm Bob (obviously)...

FWIW, I had a slight hiccup disabling Endpoint. When I right-click, "Disable Endpoint Protection" is greyed out. I ended up going into Services, and stopping the Endpoint service before I ran ComboFix. Hopefully that was OK.

Combofix did stop at one point and show a message that rootkit activity was detected, and rebooted.

Here's the combofix.txt file:

ComboFix 10-05-07.07 - AmandaV 05/08/2010 9:55.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.496 [GMT -5:00]
Running from: c:\documents and settings\AmandaV\Desktop\shrauber.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))
.

2010-05-02 00:30 . 2010-05-02 00:30 -------- d-----w- c:\program files\iPod
2010-05-02 00:30 . 2010-05-02 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-02 00:30 . 2010-05-02 00:31 -------- d-----w- c:\program files\iTunes
2010-05-02 00:20 . 2010-05-02 00:20 -------- d-----w- c:\program files\Bonjour
2010-05-02 00:16 . 2010-05-02 00:16 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-02 00:09 . 2010-05-02 00:09 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-05-01 01:10 . 2010-05-01 01:10 503808 ----a-w- c:\documents and settings\AmandaV\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6cc7c563-n\msvcp71.dll
2010-05-01 01:10 . 2010-05-01 01:10 499712 ----a-w- c:\documents and settings\AmandaV\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6cc7c563-n\jmc.dll
2010-05-01 01:10 . 2010-05-01 01:10 348160 ----a-w- c:\documents and settings\AmandaV\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6cc7c563-n\msvcr71.dll
2010-05-01 01:10 . 2010-05-01 01:10 61440 ----a-w- c:\documents and settings\AmandaV\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7007f20d-n\decora-sse.dll
2010-05-01 01:10 . 2010-05-01 01:10 12800 ----a-w- c:\documents and settings\AmandaV\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7007f20d-n\decora-d3d.dll
2010-05-01 01:09 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 11:11 . 2010-04-29 11:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-04-28 23:36 . 2010-04-28 23:36 -------- d-----w- c:\documents and settings\AmandaV\Local Settings\Application Data\Symantec
2010-04-28 23:33 . 2010-04-28 23:33 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-28 23:33 . 2010-04-28 23:33 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-28 23:26 . 2010-04-28 23:33 -------- d-----w- c:\program files\Symantec
2010-04-28 23:24 . 2009-10-07 20:47 27464 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{D689B418-235A-4290-A0A5-A75E490E0351}\program files\Symantec\SEP\res\1033\SSHelperRes.dll
2010-04-28 01:24 . 2010-04-28 01:24 -------- d-----w- c:\windows\system32\LogFiles
2010-04-27 16:10 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-26 22:33 . 2010-04-26 22:34 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-04-26 19:35 . 2010-04-26 19:35 -------- d-----w- c:\program files\CCleaner
2010-04-26 19:24 . 2009-11-11 12:26 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2010-04-26 19:24 . 2009-11-11 12:26 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2010-04-22 18:29 . 2010-02-24 15:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-22 16:20 . 2010-04-22 16:20 -------- d-----w- c:\documents and settings\AmandaV\Local Settings\Application Data\PCHealth
2010-04-22 16:15 . 2010-04-22 16:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-04-22 16:01 . 2010-04-22 16:01 -------- d-----w- c:\documents and settings\AmandaV\Application Data\Malwarebytes
2010-04-22 16:01 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-22 16:01 . 2010-04-22 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-22 16:01 . 2010-04-30 01:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-22 16:01 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-15 15:56 . 2010-04-15 15:56 3584 ----a-r- c:\documents and settings\AmandaV\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-04-15 15:56 . 2010-04-15 15:56 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-02 00:40 . 2006-08-14 19:57 -------- d-----w- c:\documents and settings\AmandaV\Application Data\Apple Computer
2010-05-02 00:30 . 2007-07-07 21:07 -------- d-----w- c:\program files\Common Files\Apple
2010-05-02 00:25 . 2007-05-06 18:19 -------- d-----w- c:\program files\QuickTime
2010-05-02 00:12 . 2008-07-16 03:32 -------- d-----w- c:\program files\Safari
2010-05-01 23:59 . 2007-07-07 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-01 23:02 . 2006-02-20 03:37 -------- d-----w- c:\program files\Java
2010-05-01 01:10 . 2006-02-20 03:37 -------- d-----w- c:\program files\Common Files\Java
2010-04-30 01:54 . 2010-04-30 01:54 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-29 12:27 . 2010-04-28 23:24 -------- d-----w- c:\program files\Symantec AntiVirus
2010-04-28 23:36 . 2010-04-28 23:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-28 23:36 . 2010-04-28 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-28 23:33 . 2010-04-28 23:33 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-28 23:33 . 2010-04-28 23:33 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-27 21:14 . 2006-04-03 22:38 40198 ----a-w- c:\documents and settings\AmandaV\Application Data\wklnhst.dat
2010-04-26 19:33 . 2006-02-20 03:41 -------- d-----w- c:\program files\Intel
2010-04-15 16:26 . 2008-11-06 16:22 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-04-15 16:25 . 2008-11-06 16:23 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-04-15 16:18 . 2006-02-20 04:00 -------- d-----w- c:\program files\Google
2010-04-15 16:13 . 2006-02-20 03:47 -------- d-----w- c:\program files\MUSICMATCH
2010-04-15 15:55 . 2008-08-24 22:58 -------- d-----w- c:\program files\MSECache
2010-04-15 15:36 . 2009-09-30 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-25 21:39 . 2006-02-20 03:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-14 15:18 . 2008-05-25 03:51 -------- d-----w- c:\program files\AVG
2010-03-11 12:38 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2005-08-16 10:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2006-02-20 03:16 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 14:10 . 2005-08-16 10:18 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 04:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-13 16:05 . 2010-02-13 16:05 10134 -c--a-r- c:\documents and settings\AmandaV\Application Data\Microsoft\Installer\{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}\ARPPRODUCTICON.exe
2010-02-12 04:33 . 2005-08-16 10:18 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2005-08-16 10:18 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-03-30 21:22 . 2006-09-12 04:04 104 --sh--r- c:\windows\system32\2EACE13AF4.sys
2009-03-30 21:22 . 2006-04-30 16:59 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Walgreens PhotoShow Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [2006-04-20 237568]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 393216]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-02-20 169472]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"LDTray"="c:\program files\Livescribe\Livescribe Desktop\LDTray.exe" [2009-05-11 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-07 115560]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\AmandaV\Start Menu\Programs\Startup\
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-2-13 333088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-2-19 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-2-19 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"9491:TCP"= 9491:TCP:Services
"9492:TCP"= 9492:TCP:Services

R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [2/4/2010 7:51 PM 151552]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/13/2009 9:41 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/28/2010 6:46 PM 102448]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [10/7/2009 3:47 PM 23888]
S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2/4/2010 7:51 PM 19584]
S3 SmartpenBus;Smartpen Enumerator;c:\windows\system32\drivers\SmartpenBus.sys [8/24/2008 11:15 PM 38528]
S3 SmartpenCom;Smartpen Communications;c:\windows\system32\drivers\SmartpenCom.sys [8/24/2008 11:15 PM 35328]
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.washburn.edu/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {60631456-D6A5-4B38-AC62-B564E758A507} = 4.4.4.4,8.8.8.8
FF - ProfilePath - c:\documents and settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.washburn.edu
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-Symantec Antvirus
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-08 10:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LDTray = c:\program files\Livescribe\Livescribe Desktop\LDTray.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-08 10:06:41
ComboFix-quarantined-files.txt 2010-05-08 15:06

Pre-Run: 24,842,821,632 bytes free
Post-Run: 25,092,599,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - E50EBDADCF7A769D4955A3DDB07C0E61

#7 schrauber

Mr.Mechanic

Malware Response Team
24,794 posts
OFFLINE

Gender:Male
Location:Munich,Germany
Local time:07:20 AM

Posted 08 May 2010 - 11:21 PM

How is it running now?

Please update your version of Malwarebytes and run a quick scan, post back with the content of the logfile.

regards,
schrauber

Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#8 ImBobV

Topic Starter

Members
9 posts
OFFLINE

Local time:01:20 AM

Posted 09 May 2010 - 01:57 PM

Seems to be running well. Searches are going to the correct destination.

Endpoint Full Scan came back clean except for tracking cookies.
MBAM Update and scan look good too:

What do we need to do next?

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4082

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/9/2010 11:52:41 AM
mbam-log-2010-05-09 (11-52-41).txt

Scan type: Full scan (C:\|)
Objects scanned: 226043
Time elapsed: 1 hour(s), 29 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 schrauber

Mr.Mechanic

Malware Response Team
24,794 posts
OFFLINE

Gender:Male
Location:Munich,Germany
Local time:07:20 AM

Posted 11 May 2010 - 02:26 PM

Good

I'd like us to scan your machine with ESET OnlineScan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Check
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the button.
Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Please download OTL from one of the following mirrors:
- This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemdrive%\*.sys /90 /md5
Push the Quick Scan button.
Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extra.txt <-- Will be minimized

regards,
schrauber

Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#10 ImBobV

Topic Starter

Members
9 posts
OFFLINE

Local time:01:20 AM

Posted 12 May 2010 - 03:55 PM

Here are the latest scans. Computer is still running good with no problems noted.

Eset took quite a while to run - ~4 hours:

Esetlog.txt

ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=81fff73c696f58439cd1524959574260
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-12 03:56:23
# local_time=2010-05-11 10:56:23 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777215 100 0 4121402 4121402 0 0
# compatibility_mode=5891 16776869 100 100 0 13754697 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=95935
# found=0
# cleaned=0
# scan_time=13667

-----------------------------------------------------------------------------------------------------------------------

OTL log:
OTL logfile created on: 5/11/2010 11:03:50 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\AmandaV\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 464.00 Mb Available Physical Memory | 46.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 49.59 Gb Total Space | 23.27 Gb Free Space | 46.92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AMANDA
Current User Name: AmandaV
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/11 23:01:48 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\AmandaV\Desktop\OTL.exe
PRC - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/02/21 05:03:12 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/10/07 15:47:30 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2009/10/07 15:47:30 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/10/07 15:47:28 | 002,440,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2009/10/07 15:47:28 | 001,803,592 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Smc.exe
PRC - [2009/10/07 15:47:28 | 001,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SmcGui.exe
PRC - [2009/05/21 10:55:32 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/05/11 17:05:14 | 000,413,696 | ---- | M] () -- C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe
PRC - [2009/03/30 08:41:56 | 000,151,552 | ---- | M] (Livescribe) -- C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
PRC - [2008/12/19 14:17:24 | 000,333,088 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
PRC - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/15 11:09:36 | 000,460,784 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\DSAgnt.exe
PRC - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/04/20 01:35:00 | 000,237,568 | ---- | M] (Simple Star, Inc.) -- C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\mssysmgr.exe
PRC - [2006/02/19 23:00:15 | 000,554,496 | ---- | M] () -- C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
PRC - [2006/02/19 23:00:15 | 000,415,744 | ---- | M] () -- C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
PRC - [2006/02/19 23:00:15 | 000,169,472 | ---- | M] () -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2005/10/05 04:12:00 | 000,094,208 | ---- | M] () -- C:\Program Files\Dell\Media Experience\DMXLauncher.exe
PRC - [2005/09/10 00:19:34 | 000,393,216 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2005/09/08 06:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2005/06/10 11:44:02 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2004/04/07 13:07:32 | 001,135,728 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PRC - [2003/10/29 03:06:00 | 000,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe

========== Modules (SafeList) ==========

MOD - [2010/05/11 23:01:48 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\AmandaV\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (S24EventMonitor)
SRV - File not found [Auto | Stopped] -- -- (RegSrvc)
SRV - File not found [Auto | Stopped] -- -- (EvtEng)
SRV - File not found [On_Demand | Stopped] -- -- (ACDaemon)
SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/10/07 15:47:30 | 000,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SNAC.EXE -- (SNAC)
SRV - [2009/10/07 15:47:30 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/10/07 15:47:30 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/10/07 15:47:28 | 002,440,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/10/07 15:47:28 | 001,803,592 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Smc.exe -- (SmcService)
SRV - [2009/03/30 08:41:56 | 000,151,552 | ---- | M] (Livescribe) [Auto | Running] -- C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe -- (PenCommService)
SRV - [2009/03/20 19:10:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2007/08/09 02:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2004/04/07 13:07:32 | 001,135,728 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)

========== Driver Services (SafeList) ==========

DRV - [2010/05/11 03:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100511.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/11 03:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100511.003\NAVENG.SYS -- (NAVENG)
DRV - [2010/04/28 18:33:25 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/04/22 09:43:40 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/04/22 09:43:40 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/12/02 15:23:40 | 000,149,040 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2009/11/11 07:26:02 | 002,216,064 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2009/10/07 15:47:32 | 000,319,920 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2009/10/07 15:47:32 | 000,280,112 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2009/10/07 15:47:32 | 000,043,824 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/10/07 15:47:24 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2009/10/07 15:47:24 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COH_Mon.sys -- (COH_Mon)
DRV - [2009/05/09 01:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2009/02/26 09:25:56 | 000,019,584 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PulseUsb.sys -- (PulseUsb)
DRV - [2008/04/13 13:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/13 13:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/13 13:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 13:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/11 12:12:44 | 000,035,328 | ---- | M] (Livescribe) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SmartpenCom.sys -- (SmartpenCom)
DRV - [2008/02/11 12:12:40 | 000,038,528 | ---- | M] (Livescribe) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SmartpenBus.sys -- (SmartpenBus)
DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Running] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2005/11/29 05:36:56 | 000,191,936 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/09/12 04:30:00 | 000,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/09/10 00:15:32 | 001,032,472 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/09/08 06:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 06:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 06:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 06:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 06:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 06:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 06:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 13:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 13:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/12 06:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005/08/05 04:32:16 | 000,045,312 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2005/08/03 11:44:16 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/07/22 04:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/07/22 04:01:08 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/07/22 04:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/07/14 11:58:14 | 000,028,544 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2005/07/14 10:28:38 | 000,307,968 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2005/07/12 12:00:30 | 000,051,328 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2004/08/31 09:53:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/08/12 09:44:04 | 000,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iwca.sys -- (IWCA)
DRV - [2004/08/10 06:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/10 06:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/08/03 23:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/01/10 17:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.washburn.edu/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/search?FORM=IEFM1&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.washburn.edu"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..keyword.URL: "http://www.bing.com/search?FORM=IEFM1&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/02 14:25:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/02 14:25:24 | 000,000,000 | ---D | M]

[2008/08/27 23:34:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Extensions
[2010/05/11 18:14:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\extensions
[2009/08/15 19:48:36 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/07/07 23:17:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\extensions\{81a7a680-d724-460d-aa2f-4b0d8d926fe3}
[2008/05/07 23:11:52 | 000,000,000 | ---D | M] (Blue Ice 2) -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\extensions\{a8dd47cf-239f-48c4-8379-e6b4cbafdcfa}
[2009/06/11 12:34:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
[2009/06/11 12:34:05 | 000,004,207 | ---- | M] () -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\searchplugins\aim-search.xml
[2009/11/09 18:41:31 | 000,002,171 | ---- | M] () -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\searchplugins\bing.xml
[2010/05/11 18:14:21 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/30 20:10:00 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2007/04/16 12:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2004/08/10 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (Google)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LDTray] C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe ()
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKCU..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [Walgreens PhotoShow Media Manager] C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\mssysmgr.exe (Simple Star, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\AmandaV\Start Menu\Programs\Startup\PMB Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_20.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (MessengerStatsClient Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.124.0.193 24.124.0.194 24.124.0.195
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop BackupWallPaper: C:\WINDOWS\Soap Bubbles.bmp
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 05:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/08/16 05:22:48 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/05/11 23:01:40 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\AmandaV\Desktop\OTL.exe
[2010/05/11 15:57:45 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/05/08 12:41:56 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/08 09:49:52 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/08 09:43:40 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/08 09:43:38 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/08 09:43:38 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/08 09:43:38 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/08 09:43:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/08 09:42:53 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/04 18:52:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Desktop\gmer
[2010/05/04 17:06:53 | 000,000,000 | --SD | C] -- C:\Documents and Settings\AmandaV\My Documents\My DVDs
[2010/05/04 16:33:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\My Documents\alistoffilesfrom desktop
[2010/05/01 19:30:39 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/05/01 19:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/05/01 19:30:12 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/05/01 19:20:46 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/04/30 20:10:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/29 06:11:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/04/28 18:36:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\Symantec
[2010/04/28 18:33:03 | 000,060,800 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/04/28 18:33:02 | 000,123,952 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/04/28 18:26:18 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/04/28 18:24:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2010/04/28 18:24:20 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec AntiVirus
[2010/04/28 18:24:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2010/04/28 18:19:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Desktop\Symantec
[2010/04/27 21:20:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\My Documents\dad
[2010/04/27 20:24:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2010/04/26 17:33:41 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/04/26 14:35:48 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\AmandaV\Recent
[2010/04/26 14:35:07 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/04/22 11:20:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\PCHealth
[2010/04/22 11:15:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
[2010/04/22 11:01:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Application Data\Malwarebytes
[2010/04/22 11:01:48 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/22 11:01:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/22 11:01:46 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/22 11:01:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/15 10:56:36 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Installer Clean Up
[2010/04/11 22:41:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/04/01 18:49:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\My Documents\Picture Motion Browser
[2010/02/16 00:44:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\My Documents\Philosophy of Love and Sex
[2010/02/13 11:55:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Application Data\Sony Corporation
[2010/02/13 11:08:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2010/02/13 11:01:09 | 000,000,000 | ---D | C] -- C:\Program Files\Sony
[2010/02/13 10:59:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sony Corporation
[2010/02/13 10:55:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Application Data\InstallShield
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/05/11 23:01:48 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\AmandaV\Desktop\OTL.exe
[2010/05/11 18:05:51 | 002,672,312 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\esetsmartinstaller_enu.exe
[2010/05/11 17:52:33 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/05/11 17:48:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/11 17:45:44 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/11 17:45:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/11 17:45:19 | 1064,763,392 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/11 15:26:39 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\null
[2010/05/08 21:24:40 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\AmandaV\NTUSER.DAT
[2010/05/08 21:24:40 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\AmandaV\ntuser.ini
[2010/05/08 10:04:12 | 000,000,246 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/08 09:50:00 | 000,000,279 | RHS- | M] () -- C:\boot.ini
[2010/05/08 09:24:47 | 003,684,271 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\ComboFix.exe
[2010/05/08 09:23:56 | 003,684,271 | R--- | M] () -- C:\Documents and Settings\AmandaV\Desktop\shrauber.exe
[2010/05/04 18:52:11 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\gmer.exe
[2010/05/04 18:51:18 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\gmer.zip
[2010/05/04 18:45:14 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\dds.scr
[2010/05/04 18:41:24 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\AmandaV\defogger_reenable
[2010/05/04 18:40:41 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\Defogger.exe
[2010/05/04 17:36:42 | 000,009,728 | ---- | M] () -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/04 16:01:26 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/05/02 14:25:29 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/05/01 19:12:08 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 18:33:25 | 000,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/04/28 18:33:25 | 000,060,800 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/04/28 18:33:25 | 000,010,563 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/04/28 18:33:25 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/04/27 21:22:21 | 004,319,574 | -H-- | M] () -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\IconCache.db
[2010/04/27 21:09:17 | 000,015,574 | -HS- | M] () -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\q1IN
[2010/04/27 21:09:17 | 000,015,574 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\q1IN
[2010/04/27 20:35:39 | 000,015,566 | -HS- | M] () -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\1108930387
[2010/04/27 20:35:39 | 000,015,566 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\1108930387
[2010/04/27 16:14:50 | 000,040,198 | ---- | M] () -- C:\Documents and Settings\AmandaV\Application Data\wklnhst.dat
[2010/04/26 17:33:49 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/26 14:35:10 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\CCleaner.lnk
[2010/04/24 01:27:20 | 000,012,299 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\Hammond.docx
[2010/04/23 09:58:12 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/20 22:33:20 | 000,012,365 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\Snagajob.docx
[2010/04/20 19:42:49 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmp0D085.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmpA2F75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmp7AF75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmp5FF75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmp26085.FOT
[2010/04/16 15:42:15 | 000,022,593 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\resumeav.docx
[2010/04/16 14:24:48 | 000,034,816 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\resumeav.doc
[2010/04/13 22:02:56 | 000,012,078 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\garmin.docx
[2010/04/13 20:05:55 | 000,036,606 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\cover letter nfm.docx
[2010/04/08 15:48:52 | 000,011,960 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\kupass.docx
[2010/04/08 15:38:01 | 000,023,409 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\presletter.docx
[2010/04/07 21:09:53 | 000,027,884 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\alone.JPG
[2010/04/05 14:09:45 | 000,012,414 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\New Members ABC.docx
[2010/04/05 14:00:20 | 000,017,351 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\Sigma Tau Delta Initiation Ceremony.docx
[2010/04/01 18:47:29 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmpF433B.FOT
[2010/04/01 18:47:29 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmpCD33B.FOT
[2010/04/01 18:47:29 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmpB043B.FOT
[2010/04/01 18:47:29 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmp9343B.FOT
[2010/04/01 18:47:28 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmp2403B.FOT
[2010/03/24 16:18:40 | 000,011,801 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\BAM.docx
[2010/03/24 14:31:30 | 000,014,058 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\New Member Addresses.docx
[2010/03/19 10:33:53 | 000,011,724 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\Banking.docx
[2010/03/14 10:28:40 | 000,445,938 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 10:28:40 | 000,072,978 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/14 10:28:39 | 000,528,020 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/02/18 21:57:59 | 001,463,826 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\Hair!.docx
[2010/02/16 18:22:40 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\AmandaV\My Documents\~$holarshijessica.docx
[2010/02/16 17:53:43 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\scholarshijessica.doc
[2010/02/16 17:41:09 | 000,015,485 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\scholarshijessica.docx
[2010/02/13 11:08:53 | 000,001,861 | ---- | M] () -- C:\Documents and Settings\AmandaV\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
[2010/02/13 11:06:52 | 000,001,799 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PMB Launcher.lnk
[2010/02/13 11:06:51 | 000,001,873 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PMB.lnk
[2010/02/13 11:06:51 | 000,001,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PMB Guide.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/11 18:05:23 | 002,672,312 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\esetsmartinstaller_enu.exe
[2010/05/08 09:50:00 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2010/05/08 09:49:56 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/08 09:43:40 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/08 09:43:39 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/08 09:43:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/08 09:43:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/08 09:43:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/08 09:24:46 | 003,684,271 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\ComboFix.exe
[2010/05/08 09:23:44 | 003,684,271 | R--- | C] () -- C:\Documents and Settings\AmandaV\Desktop\shrauber.exe
[2010/05/04 18:51:17 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\gmer.zip
[2010/05/04 18:45:14 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\dds.scr
[2010/05/04 18:41:24 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\AmandaV\defogger_reenable
[2010/05/04 18:40:41 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\Defogger.exe
[2010/05/04 15:56:33 | 1064,763,392 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/01 19:31:51 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/28 18:33:03 | 000,010,563 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/04/28 18:33:02 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/04/27 20:35:38 | 000,015,566 | -HS- | C] () -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\1108930387
[2010/04/27 20:35:38 | 000,015,566 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1108930387
[2010/04/27 20:24:40 | 000,015,574 | -HS- | C] () -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\q1IN
[2010/04/27 20:24:40 | 000,015,574 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\q1IN
[2010/04/26 17:39:31 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/04/26 17:33:49 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/04/26 14:35:10 | 000,001,548 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\CCleaner.lnk
[2010/04/24 01:27:20 | 000,012,299 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\Hammond.docx
[2010/04/20 22:33:19 | 000,012,365 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\Snagajob.docx
[2010/04/20 19:42:49 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmp0D085.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmpA2F75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmp7AF75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmp5FF75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmp26085.FOT
[2010/04/16 15:42:14 | 000,022,593 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\resumeav.docx
[2010/04/13 22:02:56 | 000,012,078 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\garmin.docx
[2010/04/13 20:03:49 | 000,036,606 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\cover letter nfm.docx
[2010/04/08 15:48:51 | 000,011,960 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\kupass.docx
[2010/04/08 15:38:00 | 000,023,409 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\presletter.docx
[2010/04/07 21:09:53 | 000,027,884 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\alone.JPG
[2010/04/05 14:09:44 | 000,012,414 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\New Members ABC.docx
[2010/04/05 14:00:19 | 000,017,351 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\Sigma Tau Delta Initiation Ceremony.docx
[2010/04/01 18:53:50 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/01 18:47:29 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmpF433B.FOT
[2010/04/01 18:47:29 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmpCD33B.FOT
[2010/04/01 18:47:29 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmpB043B.FOT
[2010/04/01 18:47:29 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmp9343B.FOT
[2010/04/01 18:47:28 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmp2403B.FOT
[2010/03/24 16:18:39 | 000,011,801 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\BAM.docx
[2010/03/23 20:20:09 | 000,014,058 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\New Member Addresses.docx
[2010/03/19 10:33:53 | 000,011,724 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\Banking.docx
[2010/03/01 23:27:06 | 000,034,816 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\resumeav.doc
[2010/02/22 20:47:41 | 000,005,854 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\Jessicadress.jpeg
[2010/02/18 21:57:58 | 001,463,826 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\Hair!.docx
[2010/02/16 18:22:40 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\AmandaV\My Documents\~$holarshijessica.docx
[2010/02/16 17:53:43 | 000,026,624 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\scholarshijessica.doc
[2010/02/16 17:41:09 | 000,015,485 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\scholarshijessica.docx
[2010/02/13 11:08:53 | 000,001,861 | ---- | C] () -- C:\Documents and Settings\AmandaV\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
[2010/02/13 11:06:52 | 000,001,799 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PMB Launcher.lnk
[2010/02/13 11:06:51 | 000,001,873 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PMB.lnk
[2010/02/13 11:06:51 | 000,001,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PMB Guide.lnk
[2009/03/13 21:41:41 | 000,000,021 | ---- | C] () -- C:\WINDOWS\atid.ini
[2007/02/15 10:09:20 | 000,000,051 | ---- | C] () -- C:\WINDOWS\VistaEmail.ini
[2006/09/13 16:32:44 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2006/09/13 16:27:37 | 000,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/09/13 15:56:25 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/09/11 23:04:01 | 000,000,104 | RHS- | C] () -- C:\WINDOWS\System32\2EACE13AF4.sys
[2006/04/30 11:59:17 | 000,006,580 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/02/19 23:03:26 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/02/19 22:58:39 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/02/19 22:56:41 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/19 22:17:50 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2006/02/19 22:17:18 | 000,000,387 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 09:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/16 05:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/05 15:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/08/12 09:44:10 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\iwca.dll
[2001/07/06 15:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2007/12/14 11:43:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2009/06/11 12:00:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/03/17 15:46:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2010/05/01 19:31:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/17 12:26:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/05/10 22:01:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/03/13 21:42:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\AmandaV\Application Data\acccore
[2008/10/31 09:28:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\AmandaV\Application Data\Image Zone Express
[2006/11/06 20:58:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\AmandaV\Application Data\Leadertech
[2006/11/27 17:10:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\AmandaV\Application Data\Simple Star
[2008/11/06 15:36:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\AmandaV\Application Data\Skinux
[2007/01/15 15:41:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\AmandaV\Application Data\Template
[2007/01/14 01:40:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\AmandaV\Application Data\Walgreens
[2010/05/11 17:52:33 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: AGP440.SYS >
[2004/08/10 06:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2004/08/10 06:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/08/14 15:55:05 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/08/14 15:55:05 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/10 06:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/10 06:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/08/14 15:55:05 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/08/14 15:55:05 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/10 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/10 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2004/08/10 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/10 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2004/08/10 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/13 19:11:51 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll
[2009/10/07 15:47:34 | 000,049,480 | ---- | M] (Symantec Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\FwsVpn.dll
[2009/10/07 15:47:34 | 000,107,848 | ---- | M] (Symantec Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\SymVPN.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2005/08/16 05:27:08 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2005/08/16 05:27:08 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/08/16 05:27:08 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemdrive%\*.sys /90 /md5 >
[2010/05/11 17:45:19 | 1064,763,392 | -HS- | M] () Unable to obtain MD5 -- C:\hiberfil.sys
[2010/05/11 17:45:17 | 1598,029,824 | -HS- | M] () Unable to obtain MD5 -- C:\pagefile.sys
< End of report >

----------------------------------------------------------------------------------------------------------------------

OTL Extras:

OTL Extras logfile created on: 5/11/2010 11:03:50 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\AmandaV\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 464.00 Mb Available Physical Memory | 46.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 49.59 Gb Total Space | 23.27 Gb Free Space | 46.92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AMANDA
Current User Name: AmandaV
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AllAlertsDisabled" = 1
"TermService" = 1
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"9491:TCP" = 9491:TCP:*:Enabled:Services
"9492:TCP" = 9492:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"9491:TCP" = 9491:TCP:*:Enabled:Services
"9492:TCP" = 9492:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06040048-3E21-46D6-9A91-D927BA08F41D}" = Microsoft Encarta Encyclopedia Standard 2006
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0B33B738-AD79-4E32-90C5-E67BFB10BBFF}" = AiO_Scan
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}" = Primo
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{17E3A651-12B9-4149-BAE8-E6FB9A5ADC4F}" = Microsoft Works Suite Add-in for Microsoft Word
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{1F528948-0E80-4C96-B455-DE4167CB1DF7}" = Internal Network Card Power Management
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 20
"{26E1BFB0-E87E-4696-9F89-B467F01F81E5}" = Broadcom Management Programs
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{432C3720-37BF-4BD7-8E49-F38E090246D0}" = CR2
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{43DCF766-6838-4F9A-8C91-D92DA586DFA8}" = Microsoft Windows Journal Viewer
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{4667B940-BB01-428B-986E-A0CC46497BF7}" = ELIcon
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F29881E-590E-4B71-ABAC-D6083D6B1F46}" = Livescribe™ Desktop
"{51F96AEC-D902-4434-A0DC-B9692A21AE7C}" = MobileMe Control Panel
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{5421155F-B033-49DB-9B33-8F80F233D4D5}" = GdiplusUpgrade
"{54C8FE84-89C4-40E8-976C-439EB0729BD6}" = CardRd81
"{54E3707F-808E-4fd4-95C9-15D1AB077E5D}" = NewCopy
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}" = HP PSC & OfficeJet 5.3.B
"{5D95AD35-368F-47D5-B63A-A082DDF00116}" = Microsoft Digital Image Standard 2006 Editor
"{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}" = iTunes
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{65248369-7CB9-43A9-82C8-C438AE04DED4}" = 1500
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{691F4068-81BF-49E3-B32E-FE3E16400112}" = Microsoft Digital Image Standard 2006 Library
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6994491D-D491-48F1-AE1F-E179C1FFFC2F}" = HP Photosmart Essential
"{6BB6627C-694F-4FDC-A3E5-C7F4BED4C724}" = DocProc
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}" = mIWCA
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{74DC0593-6BC6-4001-AD5F-D810AFB68D86}" = HP Update
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7850A6D2-CBEA-4728-9877-F1BEDEA9F619}" = AiOSoftware
"{7C9B95B7-B598-4398-B30F-7F6827192E6C}" = ProductContext
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{81E06318-EEB9-4D55-8CD5-7AC9148D5E66}" = 1500_Help
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{8A253629-0511-4854-8B4E-46E57E66005C}" = Bonjour
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUSR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUSR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUSR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{91120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{91120000-0011-0000-0000-0000000FF1CE}_PROPLUSR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0011-0000-0000-0000000FF1CE}_PROPLUSR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{923A7F5A-1E8C-4FBE-8DF6-85940A60A79F}" = Readme
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}" = Apple Mobile Device Support
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A195B13E-A5E3-4BAF-A995-7F70F445CD06}" = ScannerCopy
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A67BB21E-D419-45BB-AB86-7D87D14BBCE2}" = Safari
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.2
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C506A18C-1469-4678-B094-F4EC9DAE6DB7}" = Scan
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CBA30674-A242-4531-82B5-586B31F90E04}" = 1500Trb
"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = Fax
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{D689B418-235A-4290-A0A5-A75E490E0351}" = Symantec Endpoint Protection
"{DABF43D9-1104-4764-927B-5BED1274A3B0}" = Runtime
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DE1AF137-C455-494A-A817-EFE44BCCFDEE}" = Works Upgrade
"{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC}" = Google
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{E590FD1C-E8C6-4D2E-8CA9-77B403F7EE01}" = Microsoft Antimalware
"{E5BA0430-919F-46DD-B656-0796F8A5ADFF}" = Microsoft Office Communicator 2007
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"A3CD60F2D5E61002E900E4A19E2CA01EFDF39B9C" = Windows Driver Package - Livescribe (PulseUsb) Image (03/19/2009 2.0.12.1)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adventure Inlay" = Adventure Inlay
"America Online us" = America Online (Choose which version to remove)
"AOL Connectivity Services" = AOL Connectivity Services
"AOLCoach" = AOL Coach Version 1.0(Build:20040229.1 en)
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Bejeweled Deluxe 1.862" = Bejeweled Deluxe 1.862
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"ESET Online Scanner" = ESET Online Scanner v3
"Google Desktop" = Google Desktop
"HP Imaging Device Functions" = HP Imaging Device Functions 5.3
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PictureItPrem_v11" = Microsoft Digital Image Standard 2006
"PROPLUSR" = Microsoft Office Professional Plus 2007
"RealPlayer 6.0" = RealPlayer
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"Walgreens PhotoShow Express 4" = Walgreens PhotoShow Express 4
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WIC" = Windows Imaging Component
"WildTangent CDA" = WildTangent Web Driver
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"Works2006Setup" = Microsoft Works Suite 2006 Setup Launcher

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/4/2010 6:05:45 PM | Computer Name = AMANDA | Source = Application Hang | ID = 1002
Description = Hanging application Mediahub.exe, version 2.4.32.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/4/2010 6:05:49 PM | Computer Name = AMANDA | Source = Application Hang | ID = 1002
Description = Hanging application Mediahub.exe, version 2.4.32.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/4/2010 6:05:52 PM | Computer Name = AMANDA | Source = Application Hang | ID = 1002
Description = Hanging application Mediahub.exe, version 2.4.32.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/4/2010 6:06:04 PM | Computer Name = AMANDA | Source = Application Hang | ID = 1002
Description = Hanging application Mediahub.exe, version 2.4.32.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/4/2010 6:09:49 PM | Computer Name = AMANDA | Source = Application Hang | ID = 1002
Description = Hanging application Mediahub.exe, version 2.4.32.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/7/2010 9:15:53 PM | Computer Name = AMANDA | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 5/7/2010 9:16:19 PM | Computer Name = AMANDA | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 2.1.6519.0,
P5 mpsigdwn.dll, P6 2.1.6519.0, P7 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P8 NIL, P9 NIL, P10 NIL.

Error - 5/7/2010 9:16:19 PM | Computer Name = AMANDA | Source = MSSecurityEssentials | ID = 5000
Description =

Error - 5/8/2010 1:26:04 PM | Computer Name = AMANDA | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 5/9/2010 1:08:15 PM | Computer Name = AMANDA | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Tracking Cookies in File: Unavailable by: Manual
scan. Action: Quarantine failed : Leave Alone failed. Action Description: The
file was deleted successfully.

[ Application Events ]
Error - 5/4/2010 6:05:45 PM | Computer Name = AMANDA | Source = Application Hang | ID = 1002
Description = Hanging application Mediahub.exe, version 2.4.32.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/4/2010 6:05:49 PM | Computer Name = AMANDA | Source = Application Hang | ID = 1002
Description = Hanging application Mediahub.exe, version 2.4.32.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/4/2010 6:05:52 PM | Computer Name = AMANDA | Source = Application Hang | ID = 1002
Description = Hanging application Mediahub.exe, version 2.4.32.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/4/2010 6:06:04 PM | Computer Name = AMANDA | Source = Application Hang | ID = 1002
Description = Hanging application Mediahub.exe, version 2.4.32.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/4/2010 6:09:49 PM | Computer Name = AMANDA | Source = Application Hang | ID = 1002
Description = Hanging application Mediahub.exe, version 2.4.32.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/7/2010 9:15:53 PM | Computer Name = AMANDA | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 5/7/2010 9:16:19 PM | Computer Name = AMANDA | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 2.1.6519.0,
P5 mpsigdwn.dll, P6 2.1.6519.0, P7 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P8 NIL, P9 NIL, P10 NIL.

Error - 5/7/2010 9:16:19 PM | Computer Name = AMANDA | Source = MSSecurityEssentials | ID = 5000
Description =

Error - 5/8/2010 1:26:04 PM | Computer Name = AMANDA | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 5/9/2010 1:08:15 PM | Computer Name = AMANDA | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Tracking Cookies in File: Unavailable by: Manual
scan. Action: Quarantine failed : Leave Alone failed. Action Description: The
file was deleted successfully.

[ OSession Events ]
Error - 1/24/2010 8:51:36 PM | Computer Name = AMANDA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 157
seconds with 60 seconds of active time. This session ended with a crash.

Error - 4/16/2010 4:32:38 PM | Computer Name = AMANDA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 6556
seconds with 540 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 4/29/2010 9:50:09 PM | Computer Name = AMANDA | Source = Service Control Manager | ID = 7000
Description = The EvtEng service failed to start due to the following error: %%2

Error - 4/29/2010 9:50:09 PM | Computer Name = AMANDA | Source = Service Control Manager | ID = 7001
Description = The Spectrum24 Event Monitor service depends on the EvtEng service
which failed to start because of the following error: %%2

Error - 4/29/2010 9:50:09 PM | Computer Name = AMANDA | Source = Service Control Manager | ID = 7000
Description = The RegSrvc service failed to start due to the following error: %%2

Error - 5/4/2010 4:51:51 PM | Computer Name = AMANDA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/4/2010 4:52:08 PM | Computer Name = AMANDA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 5/4/2010 4:52:15 PM | Computer Name = AMANDA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 5/4/2010 4:52:27 PM | Computer Name = AMANDA | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 5/4/2010 4:52:27 PM | Computer Name = AMANDA | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 5/4/2010 4:52:27 PM | Computer Name = AMANDA | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 5/4/2010 4:52:27 PM | Computer Name = AMANDA | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

< End of report >

#11 schrauber

Mr.Mechanic

Malware Response Team
24,794 posts
OFFLINE

Gender:Male
Location:Munich,Germany
Local time:07:20 AM

Posted 13 May 2010 - 10:02 AM

Hi,

Please uninstall the old Java versions through Add Remove Programs, only keep Java 6 update 20.

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following
CODE
:OTL
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
[2010/04/27 21:09:17 | 000,015,574 | -HS- | M] () -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\q1IN
[2010/04/27 21:09:17 | 000,015,574 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\q1IN
[2010/04/27 20:35:39 | 000,015,566 | -HS- | M] () -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\1108930387
[2010/04/27 20:35:39 | 000,015,566 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\1108930387
[2010/04/27 20:35:38 | 000,015,566 | -HS- | C] () -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\1108930387
[2010/04/27 20:35:38 | 000,015,566 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1108930387
[2010/04/27 20:24:40 | 000,015,574 | -HS- | C] () -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\q1IN
[2010/04/27 20:24:40 | 000,015,574 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\q1IN
Then click the Run Fix button at the top
Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

================================Follow up scan=================================

Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open one notepad window. OTL.Txt a This is saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

regards,
schrauber

Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#12 ImBobV

Topic Starter

Members
9 posts
OFFLINE

Local time:01:20 AM

Posted 13 May 2010 - 03:07 PM

OTL Run Fix Log:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
C:\Documents and Settings\AmandaV\Local Settings\Application Data\q1IN moved successfully.
C:\Documents and Settings\All Users\Application Data\q1IN moved successfully.
C:\Documents and Settings\AmandaV\Local Settings\Application Data\1108930387 moved successfully.
C:\Documents and Settings\All Users\Application Data\1108930387 moved successfully.
File C:\Documents and Settings\AmandaV\Local Settings\Application Data\1108930387 not found.
File C:\Documents and Settings\All Users\Application Data\1108930387 not found.
File C:\Documents and Settings\AmandaV\Local Settings\Application Data\q1IN not found.
File C:\Documents and Settings\All Users\Application Data\q1IN not found.

OTL by OldTimer - Version 3.2.4.1 log created on 05132010_140322

---------------------------------------------------------------------------------------------------------------------------------------------------------------------

OTL Scan Log:

OTL logfile created on: 5/13/2010 2:06:34 PM - Run 2
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\AmandaV\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 466.00 Mb Available Physical Memory | 46.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 49.59 Gb Total Space | 23.05 Gb Free Space | 46.47% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AMANDA
Current User Name: AmandaV
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\AmandaV\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\Smc.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\SmcGui.exe (Symantec Corporation)
PRC - C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
PRC - C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe ()
PRC - C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe (Livescribe)
PRC - C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)
PRC - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
PRC - C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\mssysmgr.exe (Simple Star, Inc.)
PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe ()
PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe ()
PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()
PRC - C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
PRC - C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
PRC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (America Online, Inc.)
PRC - C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\AmandaV\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (S24EventMonitor) -- File not found
SRV - (RegSrvc) -- File not found
SRV - (EvtEng) -- File not found
SRV - (ACDaemon) -- File not found
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SRV - (SNAC) -- C:\Program Files\Symantec AntiVirus\SNAC.EXE (Symantec Corporation)
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (SmcService) -- C:\Program Files\Symantec AntiVirus\Smc.exe (Symantec Corporation)
SRV - (PenCommService) -- C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe (Livescribe)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)
SRV - (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (Viewpoint Manager Service) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (AOL ACS) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (America Online, Inc.)

========== Driver Services (SafeList) ==========

DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100512.005\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100512.005\NAVENG.SYS (Symantec Corporation)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (MpFilter) -- C:\WINDOWS\system32\drivers\MpFilter.sys (Microsoft Corporation)
DRV - (w29n51) Intel® -- C:\WINDOWS\system32\drivers\w29n51.sys (Intel® Corporation)
DRV - (SRTSPL) -- C:\WINDOWS\system32\drivers\srtspl.sys (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\srtsp.sys (Symantec Corporation)
DRV - (SRTSPX) -- C:\WINDOWS\system32\drivers\srtspx.sys (Symantec Corporation)
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (COH_Mon) -- C:\WINDOWS\system32\drivers\COH_Mon.sys (Symantec Corporation)
DRV - (NuidFltr) -- C:\WINDOWS\system32\drivers\nuidfltr.sys (Microsoft Corporation)
DRV - (PulseUsb) -- C:\WINDOWS\system32\drivers\PulseUsb.sys (Windows ® Codename Longhorn DDK provider)
DRV - (NwlnkIpx) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys (Microsoft Corporation)
DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (SmartpenCom) -- C:\WINDOWS\system32\drivers\SmartpenCom.sys (Livescribe)
DRV - (SmartpenBus) -- C:\WINDOWS\system32\drivers\SmartpenBus.sys (Livescribe)
DRV - (dsunidrv) -- C:\WINDOWS\system32\drivers\dsunidrv.sys (Gteko Ltd.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (DRVMCDB) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (DRVNDDM) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Sonic Solutions)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (APPDRV) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (rimmptsk) -- C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC)
DRV - (rismxdp) -- C:\WINDOWS\system32\drivers\rixdptsk.sys (REDC)
DRV - (rimsptsk) -- C:\WINDOWS\system32\drivers\rimsptsk.sys (REDC)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (IWCA) -- C:\WINDOWS\system32\drivers\iwca.sys (Intel Corporation)
DRV - (NwlnkNb) -- C:\WINDOWS\system32\drivers\nwlnknb.sys (Microsoft Corporation)
DRV - (NwlnkSpx) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys (Microsoft Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.washburn.edu/
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/search?FORM=IEFM1&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.washburn.edu"
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.3
FF - prefs.js..keyword.URL: "http://www.bing.com/search?FORM=IEFM1&q="

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/15 10:21:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2008/12/21 09:56:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/02 14:25:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/02 14:25:24 | 000,000,000 | ---D | M]

[2008/08/27 23:34:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Extensions
[2008/08/27 23:34:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010/05/11 18:14:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\extensions
[2009/08/15 19:48:36 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/07/07 23:17:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\extensions\{81a7a680-d724-460d-aa2f-4b0d8d926fe3}
[2008/05/07 23:11:52 | 000,000,000 | ---D | M] (Blue Ice 2) -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\extensions\{a8dd47cf-239f-48c4-8379-e6b4cbafdcfa}
[2009/06/11 12:34:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
[2009/06/11 12:34:05 | 000,004,207 | ---- | M] () -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\searchplugins\aim-search.xml
[2009/11/09 18:41:31 | 000,002,171 | ---- | M] () -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\searchplugins\bing.xml
[2010/05/11 18:14:21 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/02 14:25:25 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/12/21 09:57:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/09/22 20:04:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2010/04/30 20:10:00 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/01 12:58:18 | 000,023,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2010/04/01 12:58:19 | 000,138,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2006/09/03 13:12:48 | 000,049,152 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2008/09/26 11:40:34 | 000,053,248 | ---- | M] (AOL LLC) -- C:\Program Files\Mozilla Firefox\plugins\npdnu.dll
[2010/04/01 12:58:20 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2006/10/26 20:12:16 | 000,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
[2010/04/02 08:30:43 | 000,095,672 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2010/05/01 19:25:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2010/05/01 19:25:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2010/05/01 19:25:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2010/05/01 19:25:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2010/05/01 19:25:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2010/05/01 19:25:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2010/05/01 19:25:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2007/04/16 12:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
[2010/04/01 10:56:18 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2010/04/01 10:56:18 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2010/04/01 10:56:18 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2010/04/01 10:56:18 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2010/04/01 10:56:18 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2010/04/01 10:56:18 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2010/04/01 10:56:18 | 000,001,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2004/08/10 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (Google)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LDTray] C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe ()
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe File not found
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [Walgreens PhotoShow Media Manager] C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\mssysmgr.exe (Simple Star, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\AmandaV\Start Menu\Programs\Startup\PMB Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (MessengerStatsClient Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.124.0.193 24.124.0.194 24.124.0.195
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop BackupWallPaper: C:\WINDOWS\Soap Bubbles.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 05:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/13 14:03:22 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/05/12 15:45:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/05/11 23:01:40 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\AmandaV\Desktop\OTL.exe
[2010/05/11 15:57:45 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/05/08 12:41:56 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/08 09:49:52 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/08 09:43:40 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/08 09:43:38 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/08 09:43:38 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/08 09:43:38 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/08 09:43:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/08 09:42:53 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/04 18:52:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Desktop\gmer
[2010/05/04 17:06:53 | 000,000,000 | --SD | C] -- C:\Documents and Settings\AmandaV\My Documents\My DVDs
[2010/05/04 16:33:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\My Documents\alistoffilesfrom desktop
[2010/05/01 19:30:39 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/05/01 19:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/05/01 19:30:12 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/05/01 19:20:46 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/04/30 20:10:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/30 20:09:57 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/30 20:09:57 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/30 20:09:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/30 20:09:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/29 06:11:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/04/28 18:36:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\Symantec
[2010/04/28 18:33:03 | 000,060,800 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/04/28 18:33:02 | 000,123,952 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/04/28 18:26:24 | 000,511,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\capicom.dll
[2010/04/28 18:26:18 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/04/28 18:24:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2010/04/28 18:24:20 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec AntiVirus
[2010/04/28 18:24:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2010/04/28 18:19:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Desktop\Symantec
[2010/04/27 21:20:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\My Documents\dad
[2010/04/27 20:24:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2010/04/27 11:10:50 | 000,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\hidserv.dll
[2010/04/26 17:33:41 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/04/26 14:35:48 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\AmandaV\Recent
[2010/04/26 14:35:07 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/04/26 14:24:28 | 002,732,032 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\Netw2r32.dll
[2010/04/26 14:24:28 | 000,557,056 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\Netw2c32.dll
[2010/04/26 14:14:11 | 004,679,665 | ---- | C] (Intel® Corporation) -- C:\Documents and Settings\AmandaV\Desktop\ICS_Dx32.exe
[2010/04/22 13:29:16 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/04/22 11:20:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\PCHealth
[2010/04/22 11:15:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
[2010/04/22 11:01:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Application Data\Malwarebytes
[2010/04/22 11:01:48 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/22 11:01:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/22 11:01:46 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/22 11:01:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/15 10:56:36 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Installer Clean Up
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/12 15:49:50 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\null
[2010/05/11 23:18:20 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\AmandaV\NTUSER.DAT
[2010/05/11 23:01:48 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\AmandaV\Desktop\OTL.exe
[2010/05/11 18:05:51 | 002,672,312 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\esetsmartinstaller_enu.exe
[2010/05/11 17:52:33 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/05/11 17:48:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/11 17:45:44 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/11 17:45:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/11 17:45:19 | 1064,763,392 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/08 21:24:40 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\AmandaV\ntuser.ini
[2010/05/08 10:04:12 | 000,000,246 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/08 09:50:00 | 000,000,279 | RHS- | M] () -- C:\boot.ini
[2010/05/08 09:24:47 | 003,684,271 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\ComboFix.exe
[2010/05/08 09:23:56 | 003,684,271 | R--- | M] () -- C:\Documents and Settings\AmandaV\Desktop\shrauber.exe
[2010/05/06 10:36:38 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/05/04 18:52:11 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\gmer.exe
[2010/05/04 18:51:18 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\gmer.zip
[2010/05/04 18:45:14 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\dds.scr
[2010/05/04 18:41:24 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\AmandaV\defogger_reenable
[2010/05/04 18:40:41 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\Defogger.exe
[2010/05/04 17:36:42 | 000,009,728 | ---- | M] () -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/04 16:01:26 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/05/02 14:25:29 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/05/01 19:12:08 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 18:33:25 | 000,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/04/28 18:33:25 | 000,060,800 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/04/28 18:33:25 | 000,010,563 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/04/28 18:33:25 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/04/27 21:22:21 | 004,319,574 | -H-- | M] () -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\IconCache.db
[2010/04/27 16:14:50 | 000,040,198 | ---- | M] () -- C:\Documents and Settings\AmandaV\Application Data\wklnhst.dat
[2010/04/26 17:33:49 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/26 14:35:10 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\CCleaner.lnk
[2010/04/26 14:14:34 | 004,679,665 | ---- | M] (Intel® Corporation) -- C:\Documents and Settings\AmandaV\Desktop\ICS_Dx32.exe
[2010/04/24 01:27:20 | 000,012,299 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\Hammond.docx
[2010/04/23 09:58:12 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/20 22:33:20 | 000,012,365 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\Snagajob.docx
[2010/04/20 19:42:49 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmp0D085.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmpA2F75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmp7AF75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmp5FF75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmp26085.FOT
[2010/04/16 15:42:15 | 000,022,593 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\resumeav.docx
[2010/04/16 14:24:48 | 000,034,816 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\resumeav.doc
[2010/04/13 22:02:56 | 000,012,078 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\garmin.docx
[2010/04/13 20:05:55 | 000,036,606 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\cover letter nfm.docx
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/11 18:05:23 | 002,672,312 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\esetsmartinstaller_enu.exe
[2010/05/08 09:50:00 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2010/05/08 09:49:56 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/08 09:43:40 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/08 09:43:39 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/08 09:43:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/08 09:43:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/08 09:43:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/08 09:24:46 | 003,684,271 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\ComboFix.exe
[2010/05/08 09:23:44 | 003,684,271 | R--- | C] () -- C:\Documents and Settings\AmandaV\Desktop\shrauber.exe
[2010/05/04 18:51:17 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\gmer.zip
[2010/05/04 18:45:14 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\dds.scr
[2010/05/04 18:41:24 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\AmandaV\defogger_reenable
[2010/05/04 18:40:41 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\Defogger.exe
[2010/05/04 15:56:33 | 1064,763,392 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/01 19:31:51 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/28 18:33:03 | 000,010,563 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/04/28 18:33:02 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/04/26 17:39:31 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/04/26 17:33:49 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/04/26 14:35:10 | 000,001,548 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\CCleaner.lnk
[2010/04/24 01:27:20 | 000,012,299 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\Hammond.docx
[2010/04/20 22:33:19 | 000,012,365 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\Snagajob.docx
[2010/04/20 19:42:49 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmp0D085.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmpA2F75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmp7AF75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmp5FF75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmp26085.FOT
[2010/04/16 15:42:14 | 000,022,593 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\resumeav.docx
[2010/04/13 22:02:56 | 000,012,078 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\garmin.docx
[2010/04/13 20:03:49 | 000,036,606 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\cover letter nfm.docx
[2009/03/13 21:41:41 | 000,000,021 | ---- | C] () -- C:\WINDOWS\atid.ini
[2007/02/15 10:09:20 | 000,000,051 | ---- | C] () -- C:\WINDOWS\VistaEmail.ini
[2006/09/13 16:32:44 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2006/09/13 16:27:37 | 000,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/09/13 15:56:25 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/09/11 23:04:01 | 000,000,104 | RHS- | C] () -- C:\WINDOWS\System32\2EACE13AF4.sys
[2006/04/30 11:59:17 | 000,006,580 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/02/19 23:03:26 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/02/19 22:58:39 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/02/19 22:56:41 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/19 22:17:50 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2006/02/19 22:17:18 | 000,000,387 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 09:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/16 05:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/05 15:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/08/12 09:44:10 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\iwca.dll
[2001/07/06 15:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
< End of report >

HelpAsst Log:

C:\Documents and Settings\AmandaV\Desktop\HelpAsst_mebroot_fix.exe
Thu 05/13/2010 at 14:11:45.18

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"9491:TCP"=-
"9492:TCP"=-
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"9491:TCP"=-
"9492:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-2987049884-1693655573-162750112-1004
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 05/13/2010 at 15:00:47.10

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06CF61C8
malicious code @ sector 0x06CF61CB !
PE file found in sector at 0x06CF61E1 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

~~ EOF ~~

#13 schrauber

Mr.Mechanic

Malware Response Team
24,794 posts
OFFLINE

Gender:Male
Location:Munich,Germany
Local time:07:20 AM

Posted 16 May 2010 - 04:11 PM

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:

Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 20.
Click the "Download" button to the right.
Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
Click on Continue.
Click on the link to download Windows Offline Installation (jre-6u20-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u20-windows-i586.exe and select "Run as an Administrator.")

Please post back with a fresh OTL logfile and tell me how the system is running.

Edited by schrauber, 16 May 2010 - 04:11 PM.

regards,
schrauber

Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#14 ImBobV

Topic Starter

Members
9 posts
OFFLINE

Local time:01:20 AM

Posted 17 May 2010 - 06:27 PM

Seems to be running better than it has in a long time!

OTL Log:

OTL logfile created on: 5/17/2010 6:13:53 PM - Run 3
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\AmandaV\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 504.00 Mb Available Physical Memory | 50.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 49.59 Gb Total Space | 22.94 Gb Free Space | 46.26% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AMANDA
Current User Name: AmandaV
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\AmandaV\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\Smc.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\SmcGui.exe (Symantec Corporation)
PRC - C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
PRC - C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe ()
PRC - C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe (Livescribe)
PRC - C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)
PRC - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
PRC - C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\mssysmgr.exe (Simple Star, Inc.)
PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe ()
PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe ()
PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()
PRC - C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
PRC - C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
PRC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (America Online, Inc.)
PRC - C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\AmandaV\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (S24EventMonitor) -- File not found
SRV - (RegSrvc) -- File not found
SRV - (EvtEng) -- File not found
SRV - (ACDaemon) -- File not found
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (SNAC) -- C:\Program Files\Symantec AntiVirus\SNAC.EXE (Symantec Corporation)
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (SmcService) -- C:\Program Files\Symantec AntiVirus\Smc.exe (Symantec Corporation)
SRV - (PenCommService) -- C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe (Livescribe)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)
SRV - (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (AOL ACS) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (America Online, Inc.)

========== Driver Services (SafeList) ==========

DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100517.002\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100517.002\NAVENG.SYS (Symantec Corporation)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (w29n51) Intel® -- C:\WINDOWS\system32\drivers\w29n51.sys (Intel® Corporation)
DRV - (SRTSPL) -- C:\WINDOWS\system32\drivers\srtspl.sys (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\srtsp.sys (Symantec Corporation)
DRV - (SRTSPX) -- C:\WINDOWS\system32\drivers\srtspx.sys (Symantec Corporation)
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (COH_Mon) -- C:\WINDOWS\system32\drivers\COH_Mon.sys (Symantec Corporation)
DRV - (NuidFltr) -- C:\WINDOWS\system32\drivers\nuidfltr.sys (Microsoft Corporation)
DRV - (PulseUsb) -- C:\WINDOWS\system32\drivers\PulseUsb.sys (Windows ® Codename Longhorn DDK provider)
DRV - (NwlnkIpx) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys (Microsoft Corporation)
DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (SmartpenCom) -- C:\WINDOWS\system32\drivers\SmartpenCom.sys (Livescribe)
DRV - (SmartpenBus) -- C:\WINDOWS\system32\drivers\SmartpenBus.sys (Livescribe)
DRV - (dsunidrv) -- C:\WINDOWS\system32\drivers\dsunidrv.sys (Gteko Ltd.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (DRVMCDB) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (DRVNDDM) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Sonic Solutions)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (APPDRV) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (rimmptsk) -- C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC)
DRV - (rismxdp) -- C:\WINDOWS\system32\drivers\rixdptsk.sys (REDC)
DRV - (rimsptsk) -- C:\WINDOWS\system32\drivers\rimsptsk.sys (REDC)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (IWCA) -- C:\WINDOWS\system32\drivers\iwca.sys (Intel Corporation)
DRV - (NwlnkNb) -- C:\WINDOWS\system32\drivers\nwlnknb.sys (Microsoft Corporation)
DRV - (NwlnkSpx) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys (Microsoft Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.washburn.edu/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/search?FORM=IEFM1&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.washburn.edu"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..keyword.URL: "http://www.bing.com/search?FORM=IEFM1&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/02 14:25:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/17 17:36:00 | 000,000,000 | ---D | M]

[2008/08/27 23:34:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Extensions
[2010/05/12 18:20:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\extensions
[2009/08/15 19:48:36 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/07/07 23:17:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\extensions\{81a7a680-d724-460d-aa2f-4b0d8d926fe3}
[2008/05/07 23:11:52 | 000,000,000 | ---D | M] (Blue Ice 2) -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\extensions\{a8dd47cf-239f-48c4-8379-e6b4cbafdcfa}
[2009/06/11 12:34:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
[2009/06/11 12:34:05 | 000,004,207 | ---- | M] () -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\searchplugins\aim-search.xml
[2009/11/09 18:41:31 | 000,002,171 | ---- | M] () -- C:\Documents and Settings\AmandaV\Application Data\Mozilla\Firefox\Profiles\gea8qnir.default\searchplugins\bing.xml
[2010/05/17 18:11:45 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/17 18:11:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/05/17 18:11:25 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2004/08/10 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (Google)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LDTray] C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKCU..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [Walgreens PhotoShow Media Manager] C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\mssysmgr.exe (Simple Star, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\AmandaV\Start Menu\Programs\Startup\PMB Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (MessengerStatsClient Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.124.0.193 24.124.0.194 24.124.0.195
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop BackupWallPaper: C:\WINDOWS\Soap Bubbles.bmp
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 05:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/17 18:11:43 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/17 18:11:43 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/17 18:11:43 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/17 18:11:43 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/05/13 14:11:47 | 000,000,000 | ---D | C] -- C:\HelpAsst_backup
[2010/05/13 14:03:22 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/05/11 23:01:40 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\AmandaV\Desktop\OTL.exe
[2010/05/11 15:57:45 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/05/08 12:41:56 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/08 09:49:52 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/08 09:43:40 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/08 09:43:38 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/08 09:43:38 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/08 09:43:38 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/08 09:43:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/08 09:42:53 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/04 18:52:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Desktop\gmer
[2010/05/04 17:06:53 | 000,000,000 | --SD | C] -- C:\Documents and Settings\AmandaV\My Documents\My DVDs
[2010/05/04 16:33:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\My Documents\alistoffilesfrom desktop
[2010/05/01 19:30:39 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/05/01 19:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/05/01 19:30:12 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/05/01 19:20:46 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/04/30 20:10:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/30 20:09:57 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/29 06:11:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/04/28 18:36:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\Symantec
[2010/04/28 18:33:03 | 000,060,800 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/04/28 18:33:02 | 000,123,952 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/04/28 18:26:24 | 000,511,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\capicom.dll
[2010/04/28 18:26:18 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/04/28 18:24:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2010/04/28 18:24:20 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec AntiVirus
[2010/04/28 18:24:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2010/04/28 18:19:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Desktop\Symantec
[2010/04/27 21:20:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\My Documents\dad
[2010/04/27 20:24:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2010/04/27 11:10:50 | 000,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\hidserv.dll
[2010/04/26 14:35:48 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\AmandaV\Recent
[2010/04/26 14:35:07 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/04/26 14:24:28 | 002,732,032 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\Netw2r32.dll
[2010/04/26 14:24:28 | 000,557,056 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\Netw2c32.dll
[2010/04/26 14:14:11 | 004,679,665 | ---- | C] (Intel® Corporation) -- C:\Documents and Settings\AmandaV\Desktop\ICS_Dx32.exe
[2010/04/22 13:29:16 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/04/22 11:20:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\PCHealth
[2010/04/22 11:15:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
[2010/04/22 11:01:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AmandaV\Application Data\Malwarebytes
[2010/04/22 11:01:48 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/22 11:01:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/22 11:01:46 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/22 11:01:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/17 18:11:24 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/17 18:11:23 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/17 18:11:23 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/17 18:11:23 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/17 18:11:23 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/05/17 18:09:27 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/17 18:08:32 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/17 18:08:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/17 18:08:08 | 1064,763,392 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/17 18:06:59 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\AmandaV\NTUSER.DAT
[2010/05/17 18:06:59 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\AmandaV\ntuser.ini
[2010/05/17 17:23:23 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\null
[2010/05/13 14:11:20 | 000,490,232 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\HelpAsst_mebroot_fix.exe
[2010/05/11 23:01:48 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\AmandaV\Desktop\OTL.exe
[2010/05/11 18:05:51 | 002,672,312 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\esetsmartinstaller_enu.exe
[2010/05/08 10:04:12 | 000,000,246 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/08 09:50:00 | 000,000,279 | RHS- | M] () -- C:\boot.ini
[2010/05/08 09:24:47 | 003,684,271 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\ComboFix.exe
[2010/05/08 09:23:56 | 003,684,271 | R--- | M] () -- C:\Documents and Settings\AmandaV\Desktop\shrauber.exe
[2010/05/06 10:36:38 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/05/04 18:52:11 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\gmer.exe
[2010/05/04 18:51:18 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\gmer.zip
[2010/05/04 18:45:14 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\dds.scr
[2010/05/04 18:41:24 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\AmandaV\defogger_reenable
[2010/05/04 18:40:41 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\Defogger.exe
[2010/05/04 17:36:42 | 000,009,728 | ---- | M] () -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/04 16:01:26 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/05/02 14:25:29 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/05/01 19:12:08 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 18:33:25 | 000,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/04/28 18:33:25 | 000,060,800 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/04/28 18:33:25 | 000,010,563 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/04/28 18:33:25 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/04/27 21:22:21 | 004,319,574 | -H-- | M] () -- C:\Documents and Settings\AmandaV\Local Settings\Application Data\IconCache.db
[2010/04/27 16:14:50 | 000,040,198 | ---- | M] () -- C:\Documents and Settings\AmandaV\Application Data\wklnhst.dat
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/26 14:35:10 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\AmandaV\Desktop\CCleaner.lnk
[2010/04/26 14:14:34 | 004,679,665 | ---- | M] (Intel® Corporation) -- C:\Documents and Settings\AmandaV\Desktop\ICS_Dx32.exe
[2010/04/24 01:27:20 | 000,012,299 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\Hammond.docx
[2010/04/23 09:58:12 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/20 22:33:20 | 000,012,365 | ---- | M] () -- C:\Documents and Settings\AmandaV\My Documents\Snagajob.docx
[2010/04/20 19:42:49 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmp0D085.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmpA2F75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmp7AF75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmp5FF75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmp26085.FOT
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/13 14:42:13 | 000,000,324 | ---- | C] () -- C:\Documents and Settings\AmandaV\mbr.log
[2010/05/13 14:11:19 | 000,490,232 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\HelpAsst_mebroot_fix.exe
[2010/05/11 18:05:23 | 002,672,312 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\esetsmartinstaller_enu.exe
[2010/05/08 09:50:00 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2010/05/08 09:49:56 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/08 09:43:40 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/08 09:43:39 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/08 09:43:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/08 09:43:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/08 09:43:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/08 09:24:46 | 003,684,271 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\ComboFix.exe
[2010/05/08 09:23:44 | 003,684,271 | R--- | C] () -- C:\Documents and Settings\AmandaV\Desktop\shrauber.exe
[2010/05/04 18:51:17 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\gmer.zip
[2010/05/04 18:45:14 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\dds.scr
[2010/05/04 18:41:24 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\AmandaV\defogger_reenable
[2010/05/04 18:40:41 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\Defogger.exe
[2010/05/04 15:56:33 | 1064,763,392 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/01 19:31:51 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/28 18:33:03 | 000,010,563 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/04/28 18:33:02 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/04/26 14:35:10 | 000,001,548 | ---- | C] () -- C:\Documents and Settings\AmandaV\Desktop\CCleaner.lnk
[2010/04/24 01:27:20 | 000,012,299 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\Hammond.docx
[2010/04/20 22:33:19 | 000,012,365 | ---- | C] () -- C:\Documents and Settings\AmandaV\My Documents\Snagajob.docx
[2010/04/20 19:42:49 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmp0D085.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmpA2F75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmp7AF75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmp5FF75.FOT
[2010/04/20 19:42:48 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmp26085.FOT
[2009/03/13 21:41:41 | 000,000,021 | ---- | C] () -- C:\WINDOWS\atid.ini
[2007/02/15 10:09:20 | 000,000,051 | ---- | C] () -- C:\WINDOWS\VistaEmail.ini
[2006/09/13 16:32:44 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2006/09/13 16:27:37 | 000,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/09/13 15:56:25 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/09/11 23:04:01 | 000,000,104 | RHS- | C] () -- C:\WINDOWS\System32\2EACE13AF4.sys
[2006/04/30 11:59:17 | 000,006,580 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/02/19 23:03:26 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/02/19 22:58:39 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/02/19 22:56:41 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/19 22:17:50 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2006/02/19 22:17:18 | 000,000,387 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 09:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/16 05:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/05 15:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/08/12 09:44:10 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\iwca.dll
[2001/07/06 15:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
< End of report >

#15 schrauber

Mr.Mechanic

Malware Response Team
24,794 posts
OFFLINE

Gender:Male
Location:Munich,Germany
Local time:07:20 AM

Posted 19 May 2010 - 02:30 AM

Hi,

Click Start > Run > type helpasst -cleanup > OK

Click Start > Run > type combofix /Uninstall > OK

Please run OTL one more time and hit Cleanup. This will remove OTL and all helper tools.

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean

Hiding Hidden Files
Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then go to Start > Run and type: Cleanmgr
Click "OK".
Click the "More Options" Tab.
Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

One of the most common questions found when cleaning Spyware or other Malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are going to sites that you are not practicing Safe Internet, you are not running the proper security software, and that your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer so that you will not be infected again in the future.

Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:

If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.

There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

Visit Microsoft's Windows Update Site Frequently

It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Make Internet Explorer 7 more secure

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
1. Change the Download signed ActiveX controls to Prompt
2. Change the Download unsigned ActiveX controls to Disable
3. Change the Initialize and script ActiveX controls not marked as safe to Disable
4. Change the Installation of desktop items to Prompt
5. Change the Launching programs and files in an IFRAME to Prompt
6. Change the Navigate sub-frames across different domains to Prompt
7. When all these settings have been made, click on the OK button.
8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software

It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster

SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

regards,
schrauber

Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware