Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Results Redirecting


  • This topic is locked This topic is locked
10 replies to this topic

#1 lhamil64

lhamil64

  • Members
  • 200 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United States
  • Local time:04:49 PM

Posted 10 May 2010 - 01:54 PM

DDS (Ver_10-03-17.01) - NTFSx86
Run by Lee Hamilton at 14:45:40.45 on Mon 05/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.306 [GMT -4:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Palm\SDK\bin\novacom\x86\novacomd.exe
C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\StreamDesk\StreamDesk.Core.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MagniGlass\MagniGlass.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Lightscreen\lightscreen.exe
C:\Program Files\ManyCam 2.4\ManyCam.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Documents and Settings\Lee Hamilton\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Lee Hamilton\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: AhIeBho Class: {10384d0e-2bc1-48b6-844b-ad0e9e6d2511} - c:\program files\zoomtext 8.1\ahoi\ah_ie_bho.dll
BHO: QuickStores-Toolbar: {10edb994-47f8-43f7-ae96-f2ea63e9f90f} - mscoree.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: QT TabBar: {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll
TB: QT Tab Standard Buttons: {d2bf470e-ed1c-487f-a666-2bd8835eb6ce} - mscoree.dll
TB: QuickStores-Toolbar: {10edb994-47f8-43f7-ae96-f2ea63e9f90f} - mscoree.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {968631B6-4729-440D-9BF4-251F5593EC9A} - No File
EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - No File
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [Lightscreen] c:\program files\lightscreen\lightscreen.exe -h
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ManyCam] "c:\program files\manycam 2.4\ManyCam.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [dla] c:\windows\system32\dla\DLACTRLW.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [MagnifyingGlass10WorkColl] c:\program files\magniglass\MagniGlass.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [Prey Laptop Tracker] c:\prey\cron.exe --log
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\leeham~1\startm~1\programs\startup\aimlau~1.lnk - c:\documents and settings\lee hamilton\my documents\aimLaunch.ahk
StartupFolder: c:\docume~1\leeham~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\lee hamilton\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\leeham~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech touch mouse server\iTouch-Server-Win.exe
StartupFolder: c:\documents and settings\lee hamilton\start menu\programs\startup\Messengers-Startup.bat
StartupFolder: c:\docume~1\leeham~1\startm~1\programs\startup\shortc~1.lnk - c:\program files\powermenu\PowerMenu.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
uPolicies-explorer: NoSecurityTab = 1 (0x1)
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\oldaim5.9\aim.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\lee hamilton\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
Trusted Zone: k12.ny.us\www.potsdam
Trusted Zone: moove.com
Trusted Zone: stumbleupon.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://activation.rr.com/install/downloads/tgctlcm.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} - hxxps://favorites.live.com/cab/ImportAx.cab?v=13,0,0831,02
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/da/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {32A155BD-68EC-404E-A14F-72A851C0811D} - hxxp://cp1.webng.com/client/fm/WebNG-Uploader.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - hxxp://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} - hxxp://chat.yahoo.com/cab/yuplapp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\sophos~1.dll c:\progra~1\google\go333c~1\GOEC62~1.DLL
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\leeham~1\applic~1\mozilla\firefox\profiles\ofq19v0e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\lee hamilton\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\lee hamilton\application data\mozilla\firefox\profiles\ofq19v0e.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\lee hamilton\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\lee hamilton\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\np32dsw.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\NPSWF32.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npkanevapatch.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\npmio.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [2008-9-8 7168]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2007-3-6 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2007-3-6 38528]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2007-6-18 123856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2007-6-18 41680]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-29 353672]
R2 Gem98;Gem98;c:\windows\system32\drivers\GEM98.SYS [2007-5-24 3664]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-7-17 45848]
R2 NovacomD;Palm Novacom;c:\program files\palm\sdk\bin\novacom\x86\novacomd.exe [2010-2-17 34304]
R2 OpenDNS Updater.exe;OpenDNS Updater;c:\program files\opendns updater\opendns updater.exe --run --> c:\program files\opendns updater\OpenDNS Updater.exe --run [?]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-10-28 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-9-30 98304]
R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2009-4-2 266240]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-7-1 172032]
R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2009-4-2 794624]
R2 StreamDeskService;StreamDesk HTTP Data Service;c:\program files\streamdesk\StreamDesk.Core.exe [2009-12-20 111616]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-28 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-5-6 99728]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2010-3-25 110608]
S0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys --> c:\windows\system32\drivers\tclondrv.sys [?]
S2 CachemanService;Cacheman Service;c:\program files\cacheman\cachemanserv.exe --> c:\program files\cacheman\CachemanServ.exe [?]
S2 gupdate1c87a6131e65d3a;Google Update Service (gupdate1c87a6131e65d3a);c:\program files\google\update\GoogleUpdate.exe [2008-7-12 133104]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-8-21 6016]
S3 CamSpaceBus;CamSpace Virtual Joystick Bus device driver;c:\windows\system32\drivers\CamSpaceBus.sys [2008-8-24 14848]
S3 cpuz130;cpuz130;\??\c:\docume~1\leeham~1\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\leeham~1\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 GoogleDesktopManager-060409-093314;Google Desktop Manager 5.9.906.4286;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-24 30192]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.2;c:\windows\system32\drivers\libusb0.sys [2010-3-24 28160]
S3 mcdevice;mcdevice;c:\windows\system32\drivers\mcdevice.sys [2009-2-15 324096]
S3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;c:\windows\system32\drivers\superwebcam.sys [2008-2-23 31872]
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux);c:\windows\system32\drivers\tap0801co.sys [2008-4-7 25856]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2009-1-1 32016]
S3 WCDV_Aud;WevCamDV WDM Virtual Audio Device;c:\windows\system32\drivers\wcdvaud.sys [2004-9-17 12672]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\drivers\maxidemo.sys --> c:\windows\system32\drivers\maxidemo.sys [?]
S4 RDShutdown;RDShutdown Service;"c:\documents and settings\lee hamilton\desktop\dshutdown\rdshutdown.exe" --> c:\documents and settings\lee hamilton\desktop\dshutdown\RDShutdown.exe [?]
S4 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys --> c:\windows\system32\drivers\scrcap.sys [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 14976]
S4 WebCamDV;WebCamDV DV to Webcam Converter;c:\windows\system32\drivers\webcamdv.sys --> c:\windows\system32\drivers\WebCamDV.sys [?]

=============== Created Last 30 ================

2010-05-10 18:41:41 0 ----a-w- c:\documents and settings\lee hamilton\defogger_reenable
2010-05-09 01:29:43 0 d-----w- c:\program files\ESET
2010-05-08 13:41:50 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-08 13:41:31 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-04 20:29:03 0 d-----w- c:\program files\Sun
2010-05-03 19:15:42 0 d-----w- c:\program files\CCleaner
2010-05-03 19:01:00 0 d-----w- c:\program files\common files\Software Update Utility
2010-05-01 00:35:56 0 d-----w- c:\program files\Bonjour
2010-04-28 20:45:21 303 --s-a-w- c:\windows\system32\782220379.dat
2010-04-11 21:05:22 0 d-----w- c:\docume~1\leeham~1\applic~1\QuickStoresToolbar

==================== Find3M ====================

2010-05-08 16:54:45 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-08 16:54:43 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-05 22:08:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2010-03-26 00:06:30 99728 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2010-03-26 00:06:28 123856 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2010-03-26 00:06:26 41680 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2010-03-26 00:06:26 133648 ----a-w- c:\windows\system32\VBoxNetFltNotify.dll
2010-03-26 00:06:26 110608 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 14:48:17.39 ===============

Edited to remove "Quote" tags. Please do not use any tags when posting as it makes things more difficult to read - Novi'.

Attached Files


Edited by Noviciate, 10 May 2010 - 02:24 PM.


BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:49 PM

Posted 10 May 2010 - 02:27 PM

Good evening. smile.gif

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *
  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of it's removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

 

 


#3 lhamil64

lhamil64
  • Topic Starter

  • Members
  • 200 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United States
  • Local time:04:49 PM

Posted 10 May 2010 - 07:20 PM

Before you replied, I started running GMER (from the link suggested in my other thread)
I'll post that log and then download ComboFix.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 20:16:44
Windows 5.1.2600 Service Pack 3
Running: xn8kj3je.exe; Driver: C:\DOCUME~1\LEEHAM~1\LOCALS~1\Temp\kgldapoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xEDE3BFC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xEDE38C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xEDE53170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xEDE3C580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xEDE50900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xEDE50B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xEDE54B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xEDE3C670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xEDE39210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xEDE539F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xEDE537A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xEDE50280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xEDE53F10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xEDE53F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xEDE39070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xEDE52180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xEDE51F40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xEDE546F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xEDE54150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xEDE3BBE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xEDE54540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xEDE3C190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xEDE39440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xEDE534E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xEDE51200]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEDD23950]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [80, C5, E3, ED, 00, 09, E5, ...] {ADD CH, 0xe3; IN EAX, DX; ADD [ECX], CL; IN EAX, 0xed; ADC [EBX], CL; IN EAX, 0xed}
? srescan.sys The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\DRIVERS\imapi.sys entry point in ".rsrc" section [0xF7530314]
.text Gem98.SYS F7A7F6C9 3 Bytes [F8, A7, F7]
.text Gem98.SYS F7A7F6CD 3 Bytes [F8, A7, F7]
.text Gem98.SYS F7A7F6D1 3 Bytes [F7, A7, F7]
.text Gem98.SYS F7A7F6D9 3 Bytes [F7, A7, F7]
.text Gem98.SYS F7A7F6DD 3 Bytes [F7, A7, F7]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AA000A
.text C:\WINDOWS\Explorer.EXE[1040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AB000A
.text C:\WINDOWS\Explorer.EXE[1040] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A9000C
.text C:\WINDOWS\System32\svchost.exe[2008] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0086000A
.text C:\WINDOWS\System32\svchost.exe[2008] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0087000A
.text C:\WINDOWS\System32\svchost.exe[2008] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0073000C
.text C:\WINDOWS\System32\svchost.exe[2008] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 02D5000A
.text C:\WINDOWS\System32\svchost.exe[2008] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0277000A

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0xAA 0x52 0xC6 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xB2 0x46 0x9A 0xE2 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\imapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#4 lhamil64

lhamil64
  • Topic Starter

  • Members
  • 200 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United States
  • Local time:04:49 PM

Posted 10 May 2010 - 08:36 PM

ComboFix 10-05-10.02 - Lee Hamilton 05/10/2010 20:38:31.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.872 [GMT -4:00]
Running from: c:\documents and settings\Lee Hamilton\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\pcwtest.tmp
c:\windows\eSellerateEngine.dll
c:\windows\system32\782220379.dat
c:\windows\system32\msconfig.exe
c:\windows\system32\Temp
c:\windows\system32\Thumbs.db
c:\windows\system32\drivers\etc\lmhosts . . . . failed to delete

Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-04-28 01:26 . 2010-04-28 01:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-28 01:07 . 2010-04-28 01:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stardock
2010-04-11 21:05 . 2010-05-01 21:26 -------- d-----w- c:\documents and settings\Lee Hamilton\Application Data\QuickStoresToolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 00:56 . 2009-11-29 15:38 -------- d-----w- c:\documents and settings\Lee Hamilton\Application Data\Dropbox
2010-05-10 19:05 . 2009-06-16 12:38 -------- d-----w- c:\program files\Everything
2010-05-10 19:00 . 2009-12-25 15:28 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-10 19:00 . 2009-12-25 15:27 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-05-10 18:44 . 2009-03-08 16:10 -------- d-----w- c:\program files\Elaborate Bytes
2010-05-10 01:22 . 2009-06-20 21:42 -------- d-----w- c:\documents and settings\Lee Hamilton\Application Data\Skype
2010-05-10 00:55 . 2007-06-03 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-09 20:14 . 2009-02-19 20:11 -------- d-----w- c:\documents and settings\Lee Hamilton\Application Data\skypePM
2010-05-09 19:06 . 2009-12-15 20:07 -------- d-----w- c:\documents and settings\Lee Hamilton\Application Data\Audacity
2010-05-09 03:23 . 2008-01-01 14:45 -------- d-----w- c:\program files\Unlocker
2010-05-09 01:29 . 2010-05-09 01:29 -------- d-----w- c:\program files\ESET
2010-05-08 17:08 . 2008-11-22 20:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-08 15:44 . 2007-10-11 23:39 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-08 13:43 . 2010-05-08 13:43 63488 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-08 13:43 . 2010-05-08 13:43 52224 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-08 13:43 . 2009-09-07 18:49 117760 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-08 13:41 . 2010-05-08 13:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-08 13:41 . 2010-05-08 13:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-07 23:15 . 2009-12-05 14:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-04 20:29 . 2010-05-04 20:29 -------- d-----w- c:\program files\Sun
2010-05-03 19:15 . 2010-05-03 19:15 -------- d-----w- c:\program files\CCleaner
2010-05-03 19:01 . 2009-08-23 19:44 -------- d-----w- c:\program files\AIM
2010-05-03 19:01 . 2010-05-03 19:01 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-05-01 00:44 . 2007-07-19 13:25 -------- d-----w- c:\program files\iTunes
2010-05-01 00:43 . 2008-04-07 22:39 -------- d-----w- c:\program files\iPod
2010-05-01 00:43 . 2007-07-19 13:03 -------- d-----w- c:\program files\Common Files\Apple
2010-05-01 00:35 . 2010-05-01 00:35 -------- d-----w- c:\program files\Bonjour
2010-05-01 00:31 . 2010-05-01 00:31 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-01 00:29 . 2010-05-01 00:29 -------- d-----w- c:\program files\Safari
2010-05-01 00:27 . 2010-05-01 00:27 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-29 19:39 . 2008-11-22 20:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-11-22 20:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 22:58 . 2008-03-01 14:30 -------- d-----w- c:\documents and settings\Lee Hamilton\Application Data\X-Chat 2
2010-04-19 18:59 . 2010-04-19 18:59 255472 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-04-18 14:38 . 2008-08-03 12:44 -------- d-----w- c:\documents and settings\Lee Hamilton\Application Data\FileZilla
2010-04-16 02:34 . 2009-11-08 16:33 -------- d-----w- c:\program files\Paint.NET
2010-04-13 21:35 . 2006-03-20 18:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-11 21:05 . 2010-04-11 21:05 704248 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\QuickStoresToolbar\unins000.exe
2010-04-11 20:29 . 2010-02-10 01:52 -------- d-----w- c:\documents and settings\Lee Hamilton\Application Data\vlc
2010-04-11 20:08 . 2006-03-20 19:27 -------- d-----w- c:\program files\Yahoo!
2010-04-09 21:47 . 2009-08-18 15:54 -------- d-----w- c:\program files\Microsoft SQL Server
2010-04-09 21:47 . 2010-04-09 21:30 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-04-09 21:47 . 2010-04-09 21:47 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-04-09 21:47 . 2010-04-09 21:47 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-04-09 21:46 . 2007-11-24 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-09 21:43 . 2007-12-01 15:09 193824 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2010-04-09 21:41 . 2007-12-01 15:06 416 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2010-04-09 00:29 . 2010-04-09 00:29 -------- d-----w- c:\program files\Tunatic
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-05 22:08 . 2010-04-05 22:08 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2010-04-05 22:07 . 2009-09-01 18:38 -------- d-----w- c:\program files\DIFX
2010-04-05 22:04 . 2010-04-05 22:04 -------- d-----w- c:\program files\Palm
2010-04-05 17:58 . 2007-01-20 14:13 -------- d-----w- c:\documents and settings\Lee Hamilton\Application Data\gtk-2.0
2010-04-04 20:39 . 2006-12-26 18:29 -------- d-----w- c:\program files\Liberty BASIC v4.03
2010-04-03 13:24 . 2010-04-03 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-03 13:18 . 2010-04-03 13:17 -------- d-----w- c:\program files\QuickTime
2010-04-02 21:19 . 2010-04-02 21:19 -------- d-----w- c:\program files\Pivot Stickfigure Animator
2010-04-02 12:20 . 2010-04-02 12:20 -------- d-----w- c:\documents and settings\Lee Hamilton\Application Data\ChrisPirilloLive.43807887EBC3D034D77D35533A41871526D1EC7C.1
2010-04-02 12:20 . 2010-04-02 12:20 -------- d-----w- c:\program files\Chris Pirillo Live
2010-03-27 22:00 . 2008-11-01 14:57 -------- d-----w- c:\documents and settings\Lee Hamilton\Application Data\.purple
2010-03-27 21:47 . 2010-03-27 21:47 2157 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2010-03-27 21:47 . 2010-03-27 21:47 2095 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2010-03-27 21:46 . 2010-03-27 21:46 1691 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\.purple\certificates\x509\tls_peers\api.screenname.aol.com
2010-03-27 21:43 . 2010-03-27 21:43 1089 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\.purple\certificates\x509\tls_peers\login.yahoo.com
2010-03-27 21:43 . 2010-03-27 21:43 1065 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\.purple\certificates\x509\tls_peers\gmail.com
2010-03-27 21:39 . 2010-03-27 21:39 -------- d-----w- c:\program files\Pidgin
2010-03-27 21:39 . 2007-01-20 14:07 -------- d-----w- c:\program files\Common Files\GTK
2010-03-27 16:25 . 2010-03-27 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Stardock
2010-03-27 14:22 . 2009-08-04 20:12 -------- d-----w- c:\program files\FileZilla FTP Client
2010-03-27 13:09 . 2008-02-28 21:20 -------- d-----w- c:\program files\CamStudio
2010-03-27 01:23 . 2010-03-27 01:22 -------- d-----w- c:\program files\SBar
2010-03-26 00:06 . 2009-05-06 18:47 99728 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2010-03-26 00:06 . 2007-06-18 16:41 123856 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2010-03-26 00:06 . 2010-03-26 00:06 133648 ----a-w- c:\windows\system32\VBoxNetFltNotify.dll
2010-03-26 00:06 . 2010-03-26 00:06 110608 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2010-03-26 00:06 . 2007-06-18 16:41 41680 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2010-03-21 16:12 . 2010-03-20 17:51 -------- d-----w- c:\program files\Orb Networks
2010-03-21 16:06 . 2009-12-09 16:48 -------- d-----w- c:\documents and settings\Lee Hamilton\Application Data\TweakNow PowerPack 2009
2010-03-21 15:16 . 2007-06-17 13:01 -------- d-----w- c:\program files\LiveSwif
2010-03-21 15:04 . 2007-07-01 02:49 -------- d-----w- c:\program files\Logitech
2010-03-21 14:52 . 2009-12-05 16:00 -------- d-----w- c:\program files\NCH Software
2010-03-21 14:52 . 2009-12-05 15:59 -------- d-----w- c:\documents and settings\Lee Hamilton\Application Data\NCH Software
2010-03-17 21:57 . 2010-03-17 21:57 -------- d-----w- c:\program files\Blue Onion Software
2010-03-10 06:15 . 2006-03-20 16:49 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 19:00 . 2010-04-11 21:05 126976 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\QuickStoresToolbar\Interop.SHDocVw.dll
2010-03-03 19:00 . 2010-04-11 21:05 45304 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\QuickStoresToolbar\Update.exe
2010-03-03 19:00 . 2010-04-11 21:05 37624 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\QuickStoresToolbar\QuickStoresToolbar.dll
2010-02-26 19:47 . 2009-11-29 15:39 91696 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\Dropbox\bin\Uninstall.exe
2010-02-26 19:46 . 2010-02-26 19:45 13264416 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\Dropbox\cache\Dropbox-update-0.7.110.exe
2010-02-26 05:10 . 2010-02-26 05:10 21979992 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\Dropbox\bin\Dropbox.exe
2010-02-25 06:24 . 2006-03-20 16:49 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-03-20 16:49 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-22 01:26 . 2010-02-22 01:26 50354 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\Facebook\uninstall.exe
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 13:10 . 2006-03-20 16:49 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:34 . 2008-04-11 12:16 38784 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-03-20 16:48 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-03-20 16:49 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-08-24 21:35 . 2009-08-24 21:35 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Lee Hamilton\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Lightscreen"="c:\program files\Lightscreen\lightscreen.exe" [2009-05-28 559104]
"ManyCam"="c:\program files\ManyCam 2.4\ManyCam.exe" [2009-12-19 1824040]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-06 2017280]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-03-06 356352]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-03-03 82012]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761948]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15691264]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"MagnifyingGlass10WorkColl"="c:\program files\MagniGlass\MagniGlass.exe" [2006-08-22 770048]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2005-02-17 221184]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Lee Hamilton\Start Menu\Programs\Startup\
aimLaunch.ahk.lnk - c:\documents and settings\Lee Hamilton\My Documents\aimLaunch.ahk [2010-1-22 570]
Dropbox.lnk - c:\documents and settings\Lee Hamilton\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
Logitech Touch Mouse Server.lnk - c:\program files\Logitech Touch Mouse Server\iTouch-Server-Win.exe [2009-10-23 228352]
Messengers-Startup.bat [2010-4-30 297]
Shortcut to PowerMenu.lnk - c:\program files\PowerMenu\PowerMenu.exe [2002-12-20 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-1 245760]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-3-20 155648]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2009-10-02 128360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 16:32 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2006-03-04 04:29 88204 ----a-w- c:\windows\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtcMaestro]
2007-08-30 02:12 344064 ------w- c:\program files\HP USB Multimedia Keyboard\Kmaestro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-08-24 21:34 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-08-30 00:49 133104 ----atw- c:\documents and settings\Lee Hamilton\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-17 15:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 19:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oovoo.exe]
2009-08-10 21:50 17385144 ----a-w- c:\program files\ooVoo\ooVoo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
2005-12-06 06:06 1077322 ----a-w- c:\program files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 21:47 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2005-04-27 00:13 122880 ----a-w- c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-16 22:15 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-06 21:04 2017280 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-03 20:11 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
2004-12-30 08:32 65536 ----a-w- c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2005-06-01 05:00 282624 ----a-w- c:\windows\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
2006-02-02 19:11 73728 -c--a-w- c:\program files\TOSHIBA\Tvs\TvsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wampmysqld"=3 (0x3)
"wampapache"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"Crypkey License"=2 (0x2)
"Bonjour Service"=2 (0x2)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"ASKService"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\GIMP-2.0\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Liberty BASIC v4.03\\liberty.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\X-Chat 2\\xchat.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\UltraVNC\\repeater.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Documents and Settings\\Lee Hamilton\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Lee Hamilton\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Gizmo5\\Gizmo5.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\VideoSpin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Logitech Touch Mouse Server\\iTouch-Server-Win.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:*:Disabled:Red Swoosh
"5000:UDP"= 5000:UDP:*:Disabled:Red Swoosh
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675
"443:TCP"= 443:TCP:ooVoo TCP port 443

R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [9/8/2008 4:45 PM 7168]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [3/6/2007 5:24 PM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [3/6/2007 5:27 PM 38528]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [6/18/2007 12:41 PM 123856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [6/18/2007 12:41 PM 41680]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [12/19/2001 12:45 PM 8576]
R2 Gem98;Gem98;c:\windows\system32\drivers\GEM98.SYS [5/24/2007 8:45 PM 3664]
R2 NovacomD;Palm Novacom;c:\program files\Palm\SDK\bin\novacom\x86\novacomd.exe [2/17/2010 4:10 PM 34304]
R2 OpenDNS Updater.exe;OpenDNS Updater;c:\program files\OpenDNS Updater\OpenDNS Updater.exe --run --> c:\program files\OpenDNS Updater\OpenDNS Updater.exe --run [?]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [10/28/2009 2:41 PM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [9/30/2008 2:40 PM 98304]
R2 StreamDeskService;StreamDesk HTTP Data Service;c:\program files\StreamDesk\StreamDesk.Core.exe [12/20/2009 8:53 PM 111616]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/28/2008 10:34 AM 24652]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 AM 21632]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [5/6/2009 2:47 PM 99728]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [3/25/2010 8:06 PM 110608]
S0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys --> c:\windows\system32\DRIVERS\tclondrv.sys [?]
S2 CachemanService;Cacheman Service;c:\program files\Cacheman\CachemanServ.exe --> c:\program files\Cacheman\CachemanServ.exe [?]
S2 gupdate1c87a6131e65d3a;Google Update Service (gupdate1c87a6131e65d3a);c:\program files\Google\Update\GoogleUpdate.exe [7/12/2008 9:48 AM 133104]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [8/21/2008 6:21 PM 6016]
S3 CamSpaceBus;CamSpace Virtual Joystick Bus device driver;c:\windows\system32\drivers\CamSpaceBus.sys [8/24/2008 7:55 AM 14848]
S3 cpuz130;cpuz130;\??\c:\docume~1\LEEHAM~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\LEEHAM~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 GoogleDesktopManager-060409-093314;Google Desktop Manager 5.9.906.4286;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/24/2009 5:34 PM 30192]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.2;c:\windows\system32\drivers\libusb0.sys [3/24/2010 4:12 PM 28160]
S3 mcdevice;mcdevice;c:\windows\system32\drivers\mcdevice.sys [2/15/2009 4:56 PM 324096]
S3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;c:\windows\system32\drivers\superwebcam.sys [2/23/2008 10:19 AM 31872]
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux);c:\windows\system32\drivers\tap0801co.sys [4/7/2008 3:41 PM 25856]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [1/1/2009 4:00 PM 32016]
S3 WCDV_Aud;WevCamDV WDM Virtual Audio Device;c:\windows\system32\drivers\wcdvaud.sys [9/17/2004 11:38 AM 12672]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S4 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\DRIVERS\maxidemo.sys --> c:\windows\system32\DRIVERS\maxidemo.sys [?]
S4 RDShutdown;RDShutdown Service;"c:\documents and settings\Lee Hamilton\Desktop\DShutdown\RDShutdown.exe" --> c:\documents and settings\Lee Hamilton\Desktop\DShutdown\RDShutdown.exe [?]
S4 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys --> c:\windows\system32\DRIVERS\scrcap.sys [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [9/30/2008 2:42 PM 14976]
S4 WebCamDV;WebCamDV DV to Webcam Converter;c:\windows\system32\DRIVERS\WebCamDV.sys --> c:\windows\system32\DRIVERS\WebCamDV.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-31 18:48]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-12 00:49]

2010-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-12 00:49]

2010-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3485493795-1590923617-3867672825-1006Core.job
- c:\documents and settings\Lee Hamilton\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 00:49]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3485493795-1590923617-3867672825-1006UA.job
- c:\documents and settings\Lee Hamilton\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 00:49]

2010-05-11 c:\windows\Tasks\User_Feed_Synchronization-{D64FB9EA-575C-4F56-B3A7-F5E605AA6B4D}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Lee Hamilton\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: k12.ny.us\www.potsdam
Trusted Zone: moove.com
Trusted Zone: stumbleupon.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} - hxxps://favorites.live.com/cab/ImportAx.cab?v=13,0,0831,02
DPF: {32A155BD-68EC-404E-A14F-72A851C0811D} - hxxp://cp1.webng.com/client/fm/WebNG-Uploader.cab
FF - ProfilePath - c:\documents and settings\Lee Hamilton\Application Data\Mozilla\Firefox\Profiles\ofq19v0e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\Lee Hamilton\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Lee Hamilton\Application Data\Mozilla\Firefox\Profiles\ofq19v0e.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Lee Hamilton\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Lee Hamilton\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkanevapatch.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\Opera\program\plugins\npmio.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Prey Laptop Tracker - c:\prey\cron.exe
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-Copernic Desktop Search 2 - c:\program files\Copernic Desktop Search 2\DesktopSearchService.exe
MSConfigStartUp-DeskDriveStartup - c:\program files\Blue Onion Software\Desk Drive\DeskDrive.exe
MSConfigStartUp-Desktop Coral - c:\program files\DesktopCoral\DesktopCoral.exe
MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
MSConfigStartUp-HumanizedEnso - c:\documents and settings\Lee Hamilton\Local Settings\Application Data\HumanizedEnso\Enso.exe
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
MSConfigStartUp-Magical Glass - c:\program files\Magical Glass\Magical Glass.exe
MSConfigStartUp-Monitor - c:\windows\PixArt\PAC207\Monitor.exe
MSConfigStartUp-msci - c:\docume~1\LEEHAM~1\LOCALS~1\Temp\20071289847_mcinfo.exe
MSConfigStartUp-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
MSConfigStartUp-NimiVisuals - c:\documents and settings\Lee Hamilton\Desktop\NV.exe
MSConfigStartUp-Orb - c:\program files\Orb Networks\Orb\bin\OrbLauncher.exe
MSConfigStartUp-OWCWebCamDV - c:\windows\system\wcdvtray.exe
MSConfigStartUp-Red Swoosh - c:\program files\RSSoft\RedSwoosh.exe
MSConfigStartUp-SandboxieControl - c:\program files\Sandboxie\SbieCtrl.exe
MSConfigStartUp-Share-to-Web Namespace Daemon - c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
MSConfigStartUp-Software Informer - c:\program files\Software Informer\softinfo.exe
MSConfigStartUp-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-VirtualDesk - c:\program files\TweakNow PowerPack 2009\VirDesk.exe
MSConfigStartUp-VVSN - c:\program files\VVSN\VVSN.exe
MSConfigStartUp-WhatPulse - c:\program files\WhatPulse\WhatPulse.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
MSConfigStartUp-WinExpose - c:\documents and settings\Lee Hamilton\Desktop\WinExpose_64027\WinExpose.exe
AddRemove-Liberty BASIC v4.03 - c:\liberty basic v4.03\uninstall.exe
AddRemove-WinGTK-2_is1 - c:\program files\Common Files\GTK\2.0\setup\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-10 20:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\EncryptionInterface*]
"c_encryption_d"="585A4B58455F\00e"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"="c:\\PROGRA~1\\Google\\GOOGLE~4\\GOEC62~1.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1280)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(1144)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\RocketDock\RocketDock.dll
c:\program files\PowerMenu\PowerMenuHook.dll
c:\documents and settings\Lee Hamilton\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\TDispVol.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXEV.DLL
c:\windows\IME\SPGRMR.DLL
c:\program files\Stardock\Fences\FencesMenu.dll
c:\program files\stardock\fences\DesktopDock.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\OpenDNS Updater\OpenDNS Updater.exe
c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Sophos\Remote Management System\RouterNT.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\TDispVol.exe
c:\windows\RTHDCPL.EXE
c:\program files\AutoHotkey\AutoHotkey.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2010-05-10 21:33:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-11 01:33

Pre-Run: 14,308,343,808 bytes free
Post-Run: 14,083,670,016 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - C5CB01B5053BE3423977B6E65FC0DEF6


It also opened my Hosts file, I'm not sure why but I wont bother posting it as nothing is different about it.

#5 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:49 PM

Posted 11 May 2010 - 02:42 PM

Good evening. smile.gif

We'll have a peek at your hard drive and se if anything else has taken up residence.

Pay a visit to the ESET Online Scanner.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.
  • Let me know how the PC is behaving.

So long, and thanks for all the fish.

 

 


#6 lhamil64

lhamil64
  • Topic Starter

  • Members
  • 200 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United States
  • Local time:04:49 PM

Posted 11 May 2010 - 02:46 PM

I ran ESET in my previous thread but I'll run it again.
I'll update this post with the log when it's finished.

EDIT:
For some reason, it didn't give me the option to view the log when it was done. I went into the program's directory and found the log.txt file, but I feel like it's the one from last time I scanned. I scanned Today, May 11, and probably started around 2:30-3:00 PM

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=4ac753ac7aafda4185924500b6b169d0
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-09 05:49:18
# local_time=2010-05-09 01:49:18 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=8449 16775125 100 99 0 79936586 0 0
# compatibility_mode=9217 16777214 100 74 34102063 40717571 0 0
# scanned=177636
# found=13
# cleaned=13
# scan_time=15134
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\A0272611.exe.000 Win32/TrojanDownloader.Zlob.BTY trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\autorun.inf.000 INF/Autorun virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\autorun.inf.1.000 INF/Autorun virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\autorun.inf.2.000 INF/Autorun virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\autorun.inf.3.000 INF/Autorun virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\autorun.inf.4.000 INF/Autorun virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\autorun.inf.5.000 INF/Autorun virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\autorun.inf.6.000 INF/Autorun virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\autorun.inf.7.000 INF/Autorun virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\doc.pdf.000 PDF/Exploit.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\doc.pdf.1.000 PDF/Exploit.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Lee Hamilton\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.594.0-static.exe probably a variant of Win32/Genetik trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Unlocker\eBay_shortcuts_1016.exe a variant of Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C
esets_scanner_update returned -1 esets_gle=0
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=4ac753ac7aafda4185924500b6b169d0
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-11 11:07:29
# local_time=2010-05-11 07:07:29 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=8449 16775142 100 99 0 80174721 0 0
# compatibility_mode=9217 16777214 100 74 34340198 40955706 0 0
# scanned=149791
# found=103
# cleaned=103
# scan_time=12089
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\Border Skin 0.2.3.exe.000 probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\Border Skin 0.2.3.exe.000.000 probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\Border Skin 0.2.3.exe.1.000 probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.1.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.10.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.11.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.12.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.13.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.14.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.15.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.16.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.17.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.18.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.19.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.2.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.20.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.21.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.22.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.23.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.24.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.25.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.26.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.27.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.28.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.29.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.3.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.30.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.31.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.32.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.33.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.34.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.35.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.36.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.37.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.38.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.39.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.4.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.40.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.41.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.42.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.43.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.44.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.45.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.46.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.47.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.48.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.49.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.5.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.50.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.51.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.52.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.53.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.54.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.55.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.56.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.57.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.58.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.59.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.6.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.60.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.61.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.62.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.63.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.64.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.65.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.66.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.67.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.68.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.69.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.7.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.70.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.71.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.72.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.73.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.74.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.75.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.76.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.77.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.78.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.79.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.8.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.80.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.81.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.82.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.83.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.84.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.85.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.86.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.87.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.88.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.89.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.9.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.90.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.91.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.92.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.93.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.94.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.95.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.96.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.97.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\f2.exe.98.000 probably a variant of Win32/Kryptik.EAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\imapi.sys.vir Win32/Patched.EQ trojan (deleted - quarantined) 00000000000000000000000000000000 C

Edited by lhamil64, 11 May 2010 - 06:30 PM.


#7 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:49 PM

Posted 12 May 2010 - 02:12 PM

Good evening. smile.gif

ESET just adds the results of any new scans to the end of any existing log it finds:

# local_time=2010-05-09 01:49:18 (-0500, Eastern Daylight Time)
# found=13
# cleaned=13

# local_time=2010-05-11 07:07:29 (-0500, Eastern Daylight Time)
# found=103
# cleaned=103


The detections all have (cleaned by deleting - quarantined) next to them - did you uncheck the "Remove found threats" box before you ran the scan? Also, how is the PC behaving now.

So long, and thanks for all the fish.

 

 


#8 lhamil64

lhamil64
  • Topic Starter

  • Members
  • 200 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United States
  • Local time:04:49 PM

Posted 12 May 2010 - 02:28 PM

I don't remember if I clicked "Remove found threats"
The computer with the issues is my laptop. I have it hooked up to an external keyboard and mouse. Since I needed a computer to do things on while I scanned, I hooked another computer up to the keyboard/mouse/monitor (a desktop) so I haven't really been doing much with the infected computer. I will check right now though to see if Google still redirects.

Doing a couple google searches, none of the results I've clicked on have redirected me elsewhere.

#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:49 PM

Posted 13 May 2010 - 02:47 PM

Good evening. smile.gif

Will you run the PC for a day or two and then let me have another DDS log and tell me how it is behaving.

So long, and thanks for all the fish.

 

 


#10 lhamil64

lhamil64
  • Topic Starter

  • Members
  • 200 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United States
  • Local time:04:49 PM

Posted 14 May 2010 - 02:25 PM

I've pretty much been doing all my Googling on the "infected" computer.
The Google Redirecting problem is definitely gone now. I just hope there isn't any lingering infections not related to searching.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Lee Hamilton at 15:17:50.37 on Fri 05/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.665 [GMT -4:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Palm\SDK\bin\novacom\x86\novacomd.exe
C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\StreamDesk\StreamDesk.Core.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MagniGlass\MagniGlass.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\ZoomText 8.1\Zt8.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Lightscreen\lightscreen.exe
C:\Program Files\ManyCam 2.4\ManyCam.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Documents and Settings\Lee Hamilton\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\Documents and Settings\Lee Hamilton\Start Menu\Programs\Startup\TwoFingerScroll.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\Lee Hamilton\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: AhIeBho Class: {10384d0e-2bc1-48b6-844b-ad0e9e6d2511} - c:\program files\zoomtext 8.1\ahoi\ah_ie_bho.dll
BHO: QuickStores-Toolbar: {10edb994-47f8-43f7-ae96-f2ea63e9f90f} - mscoree.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: QT TabBar: {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll
TB: QT Tab Standard Buttons: {d2bf470e-ed1c-487f-a666-2bd8835eb6ce} - mscoree.dll
TB: QuickStores-Toolbar: {10edb994-47f8-43f7-ae96-f2ea63e9f90f} - mscoree.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {968631B6-4729-440D-9BF4-251F5593EC9A} - No File
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [Lightscreen] c:\program files\lightscreen\lightscreen.exe -h
uRun: [ManyCam] "c:\program files\manycam 2.4\ManyCam.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [dla] c:\windows\system32\dla\DLACTRLW.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [MagnifyingGlass10WorkColl] c:\program files\magniglass\MagniGlass.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [ZoomText 8.1] "c:\program files\zoomtext 8.1\Zt8.exe"
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\leeham~1\startm~1\programs\startup\aimlau~1.lnk - c:\documents and settings\lee hamilton\my documents\aimLaunch.ahk
StartupFolder: c:\docume~1\leeham~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\lee hamilton\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\leeham~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech touch mouse server\iTouch-Server-Win.exe
StartupFolder: c:\documents and settings\lee hamilton\start menu\programs\startup\Messengers-Startup.bat
StartupFolder: c:\docume~1\leeham~1\startm~1\programs\startup\shortc~1.lnk - c:\program files\powermenu\PowerMenu.exe
StartupFolder: c:\documents and settings\lee hamilton\start menu\programs\startup\TwoFingerScroll.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
uPolicies-explorer: NoSecurityTab = 1 (0x1)
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\oldaim5.9\aim.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\lee hamilton\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
Trusted Zone: k12.ny.us\www.potsdam
Trusted Zone: moove.com
Trusted Zone: stumbleupon.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://activation.rr.com/install/downloads/tgctlcm.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} - hxxps://favorites.live.com/cab/ImportAx.cab?v=13,0,0831,02
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/da/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {32A155BD-68EC-404E-A14F-72A851C0811D} - hxxp://cp1.webng.com/client/fm/WebNG-Uploader.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - hxxp://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} - hxxp://chat.yahoo.com/cab/yuplapp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\leeham~1\applic~1\mozilla\firefox\profiles\ofq19v0e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\lee hamilton\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\lee hamilton\application data\mozilla\firefox\profiles\ofq19v0e.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\lee hamilton\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\lee hamilton\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npkanevapatch.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\npmio.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [2008-9-8 7168]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2007-3-6 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2007-3-6 38528]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2007-6-18 123856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2007-6-18 41680]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-29 353672]
R2 Gem98;Gem98;c:\windows\system32\drivers\GEM98.SYS [2007-5-24 3664]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-7-17 45848]
R2 NovacomD;Palm Novacom;c:\program files\palm\sdk\bin\novacom\x86\novacomd.exe [2010-2-17 34304]
R2 OpenDNS Updater.exe;OpenDNS Updater;c:\program files\opendns updater\opendns updater.exe --run --> c:\program files\opendns updater\OpenDNS Updater.exe --run [?]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-10-28 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-9-30 98304]
R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2009-4-2 266240]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-7-1 172032]
R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2009-4-2 794624]
R2 StreamDeskService;StreamDesk HTTP Data Service;c:\program files\streamdesk\StreamDesk.Core.exe [2009-12-20 111616]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-28 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-5-6 99728]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2010-3-25 110608]
S0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys --> c:\windows\system32\drivers\tclondrv.sys [?]
S2 CachemanService;Cacheman Service;c:\program files\cacheman\cachemanserv.exe --> c:\program files\cacheman\CachemanServ.exe [?]
S2 gupdate1c87a6131e65d3a;Google Update Service (gupdate1c87a6131e65d3a);c:\program files\google\update\GoogleUpdate.exe [2008-7-12 133104]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-8-21 6016]
S3 CamSpaceBus;CamSpace Virtual Joystick Bus device driver;c:\windows\system32\drivers\CamSpaceBus.sys [2008-8-24 14848]
S3 cpuz130;cpuz130;\??\c:\docume~1\leeham~1\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\leeham~1\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 GoogleDesktopManager-060409-093314;Google Desktop Manager 5.9.906.4286;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-24 30192]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.2;c:\windows\system32\drivers\libusb0.sys [2010-3-24 28160]
S3 mcdevice;mcdevice;c:\windows\system32\drivers\mcdevice.sys [2009-2-15 324096]
S3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;c:\windows\system32\drivers\superwebcam.sys [2008-2-23 31872]
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux);c:\windows\system32\drivers\tap0801co.sys [2008-4-7 25856]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2009-1-1 32016]
S3 WCDV_Aud;WevCamDV WDM Virtual Audio Device;c:\windows\system32\drivers\wcdvaud.sys [2004-9-17 12672]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\drivers\maxidemo.sys --> c:\windows\system32\drivers\maxidemo.sys [?]
S4 RDShutdown;RDShutdown Service;"c:\documents and settings\lee hamilton\desktop\dshutdown\rdshutdown.exe" --> c:\documents and settings\lee hamilton\desktop\dshutdown\RDShutdown.exe [?]
S4 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys --> c:\windows\system32\drivers\scrcap.sys [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 14976]
S4 WebCamDV;WebCamDV DV to Webcam Converter;c:\windows\system32\drivers\webcamdv.sys --> c:\windows\system32\drivers\WebCamDV.sys [?]

=============== Created Last 30 ================

2010-05-14 01:15:27 0 dc----w- C:\Two Finger Scroll
2010-05-11 00:31:05 0 dcsha-r- C:\cmdcons
2010-05-11 00:26:33 98816 ----a-w- c:\windows\sed.exe
2010-05-11 00:26:33 77312 ----a-w- c:\windows\MBR.exe
2010-05-11 00:26:33 256512 ----a-w- c:\windows\PEV.exe
2010-05-11 00:26:33 161792 ----a-w- c:\windows\SWREG.exe
2010-05-10 18:41:41 0 ----a-w- c:\documents and settings\lee hamilton\defogger_reenable
2010-05-09 01:29:43 0 d-----w- c:\program files\ESET
2010-05-08 13:41:50 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-08 13:41:31 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-04 20:29:03 0 d-----w- c:\program files\Sun
2010-05-03 19:15:42 0 d-----w- c:\program files\CCleaner
2010-05-03 19:01:00 0 d-----w- c:\program files\common files\Software Update Utility
2010-05-01 00:35:56 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-05-10 19:00:35 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-10 19:00:33 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-05 22:08:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2010-03-26 00:06:30 99728 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2010-03-26 00:06:28 123856 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2010-03-26 00:06:26 41680 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2010-03-26 00:06:26 133648 ----a-w- c:\windows\system32\VBoxNetFltNotify.dll
2010-03-26 00:06:26 110608 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 15:19:06.81 ===============

Attached Files



#11 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:49 PM

Posted 16 May 2010 - 02:22 PM

Good evening. smile.gif

I don't see anything of interest in your log, so as it seems to be behaving itself, i'd say that you were probably done, apart from a little housework.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following steps will serve as a spring clean for your PC. Not all of them will be of benefit to your PC as this is a general post, but the overall effect should be positive.

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download TFC by OldTimer from here and save it to your Desktop.
  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of it's actions. If you have anything in there that you haven't finished with, move it first.

3) Double click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disc Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

4) Defragment your hard drive. A tutorial for disc defragmentation is available here.

I happen to prefer a third-party defrag tool to the one that Windows offers. You can read about it, and find a linky, here - it's free too!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your version of Sun Java needs updating:

1) Go here and click on the Windows XP/Vista/2000/2003 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):
Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***
  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older version of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users