Infected with BlueStreak, BurstMedia, CasaleMedia, DoubleClick, MediaPlex, Right Media, Zedo


  • This topic is locked
20 replies to this topic

#1 szxasq1

  • Members
  • 25 posts

Posted 23 May 2010 - 01:51 PM

Hello,

I recently started having my Norton 360 pop up a message saying "A recent attempt to attack your computer was blocked" every time I used my Google toolbar. Further information showed that this was an "HTTP Tidserv Request".

I ran Spybot, which found infections with BlueStreak, BurstMedia, CasaleMedia, DoubleClick, MediaPlex, Right Media, and Zedo. These were removed successfully, but then came back upon restart of the computer.

A full system virus scan showed that one tracking cookie was removed, but no viruses.

Today, I started the workup for malware removal as recommended by Bleeping Computer. The DDS.txt readout is listed below, and the attach.txt zip file is attached to the message.

However, when I ran the GMER program the following occurred:

During my first run, the battery on my computer died and the process was stopped prematurely.

I completed the second run; however, the computer completely locked up when trying to save the ark.txt file and I had to restart. One of the programs that had to be force-closed on restart was Google Toolbar.

The third and fourth run of GMER resulted in a Blue Screen Failure, which noted a failure in kxryqpow.sys.

As a result, my GMER file is not attached. I will try running it again after submitting this and if it works, I will append it to this post.

Thank you in advance for all of your help.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Jeff Wall at 11:02:58.96 on Sun 05/23/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3544.2854 [GMT -4:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\xpm09_6047v002\wdm\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jeff Wall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Program Files\palmOne\HOTSYNC.EXE
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Jeff Wall\Desktop\Computer Clean-up Programs\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SansaDispatch] c:\documents and settings\jeff wall\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MagnifyingGlass10WorkColl] c:\program files\magniglass\MagniGlass.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [StatusClient 2.6] c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe
mRun: [HPLJ Config] c:\program files\hewlett-packard\hp laserjet 1160_1320 series\SetConfig.exe -c Direct -p DOT4_001 -pn "hp LaserJet 1320 PCL 6" -n 1 -l 1033 -sl 120000
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
StartupFolder: c:\docume~1\jeffwa~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\f1u201~1.lnk - c:\program files\belkin\f1u201.401\usbshare.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Handler: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - c:\program files\eclinicalworks\wowctl2.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-2 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-2 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-2 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100513.002\IDSXpx86.sys [2010-5-17 329592]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-2 117640]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-10-27 108160]
R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [2010-5-5 36224]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-28 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100522.003\NAVENG.SYS [2010-5-22 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100522.003\NAVEX15.SYS [2010-5-22 1347504]
R3 OA009Afx;Provides a software interface to control audio effects of OA009 camera.;c:\windows\system32\drivers\OA009Afx.sys [2009-10-27 148056]
R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\drivers\OA009Ufd.sys [2009-10-27 144544]
R3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\drivers\OA009Vid.sys [2009-10-27 268992]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-10-27 157696]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-7 135664]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [2010-5-5 134912]

=============== Created Last 30 ================

2010-05-19 16:11:15 250 ----a-w- c:\windows\cdplayer.ini
2010-05-17 10:14:17 0 d-----w- c:\windows\Performance
2010-05-17 10:13:25 0 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-05-07 17:03:54 0 d-----w- c:\program files\Lame for Audacity
2010-05-07 16:46:05 0 d-----w- c:\program files\Audacity
2010-05-05 17:13:32 7680 ----a-w- c:\windows\system32\drivers\ArcRec.sys
2010-05-05 17:13:32 36224 ----a-w- c:\windows\system32\drivers\ArcCD.sys
2010-05-05 17:13:32 134912 ----a-w- c:\windows\system32\drivers\ArcUdfs.sys
2010-05-04 22:30:53 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2010-05-04 22:30:53 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2010-05-04 22:30:24 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
2010-04-30 21:53:44 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-04-30 21:53:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2010-04-30 21:53:42 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-04-30 21:52:55 62976 -c----w- c:\windows\system32\dllcache\cdrom.sys
2010-04-30 21:52:55 465920 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2010-04-30 21:52:55 465920 ------w- c:\windows\system32\imapi2fs.dll
2010-04-30 21:52:55 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2010-04-30 21:52:55 317952 ------w- c:\windows\system32\imapi2.dll

==================== Find3M ====================

2010-05-22 12:35:20 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-28 17:31:03 36368 ----a-w- c:\windows\fonts\Roadgeek 2000 Series D.TTF
2010-04-28 17:31:03 19324 ----a-w- c:\windows\fonts\Roadgeek Transport Heavy.ttf
2010-04-28 17:31:03 19316 ----a-w- c:\windows\fonts\Roadgeek Transport Medium.ttf
2010-04-28 17:31:03 18980 ----a-w- c:\windows\fonts\Roadgeek 2000 Series F.TTF
2010-04-28 17:31:03 18960 ----a-w- c:\windows\fonts\Roadgeek 2000 Series E(M).TTF
2010-04-28 17:31:03 18936 ----a-w- c:\windows\fonts\Roadgeek 2000 Series E.TTF
2010-04-28 17:31:03 18868 ----a-w- c:\windows\fonts\Roadgeek 2000 Series C.TTF
2010-04-28 17:31:03 18764 ----a-w- c:\windows\fonts\Roadgeek 2000 Series B.TTF
2010-04-28 17:31:03 17860 ----a-w- c:\windows\fonts\Roadgeek2000EM.TTF
2010-04-20 20:53:12 25644 ----a-w- c:\windows\fonts\BPdotsSquare.otf
2010-04-20 20:53:11 501740 ----a-w- c:\windows\fonts\BPdots.ttf
2010-04-19 19:22:38 63260 ----a-w- c:\windows\fonts\BEAUTYSC.TTF
2010-04-19 19:22:27 58420 ----a-w- c:\windows\fonts\BeautySchoolDropout.ttf
2010-04-07 03:08:20 113376 ----a-w- c:\windows\fonts\SANTO___.TTF
2010-03-29 14:24:26 37940 ----a-w- c:\windows\fonts\SFCollegiate.ttf
2010-03-29 14:24:26 31660 ----a-w- c:\windows\fonts\SFCollegiate-Italic.ttf
2010-03-29 14:24:26 23884 ----a-w- c:\windows\fonts\SFCollegiateSolid.ttf
2010-03-29 14:24:26 23460 ----a-w- c:\windows\fonts\SFCollegiateSolid-Bold.ttf
2010-03-29 14:24:26 18452 ----a-w- c:\windows\fonts\SFCollegiateSolid-Italic.ttf
2010-03-29 14:24:26 18328 ----a-w- c:\windows\fonts\SFCollegiateSolid-BoldItali.ttf
2010-03-29 14:24:18 29780 ----a-w- c:\windows\fonts\collegiateHeavyOutline Medium.ttf
2010-03-29 14:24:08 19272 ----a-w- c:\windows\fonts\CollegiateFLF.ttf
2010-03-29 14:24:08 17904 ----a-w- c:\windows\fonts\CollegiateBorderFLF.ttf
2010-03-29 14:24:08 16072 ----a-w- c:\windows\fonts\CollegiateOutlineFLF.ttf
2010-03-29 14:24:08 11008 ----a-w- c:\windows\fonts\CollegiateBlackFLF.ttf
2010-03-29 14:24:08 10744 ----a-w- c:\windows\fonts\CollegiateInsideFLF.ttf
2010-03-29 00:33:21 459040 ----a-w- c:\windows\fonts\Heraldic Crests.ttf
2010-03-28 19:07:23 161652 ----a-w- c:\windows\fonts\akaFrivolity.ttf
2010-03-28 18:40:43 134352 ----a-w- c:\windows\fonts\KR Celebrate 2002.ttf
2010-03-18 01:29:51 46184 ----a-w- c:\windows\fonts\pirulen.ttf
2010-03-14 05:03:39 58020 ----a-w- c:\windows\fonts\ROADWAY_.ttf
2010-03-14 05:03:39 23508 ----a-w- c:\windows\fonts\ROADWAY_.otf
2010-03-02 16:57:56 19204 ----a-w- c:\windows\fonts\Running Smobble.ttf
2010-03-02 16:57:37 107836 ----a-w- c:\windows\fonts\LMS Star Spangled.ttf
2010-03-02 16:57:23 161500 ----a-w- c:\windows\fonts\GALAHA__.TTF
2010-03-02 16:57:23 135712 ----a-w- c:\windows\fonts\GALAHRG_.TTF
2010-03-02 16:57:23 120952 ----a-w- c:\windows\fonts\GALAKA__.TTF
2010-03-02 16:57:23 104876 ----a-w- c:\windows\fonts\GALAKRG_.TTF
2010-03-02 16:57:20 96220 ----a-w- c:\windows\fonts\GALARG__.TTF
2010-03-02 16:57:20 119864 ----a-w- c:\windows\fonts\GALAA___.TTF
2010-03-02 16:57:09 31432 ----a-w- c:\windows\fonts\lastninja.ttf
2010-03-02 16:56:58 92200 ----a-w- c:\windows\fonts\USStarsNStripes.ttf
2010-03-02 16:56:48 19036 ----a-w- c:\windows\fonts\Kremlin Chairman.ttf

============= FINISH: 11:03:53.31 ===============

UPDATE: I was able to run GMER in Safe Mode and I obtained an ark.txt file, which is attached below. I don't know if this is helpful to you in any way.

The three times that GMER failed in regular-mode Windows XP and resulted in a BSOD, it showed failures in:

WG11TND5.sys
kxryqpow.sys
SYMEVENT.SYS

Thanks.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-23 17:03:28
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\JEFFWA~1\LOCALS~1\Temp\kxryqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

? SYMEFA.SYS The system cannot find the file specified. !
init C:\WINDOWS\System32\Drivers\ArcRec.SYS entry point in "init" section [0xF79DA138]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1668] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[1668] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\system32\svchost.exe[1716] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\svchost.exe[1716] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\svchost.exe[1716] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0097000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat B94A0D20

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Merged 2 posts. ~ OB

Edited by Orange Blossom, 23 May 2010 - 09:42 PM.
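A small triage helper, added here as an example (not part of this thread, nor of the DDS or GMER tools), that runs over the three log layouts posted above and flags the entries a helper reviews first: processes launched from user-writable paths, DDS driver entries marked [x] or [?], and GMER inline hooks on ntdll exports. The sample lines are excerpted from the logs in this thread; the path-marker list and the section-title matching are assumptions about the log layout.

```python
import re

# Lower-cased path fragments that mark a user-writable location (assumed list).
# A hit is a review cue, not a verdict: the OTL log in this thread attributes
# SansaDispatch.exe to SanDisk Corporation, yet it runs from Application Data.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\temp\\", "\\docume~1\\")

# DDS driver line: "<R|S><n> <name>;<description>;<path> [<date> <size>]",
# with "[x]" for a missing file and "[?]" when DDS could not verify it.
DRIVER_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")

# GMER user-mode hook line: ".text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<export>\S+!\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)")


def flag_process(line):
    """Flag an executable launched from a user-writable path."""
    low = line.lower()
    if any(marker in low for marker in USER_WRITABLE):
        return ("process-user-path", line)
    return None


def flag_driver(line):
    """Flag a DDS service/driver entry whose backing file is missing or unverified."""
    m = DRIVER_RE.match(line)
    if not m:
        return None
    if m.group("rest").endswith("[x]"):
        return ("driver-missing-file", m.group("name"))
    if m.group("rest").endswith("[?]"):
        return ("driver-unverified", m.group("name"))
    return None


def flag_hook(line):
    """Flag an inline JMP hook on an ntdll export.

    GMER reports one when the export's first bytes were overwritten with a JMP.
    The targets on this page (e.g. 00B6000A) lie outside ntdll's 7C90xxxx range,
    i.e. in a private allocation inside the process. Security products and
    malware both hook this way, so the log alone does not say which.
    """
    m = HOOK_RE.match(line)
    if not m:
        return None
    target = int(m.group("target"), 16)
    return ("inline-hook",
            f"{m.group('proc')}[{m.group('pid')}] {m.group('export')} -> {target:08X}")


def section_of(line):
    """Lower-cased title of a DDS ('=== Title ===') or GMER ('---- Title ----') header, else None."""
    s = line.strip()
    if s.startswith("=") and s.endswith("="):
        return s.strip("= ").lower()
    if s.startswith("----") and s.endswith("----"):
        return s.strip("- ").lower()
    return None


# Section-title fragment -> check applied to every line of that section.
HANDLERS = {"running processes": flag_process,
            "services / drivers": flag_driver,
            "user code sections": flag_hook}


def triage(lines):
    """Walk the log, switching checks at each section header; return (kind, detail) findings."""
    handler, findings = None, []
    for raw in lines:
        line = raw.strip()
        title = section_of(line)
        if title is not None:
            handler = next((h for key, h in HANDLERS.items() if key in title), None)
            continue
        if handler is not None and line:
            hit = handler(line)
            if hit:
                findings.append(hit)
    return findings


# Sample excerpted from the DDS and GMER logs posted in this thread.
SAMPLE_LOG = r"""============== Running Processes ===============

C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Documents and Settings\Jeff Wall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-2 310320]
S0 cerc6;cerc6; [x]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\system32\svchost.exe[1716] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG.splitlines()):
        print(f"{kind:22} {detail}")
```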



#2 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 25 May 2010 - 10:31 AM

Hello szxasq1,


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Thanks



#3 szxasq1

  • Topic Starter

  • Members
  • 25 posts

Posted 25 May 2010 - 11:40 AM

Thank you.

OTL logfile created on: 5/25/2010 12:15:14 PM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Jeff Wall\Desktop\Computer Clean-up Programs
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 74.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 288.33 Gb Total Space | 203.39 Gb Free Space | 70.54% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WESTWOOD
Current User Name: Jeff Wall
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/25 12:13:52 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff Wall\Desktop\Computer Clean-up Programs\OTL.exe
PRC - [2010/03/24 13:58:22 | 000,309,760 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
PRC - [2010/03/18 11:19:26 | 000,207,360 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2010/01/30 12:37:41 | 000,020,572 | ---- | M] () -- C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
PRC - [2010/01/07 14:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2010/01/07 14:38:08 | 000,158,448 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2009/11/02 08:42:31 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/10/29 07:12:13 | 000,079,872 | ---- | M] (SanDisk Corporation) -- C:\Documents and Settings\Jeff Wall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
PRC - [2009/10/27 17:03:15 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
PRC - [2009/04/03 16:18:16 | 028,905,472 | ---- | M] (eClinicalWorks LLC) -- C:\Program Files\eClinicalWorks\eClinicalWorks.exe
PRC - [2008/07/21 17:54:34 | 000,169,312 | ---- | M] (Maxtor Corporation) -- C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
PRC - [2008/07/21 17:53:04 | 000,193,888 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Maxtor\Sync\SyncServices.exe
PRC - [2008/07/21 11:44:12 | 000,225,362 | ---- | M] (IDT, Inc.) -- c:\Program Files\IDT\XPM09_6047v002\WDM\stacsv.exe
PRC - [2008/07/21 11:42:16 | 000,442,460 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
PRC - [2008/07/11 13:15:06 | 000,466,944 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\AESTFltr.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/06/16 07:03:26 | 000,221,184 | ---- | M] (InstallShield Software Corporation) -- c:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2004/06/16 07:03:04 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2004/06/16 07:02:54 | 000,471,040 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
PRC - [2004/04/13 18:03:10 | 000,299,008 | ---- | M] (Palm, Inc.) -- C:\Program Files\palmOne\HOTSYNC.EXE
PRC - [2004/02/27 13:29:24 | 000,061,440 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
PRC - [2004/01/07 14:02:26 | 000,049,152 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
PRC - [2003/08/06 14:24:20 | 012,037,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
PRC - [2003/07/14 23:45:18 | 000,196,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2003/04/08 15:42:28 | 000,135,168 | ---- | M] () -- C:\Program Files\Belkin\F1U201.401\usbshare.exe


========== Modules (SafeList) ==========

MOD - [2010/05/25 12:13:52 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff Wall\Desktop\Computer Clean-up Programs\OTL.exe
MOD - [2009/10/27 17:03:09 | 000,419,696 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.8.0.41\asOEHook.dll
MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/01/07 14:38:18 | 000,447,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/01/07 14:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2010/01/07 14:38:08 | 005,950,704 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2009/11/01 11:34:01 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/10/27 17:03:15 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe -- (N360)
SRV - [2008/07/21 17:53:04 | 000,193,888 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)
SRV - [2008/07/21 11:44:12 | 000,225,362 | ---- | M] (IDT, Inc.) [Auto | Running] -- c:\Program Files\IDT\XPM09_6047v002\WDM\stacsv.exe -- (STacSV)


========== Driver Services (SafeList) ==========

DRV - [2010/05/18 15:24:25 | 000,331,640 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100518.002\IDSXpx86.sys -- (IDSxpx86)
DRV - [2010/05/10 04:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100525.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/10 04:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100525.003\NAVENG.SYS -- (NAVENG)
DRV - [2010/01/07 14:22:02 | 000,040,832 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus)
DRV - [2009/10/27 17:03:18 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/10/27 17:03:16 | 000,482,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\ccHPx86.sys -- (ccHP)
DRV - [2009/10/27 17:03:16 | 000,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SYMEFA.SYS -- (SymEFA)
DRV - [2009/10/27 17:03:16 | 000,308,272 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SRTSP.SYS -- (SRTSP)
DRV - [2009/10/27 17:03:16 | 000,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\BHDrvx86.sys -- (BHDrvx86)
DRV - [2009/10/27 17:03:16 | 000,217,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMTDI.SYS -- (SYMTDI)
DRV - [2009/10/27 17:03:16 | 000,089,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMFW.SYS -- (SYMFW)
DRV - [2009/10/27 17:03:16 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2009/10/27 17:03:16 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2009/10/27 17:03:16 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2009/10/27 17:03:16 | 000,036,400 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2009/10/27 17:03:16 | 000,033,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMIDS.SYS -- (SYMIDS)
DRV - [2009/10/27 07:23:22 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/10/27 07:23:22 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2008/11/26 12:39:24 | 001,391,104 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008/10/07 02:01:00 | 000,268,992 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA009Vid.sys -- (OA009Vid)
DRV - [2008/10/06 10:55:22 | 000,144,544 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA009Ufd.sys -- (OA009Ufd)
DRV - [2008/09/11 11:52:48 | 006,047,904 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/08/26 19:57:14 | 000,157,696 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTS5121.sys -- (RSUSBSTOR)
DRV - [2008/07/24 11:03:00 | 000,289,664 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2008/07/21 11:46:18 | 001,384,595 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2008/07/21 01:44:44 | 000,324,120 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iastor.sys -- (iastor)
DRV - [2008/07/11 13:15:10 | 000,108,160 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)
DRV - [2008/04/14 08:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/06 13:22:00 | 000,036,224 | ---- | M] (ArcSoft Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ArcCD.sys -- (ArcCD)
DRV - [2007/06/08 02:00:02 | 000,148,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA009Afx.sys -- (OA009Afx)
DRV - [2007/05/03 14:37:08 | 000,022,152 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2007/04/25 08:55:02 | 000,134,912 | ---- | M] (ArcSoft Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ArcUdfs.sys -- (ArcUdfs)
DRV - [2006/11/10 16:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2005/09/05 11:21:06 | 000,362,944 | ---- | M] (NETGEAR, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WG11TND5.sys -- (AR5523)
DRV - [2004/04/13 18:03:46 | 000,016,509 | ---- | M] (Palm, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

FF - HKLM\software\mozilla\Firefox\extensions\\{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\ [2010/04/26 16:04:33 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2008/04/14 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\SetConfig.exe (Hewlett-Packard Inc.)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [MagnifyingGlass10WorkColl] C:\Program Files\MagniGlass\MagniGlass.exe File not found
O4 - HKLM..\Run: [mxomssmenu] C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe (Maxtor Corporation)
O4 - HKLM..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe (Hewlett-Packard)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe (Hewlett-Packard)
O4 - HKLM..\Run: [Zune Launcher] c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003..\Run: [SansaDispatch] C:\Documents and Settings\Jeff Wall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O4 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\F1U201.401.lnk = C:\Program Files\Belkin\F1U201.401\usbshare.exe ()
O4 - Startup: C:\Documents and Settings\Jeff Wall\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE (Palm, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/C/B.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O18 - Protocol\Handler\x-mem1 {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - C:\Program Files\eClinicalWorks\wowctl2.dll (EzTools Software)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/27 12:04:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{38e4504d-c3ae-11de-b1b6-002556104e82}\Shell\AutoRun\command - "" = .\Encryption Tool\MaxtorEncryption.exe
O33 - MountPoints2\{d3d1404e-fe9e-11de-b26f-002556104e82}\Shell\AutoRun\command - "" = F:\MI.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/10/27 06:41:12 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 2
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 30 Days ==========

[2010/05/25 00:05:14 | 000,000,000 | ---D | C] -- C:\Program Files\PokerStars.NET
[2010/05/25 00:04:55 | 009,741,792 | ---- | C] (PokerStars) -- C:\Documents and Settings\Jeff Wall\Desktop\PokerStarsInstallPM.exe
[2010/05/23 15:22:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/05/20 18:02:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/20 18:02:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/17 06:14:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\Performance
[2010/05/17 06:14:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\Microsoft Corporation
[2010/05/17 06:13:25 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Windows 7 Upgrade Advisor
[2010/05/17 06:13:07 | 008,669,472 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Jeff Wall\Desktop\Windows7UpgradeAdvisorSetup.exe
[2010/05/07 13:03:54 | 000,000,000 | ---D | C] -- C:\Program Files\Lame for Audacity
[2010/05/07 13:02:57 | 000,421,346 | ---- | C] ( ) -- C:\Documents and Settings\Jeff Wall\Desktop\Lame_v3.98.2_for_Audacity_on_Windows.exe
[2010/05/07 12:46:05 | 000,000,000 | ---D | C] -- C:\Program Files\Audacity
[2010/05/07 12:44:09 | 002,228,534 | ---- | C] ( ) -- C:\Documents and Settings\Jeff Wall\Desktop\audacity-win-1.2.6.exe
[2010/05/05 13:13:32 | 000,134,912 | ---- | C] (ArcSoft Inc.) -- C:\WINDOWS\System32\drivers\ArcUdfs.sys
[2010/05/05 13:13:32 | 000,036,224 | ---- | C] (ArcSoft Inc.) -- C:\WINDOWS\System32\drivers\ArcCD.sys
[2010/05/05 13:13:32 | 000,007,680 | ---- | C] (ArcSoft Inc.) -- C:\WINDOWS\System32\drivers\ArcRec.sys
[2010/04/30 20:04:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2010/04/30 17:53:42 | 000,016,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsgXP_2k3.dll
[2010/04/30 17:53:23 | 000,000,000 | ---D | C] -- C:\Program Files\Zune
[2010/04/30 17:52:55 | 000,465,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\imapi2fs.dll
[2010/04/30 17:52:55 | 000,465,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imapi2fs.dll
[2010/04/30 17:52:55 | 000,317,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\imapi2.dll
[2010/04/30 17:52:55 | 000,317,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imapi2.dll
[2010/04/30 17:52:55 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdrom.sys
[2010/04/30 17:39:57 | 057,451,272 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Jeff Wall\Desktop\zunesetuppkg-x86.exe
[2010/04/29 16:35:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Wall\Desktop\Portland
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/25 12:11:00 | 000,000,892 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/25 08:58:17 | 000,475,330 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/25 08:58:17 | 000,404,536 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/25 08:58:17 | 000,063,590 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/25 08:53:55 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/25 08:53:34 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/25 08:53:31 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/25 08:53:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/25 08:53:27 | 3716,530,176 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/25 08:51:38 | 005,505,024 | -H-- | M] () -- C:\Documents and Settings\Jeff Wall\NTUSER.DAT
[2010/05/25 08:51:37 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Jeff Wall\ntuser.ini
[2010/05/25 08:51:21 | 004,838,518 | -H-- | M] () -- C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\IconCache.db
[2010/05/25 07:36:45 | 000,001,738 | -H-- | M] () -- C:\Documents and Settings\Jeff Wall\My Documents\Default.rdp
[2010/05/25 00:05:00 | 009,741,792 | ---- | M] (PokerStars) -- C:\Documents and Settings\Jeff Wall\Desktop\PokerStarsInstallPM.exe
[2010/05/24 12:31:54 | 000,000,074 | ---- | M] () -- C:\WINDOWS\iltwain.ini
[2010/05/24 11:54:57 | 000,013,312 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/24 09:09:25 | 000,002,828 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/05/23 17:10:02 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/23 17:10:02 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/23 17:10:02 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/05/19 12:11:15 | 000,000,250 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2010/05/19 12:10:55 | 000,870,128 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Application Data\mcs.rma
[2010/05/19 12:10:55 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Application Data\4AE7DF
[2010/05/18 13:01:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/05/17 06:13:28 | 000,001,862 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2010/05/17 06:13:12 | 008,669,472 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Jeff Wall\Desktop\Windows7UpgradeAdvisorSetup.exe
[2010/05/16 08:13:57 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/10 14:41:54 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\Hotel internet help line.doc
[2010/05/07 13:05:48 | 000,033,726 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\throne_balladry.jpg
[2010/05/07 13:02:57 | 000,421,346 | ---- | M] ( ) -- C:\Documents and Settings\Jeff Wall\Desktop\Lame_v3.98.2_for_Audacity_on_Windows.exe
[2010/05/07 12:46:06 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\Audacity.lnk
[2010/05/07 12:45:41 | 002,228,534 | ---- | M] ( ) -- C:\Documents and Settings\Jeff Wall\Desktop\audacity-win-1.2.6.exe
[2010/05/06 10:50:56 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\Mike Munk EMS.doc
[2010/05/05 13:15:27 | 000,001,756 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Media Impression for Kodak.lnk
[2010/05/04 18:30:53 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
[2010/05/04 18:30:53 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01009.Wdf
[2010/05/04 18:30:25 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/04 18:30:24 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_user_01_09_00.Wdf
[2010/04/30 17:53:44 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2010/04/30 17:53:44 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_zumbus_01009.Wdf
[2010/04/30 17:53:31 | 000,000,628 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Zune.lnk
[2010/04/30 17:40:00 | 057,451,272 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Jeff Wall\Desktop\zunesetuppkg-x86.exe
[2010/04/30 08:35:15 | 000,000,797 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\YouTube Downloader.lnk
[2010/04/29 09:38:59 | 000,202,240 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\Underground Inter station database.xls
[2010/04/29 08:14:18 | 000,451,680 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/28 13:38:03 | 000,150,544 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/27 08:10:48 | 002,266,112 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\PATIENT LIST JAW.xls
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/23 17:09:33 | 3716,530,176 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/19 12:11:15 | 000,000,250 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/05/17 06:13:28 | 000,001,862 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2010/05/16 08:13:57 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/10 14:41:53 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\Hotel internet help line.doc
[2010/05/07 13:06:12 | 000,033,726 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\throne_balladry.jpg
[2010/05/07 12:46:06 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\Audacity.lnk
[2010/05/07 09:40:11 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\Mike Munk EMS.doc
[2010/05/04 18:30:53 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
[2010/05/04 18:30:53 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01009.Wdf
[2010/05/04 18:30:24 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_user_01_09_00.Wdf
[2010/04/30 17:53:44 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2010/04/30 17:53:44 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_zumbus_01009.Wdf
[2010/04/30 17:53:31 | 000,000,628 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Zune.lnk
[2010/04/30 08:35:15 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\YouTube Downloader.lnk
[2010/04/29 08:40:10 | 000,202,240 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\Underground Inter station database.xls
[2010/02/24 11:00:10 | 000,000,050 | ---- | C] () -- C:\WINDOWS\TOPO.INI
[2010/01/30 12:38:23 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\jst.dll
[2010/01/30 12:38:23 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\PMLJNI.dll
[2010/01/29 18:35:28 | 000,000,124 | ---- | C] () -- C:\WINDOWS\hplj1320.ini
[2010/01/29 18:34:53 | 000,000,385 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2010/01/29 18:34:24 | 000,001,120 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2010/01/29 18:34:05 | 000,192,512 | R--- | C] () -- C:\WINDOWS\System32\HPB1320V.DLL
[2010/01/18 12:49:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2009/10/28 13:45:02 | 000,000,074 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2009/10/28 13:44:58 | 000,242,688 | ---- | C] () -- C:\WINDOWS\System32\ISP2003.dll
[2009/10/28 13:44:53 | 000,110,592 | ---- | C] () -- C:\WINDOWS\cndya30.dll
[2009/10/27 21:43:46 | 000,002,828 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/10/27 14:04:27 | 000,000,612 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/10/27 13:32:00 | 000,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2009/10/27 13:32:00 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/10/27 13:27:53 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4990.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/31 06:17:12 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/10/29 03:46:50 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/10/29 03:46:51 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/10/27 06:45:24 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/10/27 06:45:24 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/10/27 06:45:24 | 000,925,696 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %SYSTEMDRIVE%\*.exe >

< >
< End of report >


OTL Extras logfile created on: 5/25/2010 12:15:14 PM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Jeff Wall\Desktop\Computer Clean-up Programs
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 74.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 288.33 Gb Total Space | 203.39 Gb Free Space | 70.54% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WESTWOOD
Current User Name: Jeff Wall
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"427:UDP" = 427:UDP:*:Enabled:SLP_Port(427)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"427:UDP" = 427:UDP:*:Enabled:SLP_Port(427)
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"E:\setup\HPZnui01.exe" = E:\setup\HPZnui01.exe:*:Enabled:hpznui01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"E:\setup\HPZnui01.exe" = E:\setup\HPZnui01.exe:*:Enabled:hpznui01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.5.4
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 17
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{300A2961-B2B5-4889-9CB9-5C2A570D08AD}" = Debugging Tools for Windows (x86)
"{32622F02-640A-4335-86FF-557325DC39D4}" = PS_AIO_04_C6300_Software_Min
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{370BCBBA-67D7-4535-ADCD-58CD1C8DEC99}" = Zune Language Pack (DE)
"{40EC6323-497B-44DA-8A88-74578622D9B3}" = Zune Language Pack (IT)
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{465DC07E-3390-401A-A190-6078D73AB4C6}" = CorelDRAW Graphics Suite 12
"{4D36E953-4456-4F8F-BC44-90BC4AA59889}" = Maxtor Manager
"{4E7C28C7-D5DA-4E9F-A1CA-60490B54AE35}" = UnloadSupport
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{57C7C46A-D35D-492d-A328-4F8C9B5B4B52}" = PrintScreen
"{60D70486-F4E3-4397-A060-262ACFDD2B92}" = eClinicalWorks
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7F04B272-E0DD-47E7-8B55-D97483DB0EBD}" = hp LaserJet 1160/1320 series
"{888FFC82-688D-46AB-A776-B417885432B6}" = Zune
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90B5E602-1867-449D-86FD-FC9DEA4434BF}" = HP Software Update
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99832252-D489-4276-B961-6D505CF0AFAA}" = PS_AIO_04_C6300_Software
"{9EDE7573-F2B0-4FAC-8928-A7E9381BCB91}" = ArcSoft MediaImpression for Kodak
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3752427-9AAA-4B1C-B428-01723E0E9FFA}" = 2x1/4x1 USB Peripheral Switch
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA2E8A46-B45E-4aea-8A23-88AB57D04523}" = WebReg
"{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BD65CAC7-6D63-4D56-BED0-B610281256DF}" = CorelDRAW Graphics Suite 12 Setup Files
"{BF08AB1C-3357-4f20-A200-8EBB8EF27C59}" = BufferChm
"{C8732DC3-1736-44b2-B741-2D636DE58605}" = HP Photosmart C6300 All-In-One Driver Software 11.0 Rel .4
"{C89B5E3A-690F-4CEE-909A-BF869E198B0A}" = Scan
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CA72A82C-7DBC-4814-8CCB-E5BFAC59FAEF}" = ArcSoft MediaImpression for Kodak
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D10CB652-9332-4242-B7A9-2D61570144F7}" = Realtek Card Reader
"{D8490ADB-E45C-49FA-907F-59C3F370242D}" = TabletPC
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E89D78B8-28F7-412F-8B26-C684739CBBDC}" = Palm Desktop
"{E96B0085-6659-486b-A221-5042A042728D}" = Toolbox
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{F445476A-42DE-11D4-80D0-00C04F2750A6}" = Epocrates Essentials
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{F7B0E599-C114-4493-BC4D-D8FC7CBBABBB}" = 32 Bit HP CIO Components Installer
"{F95F178B-56AD-4fab-87F8-FA81E66C7D68}" = Network
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Audacity_is1" = Audacity 1.2.6
"Broadcom 802.11 Application" = Dell Wireless WLAN Card Utility
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Creative OA009" = Integrated Webcam Driver (1.01.01.1007)
"GoToAssist" = GoToAssist 8.0.0.514
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{4D36E953-4456-4F8F-BC44-90BC4AA59889}" = Maxtor Manager
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"N360" = Norton 360
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Rhapsody" = Rhapsody
"TOPO!" = TOPO!
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01009" = Microsoft User-Mode Driver Framework Feature Pack 1.9
"Zune" = Zune

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-776561741-1177238915-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Sansa Updater" = Sansa Updater

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/14/2010 2:11:16 PM | Computer Name = WESTWOOD | Source = Google Update | ID = 20
Description =

Error - 5/14/2010 3:11:17 PM | Computer Name = WESTWOOD | Source = Google Update | ID = 20
Description =

Error - 5/14/2010 4:11:16 PM | Computer Name = WESTWOOD | Source = Google Update | ID = 20
Description =

Error - 5/14/2010 5:11:16 PM | Computer Name = WESTWOOD | Source = Google Update | ID = 20
Description =

Error - 5/14/2010 6:11:17 PM | Computer Name = WESTWOOD | Source = Google Update | ID = 20
Description =

Error - 5/14/2010 7:11:16 PM | Computer Name = WESTWOOD | Source = Google Update | ID = 20
Description =

Error - 5/14/2010 8:11:16 PM | Computer Name = WESTWOOD | Source = Google Update | ID = 20
Description =

Error - 5/16/2010 11:00:12 PM | Computer Name = WESTWOOD | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module jvm.dll, version 14.3.0.1, fault address 0x000c6542.

Error - 5/17/2010 8:59:02 PM | Computer Name = WESTWOOD | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/23/2010 2:24:10 PM | Computer Name = WESTWOOD | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15281, faulting module
gmer.exe, version 1.0.15.15281, fault address 0x0000c4b1.

[ System Events ]
Error - 5/25/2010 11:59:46 AM | Computer Name = WESTWOOD | Source = DCOM | ID = 10006
Description = DCOM got error "%2147746132" from the computer HAL2000 when attempting
to activate the server: {5A5AA0AA-1DEB-4683-96B0-B43301E83971}

Error - 5/25/2010 11:59:46 AM | Computer Name = WESTWOOD | Source = DCOM | ID = 10006
Description = DCOM got error "%2147746132" from the computer HAL2000 when attempting
to activate the server: {5A5AA0AA-1DEB-4683-96B0-B43301E83971}

Error - 5/25/2010 12:00:07 PM | Computer Name = WESTWOOD | Source = DCOM | ID = 10009
Description = DCOM was unable to communicate with the computer OPTIPLEX2 using any
of the configured protocols.

Error - 5/25/2010 12:00:38 PM | Computer Name = WESTWOOD | Source = DCOM | ID = 10006
Description = DCOM got error "%2147746132" from the computer HAL2000 when attempting
to activate the server: {5A5AA0AA-1DEB-4683-96B0-B43301E83971}

Error - 5/25/2010 12:00:38 PM | Computer Name = WESTWOOD | Source = DCOM | ID = 10006
Description = DCOM got error "%2147746132" from the computer HAL2000 when attempting
to activate the server: {5A5AA0AA-1DEB-4683-96B0-B43301E83971}

Error - 5/25/2010 12:00:59 PM | Computer Name = WESTWOOD | Source = DCOM | ID = 10009
Description = DCOM was unable to communicate with the computer OPTIPLEX2 using any
of the configured protocols.

Error - 5/25/2010 12:01:29 PM | Computer Name = WESTWOOD | Source = DCOM | ID = 10006
Description = DCOM got error "%2147746132" from the computer HAL2000 when attempting
to activate the server: {5A5AA0AA-1DEB-4683-96B0-B43301E83971}

Error - 5/25/2010 12:01:29 PM | Computer Name = WESTWOOD | Source = DCOM | ID = 10006
Description = DCOM got error "%2147746132" from the computer HAL2000 when attempting
to activate the server: {5A5AA0AA-1DEB-4683-96B0-B43301E83971}

Error - 5/25/2010 12:01:50 PM | Computer Name = WESTWOOD | Source = DCOM | ID = 10009
Description = DCOM was unable to communicate with the computer OPTIPLEX2 using any
of the configured protocols.

Error - 5/25/2010 12:02:42 PM | Computer Name = WESTWOOD | Source = DCOM | ID = 10009
Description = DCOM was unable to communicate with the computer OPTIPLEX2 using any
of the configured protocols.


< End of report >


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:08 PM

Posted 25 May 2010 - 02:24 PM

You're welcome

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Download and Run MBR Rootkit Scan
  • Please download MBR Rootkit Detector and save it on your desktop.
  • Go to Start >> Run then copy and paste the following line into the run box
    "%userprofile%\desktop\mbr.exe" -t

  • Select Run when you receive a Security Warning.
  • The process is automatic; a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop, where you ran mbr.exe from.
  • Copy and paste the contents of mbr.log on your next reply.



#5 szxasq1

szxasq1
  • Topic Starter

  • Members
  • 25 posts
  • Local time:11:08 AM

Posted 25 May 2010 - 03:17 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4143

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/25/2010 4:12:10 PM
mbam-log-2010-05-25 (16-12-10).txt

Scan type: Quick scan
Objects scanned: 123573
Time elapsed: 7 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89C68D01]<<
kernel: MBR read successfully
user & kernel MBR OK

Edited by szxasq1, 25 May 2010 - 03:24 PM.


#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:08 PM

Posted 25 May 2010 - 03:28 PM

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#7 szxasq1

szxasq1
  • Topic Starter

  • Members
  • 25 posts
  • Local time:11:08 AM

Posted 25 May 2010 - 04:33 PM

ComboFix 10-05-25.02 - Jeff Wall 05/25/2010 17:24:15.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3544.3103 [GMT -4:00]
Running from: c:\documents and settings\Jeff Wall\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jeff Wall\GoToAssistDownloadHelper.exe
c:\windows\system32\st326047.dll

Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))
.

2010-05-25 20:03 . 2010-05-25 20:03 -------- d-----w- c:\documents and settings\Jeff Wall\Application Data\Malwarebytes
2010-05-25 20:02 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-25 20:02 . 2010-05-25 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-25 20:02 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-25 20:02 . 2010-05-25 20:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 04:05 . 2010-05-25 12:46 -------- d-----w- c:\program files\PokerStars.NET
2010-05-17 10:14 . 2010-05-17 10:14 -------- d-----w- c:\windows\Performance
2010-05-17 10:14 . 2010-05-17 10:14 -------- d-----w- c:\documents and settings\Jeff Wall\Local Settings\Application Data\Microsoft Corporation
2010-05-17 10:13 . 2010-05-17 10:13 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-05-07 17:03 . 2010-05-07 17:03 -------- d-----w- c:\program files\Lame for Audacity
2010-05-07 16:46 . 2010-05-07 16:46 -------- d-----w- c:\program files\Audacity
2010-05-05 17:13 . 2007-11-06 17:22 36224 ----a-w- c:\windows\system32\drivers\ArcCD.sys
2010-05-05 17:13 . 2007-04-25 12:55 134912 ----a-w- c:\windows\system32\drivers\ArcUdfs.sys
2010-05-05 17:13 . 2007-04-24 15:33 7680 ----a-w- c:\windows\system32\drivers\ArcRec.sys
2010-04-30 21:53 . 2008-11-07 22:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-04-30 21:53 . 2010-04-30 21:54 -------- d-----w- c:\program files\Zune
2010-04-30 21:52 . 2008-05-02 13:25 465920 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2010-04-30 21:52 . 2008-05-02 13:25 465920 ------w- c:\windows\system32\imapi2fs.dll
2010-04-30 21:52 . 2008-05-02 13:25 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2010-04-30 21:52 . 2008-05-02 13:25 317952 ------w- c:\windows\system32\imapi2.dll
2010-04-30 21:52 . 2008-05-02 10:49 62976 -c----w- c:\windows\system32\dllcache\cdrom.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-25 12:36 . 2009-10-28 17:44 -------- d-----w- c:\program files\eClinicalWorks
2010-05-24 13:09 . 2009-10-28 01:43 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-23 21:17 . 2009-11-01 15:03 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2010-05-16 19:18 . 2009-10-27 17:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-16 12:13 . 2009-10-28 01:30 -------- d-----w- c:\program files\Google
2010-05-06 03:14 . 2009-11-26 23:10 -------- d-----w- c:\documents and settings\Jeff Wall\Application Data\Skype
2010-05-05 23:41 . 2009-11-26 23:13 -------- d-----w- c:\documents and settings\Jeff Wall\Application Data\skypePM
2010-05-05 17:25 . 2010-01-11 13:58 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-05-05 17:25 . 2010-01-11 13:57 -------- d-----w- c:\documents and settings\Jeff Wall\Application Data\ArcSoft
2010-05-05 17:15 . 2010-01-11 13:58 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-05-04 22:30 . 2010-05-04 22:30 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2010-05-04 22:30 . 2010-05-04 22:30 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2010-05-04 22:30 . 2010-05-04 22:30 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
2010-04-30 21:53 . 2010-04-30 21:53 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-04-30 21:53 . 2010-04-30 21:53 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2010-04-28 17:38 . 2009-10-28 02:37 150544 ----a-w- c:\documents and settings\Jeff Wall\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-13 17:06 . 2010-04-13 17:06 -------- d-----w- c:\program files\QuickTime
2010-04-13 17:06 . 2010-01-11 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\Jeff Wall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-10-29 79872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-02 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-16 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-16 150040]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-07-11 466944]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-07-21 442460]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-11-02 122880]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 188416]
"HPLJ Config"="c:\program files\Hewlett-Packard\hp LaserJet 1160_1320 series\SetConfig.exe" [2003-03-31 28672]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]

c:\documents and settings\Jeff Wall\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
F1U201.401.lnk - c:\program files\Belkin\F1U201.401\usbshare.exe [2009-10-28 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-11-01 15:33 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/2/2010 11:43 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/2/2010 11:43 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/2/2010 11:43 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100518.002\IDSXpx86.sys [5/24/2010 2:25 PM 331640]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/2/2010 11:43 PM 117640]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [10/27/2009 1:29 PM 108160]
R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [5/5/2010 1:13 PM 36224]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/28/2009 6:06 AM 102448]
R3 OA009Afx;Provides a software interface to control audio effects of OA009 camera.;c:\windows\system32\drivers\OA009Afx.sys [10/27/2009 1:34 PM 148056]
R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\drivers\OA009Ufd.sys [10/27/2009 1:34 PM 144544]
R3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\drivers\OA009Vid.sys [10/27/2009 1:34 PM 268992]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [10/27/2009 1:23 PM 157696]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/7/2009 6:56 AM 135664]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [5/5/2010 1:13 PM 134912]

--- Other Services/Drivers In Memory ---

*Deregistered* - ArcRec

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-07 10:56]

2010-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-07 10:56]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MagnifyingGlass10WorkColl - c:\program files\MagniGlass\MagniGlass.exe
SafeBoot-WudfPf
SafeBoot-WudfRd



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-25 17:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Jeff Wall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1300)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-05-25 17:31:06
ComboFix-quarantined-files.txt 2010-05-25 21:30

Pre-Run: 218,287,980,544 bytes free
Post-Run: 218,438,971,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - BDDF4F7E6C14B86B6B64802A08E299C2


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:08 PM

Posted 26 May 2010 - 06:57 AM

Hi,

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Then once you have done that run a new scan with OTL and post back with MBAM log and new OTL log.

Thanks



#9 szxasq1

szxasq1
  • Topic Starter

  • Members
  • 25 posts
  • Local time:11:08 AM

Posted 26 May 2010 - 11:56 AM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4143

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/26/2010 8:14:26 AM
mbam-log-2010-05-26 (08-14-26).txt

Scan type: Quick scan
Objects scanned: 122275
Time elapsed: 9 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



OTL logfile created on: 5/26/2010 12:57:59 PM - Run 2
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Jeff Wall\Desktop\Computer Clean-up Programs
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 77.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 288.33 Gb Total Space | 203.32 Gb Free Space | 70.51% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WESTWOOD
Current User Name: Jeff Wall
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/25 12:13:52 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff Wall\Desktop\Computer Clean-up Programs\OTL.exe
PRC - [2010/04/29 15:39:32 | 001,090,952 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2010/01/30 12:37:41 | 000,020,572 | ---- | M] () -- C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
PRC - [2010/01/07 14:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2010/01/07 14:38:08 | 000,158,448 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2009/11/02 08:42:31 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/10/29 07:12:13 | 000,079,872 | ---- | M] (SanDisk Corporation) -- C:\Documents and Settings\Jeff Wall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
PRC - [2009/10/27 17:03:15 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
PRC - [2008/07/21 17:54:34 | 000,169,312 | ---- | M] (Maxtor Corporation) -- C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
PRC - [2008/07/21 17:53:04 | 000,193,888 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Maxtor\Sync\SyncServices.exe
PRC - [2008/07/21 11:44:12 | 000,225,362 | ---- | M] (IDT, Inc.) -- c:\Program Files\IDT\XPM09_6047v002\WDM\stacsv.exe
PRC - [2008/07/21 11:42:16 | 000,442,460 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
PRC - [2008/07/11 13:15:06 | 000,466,944 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\AESTFltr.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/06/16 07:03:04 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2004/04/13 18:03:10 | 000,299,008 | ---- | M] (Palm, Inc.) -- C:\Program Files\palmOne\HOTSYNC.EXE
PRC - [2004/02/27 13:29:24 | 000,061,440 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
PRC - [2004/01/07 14:02:26 | 000,049,152 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
PRC - [2003/08/06 14:24:20 | 012,037,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
PRC - [2003/07/14 23:45:18 | 000,196,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2003/04/08 15:42:28 | 000,135,168 | ---- | M] () -- C:\Program Files\Belkin\F1U201.401\usbshare.exe


========== Modules (SafeList) ==========

MOD - [2010/05/25 12:13:52 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff Wall\Desktop\Computer Clean-up Programs\OTL.exe
MOD - [2009/10/27 17:03:09 | 000,419,696 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.8.0.41\asOEHook.dll
MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/01/07 14:38:18 | 000,447,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/01/07 14:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2010/01/07 14:38:08 | 005,950,704 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2009/11/01 11:34:01 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/10/27 17:03:15 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe -- (N360)
SRV - [2008/07/21 17:53:04 | 000,193,888 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)
SRV - [2008/07/21 11:44:12 | 000,225,362 | ---- | M] (IDT, Inc.) [Auto | Running] -- c:\Program Files\IDT\XPM09_6047v002\WDM\stacsv.exe -- (STacSV)


========== Driver Services (SafeList) ==========

DRV - [2010/05/18 15:24:25 | 000,331,640 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100518.002\IDSXpx86.sys -- (IDSxpx86)
DRV - [2010/05/10 04:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100525.034\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/10 04:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100525.034\NAVENG.SYS -- (NAVENG)
DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/01/07 14:22:02 | 000,040,832 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus)
DRV - [2009/10/27 17:03:18 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/10/27 17:03:16 | 000,482,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\ccHPx86.sys -- (ccHP)
DRV - [2009/10/27 17:03:16 | 000,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SYMEFA.SYS -- (SymEFA)
DRV - [2009/10/27 17:03:16 | 000,308,272 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SRTSP.SYS -- (SRTSP)
DRV - [2009/10/27 17:03:16 | 000,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\BHDrvx86.sys -- (BHDrvx86)
DRV - [2009/10/27 17:03:16 | 000,217,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMTDI.SYS -- (SYMTDI)
DRV - [2009/10/27 17:03:16 | 000,089,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMFW.SYS -- (SYMFW)
DRV - [2009/10/27 17:03:16 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2009/10/27 17:03:16 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2009/10/27 17:03:16 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2009/10/27 17:03:16 | 000,036,400 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2009/10/27 17:03:16 | 000,033,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMIDS.SYS -- (SYMIDS)
DRV - [2009/10/27 07:23:22 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/10/27 07:23:22 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2008/11/26 12:39:24 | 001,391,104 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008/10/07 02:01:00 | 000,268,992 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA009Vid.sys -- (OA009Vid)
DRV - [2008/10/06 10:55:22 | 000,144,544 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA009Ufd.sys -- (OA009Ufd)
DRV - [2008/09/11 11:52:48 | 006,047,904 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/08/26 19:57:14 | 000,157,696 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTS5121.sys -- (RSUSBSTOR)
DRV - [2008/07/24 11:03:00 | 000,289,664 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2008/07/21 11:46:18 | 001,384,595 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2008/07/21 01:44:44 | 000,324,120 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iastor.sys -- (iastor)
DRV - [2008/07/11 13:15:10 | 000,108,160 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)
DRV - [2008/04/14 08:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/06 13:22:00 | 000,036,224 | ---- | M] (ArcSoft Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ArcCD.sys -- (ArcCD)
DRV - [2007/06/08 02:00:02 | 000,148,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA009Afx.sys -- (OA009Afx)
DRV - [2007/05/03 14:37:08 | 000,022,152 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2007/04/25 08:55:02 | 000,134,912 | ---- | M] (ArcSoft Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ArcUdfs.sys -- (ArcUdfs)
DRV - [2006/11/10 16:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2005/09/05 11:21:06 | 000,362,944 | ---- | M] (NETGEAR, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WG11TND5.sys -- (AR5523)
DRV - [2004/04/13 18:03:46 | 000,016,509 | ---- | M] (Palm, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

FF - HKLM\software\mozilla\Firefox\extensions\\{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\ [2010/04/26 16:04:33 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/05/25 17:29:42 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\SetConfig.exe (Hewlett-Packard Inc.)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [mxomssmenu] C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe (Maxtor Corporation)
O4 - HKLM..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe (Hewlett-Packard)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe (Hewlett-Packard)
O4 - HKLM..\Run: [Zune Launcher] c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003..\Run: [SansaDispatch] C:\Documents and Settings\Jeff Wall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O4 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\F1U201.401.lnk = C:\Program Files\Belkin\F1U201.401\usbshare.exe ()
O4 - Startup: C:\Documents and Settings\Jeff Wall\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE (Palm, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe (PokerStars)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/C/B.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O18 - Protocol\Handler\x-mem1 {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - C:\Program Files\eClinicalWorks\wowctl2.dll (EzTools Software)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/27 12:04:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/26 08:01:44 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/26 00:02:50 | 000,000,000 | ---D | C] -- C:\Program Files\PokerStars
[2010/05/25 17:16:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/25 17:09:18 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/25 17:09:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/25 17:09:17 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/25 17:09:17 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/25 17:09:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/25 17:08:22 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/25 16:03:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Wall\Application Data\Malwarebytes
[2010/05/25 16:02:32 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/25 16:02:31 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/25 16:02:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/25 16:02:30 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/25 00:05:14 | 000,000,000 | ---D | C] -- C:\Program Files\PokerStars.NET
[2010/05/23 15:22:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/05/20 18:02:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/20 18:02:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/17 06:14:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\Performance
[2010/05/17 06:14:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\Microsoft Corporation
[2010/05/17 06:13:25 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Windows 7 Upgrade Advisor
[2010/05/17 06:13:07 | 008,669,472 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Jeff Wall\Desktop\Windows7UpgradeAdvisorSetup.exe
[2010/05/07 13:03:54 | 000,000,000 | ---D | C] -- C:\Program Files\Lame for Audacity
[2010/05/07 13:02:57 | 000,421,346 | ---- | C] ( ) -- C:\Documents and Settings\Jeff Wall\Desktop\Lame_v3.98.2_for_Audacity_on_Windows.exe
[2010/05/07 12:46:05 | 000,000,000 | ---D | C] -- C:\Program Files\Audacity
[2010/05/07 12:44:09 | 002,228,534 | ---- | C] ( ) -- C:\Documents and Settings\Jeff Wall\Desktop\audacity-win-1.2.6.exe
[2010/05/05 13:13:32 | 000,134,912 | ---- | C] (ArcSoft Inc.) -- C:\WINDOWS\System32\drivers\ArcUdfs.sys
[2010/05/05 13:13:32 | 000,036,224 | ---- | C] (ArcSoft Inc.) -- C:\WINDOWS\System32\drivers\ArcCD.sys
[2010/05/05 13:13:32 | 000,007,680 | ---- | C] (ArcSoft Inc.) -- C:\WINDOWS\System32\drivers\ArcRec.sys
[2010/04/30 20:04:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2010/04/30 17:53:42 | 000,016,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsgXP_2k3.dll
[2010/04/30 17:53:23 | 000,000,000 | ---D | C] -- C:\Program Files\Zune
[2010/04/30 17:52:55 | 000,465,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\imapi2fs.dll
[2010/04/30 17:52:55 | 000,465,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imapi2fs.dll
[2010/04/30 17:52:55 | 000,317,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\imapi2.dll
[2010/04/30 17:52:55 | 000,317,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imapi2.dll
[2010/04/30 17:52:55 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdrom.sys
[2010/04/30 17:39:57 | 057,451,272 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Jeff Wall\Desktop\zunesetuppkg-x86.exe
[2010/04/29 16:35:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Wall\Desktop\Portland
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/26 12:11:00 | 000,000,892 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/26 08:02:36 | 000,475,330 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/26 08:02:36 | 000,404,536 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/26 08:02:36 | 000,063,590 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/26 07:58:05 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/26 07:57:49 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/26 07:57:49 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/26 07:57:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/26 07:57:46 | 3716,530,176 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/26 00:45:11 | 005,505,024 | -H-- | M] () -- C:\Documents and Settings\Jeff Wall\NTUSER.DAT
[2010/05/26 00:45:09 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Jeff Wall\ntuser.ini
[2010/05/26 00:07:18 | 000,002,828 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/05/25 17:58:44 | 004,839,998 | -H-- | M] () -- C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\IconCache.db
[2010/05/25 17:54:46 | 000,000,074 | ---- | M] () -- C:\WINDOWS\iltwain.ini
[2010/05/25 17:29:48 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/25 17:29:42 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/25 17:16:25 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/05/25 17:13:49 | 003,698,620 | R--- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\ComboFix.exe
[2010/05/25 16:23:33 | 000,001,728 | -H-- | M] () -- C:\Documents and Settings\Jeff Wall\My Documents\Default.rdp
[2010/05/25 13:01:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/05/24 11:54:57 | 000,013,312 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/23 17:10:02 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/23 17:10:02 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/05/19 12:11:15 | 000,000,250 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2010/05/19 12:10:55 | 000,870,128 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Application Data\mcs.rma
[2010/05/19 12:10:55 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Application Data\4AE7DF
[2010/05/17 06:13:28 | 000,001,862 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2010/05/17 06:13:12 | 008,669,472 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Jeff Wall\Desktop\Windows7UpgradeAdvisorSetup.exe
[2010/05/16 08:13:57 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/10 14:41:54 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\Hotel internet help line.doc
[2010/05/07 13:05:48 | 000,033,726 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\throne_balladry.jpg
[2010/05/07 13:02:57 | 000,421,346 | ---- | M] ( ) -- C:\Documents and Settings\Jeff Wall\Desktop\Lame_v3.98.2_for_Audacity_on_Windows.exe
[2010/05/07 12:46:06 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\Audacity.lnk
[2010/05/07 12:45:41 | 002,228,534 | ---- | M] ( ) -- C:\Documents and Settings\Jeff Wall\Desktop\audacity-win-1.2.6.exe
[2010/05/06 10:50:56 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\Mike Munk EMS.doc
[2010/05/05 13:15:27 | 000,001,756 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Media Impression for Kodak.lnk
[2010/05/04 18:30:53 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
[2010/05/04 18:30:53 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01009.Wdf
[2010/05/04 18:30:25 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/04 18:30:24 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_user_01_09_00.Wdf
[2010/04/30 17:53:44 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2010/04/30 17:53:44 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_zumbus_01009.Wdf
[2010/04/30 17:53:31 | 000,000,628 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Zune.lnk
[2010/04/30 17:40:00 | 057,451,272 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Jeff Wall\Desktop\zunesetuppkg-x86.exe
[2010/04/30 08:35:15 | 000,000,797 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\YouTube Downloader.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/29 09:38:59 | 000,202,240 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\Underground Inter station database.xls
[2010/04/29 08:14:18 | 000,451,680 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/28 13:38:03 | 000,150,544 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/27 08:10:48 | 002,266,112 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\PATIENT LIST JAW.xls
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/25 17:16:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/05/25 17:16:20 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/25 17:09:18 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/25 17:09:18 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/25 17:09:17 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/25 17:09:17 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/25 17:09:17 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/25 17:03:57 | 003,698,620 | R--- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\ComboFix.exe
[2010/05/23 17:09:33 | 3716,530,176 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/19 12:11:15 | 000,000,250 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/05/17 06:13:28 | 000,001,862 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2010/05/16 08:13:57 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/10 14:41:53 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\Hotel internet help line.doc
[2010/05/07 13:06:12 | 000,033,726 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\throne_balladry.jpg
[2010/05/07 12:46:06 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\Audacity.lnk
[2010/05/07 09:40:11 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\Mike Munk EMS.doc
[2010/05/04 18:30:53 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
[2010/05/04 18:30:53 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01009.Wdf
[2010/05/04 18:30:24 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_user_01_09_00.Wdf
[2010/04/30 17:53:44 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2010/04/30 17:53:44 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_zumbus_01009.Wdf
[2010/04/30 17:53:31 | 000,000,628 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Zune.lnk
[2010/04/30 08:35:15 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\YouTube Downloader.lnk
[2010/04/29 08:40:10 | 000,202,240 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\Underground Inter station database.xls
[2010/02/24 11:00:10 | 000,000,050 | ---- | C] () -- C:\WINDOWS\TOPO.INI
[2010/01/30 12:38:23 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\jst.dll
[2010/01/30 12:38:23 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\PMLJNI.dll
[2010/01/29 18:35:28 | 000,000,124 | ---- | C] () -- C:\WINDOWS\hplj1320.ini
[2010/01/29 18:34:53 | 000,000,385 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2010/01/29 18:34:24 | 000,001,120 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2010/01/29 18:34:05 | 000,192,512 | R--- | C] () -- C:\WINDOWS\System32\HPB1320V.DLL
[2010/01/18 12:49:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2009/10/28 13:45:02 | 000,000,074 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2009/10/28 13:44:58 | 000,242,688 | ---- | C] () -- C:\WINDOWS\System32\ISP2003.dll
[2009/10/28 13:44:53 | 000,110,592 | ---- | C] () -- C:\WINDOWS\cndya30.dll
[2009/10/27 21:43:46 | 000,002,828 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/10/27 14:04:27 | 000,000,612 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/10/27 13:32:00 | 000,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2009/10/27 13:32:00 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/10/27 13:27:53 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4990.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/31 06:17:12 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
< End of report >

Edited by szxasq1, 26 May 2010 - 12:00 PM.


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:08 PM

Posted 26 May 2010 - 07:02 PM

Hello szxasq1,

Please let me know how the computer is running and if you are having any more problems, thanks.

You don't have the latest version of Java. You should run JavaRa to clean up any older Java, then
download and install the latest version from here.

Please download JavaRa and unzip it to your desktop.
Then print these instructions, as you won't have Internet access during this particular phase.

Close any instances of Internet Explorer before continuing
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English or the appropriate language...and click on Select.
  • JavaRa will open; Select Remove Older Versions, click yes, then ok.
  • A logfile will pop up, you can close it.
  • Now select Additional Tasks and check the following:
    Remove Useless JRE Files
    Remove Startup Entry
  • Click Go then ok to all the prompts, once done restart your computer.



Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run a new OTL scan without the bold text, and post the new OTL log.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push


Then in your next reply, please let me know if you are having any more problems and post back here with the following logs:
  • OTL results
  • New OTL log
  • ESET report

Thanks


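The OTL fix above works on two shapes of line that recur through the logs in this thread: the "Oxx - ..." registry items (BHO, toolbar, DPF, MountPoints2) and the "[date | size | attributes | C/M] (vendor) -- path" file entries. The following is an added triage example, written for this page; it is not code from the thread, from OTL or from its author. It parses both shapes with regular expressions derived from the lines posted here and flags the things a responder acts on: items with no CLSID or an unreadable registry key, an autorun handler that launches an executable from a removable drive, and recently created files under %SystemRoot% that are hidden+system or carry no vendor string. The sample lines are copied from the logs above and embedded inline; the flag names and the assumption that these two formats are the only ones present are mine, and the output is a hint list for a human, not a verdict (legitimate licensing drivers use the same hidden+system attributes).

```python
"""Triage helper for OTL (OldTimer's List-It) log lines.

Added example, not part of the original thread or of OTL itself. The line
formats are inferred from the logs posted in this thread; anything not seen
there (PRC/SRV/DRV prefixes, for instance) is deliberately left unparsed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# [2009/10/27 21:43:46 | 000,002,828 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
# Directory entries omit the "(vendor)" group entirely, so it is optional.
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[RHSD-]{4}) \| (?P<kind>[CM])\] (?:\((?P<vendor>[^)]*)\) )?-- (?P<path>.+)$"
)
# O16 - DPF: {E2883E8F-...} http://... (Reg Error: Key error.)
OLINE_RE = re.compile(r"^(?P<code>O\d+) - (?P<rest>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SYSTEM_ROOT = "c:\\windows\\"   # assumption: %SystemRoot% as shown in the log header


@dataclass
class Finding:
    reason: str
    line: str
    guid: Optional[str] = None   # CLSID or volume GUID found on the line, if any


def triage_oline(line: str) -> Optional[Finding]:
    """Flag registry items (O2/O3/O16/O33 ...) that a responder would act on."""
    m = OLINE_RE.match(line)
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")
    g = GUID_RE.search(rest)
    guid = g.group(0).upper() if g else None
    if "No CLSID value found" in rest:
        return Finding("orphaned entry with no CLSID", line, guid)
    if "Reg Error" in rest:
        return Finding("registry key unreadable or missing", line, guid)
    # O33 autorun lines also say "File not found"; classify the autorun first.
    if code == "O33" and "AutoRun" in rest:
        return Finding("autorun handler pointing at a removable drive", line, guid)
    if "File not found" in rest:
        return Finding("dangling reference to a missing file", line, guid)
    return None


def triage_file(line: str) -> Optional[Finding]:
    """Flag recently created files under %SystemRoot% with suspicious traits."""
    m = FILE_RE.match(line)
    if not m:
        return None
    attr, path = m.group("attr"), m.group("path")
    vendor = (m.group("vendor") or "").strip()
    if "D" in attr:
        return None                      # directories: nothing to flag here
    under_root = path.lower().startswith(SYSTEM_ROOT)
    binary = path.lower().endswith((".exe", ".dll", ".sys"))
    if under_root and "H" in attr and "S" in attr:
        return Finding("hidden+system file under %SystemRoot%", line)
    if under_root and binary and not vendor:
        return Finding("binary under %SystemRoot% with no vendor string", line)
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Run both parsers over a log and keep every line that produced a finding."""
    out: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        f = triage_oline(line) or triage_file(line)
        if f:
            out.append(f)
    return out


# Sample input: lines copied from the OTL logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O33 - MountPoints2\{d3d1404e-fe9e-11de-b26f-002556104e82}\Shell\AutoRun\command - "" = F:\MI.exe -- File not found
[2010/05/26 22:44:21 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/01/30 12:38:23 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\jst.dll
[2009/10/27 21:43:46 | 000,002,828 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/05/26 22:42:19 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
""".strip().splitlines()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:50s} {f.guid or '-':40s} {f.line[:70]}")
```

Run against the sample, the Google BHO, the C:\_OTL directory and the signed java.exe produce nothing, while the orphaned toolbar, the broken DPF key, the F:\MI.exe autorun and the two unattributed System32 files come back as findings. The O3 and O16 hits are exactly the two items syler's :OTL script removes; the O33 line is the sort of entry a responder would ask about next, since it launches a program from whatever drive gets mounted as F:.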

#11 szxasq1

szxasq1
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:11:08 AM

Posted 27 May 2010 - 05:06 AM

I let ESET run overnight and it returned with no threats found.

However, when I woke up, my Norton Antivirus was open and showed that a tracking cookie "Tidserv" still was in the system. Do you have any suggestions about that?


All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ deleted successfully.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41044 bytes

User: Jeff Wall
->Temp folder emptied: 5416648 bytes
->Temporary Internet Files folder emptied: 33975663 bytes
->Java cache emptied: 69516400 bytes
->Flash cache emptied: 251151 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 1351 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 20539 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 19831138 bytes

Total Files Cleaned = 125.00 mb


[EMPTYFLASH]

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Jeff Wall
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.5.0 log created on 05262010_224421

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Jeff Wall\Local Settings\Temp\hsperfdata_Jeff Wall\2752 not found!
C:\Documents and Settings\Jeff Wall\Local Settings\Temporary Internet Files\Content.IE5\O38GBXBL\iframe[1].htm moved successfully.
C:\Documents and Settings\Jeff Wall\Local Settings\Temporary Internet Files\Content.IE5\44OG23I3\installed[1].htm moved successfully.
C:\Documents and Settings\Jeff Wall\Local Settings\Temporary Internet Files\Content.IE5\44OG23I3\topic318650[2].htm moved successfully.
File\Folder C:\WINDOWS\temp\JET92CA.tmp not found!
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_7c8.dat not found!

Registry entries deleted on Reboot...


OTL logfile created on: 5/26/2010 10:50:05 PM - Run 3
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Jeff Wall\Desktop\Computer Clean-up Programs
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 84.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 288.33 Gb Total Space | 201.71 Gb Free Space | 69.96% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 232.88 Gb Total Space | 48.20 Gb Free Space | 20.70% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WESTWOOD
Current User Name: Jeff Wall
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/25 12:13:52 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff Wall\Desktop\Computer Clean-up Programs\OTL.exe
PRC - [2010/03/24 13:58:22 | 000,309,760 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
PRC - [2010/03/18 11:19:26 | 000,207,360 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2010/01/30 12:37:41 | 000,020,572 | ---- | M] () -- C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
PRC - [2010/01/07 14:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2010/01/07 14:38:08 | 000,158,448 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2009/11/02 08:42:31 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/10/29 07:12:13 | 000,079,872 | ---- | M] (SanDisk Corporation) -- C:\Documents and Settings\Jeff Wall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
PRC - [2009/10/27 17:03:15 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
PRC - [2008/07/21 17:54:34 | 000,169,312 | ---- | M] (Maxtor Corporation) -- C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
PRC - [2008/07/21 17:53:04 | 000,193,888 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Maxtor\Sync\SyncServices.exe
PRC - [2008/07/21 11:44:12 | 000,225,362 | ---- | M] (IDT, Inc.) -- c:\Program Files\IDT\XPM09_6047v002\WDM\stacsv.exe
PRC - [2008/07/21 11:42:16 | 000,442,460 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
PRC - [2008/07/11 13:15:06 | 000,466,944 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\AESTFltr.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/06/16 07:03:04 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2004/04/13 18:03:10 | 000,299,008 | ---- | M] (Palm, Inc.) -- C:\Program Files\palmOne\HOTSYNC.EXE
PRC - [2004/02/27 13:29:24 | 000,061,440 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
PRC - [2004/02/26 17:09:06 | 000,077,824 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system32\HPBPRO.EXE
PRC - [2004/01/07 14:02:26 | 000,049,152 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
PRC - [2003/04/08 15:42:28 | 000,135,168 | ---- | M] () -- C:\Program Files\Belkin\F1U201.401\usbshare.exe
PRC - [2003/03/31 13:32:16 | 000,028,672 | ---- | M] (Hewlett-Packard Inc.) -- C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\SetConfig.exe


========== Modules (SafeList) ==========

MOD - [2010/05/25 12:13:52 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff Wall\Desktop\Computer Clean-up Programs\OTL.exe
MOD - [2009/10/27 17:03:09 | 000,419,696 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.8.0.41\asOEHook.dll
MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/01/07 14:38:18 | 000,447,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/01/07 14:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2010/01/07 14:38:08 | 005,950,704 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2009/11/01 11:34:01 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/10/27 17:03:15 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe -- (N360)
SRV - [2008/07/21 17:53:04 | 000,193,888 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)
SRV - [2008/07/21 11:44:12 | 000,225,362 | ---- | M] (IDT, Inc.) [Auto | Running] -- c:\Program Files\IDT\XPM09_6047v002\WDM\stacsv.exe -- (STacSV)


========== Driver Services (SafeList) ==========

DRV - [2010/05/10 04:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100526.006\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/10 04:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100526.006\NAVENG.SYS -- (NAVENG)
DRV - [2010/01/07 14:22:02 | 000,040,832 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus)
DRV - [2009/10/28 18:37:24 | 000,329,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100520.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2009/10/27 17:03:18 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/10/27 17:03:16 | 000,482,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\ccHPx86.sys -- (ccHP)
DRV - [2009/10/27 17:03:16 | 000,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SYMEFA.SYS -- (SymEFA)
DRV - [2009/10/27 17:03:16 | 000,308,272 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SRTSP.SYS -- (SRTSP)
DRV - [2009/10/27 17:03:16 | 000,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\BHDrvx86.sys -- (BHDrvx86)
DRV - [2009/10/27 17:03:16 | 000,217,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMTDI.SYS -- (SYMTDI)
DRV - [2009/10/27 17:03:16 | 000,089,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMFW.SYS -- (SYMFW)
DRV - [2009/10/27 17:03:16 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2009/10/27 17:03:16 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2009/10/27 17:03:16 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2009/10/27 17:03:16 | 000,036,400 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2009/10/27 17:03:16 | 000,033,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMIDS.SYS -- (SYMIDS)
DRV - [2009/10/27 07:23:22 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/10/27 07:23:22 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2008/11/26 12:39:24 | 001,391,104 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008/10/07 02:01:00 | 000,268,992 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA009Vid.sys -- (OA009Vid)
DRV - [2008/10/06 10:55:22 | 000,144,544 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA009Ufd.sys -- (OA009Ufd)
DRV - [2008/09/11 11:52:48 | 006,047,904 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/08/26 19:57:14 | 000,157,696 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTS5121.sys -- (RSUSBSTOR)
DRV - [2008/07/24 11:03:00 | 000,289,664 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2008/07/21 11:46:18 | 001,384,595 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2008/07/21 01:44:44 | 000,324,120 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iastor.sys -- (iastor)
DRV - [2008/07/11 13:15:10 | 000,108,160 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)
DRV - [2008/04/14 08:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/06 13:22:00 | 000,036,224 | ---- | M] (ArcSoft Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ArcCD.sys -- (ArcCD)
DRV - [2007/06/08 02:00:02 | 000,148,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA009Afx.sys -- (OA009Afx)
DRV - [2007/05/03 14:37:08 | 000,022,152 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2007/04/25 08:55:02 | 000,134,912 | ---- | M] (ArcSoft Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ArcUdfs.sys -- (ArcUdfs)
DRV - [2006/11/10 16:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2005/09/05 11:21:06 | 000,362,944 | ---- | M] (NETGEAR, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WG11TND5.sys -- (AR5523)
DRV - [2004/04/13 18:03:46 | 000,016,509 | ---- | M] (Palm, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

FF - HKLM\software\mozilla\Firefox\extensions\\{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\ [2010/04/26 16:04:33 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/05/25 17:29:42 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\SetConfig.exe (Hewlett-Packard Inc.)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [mxomssmenu] C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe (Maxtor Corporation)
O4 - HKLM..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe (Hewlett-Packard)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe (Hewlett-Packard)
O4 - HKLM..\Run: [Zune Launcher] c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003..\Run: [SansaDispatch] C:\Documents and Settings\Jeff Wall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O4 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\F1U201.401.lnk = C:\Program Files\Belkin\F1U201.401\usbshare.exe ()
O4 - Startup: C:\Documents and Settings\Jeff Wall\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE (Palm, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-776561741-1177238915-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe (PokerStars)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/C/B.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O18 - Protocol\Handler\x-mem1 {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - C:\Program Files\eClinicalWorks\wowctl2.dll (EzTools Software)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/27 12:04:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/05/31 15:17:24 | 000,000,118 | ---- | M] () - G:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{d3d1404e-fe9e-11de-b26f-002556104e82}\Shell\AutoRun\command - "" = F:\MI.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/26 22:44:21 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/05/26 22:42:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/05/26 22:42:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/05/26 22:42:19 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/26 22:42:19 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/26 22:42:19 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/26 22:42:19 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/26 22:40:37 | 000,921,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Jeff Wall\Desktop\JavaSetup6u20.exe
[2010/05/26 08:01:44 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/26 00:02:50 | 000,000,000 | ---D | C] -- C:\Program Files\PokerStars
[2010/05/25 17:16:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/25 17:09:18 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/25 17:09:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/25 17:09:17 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/25 17:09:17 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/25 17:09:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/25 17:08:22 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/25 16:03:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Wall\Application Data\Malwarebytes
[2010/05/25 16:02:32 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/25 16:02:31 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/25 16:02:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/25 16:02:30 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/25 00:05:14 | 000,000,000 | ---D | C] -- C:\Program Files\PokerStars.NET
[2010/05/23 15:22:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/05/20 18:02:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/20 18:02:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/17 06:14:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\Performance
[2010/05/17 06:14:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\Microsoft Corporation
[2010/05/17 06:13:25 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Windows 7 Upgrade Advisor
[2010/05/17 06:13:07 | 008,669,472 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Jeff Wall\Desktop\Windows7UpgradeAdvisorSetup.exe
[2010/05/07 13:03:54 | 000,000,000 | ---D | C] -- C:\Program Files\Lame for Audacity
[2010/05/07 13:02:57 | 000,421,346 | ---- | C] ( ) -- C:\Documents and Settings\Jeff Wall\Desktop\Lame_v3.98.2_for_Audacity_on_Windows.exe
[2010/05/07 12:46:05 | 000,000,000 | ---D | C] -- C:\Program Files\Audacity
[2010/05/07 12:44:09 | 002,228,534 | ---- | C] ( ) -- C:\Documents and Settings\Jeff Wall\Desktop\audacity-win-1.2.6.exe
[2010/05/05 13:13:32 | 000,134,912 | ---- | C] (ArcSoft Inc.) -- C:\WINDOWS\System32\drivers\ArcUdfs.sys
[2010/05/05 13:13:32 | 000,036,224 | ---- | C] (ArcSoft Inc.) -- C:\WINDOWS\System32\drivers\ArcCD.sys
[2010/05/05 13:13:32 | 000,007,680 | ---- | C] (ArcSoft Inc.) -- C:\WINDOWS\System32\drivers\ArcRec.sys
[2010/04/30 20:04:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2010/04/30 17:53:42 | 000,016,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsgXP_2k3.dll
[2010/04/30 17:53:23 | 000,000,000 | ---D | C] -- C:\Program Files\Zune
[2010/04/30 17:52:55 | 000,465,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\imapi2fs.dll
[2010/04/30 17:52:55 | 000,465,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imapi2fs.dll
[2010/04/30 17:52:55 | 000,317,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\imapi2.dll
[2010/04/30 17:52:55 | 000,317,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imapi2.dll
[2010/04/30 17:52:55 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdrom.sys
[2010/04/30 17:39:57 | 057,451,272 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Jeff Wall\Desktop\zunesetuppkg-x86.exe
[2010/04/29 16:35:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Wall\Desktop\Portland

========== Files - Modified Within 30 Days ==========

[2010/05/26 22:52:50 | 000,475,330 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/26 22:52:50 | 000,404,536 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/26 22:52:50 | 000,063,590 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/26 22:48:24 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/26 22:48:07 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/26 22:48:06 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/26 22:48:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/26 22:48:01 | 3716,530,176 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/26 22:46:52 | 005,505,024 | -H-- | M] () -- C:\Documents and Settings\Jeff Wall\NTUSER.DAT
[2010/05/26 22:46:52 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Jeff Wall\ntuser.ini
[2010/05/26 22:40:47 | 000,921,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Jeff Wall\Desktop\JavaSetup6u20.exe
[2010/05/26 22:31:44 | 000,001,728 | -H-- | M] () -- C:\Documents and Settings\Jeff Wall\My Documents\Default.rdp
[2010/05/26 22:29:40 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\Medicare Overpayment.doc
[2010/05/26 22:11:00 | 000,000,892 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/26 00:07:18 | 000,002,828 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/05/25 17:58:44 | 004,839,998 | -H-- | M] () -- C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\IconCache.db
[2010/05/25 17:54:46 | 000,000,074 | ---- | M] () -- C:\WINDOWS\iltwain.ini
[2010/05/25 17:29:48 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/25 17:29:42 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/25 17:16:25 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/05/25 17:13:49 | 003,698,620 | R--- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\ComboFix.exe
[2010/05/25 13:01:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/05/24 11:54:57 | 000,013,312 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/23 17:10:02 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/23 17:10:02 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/05/19 12:11:15 | 000,000,250 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2010/05/19 12:10:55 | 000,870,128 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Application Data\mcs.rma
[2010/05/19 12:10:55 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Application Data\4AE7DF
[2010/05/17 06:13:28 | 000,001,862 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2010/05/17 06:13:12 | 008,669,472 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Jeff Wall\Desktop\Windows7UpgradeAdvisorSetup.exe
[2010/05/16 08:13:57 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/10 14:41:54 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\Hotel internet help line.doc
[2010/05/07 13:05:48 | 000,033,726 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\throne_balladry.jpg
[2010/05/07 13:02:57 | 000,421,346 | ---- | M] ( ) -- C:\Documents and Settings\Jeff Wall\Desktop\Lame_v3.98.2_for_Audacity_on_Windows.exe
[2010/05/07 12:46:06 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\Audacity.lnk
[2010/05/07 12:45:41 | 002,228,534 | ---- | M] ( ) -- C:\Documents and Settings\Jeff Wall\Desktop\audacity-win-1.2.6.exe
[2010/05/06 10:50:56 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\Mike Munk EMS.doc
[2010/05/05 13:15:27 | 000,001,756 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Media Impression for Kodak.lnk
[2010/05/04 18:30:53 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
[2010/05/04 18:30:53 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01009.Wdf
[2010/05/04 18:30:25 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/04 18:30:24 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_user_01_09_00.Wdf
[2010/04/30 17:53:44 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2010/04/30 17:53:44 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_zumbus_01009.Wdf
[2010/04/30 17:53:31 | 000,000,628 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Zune.lnk
[2010/04/30 17:40:00 | 057,451,272 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Jeff Wall\Desktop\zunesetuppkg-x86.exe
[2010/04/30 08:35:15 | 000,000,797 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\YouTube Downloader.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/29 09:38:59 | 000,202,240 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\Underground Inter station database.xls
[2010/04/29 08:14:18 | 000,451,680 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/28 13:38:03 | 000,150,544 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/27 08:10:48 | 002,266,112 | ---- | M] () -- C:\Documents and Settings\Jeff Wall\Desktop\PATIENT LIST JAW.xls

========== Files Created - No Company Name ==========

[2010/05/26 22:28:53 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\Medicare Overpayment.doc
[2010/05/25 17:16:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/05/25 17:16:20 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/25 17:09:18 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/25 17:09:18 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/25 17:09:17 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/25 17:09:17 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/25 17:09:17 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/25 17:03:57 | 003,698,620 | R--- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\ComboFix.exe
[2010/05/23 17:09:33 | 3716,530,176 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/19 12:11:15 | 000,000,250 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/05/17 06:13:28 | 000,001,862 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2010/05/16 08:13:57 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/10 14:41:53 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\Hotel internet help line.doc
[2010/05/07 13:06:12 | 000,033,726 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\throne_balladry.jpg
[2010/05/07 12:46:06 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\Audacity.lnk
[2010/05/07 09:40:11 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\Mike Munk EMS.doc
[2010/05/04 18:30:53 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
[2010/05/04 18:30:53 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01009.Wdf
[2010/05/04 18:30:24 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_user_01_09_00.Wdf
[2010/04/30 17:53:44 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2010/04/30 17:53:44 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_zumbus_01009.Wdf
[2010/04/30 17:53:31 | 000,000,628 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Zune.lnk
[2010/04/30 08:35:15 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\YouTube Downloader.lnk
[2010/04/29 08:40:10 | 000,202,240 | ---- | C] () -- C:\Documents and Settings\Jeff Wall\Desktop\Underground Inter station database.xls
[2010/02/24 11:00:10 | 000,000,050 | ---- | C] () -- C:\WINDOWS\TOPO.INI
[2010/01/30 12:38:23 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\jst.dll
[2010/01/30 12:38:23 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\PMLJNI.dll
[2010/01/29 18:35:28 | 000,000,124 | ---- | C] () -- C:\WINDOWS\hplj1320.ini
[2010/01/29 18:34:53 | 000,000,385 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2010/01/29 18:34:24 | 000,001,120 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2010/01/29 18:34:05 | 000,192,512 | R--- | C] () -- C:\WINDOWS\System32\HPB1320V.DLL
[2010/01/18 12:49:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2009/10/28 13:45:02 | 000,000,074 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2009/10/28 13:44:58 | 000,242,688 | ---- | C] () -- C:\WINDOWS\System32\ISP2003.dll
[2009/10/28 13:44:53 | 000,110,592 | ---- | C] () -- C:\WINDOWS\cndya30.dll
[2009/10/27 21:43:46 | 000,002,828 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/10/27 14:04:27 | 000,000,612 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/10/27 13:32:00 | 000,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2009/10/27 13:32:00 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/10/27 13:27:53 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4990.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/31 06:17:12 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
< End of report >




#12 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:08 PM

Posted 27 May 2010 - 08:25 AM

QUOTE
However, when I woke up, my Norton Antivirus was open and showed that a tracking cookie "Tidserv" still was in the system. Do you have any suggestions about that?


That depends. Can you tell me where Norton located this threat?



#13 szxasq1

  • Topic Starter

  • Members
  • 25 posts
  • Local time:11:08 AM

Posted 27 May 2010 - 10:24 AM

QUOTE(syler @ May 27 2010, 09:25 AM)
QUOTE
However, when I woke up, my Norton Antivirus was open and showed that a tracking cookie "Tidserv" still was in the system. Do you have any suggestions about that?


That depends. Can you tell me where Norton located this threat?


It didn't say where it was located, but it was called Backdoor.Tidserv!inf and it is listed as a virus. It also said "Not safe to remove".

Also looking through my Norton logs, Norton appears to continue to find some tracking cookies, including all of those which are listed in my thread title.

Edited by syler, 27 May 2010 - 10:50 AM: remove unnecessary information.


#14 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:08 PM

Posted 27 May 2010 - 10:54 AM

I am aware of what Tidserv is, thanks; it is what we have just removed from your computer. It is more than likely that Norton is finding it in a quarantined area or in System Restore, which is normal; my last instruction will take you through cleaning that up.

Let's just make sure it isn't active again.
  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • A file called mbr.log will pop up; please post the contents in your reply.



#15 szxasq1

  • Topic Starter

  • Members
  • 25 posts
  • Local time:11:08 AM

Posted 27 May 2010 - 10:57 AM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK
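The two log formats exchanged in this thread, OTL's file-listing lines and the mbr.exe check log just posted, are easy to read by eye once, but anyone handling many of them will want them parsed. The Python below is an added example; it is not part of the thread and not code from OTL or GMER. It parses OTL file entries into records (handling the zero-padded comma-grouped size field, the "()" and "( )" empty company forms, and directory lines that carry no company at all), lists the hidden+system files an analyst would look at (a review list rather than a verdict, since hiberfil.sys and ntuser.ini carry those attributes legitimately), and checks an mbr.exe log for the four lines the clean run above prints. The sample OTL lines and the first mbr.log sample are copied from the logs posted in this thread; the second mbr.log sample is constructed to exercise the "review" path and is not real tool output.

```python
"""Parsers for the two log formats posted in this thread: OTL file-listing
lines and the GMER mbr.exe check log.  Added example, not part of the thread
and not code from OTL or GMER.  Samples marked 'posted' are copied from the
logs above; the sample marked 'constructed' is made up for the failure path."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# OTL file entry layout:
#   [YYYY/MM/DD HH:MM:SS | size | attrs | C-or-M] (Company) -- path
# Directory lines omit the "(Company)" part.  The size keeps a comma-grouped
# layout whose first group is zero-padded, so "3716,530,176" (hiberfil.sys)
# is 3,716,530,176 bytes once the commas are dropped.
_OTL_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    attrs: str              # flags in order: R read-only, H hidden, S system, D directory
    kind: str               # 'C' = created-within listing, 'M' = modified-within listing
    company: Optional[str]  # None when OTL printed "()" / "( )" or no company at all
    path: str

    @property
    def is_directory(self) -> bool:
        return self.attrs.endswith("D")

    @property
    def hidden_system(self) -> bool:
        return "H" in self.attrs and "S" in self.attrs


def parse_otl_entry(line: str) -> Optional[OtlEntry]:
    """Parse one OTL file line; return None for headers, blanks and other text."""
    m = _OTL_RE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=(m["company"] or "").strip() or None,
        path=m["path"],
    )


def hidden_system_files(log_text: str) -> List[str]:
    """Paths of non-directory entries carrying both the H and S attributes.
    This is a review list, not a verdict: hiberfil.sys, boot.ini and ntuser.ini
    legitimately carry these flags, so each hit still needs a look-up."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_otl_entry(line)
        if entry and entry.hidden_system and not entry.is_directory:
            hits.append(entry.path)
    return hits


# Lines a clean mbr.exe run prints (copied from the mbr.log posted above).
MBR_CLEAN_LINES = (
    "device: opened successfully",
    "user: MBR read successfully",
    "kernel: MBR read successfully",
    "user & kernel MBR OK",
)


def mbr_log_status(log_text: str) -> Tuple[str, List[str]]:
    """'clean' only when every expected line is present verbatim; otherwise
    'review' together with the lines that were missing.  A log that lacks the
    final user/kernel comparison line is never called clean."""
    present = {ln.strip() for ln in log_text.splitlines()}
    missing = [ln for ln in MBR_CLEAN_LINES if ln not in present]
    return ("clean" if not missing else "review", missing)


# Posted: lines copied from the OTL log in this thread.
OTL_SAMPLE = r"""
[2010/05/26 22:48:01 | 3716,530,176 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/26 00:07:18 | 000,002,828 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/05/07 13:02:57 | 000,421,346 | ---- | C] ( ) -- C:\Documents and Settings\Jeff Wall\Desktop\Lame_v3.98.2_for_Audacity_on_Windows.exe
[2010/05/25 16:02:31 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/25 17:09:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
"""

# Posted: the mbr.log from this thread.
MBR_LOG_POSTED = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK
"""

# Constructed: the same log with the final comparison line absent (not real output).
MBR_LOG_CONSTRUCTED = "\n".join(MBR_LOG_POSTED.splitlines()[:-1]) + "\n"

if __name__ == "__main__":
    print("hidden+system files to review:", hidden_system_files(OTL_SAMPLE))
    print("posted mbr.log:", mbr_log_status(MBR_LOG_POSTED))
    print("constructed mbr.log:", mbr_log_status(MBR_LOG_CONSTRUCTED))
```

Run as a script it prints the two hidden+system paths from the sample and the clean/review results for the two mbr.log samples; in practice you would feed it the whole OTL report and the posted mbr.log text.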




