
Tidserv TDL3/TDL4 intrusion attempts


39 replies to this topic

#1 KPhoto


Posted 18 May 2010 - 06:27 PM

I have Norton Internet Security 2010 Version 17.6.0.32 and Windows XP service pack 3



I have had 38 intrusion attempts on May 14 by the following IPs



85.12.46.159 - HTTP Tidserv Request 7gafd33ja90a.com/(with lots of numbers and letters after this. It is too long to type) \Device\harddiskvolume1\ProgramFiles\Internet\Explorer\IExplore.exe



202.157.171.207 - HTTPS Tidserv Request 2

\Device\harddiskvolume1\Windows\system32\SVCHOST.exe



91.212.226.59 - HTTPS Tidserv Request 2

\Device\harddiskvolume1\Windows\system32\SVCHOST.exe



91.212.226.67 - HTTPS Tidserv Request 2

\Device\harddiskvolume1\Windows\system32\SVCHOST.exe



195.170.178.55 - HTTPS Tidserv Request 2

\Device\harddiskvolume1\Windows\system32\SVCHOST.exe


209.212.149.18 - HTTP Fake Scan Webpage 5


xxx.1.realsafe-24.com/107abecb5edfc9ae958277ee420b429028973009011.js
\Device\harddiskvolume1\Windows\system32\SVCHOST.exe


202.157.171.207 HTTPS Tidserv Request 2
\Device\harddiskvolume1\Windows\system32\SVCHOST.exe




The following are Quarantined:

1-4-2010 documents(1).txt Downloader

5-6-2010 WS.Reputation.1

5-6-2010 345f6ff1.exe


104 Medium Severity attempts in last two days.

Unauthorized access blocked (Open File)

Unauthorized access blocked (Open Process Token)

Unauthorized access blocked (Duplicate Object)


May 12 - 7 Cookies


I also ran 2 Full Scans with Norton on May 11 - Found nothing and also ran two Malwarebytes Scans which didn't find anything. All scans were done in windows mode not safe mode.

I was away for 5 days, so when I started my computer late May 17 I was still receiving intrusion attempts which Norton Antivirus is stopping.

91.212.226.67 - HTTPS Tidserv Request 2
\Device\harddiskvolume1\Windows\system32\SVCHOST.exe


202.157.171.207 HTTPS Tidserv Request 2
\Device\harddiskvolume1\Windows\system32\SVCHOST.exe

85.12.46.159 HTTP Tidserv Request
7gafd33ja90a.com/ mkF3xSwx5x5myLs3dmVyPTMuNzImYmlkPTcwMTE3Yzg2LWI2ZjYtNDE20C1iN2MwLWFkMzczYmVjMjEyNyZhaWQ9MjAxOTUmc2lkPTAmcmQ9Ni41LjIwMTAmZW5nPXd3dy5iaW5nLmNvbSZxPXN1cHBvcnRtaWNyb3NvZnQ=27h

lj1i16b0.com 91.212.226.59
\Device\harddiskvolume1\Windows\system32\SVCHOST.exe

I'm getting the intrusion attempts even when I'm not browsing on IE. I'm receiving unexpected pop-ups and the web pages change without me doing it.

I tried running GMER 4 times and each time it froze on me and didn't finish. The 4th time that I restarted the computer after it froze (I had to push the restart button on my computer because there were no icons on my desktop each time it froze), I got a message on start-up that Microsoft XP needed to be reactivated in 3 days because of hardware changes. I didn't make any changes to my computer so I don't know why that needed to be done. I thought I would mention this because I don't know if this had any connection with my problem.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Karen at 11:28:34.07 on Tue 05/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3527.2855 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Program Files\SanDisk ImageMate\SanDisk Transfer Button.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\UMonit.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Seagate\AutoBackup\MemeoBackup.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Karen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://cm.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.6.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.6.0.32\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.6.0.32\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [<NO NAME>] c:\program files\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...000096.000001d8
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [DMXLauncher] "c:\program files\roxio\cineplayer\DMXLauncher.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paint shop pro photo x2\CorelIOMonitor.exe
mRun: [EPSON Stylus Photo R220 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R220"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [UMonit] c:\windows\system32\UMonit.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [SanDisk Transfer Button] c:\windows\system32\Starter.exe
StartupFolder: c:\docume~1\karen\startm~1\programs\startup\autoba~1.lnk - c:\program files\seagate\autobackup\MemeoLauncher.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: americangreetings.com\www.veepers.yahoo
Trusted Zone: americangreetings.com\www.yahoo
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {03A89EFD-E023-8600-A22D-45F77558EB4C} - hxxps://content.ilinc.com/clientdownload/download/ilinci86.dll
DPF: {03A89EFD-E023-A200-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInstall.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install/00/alttiff.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139026103765
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} - hxxp://www.nero.com/doc/NeroVersionCheckerControl.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146275402641
DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} - hxxp://beta.bookmarks.yahoo.com/YbConvFav.CAB
DPF: {B19FDE22-5907-4315-B558-1D537E86C3E1} - hxxp://www.flipviewer.com/exe/fv421.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://ak.imgag.com/imgag/cp/install/Crusher.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://developer.intel.com/design/motherbd/boardid/BoardID.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2005-2-15 7680]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1106000.020\symds.sys [2010-5-11 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1106000.020\symefa.sys [2010-5-11 172592]
R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [2005-2-15 125440]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1106000.020\cchpx86.sys [2010-5-11 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1106000.020\ironx86.sys [2010-5-11 116784]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.6.0.32\ccsvchst.exe [2010-5-11 126392]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-11 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\ipsdefs\20100513.002\IDSXpx86.sys [2010-5-17 329592]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\virusdefs\20100517.040\NAVENG.SYS [2010-5-18 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\virusdefs\20100517.040\NAVEX15.SYS [2010-5-18 1347504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S3 CSRBC01;CSRBC01.Sys CSR test driver;c:\windows\system32\drivers\csrbc01.sys [2007-10-26 83124]
S3 USTOR2K;Genesys USB Mass Storage Windows Driver;c:\windows\system32\drivers\ustor2k.sys [2010-3-3 28800]

=============== Created Last 30 ================

2010-05-18 15:21:33 0 ----a-w- c:\documents and settings\karen\defogger_reenable
2010-05-18 05:19:17 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-13 04:17:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-13 04:17:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-13 04:17:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 23:08:45 0 d-----w- c:\windows\LMIE.tmp
2010-05-12 14:27:23 191 ----a-w- c:\windows\system32\MRT.INI
2010-05-12 12:05:09 0 d-----w- c:\windows\LMI1224.tmp
2010-05-12 00:02:06 0 d-----w- c:\windows\LMI60.tmp
2010-05-11 23:57:45 0 d-----w- c:\windows\LMI5F.tmp
2010-05-11 21:55:35 0 d-----w- c:\docume~1\karen\applic~1\Tific
2010-05-11 03:54:01 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-11 03:54:01 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-11 03:54:01 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-11 03:54:01 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-11 03:54:01 0 d-----w- c:\program files\Symantec
2010-05-11 03:53:04 0 d-----w- c:\windows\system32\drivers\NIS
2010-05-11 03:52:58 0 d-----w- c:\program files\Norton Internet Security
2010-05-11 03:52:50 0 d-----w- c:\program files\NortonInstaller
2010-05-02 14:15:27 0 d-----w- c:\docume~1\karen\applic~1\Malwarebytes
2010-05-02 14:15:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-21 04:53:41 0 d-----w- c:\program files\Shape Collage

==================== Find3M ====================

2010-05-10 20:45:17 952 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-04-21 03:14:25 96236 ----a-w- c:\windows\fonts\adam_gorry_lights.otf
2010-04-21 03:14:25 53832 ----a-w- c:\windows\fonts\adam_gorry_inline.otf
2010-04-21 03:14:17 135128 ----a-w- c:\windows\fonts\AlphaClouds.ttf
2010-04-21 03:14:08 370068 ----a-w- c:\windows\fonts\AlphaFlowers.ttf
2010-04-21 03:14:00 162048 ----a-w- c:\windows\fonts\AlphaMusicMan.ttf
2010-04-21 03:13:50 91420 ----a-w- c:\windows\fonts\AlphaRope.ttf
2010-04-21 03:13:40 59508 ----a-w- c:\windows\fonts\BackToSchool.ttf
2010-04-21 03:13:31 167164 ----a-w- c:\windows\fonts\BingoStar.ttf
2010-04-21 03:13:11 49292 ----a-w- c:\windows\fonts\BONEAPA.TTF
2010-04-21 03:13:02 184132 ----a-w- c:\windows\fonts\CatsAlphabet.ttf
2010-04-21 03:12:53 72424 ----a-w- c:\windows\fonts\Circus.ttf
2010-04-21 03:12:43 121036 ----a-w- c:\windows\fonts\COUNB___.TTF
2010-04-21 03:12:32 52212 ----a-w- c:\windows\fonts\Djmoo.TTF
2010-04-21 03:12:20 54856 ----a-w- c:\windows\fonts\ennobled.ttf
2010-04-21 03:11:29 159028 ----a-w- c:\windows\fonts\Fleurs de Liane.TTF
2010-04-21 03:11:18 153996 ----a-w- c:\windows\fonts\floral_dawn.ttf
2010-04-21 03:11:06 21872 ----a-w- c:\windows\fonts\flower.TTF
2010-04-21 03:10:56 83007 ----a-w- c:\windows\fonts\GAYANE.TTF
2010-04-21 03:10:42 164416 ----a-w- c:\windows\fonts\Hannah.ttf
2010-04-21 03:10:26 171588 ----a-w- c:\windows\fonts\Hoppy Ribbitday.ttf
2010-04-21 03:10:11 45468 ----a-w- c:\windows\fonts\iArnold_font.ttf
2010-04-21 03:09:57 100832 ----a-w- c:\windows\fonts\Kingthings Xstitch.ttf
2010-04-21 03:09:43 168340 ----a-w- c:\windows\fonts\Kitchen Kapers 1.ttf
2010-04-21 03:09:43 154336 ----a-w- c:\windows\fonts\Kitchen Kapers 2.ttf
2010-04-21 03:09:29 24624 ----a-w- c:\windows\fonts\leaf1.TTF
2010-04-21 03:08:58 178388 ----a-w- c:\windows\fonts\MTF Base Leafy.ttf
2010-04-21 03:08:44 22044 ----a-w- c:\windows\fonts\Newyorkcity.ttf
2010-04-21 03:08:29 163460 ----a-w- c:\windows\fonts\PATCL___.TTF
2010-04-21 03:08:15 397232 ----a-w- c:\windows\fonts\Singer Mears.ttf
2010-04-21 03:08:02 267288 ----a-w- c:\windows\fonts\StarryType.ttf
2010-04-21 03:08:02 261852 ----a-w- c:\windows\fonts\StarryTypeLA.ttf
2010-04-21 03:07:18 154040 ----a-w- c:\windows\fonts\VTKS bandana.ttf
2010-04-21 03:07:04 46232 ----a-w- c:\windows\fonts\VTKS Estilosa.ttf
2010-04-21 03:06:49 89096 ----a-w- c:\windows\fonts\Wood Shapes.ttf
2010-04-21 02:20:21 24876 ----a-w- c:\windows\fonts\aj-cat.ttf
2010-04-21 02:20:09 28420 ----a-w- c:\windows\fonts\ROCKS___.TTF
2010-04-21 02:19:56 46688 ----a-w- c:\windows\fonts\TROPB___.TTF
2010-04-21 02:19:44 31008 ----a-w- c:\windows\fonts\Hoyle Playing Cards.ttf
2010-04-21 02:19:00 395356 ----a-w- c:\windows\fonts\MARIO.TTF
2010-04-21 02:18:48 28112 ----a-w- c:\windows\fonts\HD-corners2.ttf
2010-04-21 02:18:36 50144 ----a-w- c:\windows\fonts\HD-design7.ttf
2010-04-21 02:18:23 64492 ----a-w- c:\windows\fonts\HD-mixedbag.ttf
2010-04-21 02:18:11 59248 ----a-w- c:\windows\fonts\BeautifulOrnamentsThree.ttf
2010-04-21 02:17:59 86912 ----a-w- c:\windows\fonts\DJ horses 1.ttf
2010-04-21 02:17:47 115152 ----a-w- c:\windows\fonts\stillframes.ttf
2010-04-21 02:17:33 95272 ----a-w- c:\windows\fonts\AFRIWB__.TTF
2010-04-21 02:17:20 267000 ----a-w- c:\windows\fonts\Americanic.ttf
2010-04-21 02:17:07 140984 ----a-w- c:\windows\fonts\Fantasy clipart 2.ttf
2010-04-21 02:16:54 22328 ----a-w- c:\windows\fonts\poohbear_gb.ttf
2010-04-21 02:16:42 104848 ----a-w- c:\windows\fonts\littlecity2000.ttf
2010-04-21 02:16:10 174828 ----a-w- c:\windows\fonts\SilhouettA.ttf
2010-04-21 02:15:57 347412 ----a-w- c:\windows\fonts\SilhouettenPeople.ttf
2010-04-21 02:15:44 120512 ----a-w- c:\windows\fonts\Silhouettes03.ttf
2010-04-21 02:15:31 214908 ----a-w- c:\windows\fonts\SILHT___.TTF
2010-04-21 02:15:17 35988 ----a-w- c:\windows\fonts\KFON.TTF
2010-04-21 02:15:02 41016 ----a-w- c:\windows\fonts\funfish_sg.ttf
2010-04-21 02:14:49 175848 ----a-w- c:\windows\fonts\Ballet.otf
2010-04-21 02:14:30 137464 ----a-w- c:\windows\fonts\SoccerII.otf
2010-04-21 02:14:05 100736 ----a-w- c:\windows\fonts\WWFloralCorner.ttf
2010-04-21 02:13:52 482840 ----a-w- c:\windows\fonts\WWHeavenSent.ttf
2010-04-21 02:13:34 145420 ----a-w- c:\windows\fonts\WWSpringTime.ttf
2010-04-21 01:53:07 15832 ----a-w- c:\windows\fonts\BABYBLOC.TTF
2010-04-09 03:20:12 27888 ----a-w- c:\windows\fonts\BALLW___.TTF
2010-04-09 03:19:54 37552 ----a-w- c:\windows\fonts\CHOPS___.TTF
2010-04-09 03:18:55 71396 ----a-w- c:\windows\fonts\FLbrsa1.ttf
2010-04-09 03:18:55 71172 ----a-w- c:\windows\fonts\FLllana1.ttf
2010-04-09 03:18:31 62452 ----a-w- c:\windows\fonts\FREEBSC_.ttf
2010-04-09 03:18:31 21824 ----a-w- c:\windows\fonts\FREEBSCA.ttf
2010-04-09 03:18:12 70016 ----a-w- c:\windows\fonts\HenryMorganHand.ttf
2010-04-09 03:17:50 84004 ----a-w- c:\windows\fonts\HoneyScript-SemiBold.ttf
2010-04-09 03:17:49 82840 ----a-w- c:\windows\fonts\HoneyScript-Light.ttf
2010-04-09 03:17:25 29628 ----a-w- c:\windows\fonts\LaurenScript.ttf
2010-04-09 03:17:04 42652 ----a-w- c:\windows\fonts\Old Script.ttf
2010-04-09 03:16:42 28200 ----a-w- c:\windows\fonts\Radagund.ttf
2010-04-09 03:15:55 82072 ----a-w- c:\windows\fonts\SCRIPTIN.ttf
2010-04-09 03:15:55 11652 ----a-w- c:\windows\fonts\SCRIPALT.ttf
2010-04-09 03:15:24 68356 ----a-w- c:\windows\fonts\tagetts2_U.ttf
2010-04-09 03:15:24 32168 ----a-w- c:\windows\fonts\tagettP2_U.ttf
2010-04-09 03:15:03 34068 ----a-w- c:\windows\fonts\Wild Script.ttf
2010-04-09 03:14:34 84852 ----a-w- c:\windows\fonts\Windsong.ttf
2010-04-09 03:04:31 43592 ----a-w- c:\windows\fonts\Nymphette.ttf
2010-04-09 03:03:03 288944 ----a-w- c:\windows\fonts\Little cuties.ttf
2010-04-08 23:04:08 44344 ----a-w- c:\windows\fonts\Bearbats.ttf
2010-04-08 23:03:33 54468 ----a-w- c:\windows\fonts\carebearsbyIacy.ttf
2010-04-08 23:03:13 84672 ----a-w- c:\windows\fonts\Country Cuties.ttf
2010-04-08 23:02:47 44088 ----a-w- c:\windows\fonts\CROPDING.TTF
2010-04-08 23:02:22 34496 ----a-w- c:\windows\fonts\DamaskDings1.ttf
2010-04-08 23:01:38 331664 ----a-w- c:\windows\fonts\DJ_Stringed.ttf
2010-04-08 23:01:13 33876 ----a-w- c:\windows\fonts\EFON.TTF
2010-04-08 23:00:39 167088 ----a-w- c:\windows\fonts\Eutemia Ornaments.ttf
2010-04-08 22:59:57 97344 ----a-w- c:\windows\fonts\Floralia.ttf
2010-04-08 22:59:26 50540 ----a-w- c:\windows\fonts\fondi_kpz.ttf
2010-04-08 22:59:01 57528 ----a-w- c:\windows\fonts\FcoFlares.TTF
2010-04-08 22:58:17 32016 ----a-w- c:\windows\fonts\KALOF___.TTF
2010-04-08 22:56:14 154916 ----a-w- c:\windows\fonts\KG ABCs.ttf
2010-04-08 22:55:52 135996 ----a-w- c:\windows\fonts\LauriesCountry.ttf
2010-04-08 22:53:11 151464 ----a-w- c:\windows\fonts\LOKIDR__.TTF
2010-04-08 22:53:11 151356 ----a-w- c:\windows\fonts\LOKIDL__.TTF
2010-04-08 22:52:47 24616 ----a-w- c:\windows\fonts\lpflowers2.ttf
2009-04-13 20:32:35 1056 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-07-15 14:49:15 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071520080716\index.dat
2009-12-04 21:39:31 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-12-04 21:39:31 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-12-04 21:39:31 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 11:30:22.84 ===============

No Ark.txt log to attach. GMER froze each time.
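The alert records in this post pair a remote IP and IPS signature with the local process the traffic was attributed to, and the point a responder would want to pull out is that most of the Tidserv hits come from SVCHOST.exe rather than the browser. The following is an added triage helper for records in exactly that layout; it is not code from BleepingComputer or Symantec, the sample alert text is constructed to match the shape of the records above, and the list of core Windows process names is an assumption for illustration.

```python
"""Triage of Norton IPS alert records pasted in a help-request post.

Parses record pairs of the form

    <remote ip> - <signature> [url]
    \\Device\\harddiskvolumeN\\...\\process.exe

and reports which local process the blocked traffic was attributed to.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Signature names as they appear in the post. The trailing \b stops a URL that
# begins with a digit (7gafd33ja90a.com) from being read as a variant number.
SIG_RE = re.compile(r"(HTTPS? (?:Tidserv Request|Fake Scan Webpage)(?: \d+\b)?)")
DEVICE_RE = re.compile(r"^\\device\\", re.IGNORECASE)

# Assumed list of core Windows processes that should never be the source of
# Tidserv-style requests; traffic from them means the code is resident.
SYSTEM_PROCESSES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe"}

# Constructed sample shaped like the records in the post (not a real log export).
SAMPLE_ALERTS = r"""
85.12.46.159 - HTTP Tidserv Request 7gafd33ja90a.com/mkF3xSwx5x5myLs3dmVy
\Device\harddiskvolume1\ProgramFiles\Internet Explorer\IExplore.exe

202.157.171.207 - HTTPS Tidserv Request 2
\Device\harddiskvolume1\Windows\system32\SVCHOST.exe

91.212.226.59 - HTTPS Tidserv Request 2
\Device\harddiskvolume1\Windows\system32\SVCHOST.exe

91.212.226.67 - HTTPS Tidserv Request 2
\Device\harddiskvolume1\Windows\system32\SVCHOST.exe

209.212.149.18 - HTTP Fake Scan Webpage 5
xxx.1.realsafe-24.com/107abecb5edfc9ae958277ee420b429028973009011.js
\Device\harddiskvolume1\Windows\system32\SVCHOST.exe

85.12.46.159 HTTP Tidserv Request
7gafd33ja90a.com/ mkF3xSwx5x5myLs3dmVyPTMuNzI

lj1i16b0.com 91.212.226.59
\Device\harddiskvolume1\Windows\system32\SVCHOST.exe
"""


@dataclass
class Alert:
    remote_ip: str
    signature: str
    url: str = ""
    process: str = "(unknown)"  # lowercase basename once a \Device line is seen


def parse_alerts(text: str) -> List[Alert]:
    alerts: List[Alert] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DEVICE_RE.match(line):
            # The process path closes the current record.
            if current is not None:
                current.process = line.rsplit("\\", 1)[-1].lower()
                alerts.append(current)
                current = None
            continue
        ip = IP_RE.search(line)
        if ip:
            if current is not None:  # previous record had no process line
                alerts.append(current)
            rest = line.replace(ip.group(1), "", 1)
            sig = SIG_RE.search(line)
            if sig:
                rest = rest.replace(sig.group(1), "", 1)
            current = Alert(ip.group(1), sig.group(1) if sig else "(unnamed)",
                            rest.strip(" -"))
        elif current is not None:
            # Continuation line: the URL that did not fit on the alert line.
            current.url = (current.url + line).strip()
    if current is not None:
        alerts.append(current)
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, object]:
    per_process: Dict[str, Counter] = defaultdict(Counter)
    remote: Dict[str, set] = defaultdict(set)
    for a in alerts:
        per_process[a.process][a.signature] += 1
        remote[a.process].add(a.remote_ip)
    findings = []
    for proc, sigs in per_process.items():
        if proc in SYSTEM_PROCESSES:
            findings.append(
                f"{proc} originated {sum(sigs.values())} blocked connection(s) to "
                f"{len(remote[proc])} remote host(s): a core Windows process hitting "
                "Tidserv signatures points to a resident infection, not a page the "
                "user visited, so on-demand scans from normal mode may miss it")
    return {"alert_count": len(alerts),
            "per_process": {p: dict(c) for p, c in per_process.items()},
            "remote_ips": {p: sorted(s) for p, s in remote.items()},
            "findings": findings}


def contacted_hosts(alerts: List[Alert]) -> List[str]:
    """Distinct remote IPs and URL hostnames, for blocking and log pivoting."""
    hosts = set()
    for a in alerts:
        hosts.add(a.remote_ip)
        if a.url:
            hosts.add(a.url.split("/", 1)[0].split()[0].lower())
    return sorted(hosts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    report = summarize(parsed)
    for proc, sigs in report["per_process"].items():
        print(f"{proc:14} {sum(sigs.values()):2} alert(s)  {sigs}")
    for finding in report["findings"]:
        print("FINDING:", finding)
    print("hosts to block / pivot on:", ", ".join(contacted_hosts(parsed)))
```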


#2 extremeboy

  • Malware Response Team

Posted 19 May 2010 - 04:25 PM

Can you try running RootRepeal?

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.
  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal.)
  • Close/Disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the tab at the bottom.
  • Now press the button.
  • A box will pop up, check the boxes beside All Seven options/scan area
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan to your desktop.
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.

Next... please perform the custom OTL scan with the instructions below.

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  6. Copy and Paste the following code into the textbox. Do not include the word "Code"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  7. Push
  8. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 KPhoto

  • Topic Starter


Posted 19 May 2010 - 07:36 PM

Hi extremeboy,

I'm doing the scan with RootRepeal on my computer right now. I hope that it allows me to post it, because to post the DDS.txt & Attach.txt information I had to transfer it to my husband's computer to post it on bleepingcomputer. I take it that it had something to do with the infection because I didn't have any trouble posting it with my husband's computer. I tried 4 times and even restarted my computer to see if I could post it. I guess if it won't let me I'll transfer it to his computer and post it that way. We'll see what happens when I try.

I have one question about the OTL report. Should I disconnect from the internet and turn off my security programs before I scan with OTL?

I want to thank you so much for helping me with this problem.

Karen

#4 KPhoto
  • Topic Starter
  • Members
  • 39 posts

Posted 19 May 2010 - 08:22 PM

Here is the RootRepeal scan report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/05/19 20:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB4EB0000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMDS.SYS
Image Path: SYMDS.SYS
Address: 0xF7841000 Size: 352256 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF795A000 Size: 184320 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Karen\My Documents\My Pictures\Family Assorted Photos\Kristie, Nathan & Walker\Already Burned on CD\Kristie Friends Wedding\FRIEND~1.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a61caa0

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8a9bf7a0

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a89aa00

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8aa75a60

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a9d5aa0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb71f1210

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8a873f80

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x8a883a78

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a898970

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8aa34710

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb71f1490

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb71f19f0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x8a89ac18

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a89ca30

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8aa5a7f8

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8a9ed158

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8a96b6d8

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a89c8d0

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8aa2a5c8

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb71f17a0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8a89aeb8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8af59310

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x8a8c5b98

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x8a89ad68

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a87eb38

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8a9441f0

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8a9e9070

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8a8a3db0

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x8aa28c10

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb71f1c40

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8aa3dcd0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8aaee518

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8aa15128

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8ab7d070

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8af01e00

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a89cdc0

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x8a652cd0

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8aa424e0

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x8aaed7c0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x8aa5dcd0

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x8a6f88d0

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x89be11e0

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x8a6f84d8

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x89be1270

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8a9b6760

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x8a9acd88

==EOF==

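As an added example (not part of this thread, and not code from the RootRepeal tool), here is a small Python script that triages a RootRepeal report of the kind posted above: it pairs each "#: nnn Function Name:" line with its "Status: Hooked by" line, groups the SSDT and Shadow SSDT hooks by the module RootRepeal attributed them to, and re-checks every hook address against the image base and size given in the report's own Drivers section. The embedded report is a constructed excerpt in the same format; the SYMEVENT.SYS driver entry in it is an assumption added so that one hook resolves to an image, since the posted report lists only its hidden drivers.

```python
"""Triage the SSDT / Shadow SSDT section of a RootRepeal report.

RootRepeal prints each hooked service as a pair of lines:
    #: 041 Function Name: NtCreateKey
    Status: Hooked by "C:\\WINDOWS\\system32\\Drivers\\SYMEVENT.SYS" at address 0xb71f1210
"<unknown>" means RootRepeal could not map the hook target to a loaded module.
This script (a) groups hooks by the module RootRepeal attributed them to and
(b) re-checks every hook address against the image ranges in the report's
own "Drivers" section, so an analyst can see whether a hook lands inside a
known driver image or in anonymous kernel memory.
"""
import re
from collections import defaultdict

# Constructed sample in RootRepeal 1.3.5 format (not the full posted report).
# The SYMEVENT.SYS driver entry is an assumption added so that one hook
# resolves to an image; the real report lists only its hidden drivers.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB4EB0000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEVENT.SYS
Image Path: C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
Address: 0xB71E0000 Size: 124976 File Visible: - Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a61caa0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb71f1210

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8a96b6d8

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8aa424e0

==EOF==
"""

SECTION_RE = re.compile(r"^(Drivers|SSDT|Shadow SSDT)\s*$")
DRV_NAME_RE = re.compile(r"^Name:\s*(\S+)")
DRV_ADDR_RE = re.compile(r"^Address:\s*(0x[0-9A-Fa-f]+)\s+Size:\s*(\d+)")
FUNC_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOK_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)')


def parse_report(report):
    """Return (drivers, hooks): driver image ranges and hooked services."""
    drivers, hooks = [], []
    section, pending_name, pending_func = None, None, None
    for raw in report.splitlines():
        line = raw.strip()
        if line == "==EOF==":
            break
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Drivers":
            m = DRV_NAME_RE.match(line)
            if m:
                pending_name = m.group(1)      # remember until its Address line
                continue
            m = DRV_ADDR_RE.match(line)
            if m and pending_name:
                drivers.append({"name": pending_name, "base": int(m.group(1), 16),
                                "size": int(m.group(2))})
                pending_name = None
        elif section in ("SSDT", "Shadow SSDT"):
            m = FUNC_RE.match(line)
            if m:
                pending_func = (int(m.group(1)), m.group(2))
                continue
            m = HOOK_RE.match(line)
            if m and pending_func:
                idx, func = pending_func
                hooks.append({"table": section, "index": idx, "function": func,
                              "hooker": m.group(1), "address": int(m.group(2), 16)})
                pending_func = None
    return drivers, hooks


def resolve(address, drivers):
    """Name of the driver image whose [base, base+size) contains address, else None."""
    for d in drivers:
        if d["base"] <= address < d["base"] + d["size"]:
            return d["name"]
    return None


def hooks_by_module(hooks):
    """{hooker as reported by RootRepeal: ['table:function', ...]}"""
    out = defaultdict(list)
    for h in hooks:
        out[h["hooker"]].append(f"{h['table']}:{h['function']}")
    return dict(out)


def unresolved_hooks(hooks, drivers):
    """Hooks whose target lies outside every driver image listed in the report."""
    return [h for h in hooks if resolve(h["address"], drivers) is None]


if __name__ == "__main__":
    drivers, hooks = parse_report(SAMPLE_REPORT)
    for hooker, funcs in hooks_by_module(hooks).items():
        print(f"{hooker}: {len(funcs)} hook(s) -> {', '.join(funcs)}")
    for h in unresolved_hooks(hooks, drivers):
        print(f"unmapped: {h['table']} #{h['index']:03d} {h['function']} @ {h['address']:#010x}")
```

Run it as-is to print the summary, or replace SAMPLE_REPORT with the text of a saved RootRepeal report. A hook that RootRepeal marks "<unknown>" and that also falls outside every listed image range is one whose handler lives in memory not belonging to any driver the tool enumerated; that alone does not say whose code it is, so the output is a worklist for the analyst, not a verdict.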
#5 KPhoto
  • Topic Starter
  • Members
  • 39 posts

Posted 19 May 2010 - 09:12 PM

The OTL.txt Report:

OTL logfile created on: 5/19/2010 9:28:58 PM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Karen\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 81.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.64 Gb Total Space | 523.58 Gb Free Space | 74.94% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 14.91 Gb Total Space | 9.07 Gb Free Space | 60.83% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KLB
Current User Name: Karen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/19 19:23:01 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Karen\Desktop\OTL.exe
PRC - [2010/02/25 19:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccsvchst.exe
PRC - [2009/05/07 14:58:28 | 000,040,960 | ---- | M] () -- C:\Program Files\SanDisk ImageMate\SanDisk Transfer Button.exe
PRC - [2009/04/20 12:07:26 | 000,337,216 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2009/03/26 15:58:05 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/03/02 17:16:18 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\UMonit.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/08/08 17:30:44 | 000,016,712 | R--- | M] () -- C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
PRC - [2008/06/24 21:06:22 | 000,904,768 | ---- | M] (Acronis) -- C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
PRC - [2008/06/24 20:56:52 | 000,136,472 | ---- | M] (Seagate) -- C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
PRC - [2008/06/24 20:56:38 | 000,431,384 | ---- | M] (Seagate) -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
PRC - [2008/06/24 20:52:18 | 001,325,848 | ---- | M] (Seagate) -- C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
PRC - [2007/03/13 23:15:08 | 000,109,304 | ---- | M] () -- C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
PRC - [2006/09/14 07:56:06 | 000,102,400 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
PRC - [2005/03/09 05:00:00 | 000,098,304 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE
PRC - [2003/05/30 10:42:22 | 000,585,728 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
PRC - [2003/05/29 17:28:32 | 000,790,528 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PRC - [2001/03/20 14:15:20 | 000,045,056 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Hardware\Keyboard\Type32.exe


========== Modules (SafeList) ==========

MOD - [2010/05/19 19:23:01 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Karen\Desktop\OTL.exe
MOD - [2010/03/26 19:52:36 | 000,415,088 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.6.0.32\asoehook.dll
MOD - [2009/07/12 04:02:02 | 000,653,120 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.6.0.32\microsoft.vc90.crt\msvcr90.dll
MOD - [2009/07/12 04:02:00 | 000,569,664 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.6.0.32\microsoft.vc90.crt\msvcp90.dll
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007/10/26 12:06:56 | 000,062,768 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\patrolpro.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/02/25 19:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe -- (NIS)
SRV - [2010/02/19 20:30:16 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/06/24 20:56:38 | 000,431,384 | ---- | M] (Seagate) [Auto | Running] -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe -- (SgtSch2Svc)
SRV - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)
SRV - [2006/09/14 07:56:06 | 000,102,400 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor5.0)
SRV - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2010/05/10 23:57:29 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100519.025\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/10 23:57:29 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/05/10 23:57:29 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/10 23:57:29 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100519.025\NAVENG.SYS -- (NAVENG)
DRV - [2010/05/10 23:54:01 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/04/29 17:46:04 | 000,537,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100429.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/02/26 22:23:54 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1106000.020\Ironx86.SYS -- (SymIRON)
DRV - [2010/02/26 22:23:21 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1106000.020\SRTSP.SYS -- (SRTSP)
DRV - [2010/02/26 22:23:21 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1106000.020\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/25 19:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1106000.020\ccHPx86.sys -- (ccHP)
DRV - [2010/02/12 17:24:27 | 000,000,000 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.hs -- (LVUVC) Logitech Webcam 905(UVC)
DRV - [2010/02/03 21:40:52 | 000,362,032 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1106000.020\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/02/03 21:40:50 | 000,172,592 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1106000.020\SYMEFA.SYS -- (SymEFA)
DRV - [2009/11/05 18:06:13 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1106000.020\SYMDS.SYS -- (SymDS)
DRV - [2009/10/28 18:37:22 | 000,329,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100513.002\IDSXpx86.sys -- (IDSxpx86)
DRV - [2009/02/28 22:31:18 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009/02/28 22:31:18 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/02/28 22:31:09 | 000,132,224 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2009/02/28 22:30:52 | 000,368,480 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpman.sys -- (tdrpman)
DRV - [2009/01/15 16:19:06 | 000,028,800 | ---- | M] (General) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ustor2k.sys -- (USTOR2K)
DRV - [2008/05/16 14:01:00 | 006,557,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/04/13 15:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/12/02 23:04:07 | 000,083,124 | ---- | M] (CSR) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\csrbc01.sys -- (CSRBC01)
DRV - [2007/03/13 16:13:54 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2007/03/13 16:13:32 | 000,035,064 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/03/13 16:13:30 | 000,098,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/03/13 16:13:30 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/03/13 16:13:28 | 000,026,744 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/03/13 16:13:26 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/03/13 16:13:26 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/03/13 16:13:24 | 000,104,824 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/03/12 01:25:28 | 000,099,848 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (drvmcdb)
DRV - [2007/02/09 12:34:16 | 000,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2007/02/08 20:05:30 | 000,028,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/02/08 20:05:30 | 000,012,856 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/12/13 12:19:16 | 000,050,688 | ---- | M] (Sonic Solutions) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\RxFilter.sys -- (RxFilter)
DRV - [2006/05/23 16:00:26 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2004/12/13 12:28:04 | 000,125,440 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ulsata2.sys -- (ulsata2)
DRV - [2004/08/04 01:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/06/29 15:25:26 | 000,007,680 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\DontGo.sys -- (dontgo)
DRV - [2003/12/30 07:38:52 | 000,028,080 | ---- | M] (Ahead Software AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\incdrm.sys -- (incdrm)
DRV - [2003/11/05 09:45:12 | 000,017,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\bb-run.sys -- (bb-run)
DRV - [2003/10/14 16:10:02 | 000,036,484 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SMBios.sys -- (SMBios) Intel ®
DRV - [2003/05/09 01:00:56 | 000,033,248 | ---- | M] (Sonic Focus, Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sf.sys -- (sf)
DRV - [2003/05/02 16:39:54 | 000,333,696 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dumant.sys -- (DumaNT)
DRV - [2002/09/20 14:53:34 | 000,235,100 | ---- | M] (Analog Devices Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-796845957-362288127-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-796845957-362288127-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-796845957-362288127-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-796845957-362288127-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
IE - HKU\S-1-5-21-796845957-362288127-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-796845957-362288127-839522115-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-796845957-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-796845957-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\extensions\\paypalfirefoxplugin@orbiscom: C:\Program Files\PayPal\PayPal Plug-In [2010/02/22 12:48:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\ [2010/05/11 15:54:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\ [2010/05/11 14:42:15 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2003/03/31 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O2 - BHO: (OToolbarHelper Class) - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll ()
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (PayPal Plug-In) - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll ()
O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-796845957-362288127-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-796845957-362288127-839522115-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-796845957-362288127-839522115-1003\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-796845957-362288127-839522115-1003\..\Toolbar\WebBrowser: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKU\S-1-5-21-796845957-362288127-839522115-1003\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
O4 - HKLM..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe (Seagate)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe ()
O4 - HKLM..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [EPSON Stylus Photo R220 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [IntelliType] C:\Program Files\Microsoft Hardware\Keyboard\type32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PtiuPbmd] C:\WINDOWS\System32\ulutil2.dll (Promise Technology,Inc.)
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [Seagate Scheduler2 Service] C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe (Seagate)
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [StxTrayMenu] C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe (Seagate LLC)
O4 - HKLM..\Run: [UMonit] C:\WINDOWS\system32\UMonit.exe ()
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - HKU\S-1-5-21-796845957-362288127-839522115-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKLM..\RunOnce: [SanDisk Transfer Button] C:\WINDOWS\system32\Starter.exe ()
O4 - Startup: C:\Documents and Settings\Karen\Start Menu\Programs\Startup\AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe (Memeo Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-796845957-362288127-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-796845957-362288127-839522115-1003\..Trusted Domains: americangreetings.com ([www.veepers.yahoo] https in Trusted sites)
O15 - HKU\S-1-5-21-796845957-362288127-839522115-1003\..Trusted Domains: americangreetings.com ([www.yahoo] https in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {03A89EFD-E023-8600-A22D-45F77558EB4C} https://content.ilinc.com/clientdownload/do...ad/ilinci86.dll (ILINCInstall86 Class)
O16 - DPF: {03A89EFD-E023-A200-A22D-45F77558EB4C} https://content10.ilinc.com/download/AXCltInstall.dll (ILINCInstall102 Class)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/7.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternatiff.com/install/00/alttiff.cab (AlternaTIFF ActiveX)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/3/9...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab (System Requirements Lab Class)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab (DLM Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1139026103765 (WUWebControl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} http://www.nero.com/doc/NeroVersionCheckerControl.cab (NeroVersionCheckerControl Control)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1146275402641 (MUWebControl Class)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (Housecall ActiveX 6.5)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} http://beta.bookmarks.yahoo.com/YbConvFav.CAB (YbUploadFavsCtl Class)
O16 - DPF: {B19FDE22-5907-4315-B558-1D537E86C3E1} http://www.flipviewer.com/exe/fv421.cab (Reg Error: Key error.)
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} http://ak.imgag.com/imgag/cp/install/Crusher.cab (Creative Toolbox Plug-in)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} http://developer.intel.com/design/motherbd...did/BoardID.cab (BoardCtl Class)
O16 - DPF: Garmin Communicator Plug-In https://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Karen\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Karen\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/02/04 01:26:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{eb8bd122-76a8-11dd-9f5f-0050bad8563b}\Shell\AutoRun\command - "" = I:\Install FreeAgent Tools.exe -- File not found
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\Install FreeAgent Tools.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2006/02/04 01:25:58 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: UploadMgr - Service
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0291E591-EA41-4c82-8106-3DC6CE7F7664} - Reg Error: Value error.
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 10.1
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 10.1
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - Reg Error: Value error.
ActiveX: {347B0667-C7ED-429B-BDE3-CC8D3BACAA31} - Reg Error: Value error.
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA851-CC51-11CF-AAFA-00AA00B6015C} - rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {924C1588-90C3-4910-B6CA-D57A1C0418FE} - Reg Error: Value error.
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ae594d5e-dd07-4e54-8252-daa5aebbd4ec} - KB905915
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: {f5173cf0-1dfb-4978-8e50-a90169ee7ca9} - Q823353
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - lvcodec2.dll File not found
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: VIDC.MP42 - C:\WINDOWS\System32\MPG4C32.DLL (Microsoft Corporation)
Drivers32: VIDC.MPG4 - C:\WINDOWS\System32\MPG4C32.DLL (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17746534284132352)

========== Files/Folders - Created Within 30 Days ==========

[2010/05/19 19:22:59 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Karen\Desktop\OTL.exe
[2010/05/19 19:17:04 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Karen\Desktop\RootRepeal.exe
[2010/05/19 00:12:16 | 012,093,736 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Karen\Desktop\PCCheckupInstaller.exe
[2010/05/18 22:51:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/05/18 22:51:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Karen\Application Data\Office Genuine Advantage
[2010/05/18 19:20:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2010/05/18 19:20:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/05/18 19:20:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/05/18 19:20:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/05/18 19:20:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2010/05/18 19:20:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/05/18 19:20:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/05/18 19:20:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/05/18 19:20:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/05/18 19:20:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/05/18 19:20:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/05/18 19:20:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/05/18 19:20:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/05/18 19:20:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/05/18 19:20:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/05/18 19:20:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/05/18 19:20:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2010/05/18 16:07:33 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Easy Assist
[2010/05/18 16:07:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Applications
[2010/05/18 01:19:17 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/18 01:19:17 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/18 01:19:17 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/18 01:19:17 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/13 03:15:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/13 00:17:19 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/13 00:17:17 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/13 00:17:17 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/12 19:08:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\LMIE.tmp
[2010/05/12 08:05:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\LMI1224.tmp
[2010/05/11 20:02:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\LMI60.tmp
[2010/05/11 19:57:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\LMI5F.tmp
[2010/05/11 17:55:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Karen\Application Data\Tific
[2010/05/11 17:13:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/05/11 02:56:26 | 000,362,032 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1106000.020\symtdi.sys
[2010/05/11 02:56:26 | 000,340,016 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1106000.020\symtdiv.sys
[2010/05/11 02:56:25 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1106000.020\symds.sys
[2010/05/11 02:56:25 | 000,172,592 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1106000.020\symefa.sys
[2010/05/11 02:56:25 | 000,043,696 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1106000.020\srtspx.sys
[2010/05/11 02:56:24 | 000,501,888 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1106000.020\cchpx86.sys
[2010/05/11 02:56:24 | 000,325,680 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1106000.020\srtsp.sys
[2010/05/11 02:56:24 | 000,116,784 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1106000.020\ironx86.sys
[2010/05/11 02:55:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NIS\1106000.020
[2010/05/10 23:54:01 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/05/10 23:54:01 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/05/10 23:54:01 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/05/10 23:53:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NIS
[2010/05/10 23:52:58 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Internet Security
[2010/05/10 23:52:50 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2010/05/10 22:27:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/05/10 22:26:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/05/10 21:06:52 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/05/10 20:24:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ICS
[2010/05/06 15:10:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/04 17:05:38 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/05/02 10:15:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Karen\Application Data\Malwarebytes
[2010/05/02 10:15:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/23 12:33:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Karen\My Documents\BTLogo.png
[2010/04/21 00:53:41 | 000,000,000 | ---D | C] -- C:\Program Files\Shape Collage
[10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/19 21:18:57 | 049,807,360 | -H-- | M] () -- C:\Documents and Settings\Karen\NTUSER.DAT
[2010/05/19 21:00:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/19 20:16:57 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Karen\Desktop\settings.dat
[2010/05/19 19:23:01 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Karen\Desktop\OTL.exe
[2010/05/19 19:17:07 | 000,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Karen\Desktop\RootRepeal.exe
[2010/05/19 19:16:17 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{F866C7BC-A3AC-4C15-9933-5420656CD6CE}.job
[2010/05/19 19:14:03 | 000,186,097 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/19 19:13:43 | 000,001,316 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/19 19:13:39 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/19 19:13:06 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/19 19:12:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/19 00:49:17 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Karen\ntuser.ini
[2010/05/19 00:12:24 | 012,093,736 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Karen\Desktop\PCCheckupInstaller.exe
[2010/05/18 15:57:16 | 000,001,316 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2010/05/18 15:00:48 | 000,004,444 | ---- | M] () -- C:\WINDOWS\System32\pid.PNF
[2010/05/18 11:27:23 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Karen\Desktop\gmer.exe
[2010/05/18 11:22:17 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Karen\Desktop\dds.scr
[2010/05/18 11:21:33 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Karen\defogger_reenable
[2010/05/18 11:04:50 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Karen\Desktop\Defogger.exe
[2010/05/18 01:18:56 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/18 01:18:56 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/18 01:18:56 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/18 01:18:56 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/18 01:18:56 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/05/13 00:17:22 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/12 18:35:11 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/12 10:27:23 | 000,000,191 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/12 10:23:38 | 000,699,158 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\Cat.DB
[2010/05/12 10:06:10 | 000,000,844 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/12 08:27:32 | 000,000,202 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/05/11 14:41:15 | 000,001,973 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
[2010/05/10 23:54:01 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/05/10 23:54:01 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/05/10 23:54:01 | 000,007,443 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/05/10 23:54:01 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/05/10 23:41:08 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/05/10 20:31:44 | 000,004,608 | ---- | M] () -- C:\Documents and Settings\Karen\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/10 16:45:17 | 000,000,952 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/05/04 16:16:01 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 18:52:25 | 000,000,082 | ---- | M] () -- C:\WINDOWS\MPLAYER.INI
[2010/04/21 08:25:15 | 000,450,792 | ---- | M] () -- C:\Documents and Settings\Karen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/21 08:02:52 | 001,110,768 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/21 00:53:41 | 000,000,737 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Shape Collage.lnk
[10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/19 20:16:57 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Karen\Desktop\settings.dat
[2010/05/18 15:00:45 | 000,004,444 | ---- | C] () -- C:\WINDOWS\System32\pid.PNF
[2010/05/18 11:22:14 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Karen\Desktop\dds.scr
[2010/05/18 11:21:33 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Karen\defogger_reenable
[2010/05/18 11:04:50 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Karen\Desktop\Defogger.exe
[2010/05/13 00:17:22 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/12 10:27:23 | 000,000,191 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/11 14:40:30 | 000,699,158 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\Cat.DB
[2010/05/11 02:56:26 | 000,001,473 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\symnetv.inf
[2010/05/11 02:56:25 | 000,007,787 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\symnetv.cat
[2010/05/11 02:56:25 | 000,007,444 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\symefa.cat
[2010/05/11 02:56:25 | 000,007,425 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\symds.cat
[2010/05/11 02:56:25 | 000,007,368 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\symnet.cat
[2010/05/11 02:56:25 | 000,003,374 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\symefa.inf
[2010/05/11 02:56:25 | 000,002,793 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\symds.inf
[2010/05/11 02:56:25 | 000,001,445 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\symnet.inf
[2010/05/11 02:56:24 | 000,007,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\srtspx.cat
[2010/05/11 02:56:24 | 000,007,438 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\srtsp.cat
[2010/05/11 02:56:24 | 000,007,438 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\iron.cat
[2010/05/11 02:56:24 | 000,001,388 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\srtspx.inf
[2010/05/11 02:56:24 | 000,001,382 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\srtsp.inf
[2010/05/11 02:56:24 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\iron.inf
[2010/05/11 02:56:23 | 000,007,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\cchpx86.cat
[2010/05/11 02:56:23 | 000,001,754 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\cchpx86.inf
[2010/05/11 02:55:29 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1106000.020\isolate.ini
[2010/05/10 23:54:01 | 000,007,443 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/05/10 23:54:01 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/05/10 23:53:48 | 000,001,973 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
[2010/04/21 00:53:41 | 000,000,737 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Shape Collage.lnk
[2010/03/03 15:58:53 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\ustor.dll
[2009/11/05 19:16:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\HPMProp.INI
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/04/13 16:32:19 | 000,001,056 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2008/10/14 10:40:08 | 000,000,059 | ---- | C] () -- C:\WINDOWS\ANS2000.INI
[2008/07/27 20:17:53 | 000,001,066 | ---- | C] () -- C:\WINDOWS\GraphicsDesk.INI
[2008/07/11 18:42:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2008/05/16 14:01:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/05/16 14:01:00 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/05/16 14:01:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/05/16 14:01:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/05/16 14:01:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2008/03/13 23:22:59 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2008/03/13 23:22:59 | 000,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/05/10 19:49:39 | 000,000,033 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2007/05/10 19:46:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2007/04/24 06:18:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2007/02/27 00:49:44 | 000,035,576 | ---- | C] () -- C:\WINDOWS\System32\besched.dll
[2006/12/13 23:02:32 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/12/13 23:02:32 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2006/09/30 13:25:16 | 000,000,030 | ---- | C] () -- C:\WINDOWS\Iedit_.INI
[2006/06/02 21:11:11 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2006/06/02 21:07:38 | 000,000,058 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2006/06/02 21:07:27 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPR220.ini
[2006/04/18 08:42:41 | 000,000,082 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI
[2006/03/29 00:44:42 | 000,000,202 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/03/06 21:14:31 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2006/03/06 21:14:30 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\LFFPX7.DLL
[2006/02/06 00:27:24 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2006/02/06 00:17:32 | 000,098,304 | R--- | C] () -- C:\WINDOWS\StiRegstEng.dll
[2006/02/06 00:15:25 | 000,290,919 | ---- | C] () -- C:\WINDOWS\System32\pythoncom21.dll
[2006/02/06 00:15:25 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes21.dll
[2006/02/06 00:13:39 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
[2006/02/06 00:13:39 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
[2006/02/06 00:12:02 | 000,000,111 | ---- | C] () -- C:\WINDOWS\EPSON Perfection 3170.ini
[2006/02/05 23:52:15 | 000,000,021 | ---- | C] () -- C:\WINDOWS\PI_setup.ini
[2006/02/05 23:50:40 | 000,000,190 | ---- | C] () -- C:\WINDOWS\EPSON RX620 Installer.ini
[2006/02/05 22:48:44 | 000,000,045 | ---- | C] () -- C:\WINDOWS\EPSP825.ini
[2006/02/05 15:14:25 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/10/02 01:00:00 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2003/10/02 01:00:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll
[2003/05/02 16:39:54 | 000,368,640 | ---- | C] () -- C:\WINDOWS\System32\nvimage.dll
[2003/05/02 16:39:54 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\stereoi.dll
[2003/02/12 14:20:24 | 000,006,942 | ---- | C] () -- C:\WINDOWS\cadx2.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/19 18:30:00 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\mag.dll

========== LOP Check ==========

[2008/07/15 15:03:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\09
[2010/05/18 16:07:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2006/02/12 17:34:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2009/10/06 21:46:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
[2008/10/10 00:57:45 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
[2008/08/30 16:11:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tanagra
[2006/09/30 11:10:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2009/08/31 18:56:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Cut It Out
[2008/08/06 23:07:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\EBookSys
[2006/06/17 12:35:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\EPSON
[2009/10/06 21:07:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\GARMIN
[2008/08/04 16:11:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Hemera
[2008/03/07 23:22:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Jetcast
[2006/02/05 23:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Leadertech
[2006/04/18 08:42:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\MyFamily.com
[2009/09/11 01:31:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\onOne Software
[2006/04/20 20:22:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Opera
[2006/02/26 20:18:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Smart Panel
[2010/05/11 17:55:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Tific
[2006/09/30 11:50:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Ulead Systems
[2008/07/27 19:51:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Windows Search
[2007/12/15 17:45:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\WinPatrol
[2010/05/19 19:16:17 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{F866C7BC-A3AC-4C15-9933-5420656CD6CE}.job

========== Purity Check ==========



========== Custom Scans ==========


< %ALLUSERSPROFILE%\Application Data\*. >
[2008/07/15 15:03:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\09
[2010/01/20 02:14:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2006/02/05 20:18:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ahead
[2008/09/02 07:33:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2010/05/04 17:04:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2010/05/18 16:07:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2009/06/10 22:52:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Corel
[2006/02/12 17:34:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2009/10/06 21:46:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
[2009/03/26 15:28:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/11/05 19:14:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
[2008/07/11 18:35:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield
[2010/02/23 19:35:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogiShrd
[2010/05/02 10:15:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/12 14:50:38 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2010/05/10 23:52:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Norton
[2009/12/16 02:03:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2010/03/10 10:19:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/05/18 22:51:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2008/03/13 23:26:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Roxio
[2008/10/10 00:57:45 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
[2008/03/13 23:21:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sonic
[2010/01/27 03:54:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sun
[2009/12/16 01:49:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2008/08/30 16:11:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tanagra
[2006/09/30 11:10:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2006/02/04 00:35:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2008/12/20 20:04:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2010/04/14 20:40:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2008/07/14 10:55:00 | 000,308,600 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\NortonProtectionMemo.exe
[2006/09/14 07:57:52 | 001,581,056 | ---- | M] (Macromedia, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\Photoshop Elements\5.0\Flash Galleries\Dynamic\flashplayer\windows\SAFlashPlayer.exe
[2006/09/14 07:58:04 | 000,077,824 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Adobe\Photoshop Elements\5.0\Flash Galleries\GeoWeb Gallery\gallery\resources\AuthSWF.exe
[2009/03/25 10:33:31 | 021,083,176 | ---- | M] (Macrovision Corporation ) -- C:\Documents and Settings\All Users\Application Data\Corel\Downloads\540225279_807010\1235587639613\PSPPX2ULRAW200904DEFIGS.exe
[2007/08/30 17:18:16 | 341,891,800 | ---- | M] (Macrovision Corporation) -- C:\Documents and Settings\All Users\Application Data\Corel\Downloads\540225279_807010\1254516286962\PSPP12_Corel_TBYB_EN_IE_FR_DE_ES_IT_NL_ESD.exe
[2010/03/10 00:53:18 | 000,086,016 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

< %APPDATA%\*. >
[2009/03/24 12:02:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Adobe
[2007/03/19 18:06:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\AdobeUM
[2006/09/23 00:34:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Ahead
[2008/10/04 16:00:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Apple Computer
[2006/07/19 09:55:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\ArcSoft
[2009/04/13 16:32:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Corel
[2009/08/31 18:56:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Cut It Out
[2009/10/06 20:57:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Download Manager
[2008/08/06 23:07:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\EBookSys
[2006/06/17 12:35:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\EPSON
[2009/08/20 09:46:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\FastStone
[2009/10/06 21:07:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\GARMIN
[2007/10/30 20:12:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Google
[2007/05/10 23:06:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Help
[2008/08/04 16:11:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Hemera
[2006/02/03 22:41:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Identities
[2009/04/13 16:39:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\InstallShield
[2008/03/07 23:22:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Jetcast
[2008/01/15 11:53:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Lavasoft
[2006/02/05 23:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Leadertech
[2006/02/05 17:34:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Macromedia
[2010/05/02 10:15:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Malwarebytes
[2010/01/09 02:31:53 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Karen\Application Data\Microsoft
[2006/02/06 20:35:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Microsoft Web Folders
[2006/04/18 08:42:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\MyFamily.com
[2010/05/18 22:51:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Office Genuine Advantage
[2009/09/11 01:31:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\onOne Software
[2008/08/07 15:41:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\OpenOffice.org2
[2006/04/20 20:22:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Opera
[2006/02/26 20:18:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Smart Panel
[2006/02/05 12:58:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Sun
[2010/05/11 17:55:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Tific
[2010/03/03 16:21:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\U3
[2006/09/30 11:50:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Ulead Systems
[2008/07/27 19:51:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Windows Search
[2007/12/15 17:45:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\WinPatrol
[2007/12/12 23:02:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karen\Application Data\Yahoo!

< %APPDATA%\*.exe /s >
[2007/03/19 18:06:49 | 021,277,080 | ---- | M] ( ) -- C:\Documents and Settings\Karen\Application Data\Adobe\Acrobat\7.0\Updater\AdbeRdr709_en_US.exe
[2010/01/31 21:45:40 | 000,038,784 | ---- | M] () -- C:\Documents and Settings\Karen\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
[2008/10/10 00:58:24 | 000,002,238 | R--- | M] () -- C:\Documents and Settings\Karen\Application Data\Microsoft\Installer\{8920EF0D-633E-46D1-9561-90E713E3145A}\ARPPRODUCTICON.exe
[2008/10/10 00:58:24 | 000,002,238 | R--- | M] () -- C:\Documents and Settings\Karen\Application Data\Microsoft\Installer\{8920EF0D-633E-46D1-9561-90E713E3145A}\NewShortcut1_03BB2227F87B4FBD990C87BF4A32FCEB.exe
[2008/10/10 00:58:24 | 000,002,238 | R--- | M] () -- C:\Documents and Settings\Karen\Application Data\Microsoft\Installer\{8920EF0D-633E-46D1-9561-90E713E3145A}\NewShortcut2_03BB2227F87B4FBD990C87BF4A32FCEB.exe
[2008/10/10 00:58:24 | 000,002,238 | R--- | M] () -- C:\Documents and Settings\Karen\Application Data\Microsoft\Installer\{8920EF0D-633E-46D1-9561-90E713E3145A}\NewShortcut3_03BB2227F87B4FBD990C87BF4A32FCEB.exe
[2008/10/10 00:58:24 | 000,002,238 | R--- | M] () -- C:\Documents and Settings\Karen\Application Data\Microsoft\Installer\{8920EF0D-633E-46D1-9561-90E713E3145A}\NewShortcut4_03BB2227F87B4FBD990C87BF4A32FCEB.exe
[2008/10/10 00:58:24 | 000,002,238 | R--- | M] () -- C:\Documents and Settings\Karen\Application Data\Microsoft\Installer\{8920EF0D-633E-46D1-9561-90E713E3145A}\NewShortcut6_03BB2227F87B4FBD990C87BF4A32FCEB.exe
[2009/04/13 16:37:34 | 000,883,712 | R--- | M] () -- C:\Documents and Settings\Karen\Application Data\Microsoft\Installer\{8D03A164-B586-4318-AFE6-870A5E2739C1}\Icon8D03A164.exe

< %SYSTEMDRIVE%\*.exe >
[2008/08/04 16:01:43 | 000,151,552 | ---- | M] () -- C:\HTGD0007.exe


< MD5 for: AGP440.SYS >
[2006/02/04 23:28:49 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/07/15 10:15:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2006/02/04 23:28:49 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/07/15 10:15:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\AGP440.SYS
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2003/03/31 08:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2006/02/04 23:28:49 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/07/15 10:15:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2006/02/04 23:28:49 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/07/15 10:15:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
< End of report >

Here is the Extras.txt report:

OTL Extras logfile created on: 5/19/2010 9:28:58 PM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Karen\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 81.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.64 Gb Total Space | 523.58 Gb Free Space | 74.94% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 14.91 Gb Total Space | 9.07 Gb Free Space | 60.83% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KLB
Current User Name: Karen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with Corel Paint Shop Pro Photo X2] -- "C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\Corel Paint Shop Pro Photo.exe" "%L" (Corel, Inc.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{707EB912-C597-49D8-9460-46CC9AB03EBE}" = Corel Painter Photo Essentials 4
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0B8ECA16-E81A-4BDD-87D9-EA8B48EA2292}" = PhotoImpact Pro
"{0E0131B2-CF18-40D9-A331-60A3746C1204}" = EPSON Scan
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{25569723-DC5A-4467-A639-79535BF01B71}" = Adobe Help Center 2.1
"{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{27D0C7AB-59F1-4D4D-A0BB-05A31AC919EA}" = Windows XP Winter Fun Pack Screensavers
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{2FBF04DC-404C-4FA4-BA28-99903080D2B9}" = Magnifier Powertoy for Windows XP
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{316D8D72-54DA-11D3-9239-00104B94A142}" = Microsoft IntelliType Pro 2.0
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{326957C7-83FD-4550-A59A-849B7B4297DE}" = Microsoft Easy Assist v2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C569633-C8DE-46E2-BB8F-F65198681C2F}" = Corel MediaOne
"{3F262ADC-5AD2-48E5-A586-44315E04A9E9}" = Microsoft Digital Image Library 10
"{42756145-9997-4D28-809B-8756BFD00109}" = Microsoft Digital Image Pro 10
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C0B9393-DFB7-4FFA-9509-E7B9D4430007}" = Preset Viewer 2.1
"{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}" = Photo Story 3 for Windows
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{6220E72E-67BD-4E7A-B0FB-2DF318251891}" = onOne Essentials 2.1.1
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{64E72FB1-2343-4977-B4A8-262CD53D0BD3}" = Corel Paint Shop Pro Photo X2
"{66C8BE35-8BBB-472B-96C7-C7C9A499F988}" = ArcSoft Software Suite
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C11D561-620B-47DA-A693-4C597F3CDF40}" = EPSON Smart Panel
"{707EB912-C597-49D8-9460-46CC9AB03EBE}" = Corel Painter Photo Essentials 4
"{71C1B94A-74CF-4D8A-AE40-A85A00A19E64}" = Photo Clip Art 150,000
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73317C31-2B6E-4B88-9865-B97C1331A39D}" = PayPal Plug-In
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}" = EPSON Web-To-Page
"{8920EF0D-633E-46D1-9561-90E713E3145A}" = AutoBackup
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D03A164-B586-4318-AFE6-870A5E2739C1}" = PHOTORECOVERY LE
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91170409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office FrontPage 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9DF0BE48-16F0-4E36-814D-9B4FDFFAF25F}" = PayPal Plug-In
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{9F9F3775-7E5B-4028-B5E5-DA1C042517A8}" = EPSON Photo Print
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}" = Adobe Photoshop Elements 5.0
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AC76BA86-7AD7-2448-0000-800000000003}" = Chinese Traditional Fonts Support For Adobe Reader 8
"{AE133141-825E-440E-AAE5-898ACE8E33C1}" = Scrapbook Factory Deluxe 4.0
"{AE26E172-5743-40E3-BC11-7C274BC531A3}" = Hemera Photo-Objects 5000
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B37C842A-B624-46B8-A727-654E72F1C91A}" = Calculator Powertoy for Windows XP
"{B69CC1A5-0404-11D6-ABCB-005004C21D30}" = EPSON Copy Utility
"{B7FB0C86-41A4-4402-9A33-912C462042A0}" = Roxio Easy Media Creator
"{BEEFA382-DACD-41AD-82C8-06FCEA966624}" = SanDisk ImageMate
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2E8B236-7554-45FE-92C0-94EF76E4D182}" = Garmin City Navigator North America NT 2010.20
"{C43E4B9C-14C8-4EB0-998B-85211B6EDD61}" = SeagateDiscWizard
"{C7DDA8E7-AD3D-4F51-AC1E-B0FF57002192}" = Microsoft IntelliPoint 6.3
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint
"{D21553E9-2EC5-4E8C-AB71-07AC07D50BBC}" = EPSON PhotoCenter
"{D87D6386-3C2D-4239-9780-3418FB7B0E94}" = Print Lab Series
"{D9DA2DF6-8CB6-4E3C-A29E-FAECFBA3E9A7}" = Garmin POI Loader
"{E07B7A31-E160-466D-A003-3BB7B8989D52}" = Full Tilt Poker.Net
"{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}" = ScanToWeb
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F2F4C144-7D1A-47C4-9D53-395A57B0CD64}" = Family Tree Maker 2006
"{F5A83924-6A0A-40A2-9A9C-00D876B62E7F}" = FreeAgent Pro Tools
"{FB7CBCD4-EC1A-425C-90F1-CB2CF0B96D01}" = Hemera Image Browser
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}" = EPSON Print CD
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop Elements 5" = Adobe Photoshop Elements 5.0
"AnarkClient" = Anark Client 1.0
"AncestryView" = AncestryView
"Color Efex Pro 3.0 Corel Sampler" = Color Efex Pro 3.0 Corel Sampler
"Creative Lettering Combo" = Creative Lettering Combo
"Creative Lettering Super Combo" = Creative Lettering Super Combo
"EPSON Printer and Utilities" = EPSON Printer Software
"FastStone Photo Resizer" = FastStone Photo Resizer 2.8
"Free RAR Extract Frog 1.00" = Free RAR Extract Frog 1.00
"HP Universal Printing PS,HP Universal Printing PS (v4.7)" = HP Universal Printing PS,HP Universal Printing PS (v4.7)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"ImageSkill Background Remover 3" = ImageSkill Background Remover 3
"InstallShield_{71C1B94A-74CF-4D8A-AE40-A85A00A19E64}" = Photo Clip Art 150,000
"InstallShield_{AE26E172-5743-40E3-BC11-7C274BC531A3}" = Hemera Photo-Objects 5000
"InstallShield_{F5A83924-6A0A-40A2-9A9C-00D876B62E7F}" = FreeAgent Pro Tools
"InstallShield_{FB7CBCD4-EC1A-425C-90F1-CB2CF0B96D01}" = Hemera Image Browser
"Jetcast" = Jetcast 1.1.1
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MRW!UninstallKey" = InCD EasyWrite Reader
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NCR All Occasions Publisher" = NCR All Occasions Publisher
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"NeroVision!UninstallKey" = NeroVision Express 2
"NIS" = Norton Internet Security
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NMIX!UninstallKey" = NeroMIX
"NVEContent!UninstallKey" = NeroVision Express 2 Content
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIAStereo" = NVIDIA Windows 95/98/ME/2000/XP Stereo Drivers
"penPalette 1.0" = penPalette 1.0
"Picasa 3" = Picasa 3
"PictureItSuite_v10" = Microsoft Digital Image Suite 10
"procreate Painter Classic" = procreate™ Painter Classic™
"ShapeCollage" = Shape Collage
"Silent Package Run-Time Sample" = EPSON ESPR220 Reference Guide
"SystemRequirementsLab" = System Requirements Lab
"The Font Thing" = The Font Thing
"Uninstall Presto! BizCard 4.1 Eng" = Presto! BizCard 4.1 Eng
"uninstall.exe" = iLinc Client
"WebPost" = Microsoft Web Publishing Wizard 1.52
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinPatrol" = WinPatrol 2009
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WrapCandy 7.1 Professional_is1" = WrapCandy 7.1 Professional
"WrapCandy 7.3 Professional_is1" = WrapCandy 7.3 Professional
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-796845957-362288127-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"InstallShield_{8920EF0D-633E-46D1-9561-90E713E3145A}" = AutoBackup
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.7.1

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/18/2010 12:28:43 PM | Computer Name = KLB | Source = ESENT | ID = 489
Description = wuauclt (1744) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 5/18/2010 12:28:43 PM | Computer Name = KLB | Source = ESENT | ID = 455
Description = wuaueng.dll (1744) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 5/18/2010 12:28:53 PM | Computer Name = KLB | Source = ESENT | ID = 489
Description = wuauclt (1744) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 5/18/2010 12:28:53 PM | Computer Name = KLB | Source = ESENT | ID = 455
Description = wuaueng.dll (1744) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 5/18/2010 12:29:35 PM | Computer Name = KLB | Source = ESENT | ID = 489
Description = wuauclt (3368) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 5/18/2010 12:29:35 PM | Computer Name = KLB | Source = ESENT | ID = 455
Description = wuaueng.dll (3368) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 5/18/2010 12:29:45 PM | Computer Name = KLB | Source = ESENT | ID = 489
Description = wuauclt (3368) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 5/18/2010 12:29:45 PM | Computer Name = KLB | Source = ESENT | ID = 455
Description = wuaueng.dll (3368) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 5/18/2010 2:27:20 PM | Computer Name = KLB | Source = Windows Product Activation | ID = 1012
Description = Due to hardware changes on this computer, you will need to reactivate
your Windows product.

Error - 5/18/2010 4:00:09 PM | Computer Name = KLB | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 5/18/2010 1:35:40 PM | Computer Name = KLB | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/18/2010 1:57:02 PM | Computer Name = KLB | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/18/2010 1:57:02 PM | Computer Name = KLB | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/18/2010 1:57:13 PM | Computer Name = KLB | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the Interface
with IP address 192.168.1.100. The machine with the IP address 192.168.1.102 did
not allow the name to be claimed by this machine.

Error - 5/18/2010 6:54:38 PM | Computer Name = KLB | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/18/2010 6:54:38 PM | Computer Name = KLB | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/18/2010 10:50:11 PM | Computer Name = KLB | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/18/2010 10:50:11 PM | Computer Name = KLB | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/19/2010 7:13:21 PM | Computer Name = KLB | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/19/2010 7:13:21 PM | Computer Name = KLB | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >


#6 KPhoto

KPhoto
  • Topic Starter

  • Members
  • 39 posts

Posted 19 May 2010 - 09:27 PM

The OTL.txt and the Extra.txt were posted from my husband's computer because my computer won't let me post them. My computer let me post the RepealScan report but not the last 2. Just thought you might like to know this information.

When I did the above scan I disconnected from the internet and closed/disabled all my security programs. Should I be doing this each time I run a scan with different software that you want me run or only certain ones? I just want to make sure I'm doing everything the correct way.

Thanks again,
Karen

Edited by KPhoto, 20 May 2010 - 09:09 AM.


#7 KPhoto

KPhoto
  • Topic Starter

  • Members
  • 39 posts

Posted 20 May 2010 - 09:02 AM

Hi Extremeboy,

I have a Seagate 1 TB external drive that I don't keep hooked up all the time, so it hasn't been scanned with the other programs that you have had me run and post reports on. This drive has software that automatically updates my files when I have it hooked up to my computer. I would really like to uninstall that software and just manually transfer files to that drive. Should I be doing anything with this external drive to check it for the infection? I just don't want to end up getting the infection all over again by possibly having the infection on that drive.

I really appreciate your help and want to thank you again.
Karen

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 21 May 2010 - 09:35 PM

Hello.

I apologize for the delay. Yes, it is possible your external hard drive is infected, which we will check, but for now try to avoid using it as much as possible.

First, we will need to run ComboFix, for which you need administrative privileges.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 KPhoto

KPhoto
  • Topic Starter

  • Members
  • 39 posts

Posted 22 May 2010 - 12:09 AM

Hi Extremeboy,

You don't have to apologize for the delay I'm just thankful for your help.

ComboFix Log as requested

ComboFix 10-05-21.04 - Karen 05/22/2010 0:40.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3527.2838 [GMT -4:00]
Running from: c:\documents and settings\Karen\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Karen\Recent\Thumbs.db
c:\windows\ANS2000.INI
c:\windows\system32\Thumbs.db
c:\windows\system32\uninstall.exe

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-20 23:32 . 2010-05-06 04:01 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-05-20 23:32 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-05-20 23:32 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-05-20 23:32 . 2010-04-22 02:29 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-05-20 23:32 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-05-20 23:32 . 2009-11-05 22:06 328752 ----a-r- c:\windows\system32\drivers\symds.sys
2010-05-19 02:51 . 2010-05-19 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-05-19 02:51 . 2010-05-19 02:51 -------- d-----w- c:\documents and settings\Karen\Application Data\Office Genuine Advantage
2010-05-18 20:07 . 2010-05-18 20:07 -------- d-----w- c:\program files\Microsoft Easy Assist
2010-05-18 20:07 . 2010-05-18 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2010-05-18 05:19 . 2010-05-18 05:18 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-13 07:15 . 2010-05-13 07:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-13 04:17 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-13 04:17 . 2010-05-13 04:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-13 04:17 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-12 23:08 . 2010-05-12 23:17 -------- d-----w- c:\windows\LMIE.tmp
2010-05-12 12:05 . 2010-05-12 21:33 -------- d-----w- c:\windows\LMI1224.tmp
2010-05-12 00:02 . 2010-05-12 12:32 -------- d-----w- c:\windows\LMI60.tmp
2010-05-11 23:57 . 2010-05-12 12:32 -------- d-----w- c:\windows\LMI5F.tmp
2010-05-11 21:55 . 2010-05-11 21:55 -------- d-----w- c:\documents and settings\Karen\Application Data\Tific
2010-05-11 03:54 . 2010-05-11 03:54 -------- d-----w- c:\program files\Symantec
2010-05-11 03:54 . 2010-05-11 03:54 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-11 03:54 . 2010-05-11 03:54 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-11 03:53 . 2010-05-20 23:35 -------- d-----w- c:\windows\system32\drivers\NIS
2010-05-11 03:52 . 2010-05-11 03:53 -------- d-----w- c:\program files\Norton Internet Security
2010-05-11 03:52 . 2010-05-11 03:52 -------- d-----w- c:\program files\NortonInstaller
2010-05-11 03:42 . 2010-05-11 03:42 -------- d-sh--w- c:\documents and settings\Administrator.KLB\PrivacIE
2010-05-11 01:15 . 2010-05-11 01:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-05-11 01:08 . 2010-05-11 01:08 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-05-11 00:24 . 2010-05-11 00:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2010-05-04 21:05 . 2010-05-04 21:06 -------- d-----w- c:\program files\QuickTime
2010-05-02 14:15 . 2010-05-02 14:15 -------- d-----w- c:\documents and settings\Karen\Application Data\Malwarebytes
2010-05-02 14:15 . 2010-05-02 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 03:28 . 2008-03-12 19:46 -------- d-----w- c:\program files\WrapCandy70
2010-05-18 05:19 . 2006-02-05 16:57 -------- d-----w- c:\program files\Common Files\Java
2010-05-12 22:35 . 2009-03-20 02:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-11 04:01 . 2009-12-16 06:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-11 03:54 . 2010-05-11 03:54 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-11 03:54 . 2010-05-11 03:54 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-11 03:52 . 2009-08-19 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-10 20:45 . 2009-04-14 00:20 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-10 20:45 . 2009-04-14 00:20 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-04 21:04 . 2006-03-29 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-21 12:25 . 2010-02-23 23:39 450792 ----a-w- c:\documents and settings\Karen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-21 04:53 . 2010-04-21 04:53 -------- d-----w- c:\program files\Shape Collage
2010-04-15 00:40 . 2008-12-21 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-03-10 06:15 . 2003-03-31 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 04:53 . 2010-03-10 04:53 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-25 06:24 . 2005-10-21 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2003-03-31 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2006-02-06 02:20 . 2006-02-06 02:20 40295 ----a-w- c:\program files\uninstal.log
2009-04-13 20:32 . 2009-04-13 20:32 1056 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-26 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2001-03-20 45056]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-20 337216]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-12 232184]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-03-14 109304]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2007-03-13 1116920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-25 1325848]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-25 904768]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-25 136472]
"PtiuPbmd"="ulutil2.dll" [2003-11-05 110592]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-08 16712]
"EPSON Stylus Photo R220 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"UMonit"="c:\windows\system32\UMonit.exe" [2009-03-02 24576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Karen\Start Menu\Programs\Startup\
AutoBackup Launcher.lnk - c:\program files\Seagate\AutoBackup\MemeoLauncher.exe [2008-1-14 95456]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2/15/2005 4:19 PM 7680]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [5/20/2010 7:32 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [5/20/2010 7:32 PM 173104]
R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [2/15/2005 4:19 PM 125440]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [4/29/2010 5:46 PM 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [5/20/2010 7:32 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [5/20/2010 7:32 PM 116784]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [5/20/2010 7:32 PM 126392]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 8:56 PM 431384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/11/2010 2:56 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100513.002\IDSXpx86.sys [5/17/2010 11:37 PM 329592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 3:45 AM 135664]
S3 CSRBC01;CSRBC01.Sys CSR test driver;c:\windows\system32\drivers\csrbc01.sys [10/26/2007 12:38 AM 83124]
S3 USTOR2K;Genesys USB Mass Storage Windows Driver;c:\windows\system32\drivers\ustor2k.sys [3/3/2010 3:58 PM 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 07:45]

2010-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 07:45]

2009-07-22 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-01-07 19:46]

2010-05-22 c:\windows\Tasks\User_Feed_Synchronization-{F866C7BC-A3AC-4C15-9933-5420656CD6CE}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cm.my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: americangreetings.com\www.veepers.yahoo
Trusted Zone: americangreetings.com\www.yahoo
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
DPF: {03A89EFD-E023-8600-A22D-45F77558EB4C} - hxxps://content.ilinc.com/clientdownload/download/ilinci86.dll
DPF: {03A89EFD-E023-A200-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInstall.dll
DPF: {B19FDE22-5907-4315-B558-1D537E86C3E1} - hxxp://www.flipviewer.com/exe/fv421.cab
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://developer.intel.com/design/motherbd/boardid/BoardID.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-_{707EB912-C597-49D8-9460-46CC9AB03EBE} - c:\program files\Corel\Corel Painter Photo Essentials 4\MSILauncher {707EB912-C597-49D8-9460-46CC9AB03EBE}



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-22 00:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UMonit = c:\windows\system32\UMonit.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-362288127-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-796845957-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.***d"\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-796845957-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{63A0982C-5345-B483-1D10-3FE98A08423F}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oamililfmmhfdbmfidngipccoippkp"=hex:61,69,63,69,62,6d,69,6a,66,61,66,68,63,6e,
62,64,66,6b,62,69,62,63,63,68,68,61,65,62,70,6f,62,6d,6b,6e,6b,67,70,70,6a,\
"iafjjpidbmmkfgpidp"=hex:6a,61,65,69,67,6e,62,66,69,6b,6d,67,69,66,68,70,63,6f,
6e,68,00,00
"halihpliicdofplb"=hex:6a,61,62,69,68,70,64,6b,70,68,62,6d,6a,63,6c,69,6c,6e,
61,6a,00,00

[HKEY_LOCAL_MACHINE\System\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Services\mirror\*A]
"Attach.ToDesktop"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(676)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-05-22 00:58:30
ComboFix-quarantined-files.txt 2010-05-22 04:58

Pre-Run: 556,464,984,064 bytes free
Post-Run: 557,170,061,312 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 93B9DDED063876B3F54B6C7CF854C2DE

Thanks



#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 22 May 2010 - 09:33 AM

Combofix successfully replaced that infected driver. It's looking better.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    RegNull::
    [HKEY_USERS\S-1-5-21-796845957-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{63A0982C-5345-B483-1D10-3FE98A08423F}*]
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "@"=-
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


~EB
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 KPhoto

KPhoto
  • Topic Starter

  • Members
  • 39 posts

Posted 22 May 2010 - 12:37 PM

The ComboFix with CFScript log as requested

ComboFix 10-05-21.04 - Karen 05/22/2010 13:17:15.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3527.2906 [GMT -4:00]
Running from: c:\documents and settings\Karen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Karen\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-20 23:32 . 2010-05-06 04:01 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-05-20 23:32 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-05-20 23:32 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-05-20 23:32 . 2010-04-22 02:29 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-05-20 23:32 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-05-20 23:32 . 2009-11-05 22:06 328752 ----a-r- c:\windows\system32\drivers\symds.sys
2010-05-19 02:51 . 2010-05-19 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-05-19 02:51 . 2010-05-19 02:51 -------- d-----w- c:\documents and settings\Karen\Application Data\Office Genuine Advantage
2010-05-18 20:07 . 2010-05-18 20:07 -------- d-----w- c:\program files\Microsoft Easy Assist
2010-05-18 20:07 . 2010-05-18 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2010-05-18 05:19 . 2010-05-18 05:18 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-13 07:15 . 2010-05-13 07:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-13 04:17 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-13 04:17 . 2010-05-13 04:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-13 04:17 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-12 23:08 . 2010-05-12 23:17 -------- d-----w- c:\windows\LMIE.tmp
2010-05-12 12:05 . 2010-05-12 21:33 -------- d-----w- c:\windows\LMI1224.tmp
2010-05-12 00:02 . 2010-05-12 12:32 -------- d-----w- c:\windows\LMI60.tmp
2010-05-11 23:57 . 2010-05-12 12:32 -------- d-----w- c:\windows\LMI5F.tmp
2010-05-11 21:55 . 2010-05-11 21:55 -------- d-----w- c:\documents and settings\Karen\Application Data\Tific
2010-05-11 03:54 . 2010-05-11 03:54 -------- d-----w- c:\program files\Symantec
2010-05-11 03:54 . 2010-05-11 03:54 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-11 03:54 . 2010-05-11 03:54 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-11 03:53 . 2010-05-20 23:35 -------- d-----w- c:\windows\system32\drivers\NIS
2010-05-11 03:52 . 2010-05-11 03:53 -------- d-----w- c:\program files\Norton Internet Security
2010-05-11 03:52 . 2010-05-11 03:52 -------- d-----w- c:\program files\NortonInstaller
2010-05-11 03:42 . 2010-05-11 03:42 -------- d-sh--w- c:\documents and settings\Administrator.KLB\PrivacIE
2010-05-11 01:15 . 2010-05-11 01:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-05-11 01:08 . 2010-05-11 01:08 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-05-11 00:24 . 2010-05-11 00:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2010-05-04 21:05 . 2010-05-04 21:06 -------- d-----w- c:\program files\QuickTime
2010-05-02 14:15 . 2010-05-02 14:15 -------- d-----w- c:\documents and settings\Karen\Application Data\Malwarebytes
2010-05-02 14:15 . 2010-05-02 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 03:28 . 2008-03-12 19:46 -------- d-----w- c:\program files\WrapCandy70
2010-05-18 05:19 . 2006-02-05 16:57 -------- d-----w- c:\program files\Common Files\Java
2010-05-12 22:35 . 2009-03-20 02:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-11 04:01 . 2009-12-16 06:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-11 03:54 . 2010-05-11 03:54 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-11 03:54 . 2010-05-11 03:54 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-11 03:52 . 2009-08-19 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-10 20:45 . 2009-04-14 00:20 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-10 20:45 . 2009-04-14 00:20 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-04 21:04 . 2006-03-29 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-21 12:25 . 2010-02-23 23:39 450792 ----a-w- c:\documents and settings\Karen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-21 04:53 . 2010-04-21 04:53 -------- d-----w- c:\program files\Shape Collage
2010-04-15 00:40 . 2008-12-21 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-03-10 06:15 . 2003-03-31 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 04:53 . 2010-03-10 04:53 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-25 06:24 . 2005-10-21 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2003-03-31 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2006-02-06 02:20 . 2006-02-06 02:20 40295 ----a-w- c:\program files\uninstal.log
2009-04-13 20:32 . 2009-04-13 20:32 1056 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-05-22_04.54.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-22 17:06 . 2010-05-22 17:06 16384 c:\windows\Temp\Perflib_Perfdata_768.dat
+ 2010-05-22 17:05 . 2010-05-22 17:05 16384 c:\windows\Temp\Perflib_Perfdata_6d0.dat
- 2010-05-22 04:38 . 2010-05-22 04:38 16384 c:\windows\Temp\Perflib_Perfdata_6d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-26 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2001-03-20 45056]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-20 337216]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-12 232184]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-03-14 109304]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2007-03-13 1116920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-25 1325848]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-25 904768]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-25 136472]
"PtiuPbmd"="ulutil2.dll" [2003-11-05 110592]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-08 16712]
"EPSON Stylus Photo R220 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"UMonit"="c:\windows\system32\UMonit.exe" [2009-03-02 24576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Karen\Start Menu\Programs\Startup\
AutoBackup Launcher.lnk - c:\program files\Seagate\AutoBackup\MemeoLauncher.exe [2008-1-14 95456]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2/15/2005 4:19 PM 7680]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [5/20/2010 7:32 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [5/20/2010 7:32 PM 173104]
R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [2/15/2005 4:19 PM 125440]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [4/29/2010 5:46 PM 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [5/20/2010 7:32 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [5/20/2010 7:32 PM 116784]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [5/20/2010 7:32 PM 126392]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 8:56 PM 431384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/11/2010 2:56 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100513.002\IDSXpx86.sys [5/17/2010 11:37 PM 329592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 3:45 AM 135664]
S3 CSRBC01;CSRBC01.Sys CSR test driver;c:\windows\system32\drivers\csrbc01.sys [10/26/2007 12:38 AM 83124]
S3 USTOR2K;Genesys USB Mass Storage Windows Driver;c:\windows\system32\drivers\ustor2k.sys [3/3/2010 3:58 PM 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 07:45]

2010-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 07:45]

2009-07-22 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-01-07 19:46]

2010-05-22 c:\windows\Tasks\User_Feed_Synchronization-{F866C7BC-A3AC-4C15-9933-5420656CD6CE}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cm.my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: americangreetings.com\www.veepers.yahoo
Trusted Zone: americangreetings.com\www.yahoo
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
DPF: {03A89EFD-E023-8600-A22D-45F77558EB4C} - hxxps://content.ilinc.com/clientdownload/download/ilinci86.dll
DPF: {03A89EFD-E023-A200-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInstall.dll
DPF: {B19FDE22-5907-4315-B558-1D537E86C3E1} - hxxp://www.flipviewer.com/exe/fv421.cab
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://developer.intel.com/design/motherbd/boardid/BoardID.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-22 13:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UMonit = c:\windows\system32\UMonit.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-362288127-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-796845957-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.***d"\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Services\mirror\*A]
"Attach.ToDesktop"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(676)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(1100)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-22 13:32:24
ComboFix-quarantined-files.txt 2010-05-22 17:32
ComboFix2.txt 2010-05-22 04:58

Pre-Run: 557,153,345,536 bytes free
Post-Run: 557,142,380,544 bytes free

- - End Of File - - 59A6237129838851BD6333C94DC35A3A

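As an added example (not code from this thread, from ComboFix, or from the helper), here is a small Python triage helper that parses the line format used in the "Files Created" and "Find3M" sections of the ComboFix log above and flags driver files (.sys) that are hidden or sit outside the normal driver directory. The sample lines are copied from the log above; the parsing function, the `Entry` class and the triage rule are my own, and a flagged entry is only a candidate for a closer look (hash lookup, vendor check), not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of a ComboFix "Files Created" / "Find3M" section looks like:
#   <created> . <modified> <size or --------> <attrs> <path>
# e.g. "2010-05-20 23:32 . 2010-05-06 04:01 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>[-a-z]{8}) "
    r"(?P<path>.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories (the size column is "--------")
    attrs: str            # e.g. "d-sh--w-": d=directory, s=system, h=hidden, a=archive, w=writable
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs


def parse_combofix_entries(text: str) -> List[Entry]:
    """Parse every file/directory line; section headers, '.' separators and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


# Where kernel drivers normally live on this XP box (assumption for the triage rule).
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def find_suspicious_drivers(entries: List[Entry]) -> List[Entry]:
    """Triage rule (mine, not ComboFix's): a .sys file deserves a second look when it is
    hidden or lives outside the normal driver directory."""
    flagged = []
    for e in entries:
        if e.is_dir or not e.path.lower().endswith(".sys"):
            continue
        in_driver_dir = e.path.lower().startswith(DRIVER_DIR)
        if e.is_hidden or not in_driver_dir:
            flagged.append(e)
    return flagged


# Sample lines copied from the ComboFix log above; a header and a '.' separator are
# included to show that non-entry lines are ignored.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.
2010-05-20 23:32 . 2010-05-06 04:01 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-05-19 02:51 . 2010-05-19 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-05-11 03:42 . 2010-05-11 03:42 -------- d-sh--w- c:\documents and settings\Administrator.KLB\PrivacIE
2010-05-10 20:45 . 2009-04-14 00:20 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-04-13 20:32 . 2009-04-13 20:32 1056 --sha-w- c:\windows\system32\KGyGaAvL.sys
"""

if __name__ == "__main__":
    for e in find_suspicious_drivers(parse_combofix_entries(SAMPLE_LOG)):
        print(f"{e.created}  {e.attrs}  {e.path}")
```

Run against the full log, the rule surfaces the two hidden `KGyGaAvL.sys` files under Application Data and system32 while leaving the Symantec drivers under `drivers\NIS` alone; the next step for a flagged file is to hash it and check it against vendor and reputation sources rather than to delete it on sight.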

#12 KPhoto (Topic Starter, Members, 39 posts)

Posted 22 May 2010 - 12:53 PM

The MBAM log as requested

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4131

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/22/2010 1:50:17 PM
mbam-log-2010-05-22 (13-50-17).txt

Scan type: Quick scan
Objects scanned: 142226
Time elapsed: 9 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks

#13 KPhoto (Topic Starter, Members, 39 posts)

Posted 22 May 2010 - 01:37 PM

Hi Extremeboy,

I think I got this infection from a pdf file that has been quarantined by Norton Internet Security. The quarantined file was called WS Reputation.1 I opened this file and got no warning from Norton that it was infected. After having intrusion attempts warnings from Norton I did a manual scan of that file and then it found it and quarantined it and deleted the file.

I also at that time downloaded a lot of zipped font files from free font sites. I believe that I downloaded them from 1001 Free Fonts & Dingbat Depot. I have also downloaded them from Font Space, Dafont & font 101. They are still zipped and I haven't unzipped any of them yet. Do you think that I could have got the rootkit from one of these font files? If so should I delete these zipped font files?

I know that Norton and MBAM can't detect the rootkits so is there some software that I can scan my files including all zipped files to make sure it is not in any of them yet? I would like to be able to do this on a regular basis to keep my computer free of rootkits. I will need to do this to my 1 tb external harddrive also because of the Seagate program updating each time I connect it. I think there may be system files on the external drive also so they should be checked also.

If you would like me to uninstall Seagate's software that updates my files that will be okay with me. I really would rather do a manual update. I'm not even sure how to view what Seagate's software updates or how to open it. I have been doing manual updates also of my graphics, pictures and business files.

Thanks again for your help.
Karen

#14 KPhoto (Topic Starter, Members, 39 posts)

Posted 22 May 2010 - 03:23 PM

This is what Norton is blocking since I ran Combofix. I thought it might be helpful.

#15 extremeboy (Malware Response Team, 12,975 posts)

Posted 22 May 2010 - 04:54 PM

Hello.

Thanks for those logs.

QUOTE
I also at that time downloaded a lot of zipped font files from free font sites. I believe that I downloaded them from 1001 Free Fonts & Dingbat Depot. I have also downloaded them from Font Space, Dafont & font 101. They are still zipped and I haven't unzipped any of them yet. Do you think that I could have got the rootkit from one of these font files? If so should I delete these zipped font files?

It's possible, but getting a rootkit from a true pdf file is not very common. I would like to see that zipped file though. If it's less than 5MB please submit it to me as follows...

Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    CODE
    http://www.bleepingcomputer.com/forums/t/317649/tidserv-tdl3tdl4-intrusion-attempts/
  • Click Browse and select the zipped file
  • Under the comments section, say that Extremeboy asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.

QUOTE
I know that Norton and MBAM can't detect the rootkits so is there some software that I can scan my files including all zipped files to make sure it is not in any of them yet? I would like to be able to do this on a regular basis to keep my computer free of rootkits. I will need to do this to my 1 tb external harddrive also because of the Seagate program updating each time I connect it. I think there may be system files on the external drive also so they should be checked also.

There aren't many easy-to-use, standalone anti-rootkit scanners out there. Some anti-virus software, however, does include some sort of anti-rootkit scan. The fact is that if a rootkit is installed on your machine, it would be difficult to remove with just regular security programs, which is why malware removal is not always a simple process and has no standard fix.

QUOTE
If you would like me to uninstall Seagate's software that updates my files that will be okay with me. I really would rather do a manual update. I'm not even sure how to view what Seagate's software updates or how to open it. I have been doing manual updates also of my graphics, pictures and business files.

We can get you another piece of software if you wish, if Seagate is not working well for you.

QUOTE
This is what Norton is blocking since I ran Combofix. I thought it might be helpful.

If possible, you may wish to expand that so I can see exactly what is being detected.

I can tell you that your machine right now is looking a lot better and the previous infection you had is now removed.

Let's get an online scan now.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner
    page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.



