Series of Nasty Malware Infections Appeared Out of Nowhere! But...My MalwareBytes is Clean?


  • This topic is locked
72 replies to this topic

#1 analyst44

Posted 08 May 2010 - 06:09 PM

Hello there.

First time poster here. I've used a few other services in the past (with great success) but my research on this current round of infection brought me here so I figured I'd give you guys a whirl. I apologize for the length. I've got some crazy stuff happening here:

In the middle of browsing with Google Chrome last night, I was just absolutely ambushed. The AntiSpyware Soft infection went absolutely nuts out of nowhere. Little red Windows security badges (like when your anti-virus is out of date) kept appearing in droves in my task tray (like 15-20 at a time). I ended up getting rid of the worst of that between my AV (Avast) and MalwareBytes, but there is some very bad stuff still left on the box.

I regularly update SpywareBlaster and use MalwareBytes, Windows Firewall and Avast to keep the system safe. Not sure where this thing came from or why this particular computer (second time in 4-5 months now) is vulnerable.

Some symptoms:
  • Windows doesn't fully "boot" - I hardly ever hear the startup sound. If I do, it comes about 20 minutes after I've already started to see the desktop and have already been able to preliminarily navigate Windows. The reason I know this is happening is twofold: (1) If my mouse goes anywhere over the tasktray or taskbar, it turns into an hourglass. I have to Alt-Tab to navigate programs. (2) Icons that normally appear in the tray do not show up until that Windows Startup Sound happens (which sometimes never happens). These include things like my network connectivity icon and a few other startup items. Also, in the lower right corner of the screen where the clock is, a small black box with a silver frame/lining appears over part of my taskbar and the tasktray. I tried to take a screenshot of it, but it does not show up when I do a PrintScreen.
  • I cannot control-alt-delete.
  • My system only boots now (into the limited mode that I spoke of above) for about 10-15 minutes, which makes doing scans difficult. Folders and programs freeze, Windows Freezes, and/or the mouse freezes in the middle of doing something. I have to power off using the button on the tower. There is no other way.
  • The Avast spinning ball in the tasktray often freezes in a weird way that is not normal.
  • Currently, System Restore is turned OFF. I did this to try to eliminate the infection that may have been lingering there.
  • I deactivated any cd-rom emulation with Defogger. I don't think MagicDisk starts up with Windows, but I did it just in case.
Notes:
  • The computer will not last long enough in regular mode for me to actually save the GMER log. I'm going to run it in safe mode and add that one here, though I am not sure if that is comprehensive enough. EDIT: I ran it in safe mode and the computer rebooted in the middle of the scan after about 20 minutes. FWIW, I'm 90% sure that there are rootkits active on this PC given the Avast Warning Logs.
  • I'm going to post the results from two Avast Warning Logs here as well given it shows the kinds of malware I'm dealing with probably as well as anything else does. I've deleted any file it found but that doesn't seem to necessarily get rid of it or to stop whatever this is from re-generating like some kind of mutant ninja.
  • I'm not sure if it'll show up in the logs or not since I have not read through them in great detail, but there may be some whacky Windows Activation and Genuine Advantage stuff in them. The reason for that is not because I'm using a counterfeit version of Windows. It's because when I performed a repair install on this machine a bit ago, my very legitimate activation key would no longer work and MS was not willing to help me out even though I did nothing but follow normal protocols. My activation got completely wiped out.
  • I have a feeling that this fix is going to involve some specialized tools (ComboFix, rKill, etc), but I do not know which ones to employ and when, unfortunately.
Onward to the posts:

Avast Warning Log of various malware:

5/8/2010 12:04:11 AM 1273291451 SYSTEM 1508 Sign of "Win32:MalOb-AS [Cryp]" has been found in "C:\DOCUME~1\LILLIA~1\LOCALS~1\Temp\Ksv.exe" file.
5/8/2010 12:04:19 AM 1273291459 SYSTEM 1508 Sign of "Win32:Malware-gen" has been found in "C:\DOCUME~1\LILLIA~1\LOCALS~1\Temp\ermnscxowa.tmp" file.
5/8/2010 12:04:25 AM 1273291465 SYSTEM 1508 Sign of "Win32:MalOb-AT [Cryp]" has been found in "C:\Documents and Settings\Lillian User\Local Settings\Temporary Internet Files\Content.IE5\J10W50B0\oriqbjdp[1].htm" file.
5/8/2010 12:04:31 AM 1273291471 SYSTEM 1508 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\00006fce.sys" file.
5/8/2010 12:04:38 AM 1273291478 SYSTEM 1508 Sign of "Win32:MalOb-AS [Cryp]" has been found in "C:\DOCUME~1\LILLIA~1\LOCALS~1\Temp\Ksv.exe" file.
5/8/2010 12:04:45 AM 1273291485 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\drmkaud.sys" file.
5/8/2010 12:04:50 AM 1273291490 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\drmkaud.sys" file.
5/8/2010 12:04:58 AM 1273291498 SYSTEM 1508 Sign of "Win32:MalOb-AT [Cryp]" has been found in "C:\DOCUME~1\LILLIA~1\LOCALS~1\Temp\nbmrh.exe" file.
5/8/2010 12:05:06 AM 1273291506 SYSTEM 1508 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\qigblhnc.dll" file.
5/8/2010 12:05:23 AM 1273291523 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\lvuvcflt.sys" file.
5/8/2010 12:05:30 AM 1273291530 SYSTEM 1508 Sign of "Win32:MalOb-AT [Cryp]" has been found in "C:\Documents and Settings\Lillian User\Local Settings\Temporary Internet Files\Content.IE5\7ICFBKCF\oriqbjdp[1].htm" file.
5/8/2010 12:05:34 AM 1273291534 SYSTEM 1508 Sign of "Win32:Malware-gen" has been found in "C:\DOCUME~1\LILLIA~1\LOCALS~1\Temp\oyxyykshkz.dll" file.
5/8/2010 12:05:48 AM 1273291548 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\lvpopflt.sys" file.
5/8/2010 12:05:55 AM 1273291555 SYSTEM 1508 Sign of "Win32:MalOb-AT [Cryp]" has been found in "C:\DOCUME~1\LILLIA~1\LOCALS~1\Temp\nbmrh.exe" file.
5/8/2010 12:06:05 AM 1273291565 SYSTEM 1508 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\twywcbmb.dll" file.
5/8/2010 12:06:18 AM 1273291578 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\Modem.sys" file.
5/8/2010 12:06:25 AM 1273291585 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\modem.sys" file.
5/8/2010 12:06:30 AM 1273291590 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\mouhid.sys" file.
5/8/2010 12:06:38 AM 1273291598 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\mskssrv.sys" file.
5/8/2010 12:06:44 AM 1273291604 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\mspclock.sys" file.
5/8/2010 12:06:51 AM 1273291611 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\mstee.sys" file.
5/8/2010 12:07:02 AM 1273291622 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\nabtsfec.sys" file.
5/8/2010 12:07:13 AM 1273291633 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\ndisip.sys" file.
5/8/2010 12:07:20 AM 1273291640 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\nv4_mini.sys" file.
5/8/2010 12:07:28 AM 1273291648 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\nwlnkflt.sys" file.
5/8/2010 12:07:35 AM 1273291655 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\nwlnkfwd.sys" file.
5/8/2010 12:07:41 AM 1273291661 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\PCIDump.sys" file.
5/8/2010 12:07:46 AM 1273291666 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\PDCOMP.sys" file.
5/8/2010 12:07:53 AM 1273291673 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\PDFRAME.sys" file.
5/8/2010 12:08:00 AM 1273291680 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\PDRELI.sys" file.
5/8/2010 12:08:07 AM 1273291687 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\PDRFRAME.sys" file.
5/8/2010 12:08:13 AM 1273291693 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\rdpdr.sys" file.
5/8/2010 12:08:52 AM 1273291732 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\LastGood\system32\drivers\rdpdr.sys" file.
5/8/2010 12:09:05 AM 1273291745 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\RDPWD.sys" file.
5/8/2010 12:09:16 AM 1273291756 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\rdpwd.sys" file.
5/8/2010 12:09:24 AM 1273291764 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\program files\superantispyware\sasenum.sys" file.
5/8/2010 12:09:57 AM 1273291797 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\secdrv.sys" file.
5/8/2010 12:10:03 AM 1273291803 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\Sfloppy.sys" file.
5/8/2010 12:10:55 AM 1273291855 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\sfloppy.sys" file.
5/8/2010 12:11:03 AM 1273291863 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\slip.sys" file.
5/8/2010 12:11:10 AM 1273291870 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\LastGood\system32\drivers\slip.sys" file.
5/8/2010 12:11:16 AM 1273291876 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\splitter.sys" file.
5/8/2010 12:11:22 AM 1273291882 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\serscan.sys" file.
5/8/2010 12:11:32 AM 1273291892 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\DRIVERS\serscan.sys" file.
5/8/2010 12:11:36 AM 1273291896 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\streamip.sys" file.
5/8/2010 12:11:40 AM 1273291900 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\LastGood\system32\drivers\serscan.sys" file.
5/8/2010 12:11:47 AM 1273291907 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\DRIVERS\StreamIP.sys" file.
5/8/2010 12:11:50 AM 1273291910 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\streamip.sys" file.
5/8/2010 12:11:53 AM 1273291913 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\swmidi.sys" file.
5/8/2010 12:13:38 AM 1273292018 Lillian User 2524 Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011.
5/8/2010 12:14:56 AM 1273292096 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\LastGood\system32\drivers\swmidi.sys" file.
5/8/2010 12:15:08 AM 1273292108 Lillian User 2524 Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011.
5/8/2010 12:16:13 AM 1273292173 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\swmidi.sys" file.
5/8/2010 12:16:21 AM 1273292181 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\TDPIPE.sys" file.
5/8/2010 12:16:26 AM 1273292186 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\TDTCP.sys" file.
5/8/2010 12:16:30 AM 1273292190 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\usbscan.sys" file.
5/8/2010 12:18:24 AM 1273292304 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\LastGood\system32\drivers\usbscan.sys" file.
5/8/2010 12:18:53 AM 1273292333 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\usbstor.sys" file.
5/8/2010 12:20:10 AM 1273292410 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\usbstor.sys" file.
5/8/2010 12:20:26 AM 1273292426 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\Drivers\OLD1274.tmp" file.
5/8/2010 12:20:32 AM 1273292432 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\wceusbsh.sys" file.
5/8/2010 12:20:36 AM 1273292436 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\wceusbsh.sys" file.
5/8/2010 12:20:45 AM 1273292445 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\Drivers\OLD127E.tmp" file.
5/8/2010 12:20:55 AM 1273292455 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\WDICA.sys" file.
5/8/2010 12:21:50 AM 1273292510 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\System32\Drivers\WDICA.SYS" file.
5/8/2010 12:21:54 AM 1273292514 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\winusb.sys" file.
5/8/2010 12:21:57 AM 1273292517 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\DRIVERS\WinUSB.sys" file.
5/8/2010 12:21:59 AM 1273292519 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\wpdusb.sys" file.
5/8/2010 12:22:45 AM 1273292565 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\wstcodec.sys" file.
5/8/2010 12:32:18 AM 1273293138 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\LastGood\system32\drivers\wstcodec.sys" file.
5/8/2010 12:32:39 AM 1273293159 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\wudfrd.sys" file.
5/8/2010 12:32:46 AM 1273293166 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\xvbkyukl.sys" file.
5/8/2010 3:42:21 PM 1273347741 SYSTEM 1512 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\Drivers\winusb.sys" file.
5/8/2010 3:43:23 PM 1273347803 SYSTEM 1512 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\Lillian User\Local Settings\Temp\qlvoilw.exe" file.
5/8/2010 4:16:00 PM 1273349760 Lillian User 3168 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
5/8/2010 4:23:04 PM 1273350184 Lillian User 3168 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Documents and Settings\Lillian User\Local Settings\Temp\excwranmso.tmp\ezwi1550.exe\$SYSDIR\$R0.dll" file.
5/8/2010 4:23:22 PM 1273350202 Lillian User 3168 Sign of "Win32:Malware-gen" has been found in "C:\Documents and Settings\Lillian User\Local Settings\Temp\excwranmso.tmp\howi410.exe\$SYSDIR\$TEMP\$[40].dll" file.
5/8/2010 4:23:29 PM 1273350209 Lillian User 3168 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Documents and Settings\Lillian User\Local Settings\Temp\excwranmso.tmp\smwi1550.exe\$SYSDIR\$R0.dll" file.
5/8/2010 4:23:35 PM 1273350215 Lillian User 3168 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Documents and Settings\Lillian User\Local Settings\Temp\RarSFX0\ezwi1550.exe\$SYSDIR\$R0.dll" file.
5/8/2010 4:23:42 PM 1273350222 Lillian User 3168 Sign of "Win32:Malware-gen" has been found in "C:\Documents and Settings\Lillian User\Local Settings\Temp\RarSFX0\howi410.exe\$SYSDIR\$TEMP\$[40].dll" file.
5/8/2010 4:23:45 PM 1273350225 Lillian User 3168 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Documents and Settings\Lillian User\Local Settings\Temp\RarSFX0\smwi1550.exe\$SYSDIR\$R0.dll" file.



===================================================

DDS:



DDS (Ver_10-03-17.01) - NTFSx86
Run by Lillian User at 18:03:38.12 on Sat 05/08/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1495 [GMT -4:00]

AV: avast! antivirus 4.8.1368 [VPS 100508-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Lillian User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\BrmfBAgS.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Documents and Settings\Jamal User\Local Settings\Application Data\CrossLoop\CrossLoopService.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Documents and Settings\Lillian User\Desktop\clean up\Specialty\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\lillian User\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Djisakoho] rundll32.exe "c:\windows\wmsvwins.dll",Startup
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mPolicies-system: EnableLUA = 0 (0x0)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-2-19 28552]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-3 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-1-9 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-3 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2005-10-10 138680]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\jamal User\local settings\application data\crossloop\CrossLoopService.exe [2010-4-2 560792]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-15 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2005-10-10 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2005-10-10 352920]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2008-12-3 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2008-12-3 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2008-12-3 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2008-12-3 61440]
S0 xvbkyukl;xvbkyukl; [x]
S3 usbxbox;usbxbox;c:\windows\system32\usbxbox.sys [2008-4-14 2304]
S3 uvnc_service;uvnc_service;c:\documents and settings\jamal User\local settings\application data\crossloop\winvnc.exe [2010-4-2 1590216]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-05-08 22:02:22 0 ----a-w- c:\documents and settings\lillian User\defogger_reenable
2010-05-08 04:09:44 2544 ----a-w- c:\windows\osenoguqut.dll
2010-05-08 04:05:48 50990 ----a-w- c:\windows\system32\jewdzvlpnqhl.exe
2010-04-23 21:06:35 68 ----a-w- c:\windows\eyeQ Screen Saver.ini
2010-04-23 21:06:35 4141056 ----a-w- c:\windows\eyeQ Screen Saver.scr
2010-04-23 21:06:21 0 d-----w- c:\program files\Infinite Mind LC
2010-04-21 04:32:15 165376 ----a-w- c:\windows\system32\unrar.dll
2010-04-15 18:22:57 0 d-----w- c:\docume~1\lillia~1\applic~1\Key Metric Software
2010-04-15 17:54:50 0 d-----w- c:\program files\FolderSizes 4
2010-04-15 17:54:50 0 d-----w- c:\program files\common files\Key Metric Software
2010-04-15 17:54:46 0 d--h--w- c:\docume~1\alluse~1\applic~1\{1FD94113-C78D-4E31-A3B6-8EB6161F9986}
2010-04-15 17:49:46 81920 ----a-w- c:\windows\eSellerateControl350.dll
2010-04-15 17:49:46 352256 ----a-w- c:\windows\eSellerateEngine.dll
2010-04-15 17:49:46 0 d-----w- c:\program files\HAS
2010-04-15 14:43:49 0 d-----w- c:\program files\SyncBack

==================== Find3M ====================

2010-05-02 20:19:49 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-02 20:19:46 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-20 04:32:22 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-10 22:28:44 54132 ----a-w- c:\windows\fonts\Kristen ITC.ttf

============= FINISH: 18:05:49.45 ===============


DDS_Attach - Uploaded

GMER_Ark - Could not save in regular mode. Could not finish scanning in Safe Mode.


Thank you very very much for your help. I'm hopeful to get this resolved sometime soon.

Best,
Analyst44

Edited by analyst44, 09 May 2010 - 09:15 AM.
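As an added example (not from the post, and not part of any BleepingComputer tool), here is a small Python triage script for the two log formats pasted above: it groups the avast! warning-log hits by signature and by file location, and pulls out the DDS report lines that usually matter in a case like this (a proxy pointed at 127.0.0.1, a Run key loading a DLL through rundll32, a service/driver entry DDS marks [x] because the file is gone). The regexes and classification rules are the example's own assumptions; the sample lines are a subset copied from the logs in the post.

```python
# Triage helpers for the avast! warning log and the DDS pseudo-HJT /
# services sections pasted in the post above. Added example; the regexes
# and classification rules are this example's own assumptions.
import re
from collections import Counter

# Detection line as written by avast! 4.8 in the post's warning log.
AVAST_HIT = re.compile(
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.')

# DDS lines worth a second look (patterns assumed from the post's report).
PROXY = re.compile(r'^[um]Internet Settings,ProxyServer\s*=\s*(.+)$')
RUNDLL = re.compile(
    r'^[um]Run:\s*\[(?P<name>[^\]]+)\]\s*rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)
MISSING_DRV = re.compile(r'^[RS]\d\s+(?P<svc>[^;]+);[^;]*;\s*\[x\]\s*$')


def parse_avast_log(text):
    """Yield (signature, path) for each detection line; lines such as the
    setifaceUpdatePackages() failures carry no detection and are skipped."""
    for line in text.splitlines():
        m = AVAST_HIT.search(line)
        if m:
            yield m.group("sig"), m.group("path")


def classify_path(path):
    """Coarse location class for a flagged file."""
    p = path.lower()
    if "\\drivers\\" in p and p.endswith(".sys"):
        return "system-driver"
    if "\\temp\\" in p or "\\temporary internet files\\" in p:
        return "temp-dropper"
    if "\\system32\\" in p:
        return "system32"
    return "other"


def summarize_avast(text):
    """Hits per signature and per location, plus every .sys flagged under a
    drivers directory. One [Rtk] signature firing on dozens of stock driver
    names (drmkaud.sys, mouhid.sys, ...) means the driver files themselves
    were modified on disk, or a rootkit is feeding the scanner altered data;
    deleting the flagged files repairs neither."""
    by_sig, by_class, drivers = Counter(), Counter(), set()
    for sig, path in parse_avast_log(text):
        by_sig[sig] += 1
        cls = classify_path(path)
        by_class[cls] += 1
        if cls == "system-driver":
            drivers.add(path.rsplit("\\", 1)[-1].lower())
    return {"by_signature": dict(by_sig), "by_class": dict(by_class),
            "driver_files": sorted(drivers)}


def triage_dds(text):
    """Pull out of a DDS report: proxy settings pointing at the local host
    (browser traffic interception), Run keys that load a DLL via rundll32,
    and service/driver entries DDS marks [x] (registered, no file on disk)."""
    out = {"loopback_proxy": [], "rundll_autoruns": [], "drivers_without_file": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = PROXY.match(line)
        if m and re.search(r"127\.0\.0\.\d+|localhost", m.group(1), re.I):
            out["loopback_proxy"].append(m.group(1).strip())
            continue
        m = RUNDLL.match(line)
        if m:
            out["rundll_autoruns"].append((m.group("name"), m.group("dll")))
            continue
        m = MISSING_DRV.match(line)
        if m:
            out["drivers_without_file"].append(m.group("svc"))
    return out


# Constructed samples: a subset of lines copied from the logs in the post.
SAMPLE_AVAST_LOG = r"""
5/8/2010 12:04:11 AM 1273291451 SYSTEM 1508 Sign of "Win32:MalOb-AS [Cryp]" has been found in "C:\DOCUME~1\LILLIA~1\LOCALS~1\Temp\Ksv.exe" file.
5/8/2010 12:04:31 AM 1273291471 SYSTEM 1508 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\00006fce.sys" file.
5/8/2010 12:04:45 AM 1273291485 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\drmkaud.sys" file.
5/8/2010 12:06:30 AM 1273291590 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\mouhid.sys" file.
5/8/2010 12:13:38 AM 1273292018 Lillian User 2524 Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011.
5/8/2010 12:32:46 AM 1273293166 SYSTEM 1508 Sign of "Win32:Qandr [Rtk]" has been found in "C:\WINDOWS\system32\drivers\xvbkyukl.sys" file.
5/8/2010 3:43:23 PM 1273347803 SYSTEM 1512 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\Lillian User\Local Settings\Temp\qlvoilw.exe" file.
"""

SAMPLE_DDS = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Djisakoho] rundll32.exe "c:\windows\wmsvwins.dll",Startup
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-2-19 28552]
S0 xvbkyukl;xvbkyukl; [x]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
"""
```

Calling summarize_avast(SAMPLE_AVAST_LOG) and triage_dds(SAMPLE_DDS) on the samples shows the three [Rtk] driver hits grouped together and the loopback proxy, the rundll32 Run key and the file-less xvbkyukl driver entry pulled out; whether a [x] entry is hostile (xvbkyukl) or a harmless leftover (the LogMeIn one) is still the helper's call.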



#2 myrti
  • Malware Study Hall Admin

Posted 10 May 2010 - 04:49 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

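The `/md5start` ... `/md5stop` block in the custom scan above asks OTL to record MD5 hashes of core system files that malware of that era liked to patch in place (atapi.sys being the best-known case), so the helper can compare them against known-good copies. The following is an added example, not OTL's code and not part of myrti's post, that shows what such a comparison looks like in principle: it hashes a staged directory against a baseline and reports each file as intact, modified or missing. Every file body and hash here is a constructed placeholder, not real driver bytes.

```python
"""Baseline hash check for core Windows system files (added example, constructed data)."""
import hashlib
import os
import tempfile

# Constructed sample: what a clean reference machine would hold for three of the
# files in the scan list. Real copies are PE images; these are placeholders.
CLEAN_REFERENCE = {
    "atapi.sys": b"clean atapi.sys image (constructed placeholder)",
    "eventlog.dll": b"clean eventlog.dll image (constructed placeholder)",
    "scecli.dll": b"clean scecli.dll image (constructed placeholder)",
}


def md5_hex(data):
    """MD5 of an in-memory byte string, as a lowercase hex digest."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=65536):
    """Stream a file through MD5 so large drivers need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(reference):
    """Baseline = filename -> MD5 of the known-clean copy of that file."""
    return {name: md5_hex(data) for name, data in reference.items()}


def check_against_baseline(directory, baseline):
    """Classify every baselined file as found under `directory`.

    Returns filename -> "ok" (hash matches), "MODIFIED" (present but the hash
    differs, e.g. patched in place) or "MISSING" (not on disk at all).
    """
    verdicts = {}
    for name, expected in sorted(baseline.items()):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            verdicts[name] = "MISSING"
        elif md5_of_file(path) == expected:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "MODIFIED"
    return verdicts


def demo():
    """Stage a fake system directory: one intact file, one patched, one missing."""
    baseline = build_baseline(CLEAN_REFERENCE)
    with tempfile.TemporaryDirectory() as sysdir:
        # Untouched copy: should hash identically to the baseline.
        with open(os.path.join(sysdir, "atapi.sys"), "wb") as fh:
            fh.write(CLEAN_REFERENCE["atapi.sys"])
        # In-place modification: same name, extra bytes appended (constructed).
        with open(os.path.join(sysdir, "eventlog.dll"), "wb") as fh:
            fh.write(CLEAN_REFERENCE["eventlog.dll"] + b"\x90\x90 injected stub")
        # scecli.dll deliberately not written, so it reports as MISSING.
        return check_against_baseline(sysdir, baseline)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:9s} {name}")
```

Two caveats a practitioner should keep in mind: Windows ships several legitimate versions of each of these files (service pack and hotfix level differ from machine to machine), so the baseline must come from a known-clean system at the same patch level, and a mismatch is a lead to investigate rather than a verdict on its own. MD5 is used above only because that is what the scan directive requests; it is adequate for matching against an inventory of known-good hashes, but a baseline built today should use SHA-256.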


#3 analyst44
  • Topic Starter
  • Members
  • 40 posts

Posted 10 May 2010 - 08:44 PM

Hi Myrti,

Thanks so much for the response. I know you guys are swamped so no worries on the response! I was prepared to wait a day or two and have grabbed an older laptop for my parents to use in the meantime (they are a bit older so I don't want them to use their infected computer). I really appreciate you getting back to me :)

I have not done anything to the computer since I posted. In fact, I turned it off after I posted my original post because it just wasn't worth it to have it continue to crash. I know how efficient you guys are at diagnosing and helping, so once I post in a forum, I typically sit back and wait so I can do things in the right order.

The description of the problems I'm having is the same as in the original post, so I will not detail them again here and save your eyes some strain!

I signed up for instant email notification as soon as I signed up for the board so I think I am all set there!

Thanks so much for your help again, Myrti. I'm so grateful for your help!

=====================================
OTL Log:

OTL logfile created on: 5/10/2010 9:32:59 PM - Run 4
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Lillian User\Desktop\clean up
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.26 Gb Total Space | 19.32 Gb Free Space | 27.12% Space Free | Partition Type: NTFS
Drive D: | 7.82 Mb Total Space | 7.80 Mb Free Space | 99.75% Space Free | Partition Type: FAT
E: Drive not present or media not loaded
Drive F: | 142.58 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 1.87 Gb Total Space | 0.33 Gb Free Space | 17.73% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: User-OFFICE
Current User Name: Lillian User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/10 20:59:14 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lillian User\Desktop\clean up\OTL.exe
PRC - [2010/03/15 12:24:06 | 000,560,792 | ---- | M] (CrossLoop Inc) -- C:\Documents and Settings\Jamal User\Local Settings\Application Data\CrossLoop\CrossLoopService.exe
PRC - [2009/11/24 19:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 19:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 19:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 19:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 19:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/10/07 02:47:34 | 000,154,136 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
PRC - [2009/03/30 16:28:36 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
PRC - [2008/11/10 13:23:38 | 000,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/04 17:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PRC - [2006/06/28 08:46:30 | 000,622,592 | ---- | M] () -- C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
PRC - [2006/03/30 10:15:44 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2005/10/29 00:28:44 | 000,052,736 | ---- | M] (Macrovision) -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE
PRC - [2005/03/17 15:25:54 | 000,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
PRC - [2005/01/07 18:30:56 | 000,864,256 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\ControlCenter2\brctrcen.exe
PRC - [2004/10/15 16:54:14 | 000,100,016 | ---- | M] (America Online, Inc) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
PRC - [2004/10/15 16:54:12 | 000,046,768 | ---- | M] (America Online Inc) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
PRC - [2004/10/14 20:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2004/09/10 16:32:48 | 000,053,248 | ---- | M] (Brother Industries, Ltd.) -- C:\WINDOWS\system32\BrmfBAgS.exe
PRC - [2004/07/27 17:50:18 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2003/08/27 11:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe
PRC - [2003/06/27 14:09:00 | 000,266,240 | ---- | M] (Executive Software International, Inc.) -- C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
PRC - [2001/08/17 23:36:00 | 000,032,256 | ---- | M] (Brother Industries, Ltd.) -- C:\WINDOWS\system32\BrmfRsmg.exe


========== Modules (SafeList) ==========

MOD - [2010/05/10 20:59:14 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lillian User\Desktop\clean up\OTL.exe
MOD - [2010/02/20 00:47:14 | 000,077,824 | ---- | M] (SuperAdBlocker.com) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/03/15 12:24:06 | 000,560,792 | ---- | M] (CrossLoop Inc) [Auto | Running] -- C:\Documents and Settings\Jamal User\Local Settings\Application Data\CrossLoop\CrossLoopService.exe -- (CrossLoopService)
SRV - [2009/12/06 22:12:48 | 001,590,216 | ---- | M] (UltraVNC) [On_Demand | Stopped] -- C:\Documents and Settings\Jamal User\Local Settings\Application Data\CrossLoop\winvnc.exe -- (uvnc_service)
SRV - [2009/11/24 19:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 19:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 19:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 19:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/10/07 02:47:34 | 000,154,136 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2008/11/10 13:23:50 | 005,117,568 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2008/11/10 13:23:42 | 000,243,840 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2008/11/10 13:23:38 | 000,060,032 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)
SRV - [2006/03/30 10:15:44 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2006/01/05 00:06:02 | 000,163,840 | ---- | M] (Alex Feinman) [On_Demand | Stopped] -- C:\Program Files\ISO Recorder\ImapiHelper.exe -- (Imapi Helper)
SRV - [2005/10/29 00:28:44 | 000,052,736 | ---- | M] (Macrovision) [Auto | Running] -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA)
SRV - [2004/10/15 16:54:14 | 000,100,016 | ---- | M] (America Online, Inc) [Auto | Running] -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe -- (AOL TopSpeedMonitor)
SRV - [2004/09/10 16:32:48 | 000,053,248 | ---- | M] (Brother Industries, Ltd.) [Auto | Running] -- C:\WINDOWS\System32\BrmfBAgS.exe -- (brmfbags)
SRV - [2004/06/29 09:29:30 | 000,184,373 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe -- (AOLService)
SRV - [2003/08/27 11:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)
SRV - [2003/06/27 14:09:00 | 000,266,240 | ---- | M] (Executive Software International, Inc.) [Auto | Running] -- C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe -- (Diskeeper)


========== Driver Services (SafeList) ==========

DRV - [2010/02/20 00:47:05 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/02/20 00:47:00 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/11/24 19:50:59 | 000,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/24 19:50:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/24 19:50:00 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/24 19:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/24 19:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 19:47:54 | 000,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/10/07 04:49:38 | 006,756,632 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 9000(UVC)
DRV - [2009/10/07 04:47:54 | 000,266,008 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2009/10/07 02:46:36 | 000,025,752 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2009/06/30 10:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2008/11/10 13:09:32 | 000,040,832 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus)
DRV - [2008/04/14 08:00:00 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2008/04/14 08:00:00 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2008/04/14 08:00:00 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2008/04/14 08:00:00 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2008/04/14 08:00:00 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2008/04/14 08:00:00 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2008/04/14 08:00:00 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2008/04/14 08:00:00 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2008/04/14 08:00:00 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2008/04/14 08:00:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2008/04/14 08:00:00 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2008/04/14 08:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2008/04/14 08:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2008/04/14 08:00:00 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2008/04/14 08:00:00 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2008/04/14 08:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2008/04/14 08:00:00 | 000,002,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\usbxbox.sys -- (usbxbox)
DRV - [2008/04/14 01:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2007/10/11 22:00:43 | 000,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2005/10/29 00:28:43 | 000,011,376 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CdaC15BA.SYS -- (CdaC15BA)
DRV - [2005/05/31 06:33:00 | 000,100,605 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2005/05/31 06:33:00 | 000,098,716 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2005/05/31 06:33:00 | 000,086,876 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2005/05/31 06:33:00 | 000,034,845 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2005/05/31 06:33:00 | 000,025,725 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2005/05/31 06:33:00 | 000,015,069 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2005/05/31 06:33:00 | 000,006,365 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2005/05/31 06:33:00 | 000,004,125 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2005/05/31 06:33:00 | 000,002,241 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2005/05/13 11:37:28 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2005/05/13 11:37:20 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2005/04/22 04:22:00 | 000,088,352 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2005/04/21 03:56:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/11/23 18:39:36 | 000,061,440 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrSerWdm.sys -- (BrSerWDM)
DRV - [2004/09/17 15:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2003/01/10 17:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 14:12:24 | 000,003,168 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrParImg.sys -- (brparimg)
DRV - [2001/08/17 13:12:18 | 000,039,552 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrParwdm.sys -- (BrParWdm)
DRV - [2001/08/17 13:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/mywaybiz
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1605293762-1705067530-1475829602-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-21-1605293762-1705067530-1475829602-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKU\S-1-5-21-1605293762-1705067530-1475829602-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1605293762-1705067530-1475829602-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1605293762-1705067530-1475829602-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1605293762-1705067530-1475829602-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

FF - HKLM\software\mozilla\Firefox\extensions\\{DF6099AE-C875-4BCE-978F-BF7919FDA290}: C:\Documents and Settings\Lillian User\Local Settings\Application Data\{DF6099AE-C875-4BCE-978F-BF7919FDA290}\ [2010/02/17 11:34:50 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/02/17 12:39:27 | 000,380,196 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 13099 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll (Microsoft Corp.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe ()
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe File not found
O4 - HKLM..\Run: [ISUSPM Startup] c:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe (Brother Industories, Ltd.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)
O4 - HKU\S-1-5-21-1605293762-1705067530-1475829602-1007..\Run: [Djisakoho] C:\WINDOWS\wmsvwins.DLL (Open Source Software community project)
O4 - Startup: C:\Documents and Settings\Michael User\Start Menu\Programs\Startup\MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1605293762-1705067530-1475829602-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKU\S-1-5-21-1605293762-1705067530-1475829602-1007\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/Facebo...toUploader5.cab (Facebook Photo Uploader 5)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/5/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll (Installation Support)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab (Crucial cpcScan)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Lillian User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Lillian User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/27 14:32:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/04/13 21:17:27 | 000,000,000 | ---D | M] - C:\Autosafe Excel Backups -- [ NTFS ]
O32 - AutoRun File - [2002/02/12 06:23:58 | 000,397,312 | R--- | M] () - F:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2001/12/06 21:31:32 | 000,000,042 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe - (Adobe Systems Incorporated)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe - File not found
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch.lnk - C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe - ()
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe - (Intuit Inc.)
MsConfig - StartUpFolder: C:^Documents and Settings^Lillian User^Start Menu^Programs^Startup^DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe - (Southwest Airlines)
MsConfig - StartUpFolder: C:^Documents and Settings^Lillian User^Start Menu^Programs^Startup^Logitech . Product Registration.lnk - C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe - (Leader Technologies/Logitech)
MsConfig - StartUpFolder: C:^Documents and Settings^Lillian User^Start Menu^Programs^Startup^MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe - (MagicISO, Inc.)
MsConfig - StartUpReg: AIM - hkey= - key= - C:\PROGRA~1\AIM\aim.exe -cnetwait.odl File not found
MsConfig - StartUpReg: Aim6 - hkey= - key= - C:\Program Files\AIM6\aim6.exe (AOL LLC)
MsConfig - StartUpReg: AOL Spyware Protection - hkey= - key= - C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe ()
MsConfig - StartUpReg: AOLDialer - hkey= - key= - C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (AOL LLC)
MsConfig - StartUpReg: ccApp - hkey= - key= - C:\Program Files\Common Files\Symantec Shared\ccApp.exe File not found
MsConfig - StartUpReg: DellSupport - hkey= - key= - C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
MsConfig - StartUpReg: dlmMgr - hkey= - key= - C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe File not found
MsConfig - StartUpReg: FreeRAM XP - hkey= - key= - C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe (YourWare Solutions ™)
MsConfig - StartUpReg: Google Update - hkey= - key= - C:\Documents and Settings\Lillian User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
MsConfig - StartUpReg: HAS.exe - hkey= - key= - C:\Program Files\HAS\HAS.EXE (Heatsoft Corporation)
MsConfig - StartUpReg: HostManager - hkey= - key= - C:\Program Files\Common Files\AOL\1128960999\EE\aolsoftware.exe (AOL LLC)
MsConfig - StartUpReg: IMEKRMIG6.1 - hkey= - key= - C:\WINDOWS\ime\imkr6_1\imekrmig.exe (Microsoft Corporation)
MsConfig - StartUpReg: IMJPMIG8.1 - hkey= - key= - C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
MsConfig - StartUpReg: IndexSearch - hkey= - key= - C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
MsConfig - StartUpReg: IS CfgWiz - hkey= - key= - C:\Program Files\Norton Internet Security\cfgwiz.exe File not found
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: LogitechQuickCamRibbon - hkey= - key= - C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
MsConfig - StartUpReg: Messenger (Yahoo!) - hkey= - key= - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
MsConfig - StartUpReg: mmtask - hkey= - key= - C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe File not found
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: msnmsgr - hkey= - key= - C:\Program Files\MSN Messenger\msnmsgr.exe File not found
MsConfig - StartUpReg: Pure Networks Port Magic - hkey= - key= - C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe File not found
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe File not found
MsConfig - StartUpReg: RealTray - hkey= - key= - C:\Program Files\Real\RealPlayer\RealPlay.exe File not found
MsConfig - StartUpReg: Riya - hkey= - key= - C:\Program Files\Riya\riyatray.exe File not found
MsConfig - StartUpReg: Skype - hkey= - key= - C:\Program Files\Skype\Phone\Skype.exe File not found
MsConfig - StartUpReg: SpybotSD TeaTimer - hkey= - key= - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
MsConfig - StartUpReg: SSC_UserPrompt - hkey= - key= - C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe File not found
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: SUPERAntiSpyware - hkey= - key= - C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
MsConfig - StartUpReg: SWF Printer Agent - hkey= - key= - C:\Program Files\SWF Printer Pro\swfpagent.exe ()
MsConfig - StartUpReg: swg - hkey= - key= - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe File not found
MsConfig - StartUpReg: updateMgr - hkey= - key= - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: uTorrent - hkey= - key= - C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
MsConfig - StartUpReg: Yahoo! Pager - hkey= - key= - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
MsConfig - StartUpReg: Zune Launcher - hkey= - key= - c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0291E591-EA41-4c82-8106-3DC6CE7F7664} - Reg Error: Value error.
ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Macromedia Shockwave Director 10.1.1
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 10.1.1
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - Reg Error: Value error.
ActiveX: {347B0667-C7ED-429B-BDE3-CC8D3BACAA31} - Reg Error: Value error.
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - Fax Provider
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - C:\WINDOWS\System32\lvcodec2.dll (Logitech Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.tscc - C:\WINDOWS\System32\tsccvid.dll (TechSmith Corporation)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/09/27 16:52:33 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/05/08 00:14:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/08 00:14:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/08 00:04:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lillian User\Local Settings\Application Data\imvvjjdbd
[2010/04/23 17:06:21 | 000,000,000 | ---D | C] -- C:\Program Files\Infinite Mind LC
[2010/04/21 00:33:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lillian User\Application Data\Media Player Classic
[2010/04/21 00:20:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lillian User\Desktop\Zane
[2010/04/21 00:20:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lillian User\Desktop\Freddie
[2010/04/15 14:22:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lillian User\Application Data\Key Metric Software
[2010/04/15 13:54:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Key Metric Software
[2010/04/15 13:54:50 | 000,000,000 | ---D | C] -- C:\Program Files\FolderSizes 4
[2010/04/15 13:54:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{1FD94113-C78D-4E31-A3B6-8EB6161F9986}
[2010/04/15 13:49:46 | 000,352,256 | ---- | C] (eSellerate Inc.) -- C:\WINDOWS\eSellerateEngine.dll
[2010/04/15 13:49:46 | 000,081,920 | ---- | C] (eSellerate Inc.) -- C:\WINDOWS\eSellerateControl350.dll
[2010/04/15 13:49:46 | 000,000,000 | ---D | C] -- C:\Program Files\HAS
[2010/04/15 10:43:49 | 000,000,000 | ---D | C] -- C:\Program Files\SyncBack

========== Files - Modified Within 30 Days ==========

[2010/05/10 21:30:00 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{E5370868-93A1-49F4-BC52-3354A03D4260}.job
[2010/05/10 21:20:33 | 000,000,442 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{331E5C16-7238-48C5-8545-5FE91CC513C6}.job
[2010/05/10 21:14:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1006UA.job
[2010/05/10 21:10:00 | 000,001,018 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1009UA.job
[2010/05/10 21:05:37 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/10 21:03:05 | 000,002,669 | ---- | M] () -- C:\WINDOWS\BrmfBidi.ini
[2010/05/10 21:02:39 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/10 21:02:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/08 19:49:00 | 000,001,018 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1007UA.job
[2010/05/08 19:10:00 | 000,000,966 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1009Core.job
[2010/05/08 18:02:22 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Lillian User\defogger_reenable
[2010/05/08 16:38:51 | 010,223,616 | ---- | M] () -- C:\Documents and Settings\Lillian User\ntuser.dat
[2010/05/08 16:38:25 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Lillian User\ntuser.ini
[2010/05/08 00:09:44 | 000,002,544 | ---- | M] () -- C:\WINDOWS\osenoguqut.dll
[2010/05/08 00:05:48 | 000,050,990 | ---- | M] () -- C:\WINDOWS\System32\jewdzvlpnqhl.exe
[2010/05/07 17:14:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1006Core.job
[2010/05/07 13:49:01 | 000,000,966 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1007Core.job
[2010/05/06 09:52:24 | 003,062,272 | ---- | M] () -- C:\Documents and Settings\Lillian User\Desktop\lifeonatrain2.pps
[2010/05/02 16:19:49 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2010/05/02 16:19:46 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad
[2010/04/30 16:36:29 | 000,000,896 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 21:41:20 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/04/26 21:41:19 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/26 17:51:28 | 000,000,426 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2010/04/24 19:51:59 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Lillian User\My Documents\Lillian_User_Mercy_Award_Speech.doc
[2010/04/23 17:06:32 | 000,001,675 | ---- | M] () -- C:\Documents and Settings\Lillian User\Desktop\eyeQ.lnk
[2010/04/21 00:32:17 | 000,000,926 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Media Player Classic.lnk
[2010/04/14 23:03:22 | 000,002,393 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2009.lnk
[2010/04/14 20:29:38 | 000,000,065 | ---- | M] () -- C:\WINDOWS\System32\BD7420.dat

========== Files Created - No Company Name ==========

[2010/05/08 18:02:22 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Lillian User\defogger_reenable
[2010/05/08 00:09:44 | 000,002,544 | ---- | C] () -- C:\WINDOWS\osenoguqut.dll
[2010/05/08 00:05:48 | 000,050,990 | ---- | C] () -- C:\WINDOWS\System32\jewdzvlpnqhl.exe
[2010/05/06 09:52:17 | 003,062,272 | ---- | C] () -- C:\Documents and Settings\Lillian User\Desktop\lifeonatrain2.pps
[2010/04/23 17:06:35 | 004,141,056 | ---- | C] () -- C:\WINDOWS\eyeQ Screen Saver.scr
[2010/04/23 17:06:35 | 000,000,068 | ---- | C] () -- C:\WINDOWS\eyeQ Screen Saver.ini
[2010/04/23 17:06:32 | 000,001,675 | ---- | C] () -- C:\Documents and Settings\Lillian User\Desktop\eyeQ.lnk
[2010/04/21 00:32:17 | 000,000,926 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Media Player Classic.lnk
[2010/04/21 00:32:15 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/04/14 10:32:29 | 000,023,040 | ---- | C] () -- C:\Documents and Settings\Lillian User\My Documents\Lillian_User_Mercy_Award_Speech.doc
[2009/10/18 13:47:06 | 000,000,015 | ---- | C] () -- C:\WINDOWS\Powerplayer.ini
[2009/10/18 13:45:04 | 000,000,546 | ---- | C] () -- C:\WINDOWS\psnetwork.ini
[2009/10/07 02:46:36 | 000,025,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2009/10/07 02:23:08 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2009/08/22 13:10:35 | 000,026,624 | ---- | C] () -- C:\WINDOWS\System32\swfppm.dll
[2009/04/04 11:22:10 | 000,000,040 | ---- | C] () -- C:\WINDOWS\opt_2460.ini
[2009/04/04 11:22:07 | 000,000,051 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2008/12/03 19:22:32 | 000,002,669 | ---- | C] () -- C:\WINDOWS\BrmfBidi.ini
[2008/12/03 19:19:28 | 000,000,052 | ---- | C] () -- C:\WINDOWS\System32\BrmfBAgP.ini
[2008/12/03 19:19:28 | 000,000,029 | ---- | C] () -- C:\WINDOWS\System32\BrmfBAgS.ini
[2008/12/03 19:19:20 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\BROSNMP.DLL
[2008/04/14 08:00:00 | 000,002,304 | ---- | C] () -- C:\WINDOWS\System32\usbxbox.sys
[2008/02/24 15:14:13 | 000,082,289 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2007/08/09 13:08:04 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/01/28 21:52:04 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2007/01/28 21:52:04 | 000,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2007/01/28 21:51:31 | 000,001,276 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2007/01/28 21:51:31 | 000,000,152 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2007/01/28 21:50:18 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2007/01/28 21:37:52 | 000,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2006/09/04 13:10:00 | 000,000,074 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI
[2006/06/05 22:08:36 | 000,001,273 | ---- | C] () -- C:\WINDOWS\EQNEDIT.INI
[2006/03/29 00:14:30 | 000,000,074 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/10/29 00:28:55 | 000,000,071 | ---- | C] () -- C:\WINDOWS\MPCWIN02.INI
[2005/10/29 00:28:45 | 000,202,752 | ---- | C] () -- C:\WINDOWS\CDAC14BA.DLL
[2005/10/29 00:28:43 | 000,011,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\CdaC15BA.SYS
[2005/10/29 00:08:06 | 000,000,225 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2005/10/10 12:11:51 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2005/10/10 11:57:48 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/10/10 00:28:54 | 000,000,478 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/09/27 08:37:22 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/09/27 08:27:20 | 000,000,313 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/09/27 08:02:02 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2005/09/27 08:01:52 | 000,000,394 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/04/09 18:04:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 14:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 14:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/04 11:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[1999/01/04 14:25:00 | 000,375,296 | ---- | C] () -- C:\WINDOWS\System32\tx32.dll
[1998/11/04 03:20:00 | 000,000,202 | ---- | C] () -- C:\WINDOWS\System32\Ic32.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2005/07/09 14:44:00 | 000,122,880 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\psshutdown.exe


< MD5 for: AGP440.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2008/04/14 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2008/04/14 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 08:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/09/27 16:59:48 | 001,671,168 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/09/27 20:39:39 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav
[2009/09/27 16:59:48 | 035,913,728 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/09/27 16:59:48 | 006,029,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/24 09:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/02/11 08:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >


=================================

Extras

OTL Extras logfile created on: 5/10/2010 9:32:59 PM - Run 4
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Lillian User\Desktop\clean up
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.26 Gb Total Space | 19.32 Gb Free Space | 27.12% Space Free | Partition Type: NTFS
Drive D: | 7.82 Mb Total Space | 7.80 Mb Free Space | 99.75% Space Free | Partition Type: FAT
E: Drive not present or media not loaded
Drive F: | 142.58 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 1.87 Gb Total Space | 0.33 Gb Free Space | 17.73% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: User-OFFICE
Current User Name: Lillian User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"4458:TCP" = 4458:TCP:*:Enabled:Application Sharing
"5910:TCP" = 5910:TCP:*:Enabled:vnc5910

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found
"E:\Program Files\America Online 9.0\waol.exe" = E:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found
"E:\Program Files\America Online 9.0\waol.exe" = E:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (AOL LLC)
"C:\Program Files\America Online 9.0a\waol.exe" = C:\Program Files\America Online 9.0a\waol.exe:*:Enabled:AOL -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon -- (America Online, Inc)
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed -- (America Online Inc)
"C:\Program Files\Common Files\AOL\1128960999\EE\AOLServiceHost.exe" = C:\Program Files\Common Files\AOL\1128960999\EE\AOLServiceHost.exe:*:Enabled:AOL -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL -- (America Online Inc.)
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL -- ()
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL -- (AOL Spyware Protection)
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe" = C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL -- (Gteko Ltd.)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\Program Files\Yahoo!\Messenger\YPager.exe" = C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger -- File not found
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
"C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager -- (Intuit, Inc.)
"C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe" = C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe:*:Enabled:Microsoft Help and Support Center -- (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\1128960999\EE\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1128960999\EE\aolsoftware.exe:*:Enabled:AOL Services -- (AOL LLC)
"C:\Program Files\Common Files\AOL\1128960999\EE\aim6.exe" = C:\Program Files\Common Files\AOL\1128960999\EE\aim6.exe:*:Enabled:AIM -- (America Online, Inc.)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- File not found
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Riya\jre\bin\javaw.exe" = C:\Program Files\Riya\jre\bin\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary -- File not found
"C:\Program Files\CrossLoop\CrossLoopConnect.exe" = C:\Program Files\CrossLoop\CrossLoopConnect.exe:*:Enabled:CrossLoop - Simple Secure Screen Sharing -- File not found
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\PPMate\ppmate.exe" = C:\Program Files\PPMate\ppmate.exe:*:Enabled:PPMate -- File not found
"C:\Program Files\PPMate\ppamnet.exe" = C:\Program Files\PPMate\ppamnet.exe:*:Enabled:PPMate -- File not found
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Documents and Settings\Lillian User\Local Settings\Application Data\CrossLoop\vncviewer.exe" = C:\Documents and Settings\Lillian User\Local Settings\Application Data\CrossLoop\vncviewer.exe:*:Enabled:vncviewer.exe -- (UltraVNC)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Documents and Settings\Jamal User\Local Settings\Application Data\CrossLoop\vncviewer.exe" = C:\Documents and Settings\Jamal User\Local Settings\Application Data\CrossLoop\vncviewer.exe:*:Enabled:vncviewer.exe -- (UltraVNC)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = Qualxserve Service Agreement
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{14374619-0900-4056-BA06-C87C900AF9E6}" = QuickBooks Simple Start Special Edition
"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel® PROSet for Wired Connections
"{17A7FDBC-FB38-4258-B623-BCBA212BC25D}" = Costco Photo Organizer
"{17FE8F8E-D8FA-440E-9ACF-3C51787E7225}" = FolderSizes 4
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB}" = iPod for Windows 2006-03-23
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 15
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{39C16060-EAA2-012B-ADFC-000000000000}" = TurboTax 2009 wmiiper
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{4192EAC0-6B36-4723-B216-D0E86E7757AC}" = Jasc Paint Shop Photo Album 5
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B09BD67-4C99-46A1-8161-B7208CE18121}" = QuickTime
"{6710FE30-27F7-492B-A660-D31D4A898A43}" = MSN Toolbar
"{67A5D171-4C74-4075-A492-0E480FA4B944}" = Brother BRAdmin Professional 2.74
"{69B02159-7623-4DBB-B9EE-F933039830AD}" = QuickBooks Premier: Accountant Edition 2006
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{71C97545-E547-4A8B-B0C8-61FF853270AC}" = PaperPort
"{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}" = EarthLink setup files
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}" = Jasc Paint Shop Pro Studio, Dell Editon
"{797EE0CA-8165-405C-B5CE-F11EC20F1BB0}" = Microsoft VC9 runtime libraries
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84031A18-BA9A-4156-A74F-E05B52DDFCE2}" = DING!
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A9DBB606-A7B0-4525-902F-7D4F091265D6}" = DiskeeperWorkstation
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{AC76BA86-7AD7-5760-0000-705000000001}" = Adobe Reader Japanese Fonts
"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B33CD700-6738-11D4-87FE-0080C6F974A2}" = eyeQ
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B5C209B1-8DDB-4642-A573-375B951514CB}" = Apple Mobile Device Support
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{B7F98125-4955-41E3-8A71-4CE11CE9C198}" = KODAK Gallery Upload Software
"{BA2D4D22-0B99-4D63-BCEE-D2EA4736F27F}" = LogMeIn
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C27BC2A2-30DD-4014-B22E-63EB0DB572F9}" = Logitech Webcam Software
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D83BD5E2-5AF4-49F6-B5C1-484A9760E73D}" = Brother MFL-Pro Suite
"{D9E86289-52C9-4CD3-B9DA-87CCB83DC6A2}" = Brother Internet Print 1.65
"{DE58B061-6936-4913-AA5C-682E49356D86}" = TurboTax 2008 wmiiper
"{DFC6573E-124D-4026-BFA4-B433C9D3FF21}" = ISO Recorder
"{E371C150-A9F1-49CE-ACC1-51AEFD01C1D4}_is1" = Turbo Tax Audit Support Center 2.0
"{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}" = iTunes
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{E7559288-223B-453C-9F06-340E3BE21E39}" = MyWay Search Assistant
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FF70513F-E3A7-402F-84FB-B7810A064BE2}" = Zune
"7-Zip" = 7-Zip 4.65
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_6" = AIM 6
"AOL Instant Messenger" = AOL Instant Messenger
"AOL Spyware Protection" = AOL Spyware Protection
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"AOL YGP Screensaver" = AOL You've Got Pictures Screensaver
"AolCoach2_en" = AOL Coach Version 2.0(Build:20041026.5 en)
"ATT-RC" = ATT-RC Self Support Tool
"Autosafe3.5, build 124" = Autosafe
"avast!" = avast! Antivirus
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CCleaner" = CCleaner (remove only)
"CdaC13Ba" = SafeCast Shared Components
"CrossLoop_is1" = CrossLoop 2.72
"CSCLIB" = Canon Camera Support Core Library
"EOS Utility" = Canon Utilities EOS Utility
"ERUNT_is1" = ERUNT 1.1j
"Flickr Uploadr" = Flickr Uploadr 2.3
"FolderSizes 4" = FolderSizes 4
"FTW" = Family Tree Maker
"HAS" = HAS
"HijackThis" = HijackThis 2.0.2
"InstallShield_{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB}" = iPod for Windows 2006-03-23
"InstallShield_{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005
"IrfanView" = IrfanView (remove only)
"jewdzvlpnqhl" = Performance Solution Hotrevenue
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.9.0 (Standard)
"lvdrivers_12.10" = Logitech Webcam Software Driver Package
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"MagicDisc 2.7.106" = MagicDisc 2.7.106
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"PandoraRecovery" = PandoraRecovery (Remove Only)
"PC Wizard 2008_is1" = PC Wizard 2008.1.871
"PhotoStitch" = Canon Utilities PhotoStitch
"PROSet" = Intel® PRO Network Adapters and Drivers
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"Recuva" = Recuva
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"Screen Paver Screen Saver" = Screen Paver Screen Saver
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"SpywareBlaster_is1" = SpywareBlaster 4.3
"SWF Printer Pro (FREEWARE)_is1" = SWF Printer Pro
"SyncBack_is1" = SyncBack
"TurboTax 2008" = TurboTax 2008
"TurboTax 2009" = TurboTax 2009
"TurboTax Deluxe 2004" = TurboTax Deluxe 2004
"TurboTax Deluxe 2005" = TurboTax Deluxe 2005
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"TurboTax Deluxe Deduction Maximizer 2006" = TurboTax Deluxe Deduction Maximizer 2006
"uTorrent" = µTorrent
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VLC media player 1.0.1
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WebCyberCoach_wtrb" = WebCyberCoach 3.2 Dell
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Yahoo Message Archive Decoder" = Yahoo Message Archive Decoder 4.5
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"Zune" = Zune

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1605293762-1705067530-1475829602-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 5/5/2010 3:22:18 AM | Computer Name = User-OFFICE | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Lillian User\Local Settings\Temp\scoped_dir15902\TEMP_INSTALL\crashRestore.html
failed, 00000005.

Error - 5/5/2010 3:22:18 AM | Computer Name = User-OFFICE | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Lillian User\Local Settings\Temp\scoped_dir15902\TEMP_INSTALL\crashRestore.js
failed, 00000005.

Error - 5/5/2010 3:22:18 AM | Computer Name = User-OFFICE | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Lillian User\Local Settings\Temp\scoped_dir15902\TEMP_INSTALL\jquery-1.4.1.min.js
failed, 00000005.

Error - 5/5/2010 3:22:18 AM | Computer Name = User-OFFICE | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Lillian User\Local Settings\Temp\scoped_dir15902\TEMP_INSTALL\manifest.json
failed, 00000005.

Error - 5/5/2010 3:22:18 AM | Computer Name = User-OFFICE | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Lillian User\Local Settings\Temp\scoped_dir15902\TEMP_INSTALL\options.css
failed, 00000005.

Error - 5/5/2010 3:22:18 AM | Computer Name = User-OFFICE | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Lillian User\Local Settings\Temp\scoped_dir15902\TEMP_INSTALL\options.html
failed, 00000005.

Error - 5/5/2010 3:22:18 AM | Computer Name = User-OFFICE | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Lillian User\Local Settings\Temp\scoped_dir15902\TEMP_INSTALL\options.js
failed, 00000005.

Error - 5/5/2010 3:22:18 AM | Computer Name = User-OFFICE | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Lillian User\Local Settings\Temp\scoped_dir15902\TEMP_INSTALL\popup.css
failed, 00000005.

Error - 5/5/2010 3:22:18 AM | Computer Name = User-OFFICE | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Lillian User\Local Settings\Temp\scoped_dir15902\TEMP_INSTALL\popup.html
failed, 00000005.

Error - 5/5/2010 3:22:18 AM | Computer Name = User-OFFICE | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Lillian User\Local Settings\Temp\scoped_dir15902\TEMP_INSTALL\popup.js
failed, 00000005.

[ Application Events ]
Error - 5/8/2010 7:09:36 PM | Computer Name = User-OFFICE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/8/2010 7:16:41 PM | Computer Name = User-OFFICE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 5/8/2010 7:16:41 PM | Computer Name = User-OFFICE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 5/8/2010 7:16:41 PM | Computer Name = User-OFFICE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 5/8/2010 7:16:41 PM | Computer Name = User-OFFICE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 5/8/2010 7:16:41 PM | Computer Name = User-OFFICE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/10/2010 9:02:50 PM | Computer Name = User-OFFICE | Source = Diskeeper | ID = 6
Description = Diskeeper Control Center - ERROR Diskeeper is unable to retrieve the
defragmentation settings from the Windows registry.

Error - 5/10/2010 9:08:19 PM | Computer Name = User-OFFICE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 5/10/2010 9:08:20 PM | Computer Name = User-OFFICE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/10/2010 9:27:51 PM | Computer Name = User-OFFICE | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.2.4.1, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 5/8/2010 6:52:33 PM | Computer Name = User-OFFICE | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 5/8/2010 6:52:33 PM | Computer Name = User-OFFICE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT pavboot RasAcd Rdbss SASDIFSV
SASKUTIL
Tcpip
WS2IFSL

Error - 5/8/2010 6:52:47 PM | Computer Name = User-OFFICE | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/8/2010 7:04:47 PM | Computer Name = User-OFFICE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/8/2010 7:04:47 PM | Computer Name = User-OFFICE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/8/2010 7:25:21 PM | Computer Name = User-OFFICE | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the CiSvc service.

Error - 5/10/2010 9:02:36 PM | Computer Name = User-OFFICE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/10/2010 9:02:36 PM | Computer Name = User-OFFICE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/10/2010 9:05:53 PM | Computer Name = User-OFFICE | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 5/10/2010 9:06:47 PM | Computer Name = User-OFFICE | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{6C33FF4D-28BD-4710-AD93-87E1C0DDECEC}. The
backup browser is stopping.


< End of report >

Edited by analyst44, 10 May 2010 - 08:46 PM.
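
The firewall policy section of the log above is easier to judge once it is parsed rather than read line by line, so here is an added triage script. It is not part of analyst44's post and not OTL's own code; OTL only prints the registry values, in the layout "port:protocol:scope:state:name" for GloballyOpenPorts entries and "path:scope:state:name -- publisher" for AuthorizedApplications entries, where a scope of "*" means any remote address and "LocalSubNet" only the local subnet. The sample log inside the script is a trimmed copy of the section above; the severities, the "Finding" type and the "triage_firewall" name are my own choices.

```python
"""Triage the Windows XP firewall-policy section of an OTL log.

Added example, not part of the forum post and not OTL's own code.
OTL prints each registry value as  "name" = value ; the value of a
GloballyOpenPorts entry is  port:proto:scope:state:name  and the value
of an AuthorizedApplications entry is  path:scope:state:name -- publisher,
where scope is '*' (any remote address) or 'LocalSubNet'.
"""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the log section above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"4458:TCP" = 4458:TCP:*:Enabled:Application Sharing
"5910:TCP" = 5910:TCP:*:Enabled:vnc5910

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\PPMate\ppmate.exe" = C:\Program Files\PPMate\ppmate.exe:*:Enabled:PPMate -- File not found
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Documents and Settings\Lillian User\Local Settings\Application Data\CrossLoop\vncviewer.exe" = C:\Documents and Settings\Lillian User\Local Settings\Application Data\CrossLoop\vncviewer.exe:*:Enabled:vncviewer.exe -- (UltraVNC)
"""

SECTION_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\.*FirewallPolicy\\(?P<profile>\w+Profile)"
    r"(?:\\(?P<kind>\w+)\\List)?\]$")
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)" = (?P<value>.+)$')
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium" (my own ranking, not OTL's)
    profile: str    # DomainProfile or StandardProfile
    subject: str    # "5910:TCP" or the executable path
    reason: str


def split_entry(key, value):
    """Return (scope, state, name, publisher) or None.

    Both list formats repeat the key as the prefix of the value; strip it
    before splitting on ':' so drive-letter colons in paths are untouched.
    """
    if not value.startswith(key + ":"):
        return None
    parts = value[len(key) + 1:].split(":", 2)
    if len(parts) != 3:
        return None
    scope, state, rest = parts
    name, _, publisher = rest.partition(" -- ")
    return scope, state, name.strip(), publisher.strip()


def triage_firewall(log_text):
    findings, profile, kind = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            profile, kind = sec["profile"], sec["kind"]
            continue
        ent = ENTRY_RE.match(line)
        if not ent or profile is None:
            continue
        key, value = ent["key"], ent["value"].strip()
        if kind is None:                       # profile root: global switches
            if key == "EnableFirewall" and value == "0":
                findings.append(Finding("high", profile, key, "firewall disabled for this profile"))
            continue
        parsed = split_entry(key, value)
        if parsed is None:
            continue
        scope, state, name, publisher = parsed
        if state != "Enabled":
            continue
        if kind == "GloballyOpenPorts":
            builtin = name.startswith("@xpsp2res.dll")   # Windows' own file-sharing/UPnP entries
            if scope == "*" and not builtin:
                findings.append(Finding("high", profile, key,
                                        f"port exception '{name}' accepts connections from any address"))
            elif scope == "*":
                findings.append(Finding("medium", profile, key,
                                        "built-in Windows exception open to any address instead of LocalSubNet"))
        elif kind == "AuthorizedApplications":
            if publisher == "File not found":
                findings.append(Finding("medium", profile, key,
                                        "stale exception: binary is gone, but a file dropped at this path inherits the rule"))
            elif scope == "*" and USER_PROFILE_RE.match(key):
                findings.append(Finding("high", profile, key,
                                        "any-address exception for a binary in a user-writable profile directory"))
    return findings


if __name__ == "__main__":
    for f in triage_firewall(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.profile:15} {f.subject}: {f.reason}")
```

Run against the full section above, this flags 4458:TCP (Application Sharing) and 5910:TCP (vnc5910) as reachable from any address, the CrossLoop vncviewer.exe exceptions living under each user's Local Settings directory, the file-sharing ports on the DomainProfile that are not limited to LocalSubNet, and the stale AOL, Yahoo, PPMate and RealPlayer rules. The XP firewall matches application exceptions by path, so a stale rule is a free pass for whatever is later written to that path. The UltraVNC entries may be entirely legitimate, since the uninstall list shows CrossLoop 2.72 (a VNC-based remote-support tool) is installed; the point of the script is to put every any-address exception in front of the machine's owner for confirmation.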


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:34 AM

Posted 10 May 2010 - 11:28 PM

Hi,

could you please run gmer with only the option sections checked as shown in this image:


regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 analyst44

analyst44
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:04:34 AM

Posted 11 May 2010 - 09:58 AM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-11 10:57:08
Windows 5.1.2600 Service Pack 3
Running: GMER.exe; Driver: C:\DOCUME~1\LILLIA~1\LOCALS~1\Temp\fwtiipod.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\WudfPf.sys entry point in ".rsrc" section [0xF7471C14]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB904BF80]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1052] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1052] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1052] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1052] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00DF000A
.text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\wuauclt.exe[3532] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[3532] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\wuauclt.exe[3532] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\WudfPf.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by analyst44, 11 May 2010 - 10:04 AM.
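
As an added example that is not part of either post and not GMER's own code, here is a script that parses the three GMER sections shown above (kernel code sections, user code sections, files) and turns them into findings. Its rules are my own heuristics: a driver whose entry point lies in ".rsrc" is flagged because that section holds resources, not code, whereas "init" (INIT) is the conventional home of DriverEntry and is left alone; a 5-byte JMP whose target is more than 16 MB from the patched instruction cannot still be inside the hooked DLL and is reported as an inline hook; and the same set of APIs hooked in several unrelated processes (here svchost.exe, Explorer.EXE and wuauclt.exe) is reported on its own, because it points at one injected payload rather than per-process instrumentation. The sample inside the script is a copy of the GMER lines above; "Finding" and "triage_gmer" are names I chose.

```python
"""Triage a GMER rootkit-scan log.

Added example, not part of the forum posts and not GMER's own code. It
reads the three sections GMER printed above (kernel code sections, user
code sections, files) and applies three heuristics of my own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the lines are copied from the GMER output above.
SAMPLE_GMER = r"""
---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\WudfPf.sys entry point in ".rsrc" section [0xF7471C14]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB904BF80]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1052] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1052] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1052] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1052] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00DF000A
.text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\wuauclt.exe[3532] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[3532] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\wuauclt.exe[3532] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\WudfPf.sys suspicious modification
"""

KERNEL_RE = re.compile(
    r'^(?P<section>\S+) (?P<path>.+?) entry point in "[^"]+" section \[0x[0-9A-Fa-f]+\]$')
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<size>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)$")
FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")

# No Windows XP system DLL is anywhere near 16 MB, so a JMP that lands
# farther than this from the patched instruction has left the hooked image.
MAX_IMAGE_SPAN = 16 * 1024 * 1024


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium" (my own ranking)
    subject: str    # driver path, "process[pid]" or a summary label
    reason: str


def triage_gmer(text):
    drivers, hooks, modified = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KERNEL_RE.match(line)):
            drivers.append((m["path"], m["section"]))
        elif (m := HOOK_RE.match(line)):
            hooks.append((m["proc"], int(m["pid"]), f'{m["module"]}!{m["func"]}',
                          int(m["addr"], 16), int(m["target"], 16)))
        elif (m := FILE_RE.match(line)):
            modified.add(m["path"])

    findings = []
    # 1. Driver entry point in .rsrc: that section holds resources, not code.
    #    INIT is the conventional home of DriverEntry and is not flagged.
    for path, section in drivers:
        if section.lower() == ".rsrc":
            reason = "driver entry point inside the resource section (.rsrc holds data, not code)"
            if path in modified:
                reason += "; GMER also reports the file as modified on disk"
            findings.append(Finding("high", path, reason))

    # 2. Per process: inline JMPs whose target cannot be inside the hooked DLL.
    by_proc, api_procs = defaultdict(list), defaultdict(set)
    for proc, pid, api, addr, target in hooks:
        by_proc[(proc, pid)].append((api, addr, target))
        api_procs[api].add((proc, pid))
    for (proc, pid), hs in by_proc.items():
        far = [api for api, addr, target in hs if abs(target - addr) > MAX_IMAGE_SPAN]
        if far:
            findings.append(Finding("medium", f"{proc}[{pid}]",
                                    "inline JMP hook(s) leaving the hooked DLL: " + ", ".join(far)))

    # 3. The same APIs hooked in several processes: one injected payload,
    #    not per-process instrumentation.
    shared = sorted(api for api, procs in api_procs.items() if len(procs) >= 2)
    if shared:
        affected = set().union(*(api_procs[api] for api in shared))
        findings.append(Finding("high", "multiple processes",
                                f"{len(shared)} API(s) hooked in {len(affected)} processes: " + ", ".join(shared)))
    return findings


if __name__ == "__main__":
    for f in triage_gmer(SAMPLE_GMER):
        print(f"[{f.severity:6}] {f.subject}: {f.reason}")
```

One caveat on rule 2: security products and browser sandboxes also plant far-jumping inline hooks, so a far JMP on its own is only a lead. What separates the two cases is where the target lives, and that is the next thing to check by hand: whether the addresses 0x0099000C through 0x00DF000A belong to any module loaded in those processes, or to private memory that nothing on disk accounts for.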


#6 myrti

Posted 11 May 2010 - 02:32 PM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 analyst44 (Topic Starter, Members, 40 posts)

Posted 11 May 2010 - 04:44 PM

Hi Myrti,

Before I do anything, I wanted to ask your personal opinion on the re-install. If you think I should do that, I will do that. Given this computer was infected before and there is still a Rootkit present after a thorough clean with the help of an expert (Geeks2Go), I am thinking that it is probably a good idea to do that.

If you think I should as well, my question is, do I have to worry about any infected files in terms of personal data in the various My Documents folders or Documents and Settings? If I am to re-install, what am I allowed to take with me if I do it? The reason I've been trying to repair this computer is because it's my parents and they are a bit older. They will lose all their customizations and all their programs and it will be a very difficult adjustment for them -- not to mention somewhat costly if they do not have original disks for some of their software anymore.

I will check out those links as well.



#8 myrti (Sillyberry, Malware Study Hall Admin, 33,779 posts, Gender: Female, Location: At home)

Posted 11 May 2010 - 06:14 PM

Hi,

this is a decision I cannot make for you. Format is a safe solution. Cleaning leaves the possibility of leftovers, but in this case it looks more as if you recently got reinfected and not like this is a leftover from a previous infection. (about 4 days ago, is that possible?)

One of the most important parts of staying clean is to stay up to date. I see outdated Java and an old version of Adobe Reader, which may leave your PC open to infections.

If you have the possibility for backups and the CDs and know how to do a reinstall, this certainly isn't the worst solution.
If you want to give it another go at cleaning you are welcome to do so too, I'd be happy to help. You can always reformat if you feel like you can't trust your PC.

Lemme know how you decide.
regards myrti



#9 analyst44 (Topic Starter, Members, 40 posts)

Posted 11 May 2010 - 07:11 PM

Thank you for the information. I will try to clean it with you and see where we get.

I had to connect the computer to the internet so ComboFix could install the Recovery Console from Microsoft's website. I immediately unhooked the internet connection when it was finished per your request.

I ran ComboFix. It rebooted a few times and went through its removal process. During the last stage, my computer rebooted and ComboFix said not to do anything until it was finished and it had created a log. An error box (RUNDLL red exclamation mark) came up that said wmsvwins.dll had failed. About 30 seconds later after that box had disappeared and while ComboFix was still preparing the log, the computer froze and went to a BSOD with the following:

IRQL_NOT_LESS_OR_EQUAL
STOP: 0X0000000a (0X000000016, ...... 1C, ......00, .......0x804E5E11

I rebooted the computer and it turned on like normal. However, the same wmsvwins.dll error appeared again.

Here is the copy of the ComboFix log. I do not think it was finished when my computer crashed. I will wait to hear what you say before running it again or doing anything else:

=====================================

ComboFix 10-05-10.05 - Lillian User 05/11/2010 19:41:11.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1558 [GMT -4:00]
Running from: G:\Cleanup\05-2010\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100511-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.



#10 analyst44 (Topic Starter, Members, 40 posts)

Posted 11 May 2010 - 08:57 PM

Also, just one quick question. Do you think we will be able to fix this in the next 15 hours or so? I will have to make alternative plans for a laptop and most likely have to log in to the infected computer remotely via Internet (using logmein) to fix it after that.



#11 myrti (Sillyberry, Malware Study Hall Admin, 33,779 posts, Gender: Female, Location: At home)

Posted 12 May 2010 - 07:31 AM

Hi,

we can try. If you are going to be away and don't need the PC clean before you leave, we can actually let it rest and take the cleaning back up after you come back?

Please try running ComboFix again.

regards myrti



#12 analyst44 (Topic Starter, Members, 40 posts)

Posted 12 May 2010 - 09:28 AM

Sounds great. My plans may have changed so I may not be leaving after all. If I do, I will definitely let you know that I am leaving and we can take a break. As of now, we can continue to try and clean the machine. Thanks so much!

New ComboFix.txt file:

ComboFix 10-05-10.05 - Lillian User 05/12/2010 10:09:09.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1630 [GMT -4:00]
Running from: c:\documents and settings\Lillian User\Desktop\clean up\Specialty\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100511-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Lillian User\Local Settings\Application Data\{DF6099AE-C875-4BCE-978F-BF7919FDA290}\chrome.manifest
c:\documents and settings\Lillian User\Local Settings\Application Data\{DF6099AE-C875-4BCE-978F-BF7919FDA290}\chrome\content\_cfg.js
c:\documents and settings\Lillian User\Local Settings\Application Data\{DF6099AE-C875-4BCE-978F-BF7919FDA290}\chrome\content\overlay.xul
c:\documents and settings\Lillian User\Local Settings\Application Data\{DF6099AE-C875-4BCE-978F-BF7919FDA290}\install.rdf
c:\windows\eSellerateEngine.dll
c:\windows\osenoguqut.dll
c:\windows\system32\bszip.dll
c:\windows\system32\usbxbox.sys
c:\windows\system32\Vb40032.dll
c:\windows\system32\winlogon.bak
c:\windows\wmsvwins.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_USBXBOX
-------\Service_usbxbox


((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-11 14:47 . 2010-05-11 14:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-08 05:40 . 2010-05-08 05:40 -------- d-----w- c:\documents and settings\Administrator.User-OFFICE\Application Data\Media Player Classic
2010-05-08 04:05 . 2010-05-08 04:05 50990 ----a-w- c:\windows\system32\jewdzvlpnqhl.exe
2010-05-08 04:04 . 2010-05-08 04:40 -------- d-----w- c:\documents and settings\Lillian User\Local Settings\Application Data\imvvjjdbd
2010-04-23 21:06 . 2002-02-20 18:22 4141056 ----a-w- c:\windows\eyeQ Screen Saver.scr
2010-04-23 21:06 . 2010-04-23 21:06 -------- d-----w- c:\program files\Infinite Mind LC
2010-04-21 04:33 . 2010-04-21 04:33 -------- d-----w- c:\documents and settings\Lillian User\Application Data\Media Player Classic
2010-04-21 04:32 . 2010-03-15 09:31 165376 ----a-w- c:\windows\system32\unrar.dll
2010-04-15 18:22 . 2010-04-15 18:22 -------- d-----w- c:\documents and settings\Lillian User\Application Data\Key Metric Software
2010-04-15 17:54 . 2008-04-10 01:50 2375584 ----a-w- c:\documents and settings\All Users\Application Data\{1FD94113-C78D-4E31-A3B6-8EB6161F9986}\FolderSizes4-Setup.exe
2010-04-15 17:54 . 2010-04-15 17:54 -------- d-----w- c:\program files\FolderSizes 4
2010-04-15 17:54 . 2010-04-15 17:54 -------- d-----w- c:\program files\Common Files\Key Metric Software
2010-04-15 17:54 . 2010-04-15 17:54 -------- d--h--w- c:\documents and settings\All Users\Application Data\{1FD94113-C78D-4E31-A3B6-8EB6161F9986}
2010-04-15 17:54 . 2008-04-10 01:38 126640 ----a-w- c:\documents and settings\All Users\Application Data\{1FD94113-C78D-4E31-A3B6-8EB6161F9986}\offline\DFFECFA6\2A7075CE\FSShExt.dll
2010-04-15 17:54 . 2006-11-11 19:51 413696 ----a-w- c:\documents and settings\All Users\Application Data\{1FD94113-C78D-4E31-A3B6-8EB6161F9986}\offline\46C14A23\9DE5D2FC\qhtm.DLL
2010-04-15 17:54 . 2004-05-04 15:53 1645320 ----a-w- c:\documents and settings\All Users\Application Data\{1FD94113-C78D-4E31-A3B6-8EB6161F9986}\offline\1C07AE6E\F3622594\gdiplus.dll
2010-04-15 17:54 . 2008-04-10 01:38 2653872 ----a-w- c:\documents and settings\All Users\Application Data\{1FD94113-C78D-4E31-A3B6-8EB6161F9986}\offline\93B554D0\809AD94A\FolderSizes.exe
2010-04-15 17:49 . 2010-04-15 17:49 -------- d-----w- c:\program files\HAS
2010-04-15 17:49 . 2004-07-28 05:01 81920 ----a-w- c:\windows\eSellerateControl350.dll
2010-04-15 14:43 . 2010-04-15 20:09 -------- d-----w- c:\program files\SyncBack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 04:09 . 2007-02-25 23:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-08 04:06 . 2010-02-17 16:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 20:19 . 2008-02-24 19:14 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-02 20:19 . 2008-02-24 19:13 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-04-29 19:39 . 2010-02-17 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-02-17 16:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 21:09 . 2009-05-04 21:11 -------- d-----w- c:\program files\MagicDisc
2010-04-23 21:06 . 2005-09-27 12:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-21 04:35 . 2009-09-12 00:23 -------- d-----w- c:\documents and settings\Lillian User\Application Data\vlc
2010-04-21 04:32 . 2007-04-15 18:47 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-04-20 02:33 . 2009-10-30 22:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-20 02:33 . 2006-11-11 00:28 -------- d-----w- c:\program files\SpywareBlaster
2010-04-15 13:54 . 2010-02-10 08:15 10719040 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-15 00:29 . 2009-12-30 04:42 65 ----a-w- c:\windows\system32\BD7420.dat
2010-04-02 23:15 . 2010-04-02 23:15 -------- d-----w- c:\documents and settings\Jamal User\Application Data\UltraVNC
2010-03-20 22:48 . 2010-03-20 22:48 -------- d-----w- c:\documents and settings\Lillian User\Application Data\UltraVNC
2010-03-20 19:31 . 2005-10-10 16:17 -------- d-----w- c:\program files\Pure Networks
2010-03-20 19:23 . 2006-07-04 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-20 19:21 . 2005-10-29 04:06 -------- d-----w- c:\program files\ItsDeductibleEX
2010-03-20 19:20 . 2007-03-21 22:31 -------- d-----w- c:\program files\Full Tilt Poker
2010-03-20 19:16 . 2005-10-10 15:07 -------- d-----w- c:\documents and settings\Jamal User\Application Data\Lavasoft
2010-03-20 19:04 . 2005-10-10 04:09 79184 ----a-w- c:\documents and settings\Jamal User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 12:38 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2008-04-14 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 15:55 . 2010-03-05 15:55 79184 ----a-w- c:\documents and settings\Lillian User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-27 02:15 . 2010-02-20 04:48 117760 ----a-w- c:\documents and settings\Lillian User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 07:51 . 2010-02-20 07:51 444 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-20 04:48 . 2010-02-20 04:48 52224 ----a-w- c:\documents and settings\Lillian User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-20 04:32 . 2008-04-14 12:00 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-02-17 15:29 . 2010-02-17 15:29 24 ----a-w- c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat
2010-02-16 14:08 . 2008-04-14 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-14 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
.

------- Sigcheck -------

[-] 2010-02-20 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Lillian User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]

c:\documents and settings\Michael User\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-5-4 576000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-02-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-02-20 04:47 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MiniEYE-MiniREAD Launch.lnk
backup=c:\windows\pss\MiniEYE-MiniREAD Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lillian User^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\Lillian User\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows\pss\DING!.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Lillian User^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Lillian User\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Lillian User^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Lillian User\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2005-08-05 19:08 67160 ----a-w- c:\progra~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-10-18 21:42 79448 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
2006-03-23 04:13 1591808 ----a-r- c:\program files\FreeRAM XP Pro\FreeRAM XP Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-04-04 15:03 133104 ----atw- c:\documents and settings\Lillian User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HAS.exe]
2004-12-24 00:07 1780224 ----a-w- c:\program files\HAS\HAS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1128960999\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2004-08-04 10:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 10:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2005-03-17 19:45 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-02 23:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 18:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-20 04:47 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SWF Printer Agent]
2007-06-14 11:45 90112 ----a-w- c:\program files\SWF Printer Pro\swfpagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2009-08-23 15:11 288560 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2008-11-10 17:23 157312 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
cliprsh REG_SZ

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1128960999\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Common Files\\AOL\\1128960999\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1128960999\\EE\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Lillian User\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Documents and Settings\\Jamal User\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4458:TCP"= 4458:TCP:Application Sharing
"5910:TCP"= 5910:TCP:vnc5910

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/19/2010 4:55 PM 28552]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/3/2008 10:27 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/9/2007 3:09 PM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/3/2008 10:27 PM 20560]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\Jamal User\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [4/2/2010 7:13 PM 560792]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/15/2007 3:14 PM 24652]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/3/2008 7:22 PM 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [12/3/2008 7:22 PM 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [12/3/2008 7:22 PM 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/3/2008 7:22 PM 61440]
S0 xvbkyukl;xvbkyukl; [x]
S3 uvnc_service;uvnc_service;c:\documents and settings\Jamal User\Local Settings\Application Data\CrossLoop\winvnc.exe [4/2/2010 7:13 PM 1590216]
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1006Core.job
- c:\documents and settings\Jamal User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-11 14:20]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1006UA.job
- c:\documents and settings\Jamal User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-11 14:20]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1007Core.job
- c:\documents and settings\Lillian User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-04 15:03]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1007UA.job
- c:\documents and settings\Lillian User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-04 15:03]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1009Core.job
- c:\documents and settings\Michael User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-04 21:10]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1009UA.job
- c:\documents and settings\Michael User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-04 21:10]

2010-05-12 c:\windows\Tasks\User_Feed_Synchronization-{331E5C16-7238-48C5-8545-5FE91CC513C6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 15:58]

2010-05-12 c:\windows\Tasks\User_Feed_Synchronization-{E5370868-93A1-49F4-BC52-3354A03D4260}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 15:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Djisakoho - c:\windows\wmsvwins.dll
HKLM-Run-ControlCenter3 - c:\program files\Brother\ControlCenter3\brctrcen.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-dlmMgr - c:\program files\Common Files\Adobe\ESD\AdobeDownloadManager.exe
MSConfigStartUp-IS CfgWiz - c:\program files\Norton Internet Security\cfgwiz.exe
MSConfigStartUp-mmtask - c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe
MSConfigStartUp-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-Pure Networks Port Magic - c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe
MSConfigStartUp-QuickTime Task - c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-Riya - c:\program files\Riya\riyatray.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
MSConfigStartUp-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-HijackThis - c:\documents and settings\Lillian User\My Documents\My Downloads\HijackThis.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 10:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3204)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-12 10:24:50
ComboFix-quarantined-files.txt 2010-05-12 14:24

Pre-Run: 18,342,350,848 bytes free
Post-Run: 18,304,409,600 bytes free

- - End Of File - - E3C7FC31C8A96FB47B754BA423C6204D


#13 myrti (Sillyberry, Malware Study Hall Admin, 33,779 posts, Gender: Female, Location: At home)

Posted 12 May 2010 - 09:56 AM

Hi,

there are a couple of leftovers I'd like to remove:
Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/315591/series-of-nasty-malware-infections-appeared-out-of-nowhere-butmy-malwarebytes-is-clean/
Collect::
c:\windows\system32\jewdzvlpnqhl.exe
Folder::
c:\documents and settings\Lillian User\Local Settings\Application Data\imvvjjdbd
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
Driver::
xvbkyukl


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

regards myrti

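To show how a helper picks the leftovers named above out of a ComboFix log (random-looking names in the Files Created section, a driver entry with no file on disk, a per-user proxy pointed at loopback, a Run entry that loads a DLL, and an AppCertDlls value), here is an added Python triage script; it is not ComboFix code and not anything myrti ran. SAMPLE_LOG is a constructed excerpt of the log posted above, and the heuristics (for example the consonant-run test for random names) are assumptions, not ComboFix rules.

```python
import re
from typing import List, Tuple

# Constructed excerpt of the ComboFix log posted above; a real log has many more lines.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.
2010-05-08 04:05 . 2010-05-08 04:05 50990 ----a-w- c:\windows\system32\jewdzvlpnqhl.exe
2010-05-08 04:04 . 2010-05-08 04:40 -------- d-----w- c:\documents and settings\Lillian User\Local Settings\Application Data\imvvjjdbd
2010-04-21 04:32 . 2010-03-15 09:31 165376 ----a-w- c:\windows\system32\unrar.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
cliprsh REG_SZ

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/3/2008 10:27 PM 114768]
S0 xvbkyukl;xvbkyukl; [x]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Djisakoho - c:\windows\wmsvwins.dll
"""

# "Files Created" entry: created . modified size-or-dashes attrs path
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} +(\S+) +(\S+) +(.+)$")
# Service/driver entry whose image is missing on disk; ComboFix shows this as "[x]"
DRIVER_MISSING = re.compile(r"^([RS]\d) (\S+?);.*\[x\]\s*$")
# Per-user WinINet proxy setting from the Supplementary Scan
PROXY_LINE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
# Orphaned Run entry whose target is a DLL rather than an executable
RUN_DLL = re.compile(r"^HK(?:CU|LM)-Run-\S+ - (.+\.dll)$", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Heuristic (an assumption, not a ComboFix rule): a purely alphabetic stem of
    8+ characters containing a run of 5+ consonants, like 'jewdzvlpnqhl', has no
    pronounceable structure and is worth a second look."""
    stem = name.rsplit(".", 1)[0].lower()
    if len(stem) < 8 or not stem.isalpha():
        return False
    longest_run = max(len(run) for run in re.split(r"[aeiouy]+", stem))
    return longest_run >= 5


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Walk the log line by line and return (category, detail) findings."""
    findings: List[Tuple[str, str]] = []
    in_appcert = False  # inside the AppCertDlls key until the next blank line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_appcert = False
            continue
        if line.startswith("["):
            # Registry key header: remember whether it is the AppCertDlls key,
            # where any value at all is a DLL injected into every new process.
            in_appcert = line.lower().endswith(r"\appcertdlls]")
            continue
        if in_appcert:
            findings.append(("appcertdlls-entry", line))
            continue
        m = FILE_LINE.match(line)
        if m:
            path = m.group(3)
            if looks_random(path.rsplit("\\", 1)[-1]):
                findings.append(("random-name", path))
            continue
        m = DRIVER_MISSING.match(line)
        if m:
            findings.append(("driver-missing-file", m.group(2)))
            continue
        m = PROXY_LINE.match(line)
        if m:
            # A proxy on 127.0.0.1 means something local is relaying the browser's traffic.
            if re.search(r"127\.0\.0\.1|localhost", m.group(1)):
                findings.append(("loopback-proxy", m.group(1)))
            continue
        m = RUN_DLL.match(line)
        if m:
            findings.append(("run-entry-loads-dll", m.group(1)))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:22} {detail}")
```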


#14 analyst44 (Topic Starter, Members, 40 posts)

Posted 12 May 2010 - 10:49 AM

Apologies for the delay. I didn't realize that the code you had given me was custom for the user I am logged in as. I changed her last name in her logs to "User" so her name is not floating around the internet.

After I realized my mistake, I replaced "User" in your code box above with her proper last name that is on the Windows machine and re-ran. Here are the results for both scans.

First, with incorrect Lillian User Code:

ComboFix 10-05-11.06 - Lillian User 05/12/2010 11:03:19.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1439 [GMT -4:00]
Running from: c:\documents and settings\Lillian User\Desktop\clean up\Specialty\ComboFix.exe
Command switches used :: c:\documents and settings\Lillian User\Desktop\clean up\Specialty\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100511-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\windows\system32\jewdzvlpnqhl.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ialmuARA.dll
c:\windows\system32\ialmuARB.dll
c:\windows\system32\ialmuCHS.dll
c:\windows\system32\ialmuCHT.dll
c:\windows\system32\ialmuCSY.dll
c:\windows\system32\ialmuDAN.dll
c:\windows\system32\ialmuDEU.dll
c:\windows\system32\ialmudlg.exe
c:\windows\system32\ialmuELL.dll
c:\windows\system32\ialmuENG.dll
c:\windows\system32\ialmuESP.dll
c:\windows\system32\ialmuFIN.dll
c:\windows\system32\ialmuFRA.dll
c:\windows\system32\ialmuFRC.dll
c:\windows\system32\ialmuHEB.dll
c:\windows\system32\ialmuHUN.dll
c:\windows\system32\ialmuITA.dll
c:\windows\system32\ialmuJPN.dll
c:\windows\system32\ialmuKOR.dll
c:\windows\system32\ialmuNLD.dll
c:\windows\system32\ialmuNOR.dll
c:\windows\system32\ialmuPLK.dll
c:\windows\system32\ialmuPTB.dll
c:\windows\system32\ialmuPTG.dll
c:\windows\system32\ialmuRUS.dll
c:\windows\system32\ialmuSVE.dll
c:\windows\system32\ialmuTHA.dll
c:\windows\system32\ialmuTRK.dll
c:\windows\system32\igfxrara.lrc
c:\windows\system32\igfxrchs.lrc
c:\windows\system32\igfxrcht.lrc
c:\windows\system32\igfxrcsy.lrc
c:\windows\system32\igfxrdan.lrc
c:\windows\system32\igfxrdeu.lrc
c:\windows\system32\igfxrell.lrc
c:\windows\system32\igfxrenu.lrc
c:\windows\system32\igfxresp.lrc
c:\windows\system32\igfxrfin.lrc
c:\windows\system32\igfxrfra.lrc
c:\windows\system32\igfxrheb.lrc
c:\windows\system32\igfxrhun.lrc
c:\windows\system32\igfxrita.lrc
c:\windows\system32\igfxrjpn.lrc
c:\windows\system32\igfxrkor.lrc
c:\windows\system32\igfxrnld.lrc
c:\windows\system32\igfxrnor.lrc
c:\windows\system32\igfxrplk.lrc
c:\windows\system32\igfxrptb.lrc
c:\windows\system32\igfxrptg.lrc
c:\windows\system32\igfxrrus.lrc
c:\windows\system32\igfxrsve.lrc
c:\windows\system32\igfxrtha.lrc
c:\windows\system32\igfxrtrk.lrc
c:\windows\system32\jewdzvlpnqhl.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XVBKYUKL
-------\Service_xvbkyukl


((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-08 05:40 . 2010-05-08 05:40 -------- d-----w- c:\documents and settings\Administrator.User-OFFICE\Application Data\Media Player Classic
2010-04-21 04:33 . 2010-04-21 04:33 -------- d-----w- c:\documents and settings\Lillian User\Application Data\Media Player Classic
2010-04-15 18:22 . 2010-04-15 18:22 -------- d-----w- c:\documents and settings\Lillian User\Application Data\Key Metric Software
2010-04-15 17:54 . 2010-04-15 17:54 -------- d--h--w- c:\documents and settings\All Users\Application Data\{1FD94113-C78D-4E31-A3B6-8EB6161F9986}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 14:25 . 2006-11-11 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-08 04:09 . 2007-02-25 23:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-08 04:06 . 2010-02-17 16:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 20:19 . 2008-02-24 19:14 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-02 20:19 . 2008-02-24 19:13 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-04-29 19:39 . 2010-02-17 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-02-17 16:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 21:09 . 2009-05-04 21:11 -------- d-----w- c:\program files\MagicDisc
2010-04-23 21:06 . 2010-04-23 21:06 -------- d-----w- c:\program files\Infinite Mind LC
2010-04-23 21:06 . 2005-09-27 12:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-21 04:35 . 2009-09-12 00:23 -------- d-----w- c:\documents and settings\Lillian User\Application Data\vlc
2010-04-21 04:32 . 2007-04-15 18:47 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-04-20 02:33 . 2009-10-30 22:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-20 02:33 . 2006-11-11 00:28 -------- d-----w- c:\program files\SpywareBlaster
2010-04-15 20:09 . 2010-04-15 14:43 -------- d-----w- c:\program files\SyncBack
2010-04-15 17:54 . 2010-04-15 17:54 -------- d-----w- c:\program files\FolderSizes 4
2010-04-15 17:54 . 2010-04-15 17:54 -------- d-----w- c:\program files\Common Files\Key Metric Software
2010-04-15 17:49 . 2010-04-15 17:49 -------- d-----w- c:\program files\HAS
2010-04-15 13:54 . 2010-02-10 08:15 10719040 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-15 00:29 . 2009-12-30 04:42 65 ----a-w- c:\windows\system32\BD7420.dat
2010-04-02 23:15 . 2010-04-02 23:15 -------- d-----w- c:\documents and settings\Jamal User\Application Data\UltraVNC
2010-03-20 22:48 . 2010-03-20 22:48 -------- d-----w- c:\documents and settings\Lillian User\Application Data\UltraVNC
2010-03-20 19:31 . 2005-10-10 16:17 -------- d-----w- c:\program files\Pure Networks
2010-03-20 19:23 . 2006-07-04 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-20 19:21 . 2005-10-29 04:06 -------- d-----w- c:\program files\ItsDeductibleEX
2010-03-20 19:20 . 2007-03-21 22:31 -------- d-----w- c:\program files\Full Tilt Poker
2010-03-20 19:16 . 2005-10-10 15:07 -------- d-----w- c:\documents and settings\Jamal User\Application Data\Lavasoft
2010-03-20 19:04 . 2005-10-10 04:09 79184 ----a-w- c:\documents and settings\Jamal User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-15 09:31 . 2010-04-21 04:32 165376 ----a-w- c:\windows\system32\unrar.dll
2010-03-11 12:38 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2008-04-14 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 15:55 . 2010-03-05 15:55 79184 ----a-w- c:\documents and settings\Lillian User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 07:51 . 2010-02-20 07:51 444 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-20 04:32 . 2008-04-14 12:00 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-02-17 15:29 . 2010-02-17 15:29 24 ----a-w- c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat
2010-02-16 14:08 . 2008-04-14 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-14 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
.

------- Sigcheck -------

[-] 2010-02-20 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Lillian User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]

c:\documents and settings\Michael User\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-5-4 576000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-02-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-02-20 04:47 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MiniEYE-MiniREAD Launch.lnk
backup=c:\windows\pss\MiniEYE-MiniREAD Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lillian User^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\Lillian User\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows\pss\DING!.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Lillian User^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Lillian User\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Lillian User^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Lillian User\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2005-08-05 19:08 67160 ----a-w- c:\progra~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-10-18 21:42 79448 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
2006-03-23 04:13 1591808 ----a-r- c:\program files\FreeRAM XP Pro\FreeRAM XP Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-04-04 15:03 133104 ----atw- c:\documents and settings\Lillian User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HAS.exe]
2004-12-24 00:07 1780224 ----a-w- c:\program files\HAS\HAS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1128960999\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2004-08-04 10:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 10:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2005-03-17 19:45 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-02 23:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 18:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-20 04:47 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SWF Printer Agent]
2007-06-14 11:45 90112 ----a-w- c:\program files\SWF Printer Pro\swfpagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2009-08-23 15:11 288560 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2008-11-10 17:23 157312 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
cliprsh REG_SZ

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1128960999\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Common Files\\AOL\\1128960999\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1128960999\\EE\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Lillian User\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Documents and Settings\\Jamal User\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4458:TCP"= 4458:TCP:Application Sharing
"5910:TCP"= 5910:TCP:vnc5910

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/19/2010 4:55 PM 28552]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/3/2008 10:27 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/9/2007 3:09 PM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/3/2008 10:27 PM 20560]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\Jamal User\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [4/2/2010 7:13 PM 560792]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/15/2007 3:14 PM 24652]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/3/2008 7:22 PM 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [12/3/2008 7:22 PM 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [12/3/2008 7:22 PM 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/3/2008 7:22 PM 61440]
S3 uvnc_service;uvnc_service;c:\documents and settings\Jamal User\Local Settings\Application Data\CrossLoop\winvnc.exe [4/2/2010 7:13 PM 1590216]
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1006Core.job
- c:\documents and settings\Jamal User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-11 14:20]

2010-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1006UA.job
- c:\documents and settings\Jamal User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-11 14:20]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1007Core.job
- c:\documents and settings\Lillian User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-04 15:03]

2010-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1007UA.job
- c:\documents and settings\Lillian User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-04 15:03]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1009Core.job
- c:\documents and settings\Michael User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-04 21:10]

2010-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1009UA.job
- c:\documents and settings\Michael User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-04 21:10]

2010-05-12 c:\windows\Tasks\User_Feed_Synchronization-{331E5C16-7238-48C5-8545-5FE91CC513C6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 15:58]

2010-05-12 c:\windows\Tasks\User_Feed_Synchronization-{E5370868-93A1-49F4-BC52-3354A03D4260}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 15:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

AddRemove-jewdzvlpnqhl - c:\windows\system32\jewdzvlpnqhl.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 11:09
Windows 5.1.2600 Service Pack 3

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(5404)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\BrmfBAgS.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Executive Software\DiskeeperWorkstation\DKService.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\wanmpsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\BRMFRSMG.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\WgaTray.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2010-05-12 11:22:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-12 15:22
ComboFix2.txt 2010-05-12 14:24

Pre-Run: 18,299,097,088 bytes free
Post-Run: 18,262,540,288 bytes free

- - End Of File - - 317B739306F5BBAFC2CCFC4A88C7630C


Next, with the correct change to her proper last name:

ComboFix 10-05-11.06 - Lillian User 05/12/2010 11:35:39.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1519 [GMT -4:00]
Running from: c:\documents and settings\Lillian User\Desktop\clean up\Specialty\ComboFix.exe
Command switches used :: c:\documents and settings\Lillian User\Desktop\clean up\Specialty\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100512-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Lillian User\Local Settings\Application Data\imvvjjdbd

.
((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-12 15:29 . 2010-05-12 15:29 -------- d-----w- c:\windows\LastGood
2010-05-11 14:47 . 2010-05-11 14:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-08 05:40 . 2010-05-08 05:40 -------- d-----w- c:\documents and settings\Administrator.User-OFFICE\Application Data\Media Player Classic
2010-04-23 21:06 . 2002-02-20 18:22 4141056 ----a-w- c:\windows\eyeQ Screen Saver.scr
2010-04-23 21:06 . 2010-04-23 21:06 -------- d-----w- c:\program files\Infinite Mind LC
2010-04-21 04:33 . 2010-04-21 04:33 -------- d-----w- c:\documents and settings\Lillian User\Application Data\Media Player Classic
2010-04-21 04:32 . 2010-03-15 09:31 165376 ----a-w- c:\windows\system32\unrar.dll
2010-04-15 18:22 . 2010-04-15 18:22 -------- d-----w- c:\documents and settings\Lillian User\Application Data\Key Metric Software
2010-04-15 17:54 . 2008-04-10 01:50 2375584 ----a-w- c:\documents and settings\All Users\Application Data\{1FD94113-C78D-4E31-A3B6-8EB6161F9986}\FolderSizes4-Setup.exe
2010-04-15 17:54 . 2010-04-15 17:54 -------- d-----w- c:\program files\FolderSizes 4
2010-04-15 17:54 . 2010-04-15 17:54 -------- d-----w- c:\program files\Common Files\Key Metric Software
2010-04-15 17:54 . 2010-04-15 17:54 -------- d--h--w- c:\documents and settings\All Users\Application Data\{1FD94113-C78D-4E31-A3B6-8EB6161F9986}
2010-04-15 17:54 . 2008-04-10 01:38 126640 ----a-w- c:\documents and settings\All Users\Application Data\{1FD94113-C78D-4E31-A3B6-8EB6161F9986}\offline\DFFECFA6\2A7075CE\FSShExt.dll
2010-04-15 17:54 . 2006-11-11 19:51 413696 ----a-w- c:\documents and settings\All Users\Application Data\{1FD94113-C78D-4E31-A3B6-8EB6161F9986}\offline\46C14A23\9DE5D2FC\qhtm.DLL
2010-04-15 17:54 . 2004-05-04 15:53 1645320 ----a-w- c:\documents and settings\All Users\Application Data\{1FD94113-C78D-4E31-A3B6-8EB6161F9986}\offline\1C07AE6E\F3622594\gdiplus.dll
2010-04-15 17:54 . 2008-04-10 01:38 2653872 ----a-w- c:\documents and settings\All Users\Application Data\{1FD94113-C78D-4E31-A3B6-8EB6161F9986}\offline\93B554D0\809AD94A\FolderSizes.exe
2010-04-15 17:49 . 2010-04-15 17:49 -------- d-----w- c:\program files\HAS
2010-04-15 17:49 . 2004-07-28 05:01 81920 ----a-w- c:\windows\eSellerateControl350.dll
2010-04-15 14:43 . 2010-04-15 20:09 -------- d-----w- c:\program files\SyncBack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 14:25 . 2006-11-11 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-08 04:09 . 2007-02-25 23:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-08 04:06 . 2010-02-17 16:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 20:19 . 2008-02-24 19:14 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-02 20:19 . 2008-02-24 19:13 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-04-29 19:39 . 2010-02-17 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-02-17 16:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 21:09 . 2009-05-04 21:11 -------- d-----w- c:\program files\MagicDisc
2010-04-23 21:06 . 2005-09-27 12:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-21 04:35 . 2009-09-12 00:23 -------- d-----w- c:\documents and settings\Lillian User\Application Data\vlc
2010-04-21 04:32 . 2007-04-15 18:47 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-04-20 02:33 . 2009-10-30 22:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-20 02:33 . 2006-11-11 00:28 -------- d-----w- c:\program files\SpywareBlaster
2010-04-15 13:54 . 2010-02-10 08:15 10719040 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-15 00:29 . 2009-12-30 04:42 65 ----a-w- c:\windows\system32\BD7420.dat
2010-04-02 23:15 . 2010-04-02 23:15 -------- d-----w- c:\documents and settings\Jamal User\Application Data\UltraVNC
2010-03-20 22:48 . 2010-03-20 22:48 -------- d-----w- c:\documents and settings\Lillian User\Application Data\UltraVNC
2010-03-20 19:31 . 2005-10-10 16:17 -------- d-----w- c:\program files\Pure Networks
2010-03-20 19:23 . 2006-07-04 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-20 19:21 . 2005-10-29 04:06 -------- d-----w- c:\program files\ItsDeductibleEX
2010-03-20 19:20 . 2007-03-21 22:31 -------- d-----w- c:\program files\Full Tilt Poker
2010-03-20 19:16 . 2005-10-10 15:07 -------- d-----w- c:\documents and settings\Jamal User\Application Data\Lavasoft
2010-03-20 19:04 . 2005-10-10 04:09 79184 ----a-w- c:\documents and settings\Jamal User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 12:38 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2008-04-14 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 15:55 . 2010-03-05 15:55 79184 ----a-w- c:\documents and settings\Lillian User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-27 02:15 . 2010-02-20 04:48 117760 ----a-w- c:\documents and settings\Lillian User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 07:51 . 2010-02-20 07:51 444 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-20 04:48 . 2010-02-20 04:48 52224 ----a-w- c:\documents and settings\Lillian User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-20 04:32 . 2008-04-14 12:00 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-02-17 15:29 . 2010-02-17 15:29 24 ----a-w- c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat
2010-02-16 14:08 . 2008-04-14 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-14 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
.

------- Sigcheck -------

[-] 2010-02-20 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-05-12_14.19.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-12 15:09 . 2010-05-12 15:09 16384 c:\windows\Temp\Perflib_Perfdata_7bc.dat
+ 2010-05-12 15:08 . 2010-05-12 15:08 16384 c:\windows\Temp\Perflib_Perfdata_55c.dat
+ 2005-10-10 04:28 . 2010-05-12 15:33 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2005-10-10 04:28 . 2010-04-15 12:49 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2005-10-10 04:28 . 2010-05-12 15:33 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2005-10-10 04:28 . 2010-04-15 12:49 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2005-10-10 04:28 . 2010-05-12 15:33 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2005-10-10 04:28 . 2010-04-15 12:49 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2005-10-10 04:28 . 2010-05-12 15:33 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2005-10-10 04:28 . 2010-04-15 12:49 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2005-10-10 04:28 . 2010-04-15 12:49 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2005-10-10 04:28 . 2010-05-12 15:33 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2005-10-10 04:28 . 2010-04-15 12:49 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2005-10-10 04:28 . 2010-05-12 15:33 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2005-10-10 04:28 . 2010-05-12 15:33 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2005-10-10 04:28 . 2010-04-15 12:49 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2004-08-10 18:02 . 2008-04-11 19:04 691712 c:\windows\system32\inetcomm.dll
+ 2004-08-10 18:02 . 2010-01-29 15:01 691712 c:\windows\system32\inetcomm.dll
- 2004-08-10 18:02 . 2008-04-11 19:04 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2004-08-10 18:02 . 2010-01-29 15:01 691712 c:\windows\system32\dllcache\inetcomm.dll
- 2005-10-10 04:28 . 2010-04-15 12:49 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2005-10-10 04:28 . 2010-05-12 15:33 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2005-10-10 04:28 . 2010-04-15 12:49 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2005-10-10 04:28 . 2010-05-12 15:33 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2005-10-10 04:28 . 2010-05-12 15:33 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2005-10-10 04:28 . 2010-04-15 12:49 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2005-10-10 04:28 . 2010-04-15 12:49 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2005-10-10 04:28 . 2010-05-12 15:33 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2005-10-10 04:28 . 2010-04-15 12:49 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2005-10-10 04:28 . 2010-05-12 15:33 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2005-10-10 04:28 . 2010-05-12 15:33 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2005-10-10 04:28 . 2010-04-15 12:49 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2004-08-10 18:02 . 2010-01-29 15:01 1315328 c:\windows\system32\dllcache\msoe.dll
- 2004-08-10 18:02 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2009-10-16 22:07 . 2009-10-16 22:07 6115328 c:\windows\Installer\1417f7.msp
+ 2010-04-21 21:46 . 2010-04-21 21:46 5522432 c:\windows\Installer\1417e0.msp
+ 2005-10-10 04:37 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Lillian User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]

c:\documents and settings\Michael User\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-5-4 576000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-02-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-02-20 04:47 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MiniEYE-MiniREAD Launch.lnk
backup=c:\windows\pss\MiniEYE-MiniREAD Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lillian User^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\Lillian User\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows\pss\DING!.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Lillian User^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Lillian User\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Lillian User^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Lillian User\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2005-08-05 19:08 67160 ----a-w- c:\progra~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-10-18 21:42 79448 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
2006-03-23 04:13 1591808 ----a-r- c:\program files\FreeRAM XP Pro\FreeRAM XP Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-04-04 15:03 133104 ----atw- c:\documents and settings\Lillian User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HAS.exe]
2004-12-24 00:07 1780224 ----a-w- c:\program files\HAS\HAS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1128960999\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2004-08-04 10:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 10:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2005-03-17 19:45 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-02 23:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 18:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-20 04:47 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SWF Printer Agent]
2007-06-14 11:45 90112 ----a-w- c:\program files\SWF Printer Pro\swfpagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2009-08-23 15:11 288560 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2008-11-10 17:23 157312 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
cliprsh REG_SZ

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1128960999\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Common Files\\AOL\\1128960999\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1128960999\\EE\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Lillian User\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Documents and Settings\\Jamal User\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4458:TCP"= 4458:TCP:Application Sharing
"5910:TCP"= 5910:TCP:vnc5910

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/19/2010 4:55 PM 28552]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/3/2008 10:27 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/9/2007 3:09 PM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/3/2008 10:27 PM 20560]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\Jamal User\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [4/2/2010 7:13 PM 560792]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/15/2007 3:14 PM 24652]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/3/2008 7:22 PM 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [12/3/2008 7:22 PM 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [12/3/2008 7:22 PM 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/3/2008 7:22 PM 61440]
S3 uvnc_service;uvnc_service;c:\documents and settings\Jamal User\Local Settings\Application Data\CrossLoop\winvnc.exe [4/2/2010 7:13 PM 1590216]
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1006Core.job
- c:\documents and settings\Jamal User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-11 14:20]

2010-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1006UA.job
- c:\documents and settings\Jamal User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-11 14:20]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1007Core.job
- c:\documents and settings\Lillian User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-04 15:03]

2010-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1007UA.job
- c:\documents and settings\Lillian User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-04 15:03]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1009Core.job
- c:\documents and settings\Michael User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-04 21:10]

2010-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1605293762-1705067530-1475829602-1009UA.job
- c:\documents and settings\Michael User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-04 21:10]

2010-05-12 c:\windows\Tasks\User_Feed_Synchronization-{331E5C16-7238-48C5-8545-5FE91CC513C6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 15:58]

2010-05-12 c:\windows\Tasks\User_Feed_Synchronization-{E5370868-93A1-49F4-BC52-3354A03D4260}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 15:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3504)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-12 11:43:21
ComboFix-quarantined-files.txt 2010-05-12 15:43
ComboFix2.txt 2010-05-12 14:24

Pre-Run: 18,151,337,984 bytes free
Post-Run: 18,113,024,000 bytes free

- - End Of File - - 64C477C4EC41287358241FF15FE12F03



#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:11:34 AM

Posted 12 May 2010 - 11:38 AM

Hi,

ComboFix accidentally deleted a couple of files. Could you please provide ComboFix_quarantined_files.txt in your next post.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
